OJ
506a4d9e67
As per discussion on the github issue, the following changes were made: * Project renamed from elevate to kitrap0d, implying that this is not intended to be a generic local priv esc exploit container. * Container DLL no longer generic, always calls the kitrap0d exploit. * Removal of all x64 code and project configurations. * Invocation of the exploit changed so that the address of the payload is passed in to the exploit entry point. The exploit is now responsible for executing the payload if the exploit is successful. This removes the possibility of the payload getting executed when the exploit fails. * Source moved to the appropriate CVE folder. * Binary moved to the appropriate CVE folder. * Little bit of source rejigging to tidy things up.
35 lines
600 B
C
35 lines
600 B
C
/*!
|
|
* @file kitrap0d.h
|
|
*/
|
|
|
|
#ifndef _METERPRETER_SOURCE_ELEVATOR_KITRAP0D_H
|
|
#define _METERPRETER_SOURCE_ELEVATOR_KITRAP0D_H
|
|
|
|
#define KSTACKSIZE 1024
|
|
|
|
#define EFLAGS_TF_MASK 0x00000100 // trap flag
|
|
|
|
#ifndef PAGE_SIZE
|
|
#define PAGE_SIZE 0x1000
|
|
#endif
|
|
|
|
enum
|
|
{
|
|
VdmStartExecution = 0,
|
|
VdmInitialize = 3
|
|
};
|
|
|
|
typedef struct _VDMTIB
|
|
{
|
|
ULONG Size;
|
|
PVOID Padding0;
|
|
PVOID Padding1;
|
|
CONTEXT Padding2;
|
|
CONTEXT VdmContext;
|
|
DWORD Padding3[1024];
|
|
} VDMTIB, * LPVDMTIB;
|
|
|
|
VOID elevator_kitrap0d( DWORD dwProcessId, DWORD dwKernelBase, DWORD dwOffset );
|
|
|
|
#endif
|