View Single Post
  #1  
Old 10-02-2007, 08:03
elephant elephant is offline
Friend
 
Join Date: Feb 2005
Posts: 89
Rept. Given: 2
Rept. Rcvd 26 Times in 13 Posts
Thanks Given: 130
Thanks Rcvd at 107 Times in 37 Posts
elephant Reputation: 26
Talking Run Ring0 code in Vista 64bits

Yes, it is possible. Ruben Santamarta from ReverseMode.com has released an exploit (in form of a kartoffel plugin) to run code through a vulnerable signed driver in Speedfan (www.almico.com/speedfan.php).

Spanish readers can check this funny blog entry for further information: http://blog.48bits.com/?p=169

Attached to this post is Kartoffel and the exploit.

Cheers.


Vulnerable code in speedfan.sys

Code:
Code (asm)
                cmp     dword ptr [rdx+8], 8 ; Ouputbuffer size
                 jb      short loc_11171
                 cmp     dword ptr [rdx+10h],0Ch ;InputBuffer size
                 jb      short loc_11171
                 mov     r8d, [rsi+4]    ; inputBuffer[1]
                 mov     r9d, [rsi+8]    ; InputBuffer[2]
                 mov     rax, r8
                 shl     rax, 20h
                 or      rax, r9
                 mov     rdx, rax
                 shr     rdx, 20h
                 mov     ecx, [rsi]      ; inputBuffer[0]
                 wrmsr                     ; Chungo
Attached Files
File Type: zip speedfan_plugin_x64.zip (179.5 KB, 17 views)
File Type: rar setup64.rar (732.2 KB, 14 views)

Last edited by elephant; 10-03-2007 at 03:19.
Reply With Quote