10-02-2007, 08:03
elephant
Run Ring0 code in Vista 64bits

Yes, it is possible. Ruben Santamarta from has released an exploit (in the form of a kartoffel plugin) to run code through a vulnerable signed driver in Speedfan (

Spanish readers can check this funny blog entry for further information:

Attached to this post are Kartoffel and the exploit.


Vulnerable code in speedfan.sys

Code (asm)
                 cmp     dword ptr [rdx+8], 8     ; OutputBuffer size
                 jb      short loc_11171
                 cmp     dword ptr [rdx+10h], 0Ch ; InputBuffer size
                 jb      short loc_11171
                 mov     r8d, [rsi+4]    ; InputBuffer[1]
                 mov     r9d, [rsi+8]    ; InputBuffer[2]
                 mov     rax, r8
                 shl     rax, 20h
                 or      rax, r9         ; RAX = InputBuffer[1]:InputBuffer[2]
                 mov     rdx, rax
                 shr     rdx, 20h        ; EDX = high dword, EAX = low dword
                 mov     ecx, [rsi]      ; InputBuffer[0]
                 wrmsr                   ; Nasty: MSR[ECX] <- EDX:EAX

Last edited by elephant; 10-03-2007 at 03:19.
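
The listing above only checks the two buffer lengths before `wrmsr`. The following user-mode C model is an added example, not code from the post or from the driver: it sets that decode beside a deny-by-default version. The function names, the `msr_rule` allowlist, its single entry and its bit mask are assumptions for illustration, and the request values are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Register values a handler would hand to WRMSR: MSR[ECX] <- EDX:EAX. */
typedef struct { uint32_t ecx, edx, eax; } msr_write;

/* Model of the handler as posted: only the two buffer lengths are checked. */
bool decode_as_posted(const uint32_t *in, size_t in_len, size_t out_len, msr_write *w)
{
    if (out_len < 8 || in_len < 0x0C)
        return false;
    /* MSR index, high dword and low dword all come straight from the caller. */
    w->ecx = in[0]; w->edx = in[1]; w->eax = in[2];
    return true;
}

/* Hypothetical allowlist: MSRs the driver needs, with their writable bits. */
typedef struct { uint32_t index; uint64_t writable; } msr_rule;
static const msr_rule ALLOWED[] = {
    { 0x19A, 0x1F },  /* IA32_CLOCK_MODULATION; the mask is an assumption */
};

/* Same decode, deny by default: unknown index or non-writable bits are refused. */
bool decode_hardened(const uint32_t *in, size_t in_len, size_t out_len, msr_write *w)
{
    if (in == NULL || w == NULL || out_len < 8 || in_len < 0x0C)
        return false;
    uint64_t value = ((uint64_t)in[1] << 32) | in[2];
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++) {
        if (ALLOWED[i].index != in[0])
            continue;
        if (value & ~ALLOWED[i].writable)
            return false;
        w->ecx = in[0]; w->edx = (uint32_t)(value >> 32); w->eax = (uint32_t)value;
        return true;
    }
    return false;
}

int main(void)
{
    const uint32_t req[3] = { 0x12345678, 0xAAAAAAAA, 0xBBBBBBBB }; /* constructed */
    msr_write w;
    printf("as posted: %d, hardened: %d\n", decode_as_posted(req, sizeof req, 8, &w),
           decode_hardened(req, sizeof req, 8, &w));
    return 0;
}
```

In a real driver the same check would sit in the IOCTL dispatch routine, alongside an ACL on the device object so that unprivileged callers cannot open it at all.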