Yes, it is possible. Ruben Santamarta from ReverseMode.com has released an exploit (in the form of a Kartoffel plugin) to run code through a vulnerable signed driver in Speedfan (www.almico.com/speedfan.php).

Spanish readers can check this funny blog entry for further information: http://blog.48bits.com/?p=169

Attached to this post is Kartoffel and the exploit.

Cheers.

Vulnerable code in speedfan.sys:

```asm
cmp     dword ptr [rdx+8], 8        ; OutputBuffer size
jb      short loc_11171
cmp     dword ptr [rdx+10h], 0Ch    ; InputBuffer size
jb      short loc_11171
mov     r8d, [rsi+4]                ; InputBuffer[1]
mov     r9d, [rsi+8]                ; InputBuffer[2]
mov     rax, r8
shl     rax, 20h
or      rax, r9                     ; rax = InputBuffer[1]:InputBuffer[2]
mov     rdx, rax
shr     rdx, 20h                    ; edx = high dword, eax = low dword
mov     ecx, [rsi]                  ; InputBuffer[0] = MSR index
wrmsr                               ; nasty
```

Last edited by elephant; 10-03-2007 at 03:19.
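For contrast with the disassembly above, here is a hardened version of the same request check, as an added example that is not part of the original post or the driver's code: it keeps the two buffer-size checks and adds an allowlist on the MSR index before any write would happen. The function name, types and the allowlist contents are assumptions made for illustration; it is a user-mode model that validates and decodes the request but never executes `wrmsr`.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumption: the only MSRs this hypothetical driver ever needs to write.
 * Index values are from the Intel SDM; what the real driver needs is not
 * stated on the page. */
static const uint32_t k_writable_msrs[] = {
    0x199u, /* IA32_PERF_CTL */
    0x19Au, /* IA32_CLOCK_MODULATION */
};

typedef struct {
    uint32_t index;  /* would be loaded into ECX */
    uint64_t value;  /* would be loaded into EDX:EAX */
} msr_write_t;

typedef enum { MSR_OK = 0, MSR_ERR_SIZE, MSR_ERR_DENIED } msr_status_t;

/* Same size checks as the disassembly (output >= 8, input >= 0Ch), plus the
 * check the vulnerable path lacks: the index must be on the allowlist.
 * Layout follows the listing: in[0] = index, in[1] = high dword,
 * in[2] = low dword. Lengths are in bytes. */
msr_status_t validate_msr_write(const uint32_t *in, size_t in_len,
                                size_t out_len, msr_write_t *req)
{
    size_t n = sizeof k_writable_msrs / sizeof k_writable_msrs[0];

    if (in == NULL || req == NULL || out_len < 8 || in_len < 0x0C)
        return MSR_ERR_SIZE;

    for (size_t i = 0; i < n; i++) {
        if (k_writable_msrs[i] == in[0]) {
            req->index = in[0];
            req->value = ((uint64_t)in[1] << 32) | in[2];
            return MSR_OK;          /* caller may now perform the write */
        }
    }
    return MSR_ERR_DENIED;          /* unknown index: refuse, do not write */
}
```

In a real driver this check would sit in the IOCTL dispatch routine, and the device object's ACL should additionally limit which callers can open the device at all.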