From 36c9e89af5cdafc62341a705c0a8f3fe521ad979 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 23 Feb 2021 22:03:20 +0000 Subject: [PATCH] Update README.md --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 60ba657..0bcdaaa 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,3 @@ -# Credit - Special Thanks - -* [@drew](https://twitter.com/drewbervisor) - pointing out AC bit in RFLAGS can be set in usermode. I originally assumed since the `STAC` instruction could not be executed in usermode that `POPFQ` would throw an exception if AC bit was high and CPL was greater then zero. Without this key information the project would have been a complete mess. Thank you! -* [@0xnemi](https://twitter.com/0xnemi) / [@everdox](https://twitter.com/nickeverdox) - [mov ss/pop ss exploit](https://www.youtube.com/watch?v=iU_No7gdcwc) 0xnemi's use of syscall and the fact that RSP is not changed + use of ROP made me think about how there are alot of vulnerable drivers that expose arbitrary wrmsr which could be used to change LSTAR and effectivlly replicate his solution... -* [@Ch3rn0byl](https://twitter.com/notCh3rn0byl) - donation of a few vulnerable drivers which exposed arbitrary WRMSR/helped test with KVA shadowing enabled/disabled. -* [@namazso](https://twitter.com/namazso) - originally hinting at this project many months ago. its finally done :) - # MsrExec - Elevate Arbitrary WRMSR To Kernel Execution 
@@ -75,6 +68,13 @@ pop r10 ; restore r10... ret ``` +# Credit - Special Thanks + +* [@drew](https://twitter.com/drewbervisor) - pointing out AC bit in RFLAGS can be set in usermode. I originally assumed since the `STAC` instruction could not be executed in usermode that `POPFQ` would throw an exception if AC bit was high and CPL was greater then zero. Without this key information the project would have been a complete mess. Thank you! +* [@0xnemi](https://twitter.com/0xnemi) / [@everdox](https://twitter.com/nickeverdox) - [mov ss/pop ss exploit](https://www.youtube.com/watch?v=iU_No7gdcwc) 0xnemi's use of syscall and the fact that RSP is not changed + use of ROP made me think about how there are alot of vulnerable drivers that expose arbitrary wrmsr which could be used to change LSTAR and effectivlly replicate his solution... +* [@Ch3rn0byl](https://twitter.com/notCh3rn0byl) - donation of a few vulnerable drivers which exposed arbitrary WRMSR/helped test with KVA shadowing enabled/disabled. +* [@namazso](https://twitter.com/namazso) - originally hinting at this project many months ago. its finally done :) + # Lisence TL;DR: if you use this project, rehost it, put it on github, include `_xeroxz` in your release.
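Review bot: the credits block re-added in the second hunk (just before the `# Lisence` context line) carries the original typos over verbatim; since these lines are being rewritten anyway, fix them as part of the move: `greater then zero` should read `greater than zero`, `alot` should read `a lot`, `effectivlly` should read `effectively`, and `its finally done` should read `it's finally done`. The adjacent context heading `# Lisence` is also misspelled (`# License`) and could be corrected in the same commit. The four bullets and heading removed in the first hunk match the block added here line for line, so the change is a pure relocation with no content lost.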