_xeroxz
/
msrexec
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Update README.md

Browse Source
merge-requests/1/head
_xeroxz 3 years ago
parent 1d579e9278
commit 36c9e89af5
1 changed files with 7 additions and 7 deletions
Show Stats Download Patch File Download Diff File

14
README.md
Unescape View File

@ -1,10 +1,3 @@
# Credit - Special Thanks
* [@drew](https://twitter.com/drewbervisor) - pointing out AC bit in RFLAGS can be set in usermode. I originally assumed since the `STAC` instruction could not be executed in usermode that `POPFQ` would throw an exception if AC bit was high and CPL was greater then zero. Without this key information the project would have been a complete mess. Thank you!
* [@0xnemi](https://twitter.com/0xnemi) / [@everdox](https://twitter.com/nickeverdox) - [mov ss/pop ss exploit](https://www.youtube.com/watch?v=iU_No7gdcwc) 0xnemi's use of syscall and the fact that RSP is not changed + use of ROP made me think about how there are alot of vulnerable drivers that expose arbitrary wrmsr which could be used to change LSTAR and effectivlly replicate his solution...
* [@Ch3rn0byl](https://twitter.com/notCh3rn0byl) - donation of a few vulnerable drivers which exposed arbitrary WRMSR/helped test with KVA shadowing enabled/disabled.
* [@namazso](https://twitter.com/namazso) - originally hinting at this project many months ago. its finally done :)
<img src="https://imgur.com/nNnOCPK.png"/>
# MsrExec - Elevate Arbitrary WRMSR To Kernel Execution
@ -75,6 +68,13 @@ pop r10 ; restore r10...
ret
```
# Credit - Special Thanks
* [@drew](https://twitter.com/drewbervisor) - pointing out AC bit in RFLAGS can be set in usermode. I originally assumed since the `STAC` instruction could not be executed in usermode that `POPFQ` would throw an exception if AC bit was high and CPL was greater then zero. Without this key information the project would have been a complete mess. Thank you!
* [@0xnemi](https://twitter.com/0xnemi) / [@everdox](https://twitter.com/nickeverdox) - [mov ss/pop ss exploit](https://www.youtube.com/watch?v=iU_No7gdcwc) 0xnemi's use of syscall and the fact that RSP is not changed + use of ROP made me think about how there are alot of vulnerable drivers that expose arbitrary wrmsr which could be used to change LSTAR and effectivlly replicate his solution...
* [@Ch3rn0byl](https://twitter.com/notCh3rn0byl) - donation of a few vulnerable drivers which exposed arbitrary WRMSR/helped test with KVA shadowing enabled/disabled.
* [@namazso](https://twitter.com/namazso) - originally hinting at this project many months ago. its finally done :)
# Lisence
TL;DR: if you use this project, rehost it, put it on github, include `_xeroxz` in your release.

Write Preview
Loading…
Cancel
Save