
can1357 / cve-2018-8897


Arbitrary code execution with kernel privileges using CVE-2018-8897.

Home Page: https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897/

License: BSD 3-Clause "New" or "Revised" License

C 1.13% C++ 89.53% Assembly 9.34%

cve-2018-8897's People

Contributors

can1357


cve-2018-8897's Issues

Compile Error

Hi,
I have the same problem here. I also changed the binary form to integer, and the only problem is:
IntelliSense: unknown attribute "code_seg"

Could you tell me how to fix it please ?
Best Regards,

How to debug this exp

Hi, bro! I'm a new guy to kernel exploits. I set up the kernel debug environment with VirtualKD and WinDbg. After that, I ran the exp, but it can't perform privilege escalation successfully. I tested this on Windows 10 1709 in VMware with kernel debug mode. I don't know whether the KernelShellcode is executed or not, so I want to debug it, but I don't know how to. It always stops on int 3, and then I don't know how to simulate the #DB event as you said, so I just type the command 'g' in WinDbg. I'm so confused. Can you help me solve this?

some problem about exploit

Hi, can1357! First, thank you very much for providing the exp of cve-2018-8897. Then, I tried to test your exp on some OSes, including Win 7, 2008 R2 and Win 10, but all of these failed (I tested it on physical machines).
I don't know where the problem is...
As shown below (win 10 (10.0.10240)):
[screenshot: win10]

When I press any key, the computer goes down; the BSOD code was KMODE_EXCEPTION_NOT_HANDLED.
I used VS2012 to compile the file.
I want to know what went wrong,
and which OS you are testing on.
Appreciate the response.

some problem with compile

Hi

I saw the other issue and did what you suggested:
1) Build Dependencies
2) Microsoft Macro Assembler
3) Properties > C/C++ > Code Generation > Security Check (/GS-)

and the compile does not work for me.

[screenshots: capture2222, capture3333]

What does it mean?

"We cannot predict which half of XMM15 will get hit due to the mask we apply to comply with the movaps alignment requirement, so first two pointers should simply point at a [RETN] instruction"

I didn’t understand this paragraph.

Another question:
```c
NON_PAGED_CODE void KernelShellcode()
{
    __writedr( 7, 0 );

    uint64_t Cr4Old = __readgsqword( Offset_Pcr__Prcb + Offset_Prcb__Cr4 );
    __writecr4( Cr4Old & ~( 1 << 20 ) ); // <-- disable CPU SMEP again?

    __swapgs();
    ......

}
```
You have already disabled CPU SMEP, so why disable SMEP again in KernelShellcode?
In addition, the operating system automatically restores SMEP every time a thread switch occurs (KiSwapContext). At this point, when your thread starts executing the remaining instructions, an exception will be thrown.

Doesn't work on Win7 SP1

Good evening! Lovely PoC, worked great on a few operating systems. I was curious, though, are there any reasons why it would not work on a Windows 7 SP1 x64 OS despite having an older version than the software update? It appears to fail on allocating a null page, or

Offset_KThread_ApcStateFill_Process

is there anyway I may be able to fix this?

appreciate the response =)

Build instructions

Hi,

thanks for the exploit. May it be possible to add build instructions?

Thanks!
