History

bwatters-r7 eab62c18c6 Update mov_ss and add mov_ss_dll		2018-07-27 09:40:34 -05:00
..
Error.h	Update mov_ss and add mov_ss_dll	2018-07-27 09:40:34 -05:00
KernelRoutines.h	Update mov_ss and add mov_ss_dll	2018-07-27 09:40:34 -05:00
LICENSE	Update mov_ss and add mov_ss_dll	2018-07-27 09:40:34 -05:00
LockedMemory.h	Update mov_ss and add mov_ss_dll	2018-07-27 09:40:34 -05:00
Native.asm	Update mov_ss and add mov_ss_dll	2018-07-27 09:40:34 -05:00
Native.h	Update mov_ss and add mov_ss_dll	2018-07-27 09:40:34 -05:00
NtDefines.h	Update mov_ss and add mov_ss_dll	2018-07-27 09:40:34 -05:00
README.md	Update mov_ss and add mov_ss_dll	2018-07-27 09:40:34 -05:00
cve-2018-8897-exe.cpp	Update mov_ss and add mov_ss_dll	2018-07-27 09:40:34 -05:00
cve-2018-8897-exe.sln	Update mov_ss and add mov_ss_dll	2018-07-27 09:40:34 -05:00
cve-2018-8897-exe.vcxproj	Update mov_ss and add mov_ss_dll	2018-07-27 09:40:34 -05:00
cve-2018-8897-exe.vcxproj.filters	Update mov_ss and add mov_ss_dll	2018-07-27 09:40:34 -05:00

README.md

CVE-2018-8897

Demo exploitation of the POP SS vulnerability (CVE-2018-8897), leading to unsigned code execution with kernel privilages.

KVA Shadowing should be disabled and the relevant security update should be uninstalled.
This may not work with certain hypervisors (like VMWare), which discard the pending #DB after INT3.

Detailed explanation:

https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897/

Result: