- DriverGenius 9.70.0.346, mydrivers64.sys 9.2.707.1214
- http://www.drivergenius.com/
Arbitrary Kernel Execution
From IoControlCode 0x9C402088, a normal user can call __writemsr, which can lead to arbitrary kernel execution.
In the attached file ArbitraryKernelExecution.zip, there are writemsr.exe, writemsr.cpp, ArbitraryKernelExecution.cpp, DGSetup_Home_BZNR.exe, and mydrivers64.sys. writemsr.exe is the PoC to call wrmsr where DGSetup_Home_BZNR.exe which contains the vulnerable driver mydrivers64.sys is installed, and writemsr.cpp is the source code of writemsr.exe. To reproduce the issue, install DGSetup_Home_BZNR.exe and execute writemsr.exe. It is expected that the system will call __writemsr once writemsr.exe is executed. To achieve arbitrary kernel execution, refer to the project https://git.back.engineering/_xeroxz/msrexec, and replace main.cpp in the project to ArbitraryKernelExecution.cpp in the attachment. Password for attachment: ArbitraryKernelExecution https://drive.google.com/file/d/1kYCec3kYCzD9s2Vnclp_aW5jLneWqHC_/view?usp=sharing