fdiskyou / Cve 2018 19320

Exploiting ring0 memcpy-like functionality to disable Driver Signing Enforcement (DSE)

CVE-2018-19320

Exploiting ring0 memcpy-like functionality to disable Driver Signing Enforcement (DSE) as documented here: http://deniable.org/windows/windows-callbacks

Disclaimer

This exploit is released in the interest of exploring the Windows kernel for self-education. I take zero responsibility for bugchecks, or for whatever you do with this. Don't be stupid.

Usage

Demo

Is this exploit PatchGuard friendly? Please read http://deniable.org/windows/windows-callbacks. Short answer: CI.dll variables are indeed protected by PatchGuard (starting with Windows 8.1). However, this doesn't mean we'll get an instant PatchGuard reaction (bugcheck). It will eventually lead to a bugcheck once PatchGuard notices the change. However, if we revert the change (restore the original state) we'll be fine. There's obviously a risk here, as we don't know when PatchGuard is going to look at our global variable. PatchGuard runs at random intervals, so it can happen immediately after our change, 5 minutes later, one hour later, 24 hours later; we don't know.

Driver

You'll have to find the vulnerable driver yourself. Again, don't be stupid. Use it for self-education only.

References