I initially identified this vulnerability (if you can call it a vulnerability, considering administrator-to-kernel is <a href="https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria">not</a> considered a security boundary) during some kernel driver research. I identified four attack vectors in the driver. I later found out that <a href="https://github.com/h0mbre">@h0mbre</a> <a href="https://h0mbre.github.io/RyzenMaster_CVE/">identified</a> two of these vectors back in 2020. Back then, every user on the system could open handles to the symbolic link. AMD 'fixed' it by restricting access to local administrators. But from a threat actor and red teaming perspective, it is still very useful.
18
18
19
-
**Theexploitwas developed and tested on Windows 10 Pro 22H2 19045.2486.** The executable is somewhat stable. TheCobalt Strike beaconishas a stack limitation of 4096 bytes, so it's less likely to work (during development it always did work though).
19
+
**I developed and testedthisexploit on Windows 10 Pro 22H2 19045.2486.** The executable is somewhat stable. Cobalt Strike beaconshave a stack limitation of 4096 bytes, so it's less likely to work (during development it always *did* work though). Theexecutableshouldalwayswork.
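Review bot: the rewritten paragraph contradicts itself about the executable: it opens with "The executable is somewhat stable." and closes with "The executable should always work." Pick one statement of reliability for the executable, and keep the 4096-byte stack limitation as the reason the beacon variant is the less reliable of the two (e.g. "The standalone executable worked reliably in testing; Cobalt Strike beacons have a stack limitation of 4096 bytes, so the beacon variant is less likely to work."). It would also help the reader to name the Ryzen Master driver version the exploit was tested against next to the Windows build, since the build number alone does not pin down the vulnerable driver.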