    README.md
    skipped 15 lines
    16 16  
    17 17  I initially identified this vulnerability (if you can call it a vulnerability, concidering the administrator-to-kernel is <a href="https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria">not</a> concidered a security boundary) during some kernel driver research. I identified four attack vectors in the driver. I later found out that <a href="https://github.com/h0mbre">@h0mbre</a> <a href="https://h0mbre.github.io/RyzenMaster_CVE/">identified</a> two of these vectors back in 2020. Back then, every user on the system could open handles to the symbolic link. AMD 'fixed' it by restricting access to local administrators. But from a threat actor and red teaming perspective, it is still very useful.
    18 18  
    19  -**The exploit was developed and tested on Windows 10 Pro 22H2 19045.2486.** The executable is somewhat stable. The Cobalt Strike beacon is has a stack limitation of 4096 bytes, so it's less likely to work (during development it always did work though).
     19 +**I developed and tested this exploit on Windows 10 Pro 22H2 19045.2486.** The executable is somewhat stable. Cobalt Strike beacons have a stack limitation of 4096 bytes, so it's less likely to work (during development it always *did* work though). The executable should always work.
    20 20  
    21 21  <p align="center">
    22 22   <img width="1000" src="https://raw.githubusercontent.com/tijme/amd-ryzen-master-driver-v17-exploit/master/.github/screenshot.png" />
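Review bot: the new line 19 contradicts itself, stating that "The executable is somewhat stable" and, two sentences later, that "The executable should always work". Keep one claim, for example "The stand-alone executable has not failed in testing; the Cobalt Strike beacon variant is less reliable because of the beacon's 4096-byte stack limitation." While touching this paragraph, the typos "concidering" and "concidered" on the unchanged line 17 are worth fixing in the same commit.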
    skipped 20 lines
    43 43  ## Limitations
    44 44  
    45 45  * Due to the ACL on the symbolic link only local administrators can communicate with the driver.
     46 +* The physical memory limits are currently hardcoded.
    46 47  
    47 48  ## Todo
    48 49  
    49 50  * Load the vulnerable driver from memory instead of from disk.
    50 51  * Make the exploit stable & compatible with multiple Windows versions.
     52 +* Adjust physical page iterations based on how many RAM is available.
    51 53  
    52 54  ## Issues
    53 55  
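Review bot: the new Todo item on line 52 should read "based on how much RAM is available", not "how many RAM". The matching Limitations entry on line 46 would be more useful if it said what the hardcoded physical memory limits mean for the user, i.e. that the physical page iteration covers a fixed range regardless of installed RAM, so machines with more or less memory than the hardcoded bounds are not handled; stating the current hardcoded values there would let users judge whether their machine is covered.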
    skipped 6 lines