Windows Kernel Intel x64 SYSRET Vulnerability + Code Signing Bypass Bonus

25 Aug 2012
Hi again,
This time I worked on Kernel-Land a little. The Microsoft Windows Kernel Intel x64 SYSRET Vulnerability (MS12-042) was apparently only exploited by VUPEN, and no PoC or exploit was publicly available. So I decided to work on this challenge just for fun. At first glance it was difficult to get code execution, but after several rounds of struggling with Windbg I finally succeeded in triggering the bug and getting code execution. By the way, Windbg had a stupid bug when single-stepping over SWAPGS! I don’t really know why, but the guest VM always reboots! I managed to get it to work with IDA Pro + the GDB remote debugging plugin after all!

So, anyway, here is the demonstration on Youtube.

The shellcode disables Code Signing and grants NT SYSTEM privilege to a specified application or an already running process (PID). After successfully running the exploit, I demonstrated installing an unsigned driver (which DbgPrints “Microsoft eats it own dog food”) and granting NT SYSTEM privilege to cmd.exe.

WARNING: This is only a proof-of-concept; although it’s programmed to be very reliable, I won’t take any responsibility for any damage or abuse. Sorry kids!
Here is the source code.

UPDATE: I’ve just tested the exploit on Windows 2008 R2 SP1 x64; the exploit works like a charm without any modification.

This post is imported from my old WP blog, so some links might be broken: original post.