nmulasmajic / syscall_exploit_cve-2018-8897 Goto Github PK

Hello, could you give me some help about the exp... I'm sorry, I'm not good at English. So I can't express myself enough.

When I execute the code, I will fail at here.

So I debug it. and I find that the SymGetTypeFromNameW fails but GetLastError returns 0. So I find some help from Google and set DBGHELP_WININET=1. but it not work.

Can you give me some help, Thank U very much.

Hi,

I've been having issues with the poc on an unpatched windows 10 x64 (build 14393) VM (VMWare workstaion version: 14.0.0 build-6661328). After hard coding the correct offsets, the poc fails with the message:

"ERROR: Exploit failed to run. Is your machine patched?"

When debugging the VM using IDA (remote gdb) in a similar way to what was shown in the poc videos, when stepping over the 'syscall' instruction, KiSystemCall64 is called as usual and it seems like the deferred hardware breakpoint just doesn't fire.

While searching for the possible cause of this problem, I've read the following in Can Bölük's blog:

Before starting, I would like to note that this exploit may not work with certain hypervisors (like VMWare), which discard the pending #DB after INT3. I debugged it by “simulating” this situation.

While your poc uses syscall instead of INT3, I'm wondering if VMWare's workstation configuration is somehow related to this problem...

Any help resolving this issue would be greatly appreciated,
Thank you.