- Wise System Monitor 1.5.3.54, WiseHDInfo64.dll 1.0.2.21
- http://www.wisecleaner.com/wise-system-monitor.html
Arbitrary Kernel Execution
Through IoControlCode 0x9C402088, a normal user can cause the driver to call __writemsr, which can lead to arbitrary kernel execution.
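For triage, the control code above can be split into its standard CTL_CODE fields. The decoder below is an added example, not part of the attached PoC or the vendor's code; the struct and function names are hypothetical. It shows that 0x9C402088 is a vendor-defined request whose access field is FILE_ANY_ACCESS, so the control code itself demands no read or write access on the device handle.

```c
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout: DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0] */
struct ioctl_fields {
    uint16_t device_type;
    uint8_t  access;
    uint16_t function;
    uint8_t  method;
};

static struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* Access field 0 is FILE_ANY_ACCESS: the code requires no read/write access on the handle. */
static int requires_no_access(struct ioctl_fields f) { return f.access == 0; }

/* Device types below 0x8000 and function codes below 0x800 are reserved for Microsoft. */
static int is_vendor_defined(struct ioctl_fields f)
{
    return f.device_type >= 0x8000 && f.function >= 0x800;
}

static const char *method_name(uint8_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 0x3];
}

int main(void)
{
    struct ioctl_fields f = decode_ioctl(0x9C402088u); /* code from this advisory */
    printf("DeviceType=0x%04X Function=0x%03X Access=%u Method=%s\n",
           (unsigned)f.device_type, (unsigned)f.function,
           (unsigned)f.access, method_name(f.method));
    printf("vendor-defined=%d no-access-required=%d\n",
           is_vendor_defined(f), requires_no_access(f));
    return 0;
}
```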
The attached file ArbitraryKernelExecution.zip contains writemsr.exe, writemsr.cpp, ArbitraryKernelExecution.cpp, WSMSetup_1.5.3.127.exe, and WiseHDInfo64.dll (which is in fact a .sys). writemsr.exe is the PoC that triggers the MSR write on a system where WSMSetup_1.5.3.127.exe, which contains the vulnerable driver WiseHDInfo64.dll, is installed; writemsr.cpp is the source code of writemsr.exe. To reproduce the issue, install WSMSetup_1.5.3.127.exe and execute writemsr.exe. It is expected that the system will call __writemsr once writemsr.exe is executed.
To achieve arbitrary kernel execution, refer to the project https://git.back.engineering/_xeroxz/msrexec, and replace main.cpp in the project with ArbitraryKernelExecution.cpp from the attachment.
Password for attachment: ArbitraryKernelExecution https://drive.google.com/file/d/15k4sO3qRWDORWjU2QyOVoT_DumX6LrWu/view?usp=sharing