October 17, 2005

Exploiting Windows Device Drivers

Piotr Bania has written a paper on "Exploiting Windows Device Drivers".

Now before you get all riled up and fretting that Windows is doomed, please note as you read through this that for this approach to work, you have to have administrative privileges on the system to install code at ring0. You will need to find a vulnerable driver (OK, that's not THAT hard, I guess), and for Piotr's method to work you MUST be in your thread's context at the time of exploitation (well, that's more an issue with KeUserModeCallback than anything else).

All little nuggets that make this more difficult to execute in a real-world situation. With that said, however, this is a maturing of this attack vector. Due to the lack of technical papers on the subject (even though Hoglund's rootkit book is now out there), the results shared by Piotr's research will go a long way toward fueling more work in this space. In his paper a device driver exploitation technique is introduced, and he provides a detailed description of the techniques used, including full exploit code with sample vulnerable driver code for testing.

If you are familiar with IA-32 assembly and have previous experience with software vulnerability exploitation, you might find this article interesting. I would suggest, as Piotr does, reading the two whitepapers mentioned in his paper as a first step toward fully understanding his approach.

Posted by SilverStr at October 17, 2005 12:23 PM
Comments

I like your site. Yes I do.
Pretty colors. :(

Posted by: What'sUpMindy at October 20, 2005 03:49 PM