CVE-2018-8897

Demo exploitation of the POP SS vulnerability (CVE-2018-8897), leading to unsigned code execution with kernel privilages.

• KVA Shadowing should be disabled and the relevant security update should be uninstalled.
• This may not work with certain hypervisors (like VMWare), which discard the pending #DB after INT3.

Detailed explanation:

https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897/

Result: