A Windows Kernel LPE exploit for HEVD targeting the Stack Overflow vulnerability on 1607 (RS1)
This exploit targets the classic stack buffer overflow vulnerability in the HEVD.sys driver. It was written on Windows 10 64-bit 1607, so an SMEP (Supervisor Mode Execution Prevention) bypass is needed. The exploit builds a ROP chain that writes the bits needed to disable SMEP into the CR4 (Control Register 4) Intel register. Building the ROP chain requires leaking the NTOSKRNL.exe base address (bypassing KASLR); this exploit uses the EnumDeviceDrivers information leak to obtain that base and calculate the gadget offsets for the ROP chain.