Whitepaper discussing the fact that the Microsoft Server Message Block Redirector Driver (mrxsmb.sys) does not verify the user-mode buffer properly, allowing any user to overwrite any desired memory address. The successful exploitation results in Ring0 code execution.
You can download it from the following link: https://packetstormsecurity.com/files/download/47440/mrxsmb-ring0-advisory.pdf
Source: https://packetstormsecurity.com/files/47440/mrxsmb-ring0-advisory.pdf.html