Exploit MsIo vulnerable driver
This is a PoC for CVE-2019-18845 in MsIo64.sys, which allows a non-privileged user to map/unmap arbitrary physical memory via ZwMapViewOfSection / ZwUnmapViewOfSection.
If you are interested in abusing physical memory mapping, see the project anycall, which has a full implementation of the client-side and driver-side functionality.
Allowing a non-privileged (non-kernel) component to map arbitrary physical memory is an extremely bad practice and a critical vulnerability: it lets an attacker gain full control of the system, as I demonstrated with arbitrary NT kernel API invocation in this PoC.
You can try it yourself by executing this while the driver is running.
Also, this driver and MsIo64.dll are a full copy & paste of IO-Memory.
This vulnerability was first reported in 2019 but still remains unfixed, and hardware vendors like ASRock still use this driver.
> MsIoExploit.exe
Several parts of the token-stealing code are taken from ExploitCapcom.
Credit @tandasat
MIT copyright Kento Oki <[email protected]>