otavioarj/SIOCtl

SIOCtl

Simple IOCTL dispatcher


This is a generic IOCTL "dispatcher". I made this to be used as a POC for CVE-2018-8060 and CVE-2018-8061, but it can be used with any device, IOCTL and data.
  • Input data is a binary file containing raw data to be used as the input buffer in the I/O control call.
  • Output data is displayed as a hexadecimal dump.

CVE 2018-8060

  • Description:
    HWiNFO AMD64 Kernel driver version 8.98 and lower allows an unprivileged user to send IOCTLs to the device driver. If the input and/or output buffer pointers are null, or if the data in these buffers is invalid, a null/invalid pointer dereference occurs, resulting in a Windows kernel panic, a.k.a. Blue Screen.

  • POC:
    An unprivileged user sending some IOCTLs higher than 0x85FE2600 to the symbolic device "HWiNFO32", with arbitrary in/out buffer data, causes a pointer dereference inside the scope of the device driver, resulting in a kernel panic. Some cases result in CWE-476 (NULL Pointer Dereference) or CWE-781 (Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code).
    • The easiest way to trigger it is to use a null input buffer :).

CVE 2018-8061

  • Description:
    HWiNFO AMD64 Kernel driver version 8.98 and lower allows an unprivileged user to send a special IOCTL to the device driver, resulting in direct physical memory read or write.

  • POC:
    An unprivileged user sending a special IOCTL, i.e. 0x85FE2608, to the symbolic device "HWiNFO32", with an in-buffer (user-space) containing a physical memory address, a size and a virtual memory address, results in the driver mapping the physical memory and reading it, copying its content to the virtual address.
    The file 8061.data is formatted in this fashion:

    • Phy. Address: FFFFF7F100002000 (source)
    • Size: 00000008
    • Dest. Virt. Address: 4141414141414141
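
The IOCTL numbers quoted above pack four fields (device type, required access, function and transfer method), and decoding them is a usual first step when reviewing which control codes a driver exposes. The C decoder below is an added example, not part of SIOCtl; the `AUDIT_*` flag names are hypothetical and the third sample code is constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Windows I/O control code layout (CTL_CODE in the WDK):
 * DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0] */
typedef struct {
    uint32_t device_type;
    uint32_t access;   /* 0 ANY, 1 READ, 2 WRITE, 3 READ|WRITE */
    uint32_t function;
    uint32_t method;   /* 0 BUFFERED, 1 IN_DIRECT, 2 OUT_DIRECT, 3 NEITHER */
} ioctl_fields;

/* Hypothetical review flags, named for this example only. */
enum { AUDIT_ANY_ACCESS = 1, AUDIT_METHOD_NEITHER = 2, AUDIT_VENDOR_DEVICE = 4 };

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3;
    f.function    = (code >> 2) & 0xFFF;
    f.method      = code & 0x3;
    return f;
}

/* Properties a driver reviewer checks first for each exposed code. */
int audit_flags(uint32_t code) {
    ioctl_fields f = decode_ioctl(code);
    int flags = 0;
    /* FILE_ANY_ACCESS: the handle needs neither read nor write access. */
    if (f.access == 0) flags |= AUDIT_ANY_ACCESS;
    /* METHOD_NEITHER: the driver gets raw user pointers (see CWE-781). */
    if (f.method == 3) flags |= AUDIT_METHOD_NEITHER;
    /* Device types 0x8000 and above are vendor-defined. */
    if (f.device_type >= 0x8000) flags |= AUDIT_VENDOR_DEVICE;
    return flags;
}

int main(void) {
    /* First two values are quoted in the README; the third is constructed. */
    const uint32_t codes[] = { 0x85FE2600u, 0x85FE2608u, 0x80002003u };
    static const char *methods[] = { "BUFFERED", "IN_DIRECT", "OUT_DIRECT", "NEITHER" };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%08X dev=0x%04X access=%u func=0x%03X METHOD_%s flags=%d\n",
               (unsigned)codes[i], (unsigned)f.device_type, (unsigned)f.access,
               (unsigned)f.function, methods[f.method], audit_flags(codes[i]));
    }
    return 0;
}
```

Both codes quoted in the README decode to device type 0x85FE with FILE_ANY_ACCESS and METHOD_BUFFERED; the constructed third code shows how a METHOD_NEITHER code is flagged.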
