spawn451/CVE-2025-8061-Exploit

CVE-2025-8061 Exploit

Overview

Proof-of-Concept exploit for LnvMSRIO.sys (Lenovo MSR I/O Driver), demonstrating arbitrary physical memory read/write and kernel memory access via Superfetch VA-to-PA translation.

Driver Information

| Property | Value |
|---|---|
| Driver Name | LnvMSRIO.sys |
| Device Name | \\.\WinMsrDev |
| Service Name | LnvMSRIO |
| Vendor | Lenovo |
| Purpose | MSR and physical memory access for system utilities |

Vulnerable IOCTLs

The driver exposes privileged kernel operations to user mode:

| IOCTL Code | Function | Description | PoC |
|---|---|---|---|
| 0x9C406104 | Physical Memory READ | Maps via MmMapIoSpace | |
| 0x9C40A108 | Physical Memory WRITE | Maps and writes physical memory | |
| 0x9C402084 | MSR READ | Read Model-Specific Register | |
| 0x9C402088 | MSR WRITE | Write Model-Specific Register | |

Input Structures

Physical Memory Read (16 bytes):

Offset 0:  UInt64  PhysicalAddress
Offset 8:  DWORD   AccessSize (1=byte, 2=word, 8=qword)
Offset 12: DWORD   Count (number of elements)

Physical Memory Write (16 bytes header + data):

Offset 0:  UInt64  PhysicalAddress
Offset 8:  DWORD   AccessSize
Offset 12: DWORD   Count
Offset 16: Data[]  (bytes to write)
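
For reviewing driver-monitoring or IRP-trace output, the IOCTL table and input structures above can be turned into a small decoder. This is an added example, not part of the repository's Delphi code; the helper names, the AccessSize * Count byte total and the sample buffers are assumptions constructed for illustration.

```python
import struct

# CTL_CODE layout (Windows DDK): DeviceType<<16 | Access<<14 | Function<<2 | Method
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
ACCESS = ("FILE_ANY_ACCESS", "FILE_READ_ACCESS", "FILE_WRITE_ACCESS",
          "FILE_READ_ACCESS|FILE_WRITE_ACCESS")

# Codes and meanings exactly as listed in the README's IOCTL table.
KNOWN = {0x9C406104: "physical memory read", 0x9C40A108: "physical memory write",
         0x9C402084: "MSR read", 0x9C402088: "MSR write"}

def decode_ioctl(code):
    """Split a 32-bit IOCTL code into its CTL_CODE fields."""
    return {"device_type": code >> 16,
            "access": ACCESS[(code >> 14) & 0x3],
            "function": (code >> 2) & 0xFFF,
            "method": METHODS[code & 0x3]}

def parse_phys_header(buf):
    """Parse the 16-byte header shared by the physical read and write requests."""
    if len(buf) < 16:
        raise ValueError("request shorter than the 16-byte header")
    phys_addr, access_size, count = struct.unpack_from("<QII", buf, 0)
    return phys_addr, access_size, count, buf[16:]

def triage(code, buf):
    """Summarise one captured request (hypothetical helper for log review)."""
    op = KNOWN.get(code)
    if op is None:
        return "unlisted IOCTL 0x%08X" % code
    if not op.startswith("physical"):
        return op  # the page gives no input layout for the MSR requests
    phys_addr, access_size, count, data = parse_phys_header(buf)
    total = access_size * count  # assumption: bytes touched = AccessSize * Count
    text = "%s: %d bytes at PA 0x%X" % (op, total, phys_addr)
    if op.endswith("write") and len(data) != total:
        text += " (payload is %d bytes, header declares %d)" % (len(data), total)
    return text

# Constructed sample requests (not captured from a real system).
SAMPLE_READ = bytes.fromhex("0010000000000000" "08000000" "02000000")
SAMPLE_WRITE = bytes.fromhex("0020000000000000" "01000000" "04000000" "00000000")

if __name__ == "__main__":
    for code in KNOWN:
        print("0x%08X" % code, KNOWN[code], decode_ioctl(code))
    print(triage(0x9C406104, SAMPLE_READ))
    print(triage(0x9C40A108, SAMPLE_WRITE))
```

Decoding shows all four codes share device type 0x9C40 and METHOD_BUFFERED, and that the two MSR codes are defined with FILE_ANY_ACCESS, which is worth noting when writing a monitoring rule for handles opened on \\.\WinMsrDev.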

Exploitation Technique

VA-to-PA Translation

Since the driver only provides physical memory access, we use the Superfetch technique to translate kernel virtual addresses to physical addresses:

  1. Query Superfetch for physical memory ranges via NtQuerySystemInformation(SystemSuperfetchInformation)
  2. Build a VA→PA translation table from PFN entries
  3. Translate kernel VAs to physical addresses
  4. Read/Write physical memory using driver IOCTLs

Usage

LnvMSRIOExploit.exe <path_to_LnvMSRIO.sys>

Requirements:

  • Run as Administrator
  • 64-bit Windows (for Superfetch VA→PA)
  • Driver file must exist at specified path

Build Instructions

  1. Open LnvMSRIOExploit.dproj in Delphi IDE (RAD Studio)
  2. Set target platform to Windows 64-bit
  3. Build → Build Project (Ctrl+Shift+F9)
  4. Output: Win64\Release\LnvMSRIOExploit.exe

Disclaimer

This tool is provided for educational and authorized security research purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal. The author assumes no liability for misuse.

License

For research and educational purposes only.
