## https://sploitus.com/exploit?id=5FE2BF50-A60A-5C67-915E-17BDBFDD88BD
# Wincor Nixdorf wnBios64.sys Stack Buffer Overflow Vulnerability
## Overview
This repository contains a security analysis and proof-of-concept (PoC) exploit for a stack buffer overflow vulnerability in the Wincor Nixdorf `wnBios64.sys` kernel driver.
**Vulnerability Type**: Stack Buffer Overflow
**CWE**: CWE-121 (Stack-based Buffer Overflow)
**Severity**: High (Local Privilege Escalation / Kernel Code Execution)
**Affected Component**: IOCTL Handler `0x80102058`
## Affected Product
- **Driver**: `wnBios64.sys`
- **Vendor**: Wincor Nixdorf International GmbH
- **Version**: 1.2.0.0 (DriverVer=05/28/2015,1.2.0.0)
- **Supported Operating Systems**:
- Windows 7 x64
- Windows Server 2003 x64
- Windows Server 2008 x64
- **Service Name**: `wnbios`
- **Device Names**: `\\.\wnBios64`, `\\.\wnBios`, `\\.\WinBios64`, `\\.\WinBios`
- **ClassGUID**: `{5b1efa1f-817b-4da5-b7de-bff21378b734}`
## Vulnerability Details
### Root Cause
The IOCTL handler `0x80102058` contains a stack buffer overflow vulnerability due to missing bounds checking on user-controlled input length.
**Vulnerable Code Pattern**:
```c
case 0x80102058:
v8 = Options; // Options is user-controlled, no bounds check!
memmove(Src, a2->AssociatedIrp.MasterIrp, Options); // ⚠️ Overflow!
// ... some operations ...
memmove(MasterIrp, Src, v8); // ⚠️ Information leak
a2->IoStatus.Information = v8;
break;
```
**Key Variables**:
- `Src[40]`: 40-byte stack buffer located at `[rsp+90h] [rbp-88h]`
- `Options`: User-controlled length parameter with **no bounds checking**
- `v8`: Stores the Options value for return data
### Vulnerability Characteristics
1. **Stack Buffer Overflow**
- When `Options > 40`, `memmove(Src, MasterIrp, Options)` overflows the stack buffer
- Can overwrite local variables, return addresses, and other stack data
- Potential for kernel code execution or system crash (BSOD)
2. **Information Disclosure**
- `memmove(MasterIrp, Src, v8)` reads and returns stack buffer contents to user space
- When `v8 > 40`, can leak kernel addresses and other sensitive stack data
- Observed kernel addresses in the range `0x80000000 - 0xFFFFFFFF`
3. **Read/Write Capabilities**
- **Write**: `memmove(Src, MasterIrp, Options)` - Write to stack buffer
- **Read**: `memmove(MasterIrp, Src, v8)` - Read from stack buffer
### Impact
- **Local Privilege Escalation**: Potential kernel code execution
- **System Instability**: Can cause system crashes (BSOD)
- **Information Disclosure**: Kernel address leakage may aid exploitation
- **Denial of Service**: Unprivileged users can crash the system
## Proof of Concept
The repository includes a comprehensive PoC (`poc_wnbios64_stack_exploit.c`) that demonstrates:
1. **Normal Read/Write Test**: Basic functionality test (40 bytes)
2. **Information Leak Test**: Reading beyond buffer boundaries to leak stack data
3. **Stack Buffer Overflow Test**: Triggering overflow with various payload sizes
4. **Address Data Analysis**: Extracting and analyzing leaked kernel addresses
### Compilation
```bash
# On Windows with Visual Studio or MinGW
gcc poc_wnbios64_stack_exploit.c -o poc_wnbios64_stack_exploit.exe
```
### Usage
```bash
# Run as Administrator
poc_wnbios64_stack_exploit.exe
```
**Warning**: This PoC may cause system instability or crashes. Use only in a controlled test environment.
## Technical Analysis
### Stack Layout
- Buffer location: `[rsp+90h] [rbp-88h]`
- Buffer size: 40 bytes
- Overflow capability: User-controlled length (no maximum limit)
### Exploitation Scenarios
1. **Information Disclosure** (Relatively Safe)
- Use 100-byte input to read beyond buffer
- Extract kernel addresses from leaked stack data
- Analyze address patterns for exploitation
2. **Stack Buffer Overflow** (High Risk)
- Construct payload > 40 bytes
- Overwrite return address or critical stack variables
- Potential for kernel code execution or BSOD
3. **Combined Exploitation** (Most Effective)
- Use information leak to gather kernel addresses
- Construct precise overflow payload based on leaked data
- Achieve stable code execution
### Observed Behavior
- Kernel addresses observed in leaked data (offsets 96-99)
- Address values vary between calls (dynamic data)
- All addresses fall within kernel address space (`0x80000000 - 0xFFFFFFFF`)
- Large overflows (>100 bytes) frequently cause system crashes
## Mitigation
**Vendor Response**: Not yet disclosed (pending CVE assignment)
**Recommended Mitigations**:
1. Add bounds checking before `memmove` operations
2. Validate `Options` parameter against buffer size (40 bytes)
3. Use secure functions like `RtlCopyMemory` with explicit size limits
4. Implement input validation for all IOCTL handlers
**Temporary Workarounds**:
- Restrict access to device objects (`\\.\wnBios64`, etc.)
- Uninstall the driver if not required
- Monitor for driver loading and block if possible
## Files
- `README.md` - This file
- `poc_wnbios64_stack_exploit.c` - Complete PoC exploit code
- `wnBios64_栈缓冲区利用总结.md` - Detailed vulnerability analysis (Chinese)
- `wnBios64_IOCTL_0x80102058_利用方案.md` - Exploitation methodology (Chinese)
- `wnBios64.inf` - Driver installation information file
## Disclosure Timeline
- **Discovery Date**: [To be filled]
- **Report Date**: [To be filled]
- **Vendor Notification**: [To be filled]
- **CVE Assignment**: [Pending]
## Credits
- **Researcher**: 250wuyifan (2017447579@qq.com)
- **Analysis Date**: 2024
## License
This repository is for educational and security research purposes only. Use responsibly and only in authorized testing environments.
## Disclaimer
This vulnerability analysis and PoC are provided for security research and educational purposes only. The authors are not responsible for any misuse of this information. Users are responsible for ensuring they have proper authorization before testing this vulnerability.
## References
- [CWE-121: Stack-based Buffer Overflow](https://cwe.mitre.org/data/definitions/121.html)
- [Wincor Nixdorf](https://www.wincor-nixdorf.com/) (Vendor website)
---
**Note**: This vulnerability is pending CVE assignment. Please check back for updates.