Share
## https://sploitus.com/exploit?id=85163A8B-797B-55C7-A729-5DB3F561A05A
# CVE-2025-8061 Exploit

## Overview

Proof-of-Concept exploit for **LnvMSRIO.sys** (Lenovo MSR I/O Driver), demonstrating arbitrary physical memory read/write and kernel memory access via Superfetch VA-to-PA translation.

## Driver Information

| Property | Value |
|----------|-------|
| **Driver Name** | LnvMSRIO.sys |
| **Device Name** | `\\.\WinMsrDev` |
| **Service Name** | LnvMSRIO |
| **Vendor** | Lenovo |
| **Purpose** | MSR and physical memory access for system utilities |

## Vulnerable IOCTLs

The driver exposes privileged kernel operations to usermode:

| IOCTL Code | Function | Description | PoC |
|------------|----------|-------------|-----|
| `0x9C406104` | Physical Memory READ | Maps via MmMapIoSpace | โœ… |
| `0x9C40A108` | Physical Memory WRITE | Maps and writes physical memory | โœ… |
| `0x9C402084` | MSR READ | Read Model-Specific Register | โŒ |
| `0x9C402088` | MSR WRITE | Write Model-Specific Register | โŒ |

## Input Structures

**Physical Memory Read (16 bytes):**
```
Offset 0:  UInt64  PhysicalAddress
Offset 8:  DWORD   AccessSize (1=byte, 2=word, 8=qword)
Offset 12: DWORD   Count (number of elements)
```

**Physical Memory Write (16 bytes header + data):**
```
Offset 0:  UInt64  PhysicalAddress
Offset 8:  DWORD   AccessSize
Offset 12: DWORD   Count
Offset 16: Data[]  (bytes to write)
```

## Exploitation Technique

### VA-to-PA Translation

Since the driver only provides **physical** memory access, we use the **Superfetch** technique to translate kernel virtual addresses to physical addresses:

1. Query Superfetch for physical memory ranges via `NtQuerySystemInformation(SystemSuperfetchInformation)`
2. Build a VAโ†’PA translation table from PFN entries
3. Translate kernel VAs to physical addresses
4. Read/Write physical memory using driver IOCTLs

## Usage

```
LnvMSRIOExploit.exe 
```

**Requirements:**
- Run as **Administrator**
- **64-bit Windows** (for Superfetch VAโ†’PA)
- Driver file must exist at specified path

## Build Instructions

1. Open `LnvMSRIOExploit.dproj` in Delphi IDE (RAD Studio)
2. Set target platform to **Windows 64-bit**
3. Build โ†’ Build Project (Ctrl+Shift+F9)
4. Output: `Win64\Release\LnvMSRIOExploit.exe`


## Disclaimer

This tool is provided for **educational and authorized security research purposes only**. Unauthorized use against systems you do not own or have explicit permission to test is illegal. The author assumes no liability for misuse.

## License

For research and educational purposes only.