Share
## https://sploitus.com/exploit?id=85163A8B-797B-55C7-A729-5DB3F561A05A
# CVE-2025-8061 Exploit
## Overview
Proof-of-Concept exploit for **LnvMSRIO.sys** (Lenovo MSR I/O Driver), demonstrating arbitrary physical memory read/write and kernel memory access via Superfetch VA-to-PA translation.
## Driver Information
| Property | Value |
|----------|-------|
| **Driver Name** | LnvMSRIO.sys |
| **Device Name** | `\\.\WinMsrDev` |
| **Service Name** | LnvMSRIO |
| **Vendor** | Lenovo |
| **Purpose** | MSR and physical memory access for system utilities |
## Vulnerable IOCTLs
The driver exposes privileged kernel operations to usermode:
| IOCTL Code | Function | Description | PoC |
|------------|----------|-------------|-----|
| `0x9C406104` | Physical Memory READ | Maps via MmMapIoSpace | โ
|
| `0x9C40A108` | Physical Memory WRITE | Maps and writes physical memory | โ
|
| `0x9C402084` | MSR READ | Read Model-Specific Register | โ |
| `0x9C402088` | MSR WRITE | Write Model-Specific Register | โ |
## Input Structures
**Physical Memory Read (16 bytes):**
```
Offset 0: UInt64 PhysicalAddress
Offset 8: DWORD AccessSize (1=byte, 2=word, 8=qword)
Offset 12: DWORD Count (number of elements)
```
**Physical Memory Write (16 bytes header + data):**
```
Offset 0: UInt64 PhysicalAddress
Offset 8: DWORD AccessSize
Offset 12: DWORD Count
Offset 16: Data[] (bytes to write)
```
## Exploitation Technique
### VA-to-PA Translation
Since the driver only provides **physical** memory access, we use the **Superfetch** technique to translate kernel virtual addresses to physical addresses:
1. Query Superfetch for physical memory ranges via `NtQuerySystemInformation(SystemSuperfetchInformation)`
2. Build a VAโPA translation table from PFN entries
3. Translate kernel VAs to physical addresses
4. Read/Write physical memory using driver IOCTLs
## Usage
```
LnvMSRIOExploit.exe
```
**Requirements:**
- Run as **Administrator**
- **64-bit Windows** (for Superfetch VAโPA)
- Driver file must exist at specified path
## Build Instructions
1. Open `LnvMSRIOExploit.dproj` in Delphi IDE (RAD Studio)
2. Set target platform to **Windows 64-bit**
3. Build โ Build Project (Ctrl+Shift+F9)
4. Output: `Win64\Release\LnvMSRIOExploit.exe`
## Disclaimer
This tool is provided for **educational and authorized security research purposes only**. Unauthorized use against systems you do not own or have explicit permission to test is illegal. The author assumes no liability for misuse.
## License
For research and educational purposes only.