## https://sploitus.com/exploit?id=F82576EA-99AB-5361-9E2A-0AA6312304C0
# CVE-2021-38304 Proof of Concept
### Overview
This repository contains a proof of concept for a critical security vulnerability in older versions of the National Instruments `nipalk.sys` driver. The vulnerability allows arbitrary code execution and memory disclosure in kernel mode. It is intended for personal research only.
### Description
The `nipalk.sys` driver improperly handles user-supplied pointers during the processing of a specific IOCTL request. This flaw enables an attacker to supply a function pointer that the driver will call in kernel context with controlled parameters.
### Key Points
* __Function Pointer Control__: The driver calls a user-supplied function pointer without proper validation.
* __Parameter Control__: The attacker can control the `RCX` and `RDX` registers during the function call.
* __Memory Disclosure__: By calling functions like `RtlCopyMemory`, an attacker can read arbitrary kernel memory.
* __Denial of Service (DoS)__: Passing an invalid function pointer causes a system crash due to the driver's lack of input validation.
### Root Cause
The vulnerability arises from the driver's failure to validate pointers provided by user-mode applications. During the processing of IOCTL `0xABCD03C4`, the driver retrieves a function pointer from a user-controlled structure and invokes it without proper checks:
```assembly
0045561e 48 8b 01 MOV RAX,qword ptr [param_1]
00455621 49 8b 52 18 MOV irp,qword ptr [R10 + 0x18]
00455625 ff 50 08 CALL qword ptr [RAX + 0x8]
```
* The function pointer at `[RAX + 8]` is executed in kernel context.
* Parameters `RCX` and `RDX` are controlled by the user.
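For contrast with the pattern above, here is an added illustration (not part of this PoC or the vendor's driver) of the handler design that avoids the bug class: the request names an operation by index into a driver-owned table, the request is copied once into kernel-owned storage before any check, and the index is bounds-checked. Structure layout, return codes and operation names are constructed for the example; it is a portable C model, so `ProbeForRead` is only mentioned in a comment rather than called.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed request layout: the caller names an operation by index, never by address. */
typedef struct {
    uint32_t opcode;     /* index into the driver-owned table below */
    uint32_t reserved;
    uint64_t arg0;       /* the role RCX played in the vulnerable driver */
    uint64_t arg1;       /* the role RDX played in the vulnerable driver */
} safe_request_t;

typedef long (*op_fn)(uint64_t, uint64_t);

static long op_add(uint64_t a, uint64_t b) { return (long)((a + b) & 0x7fffffffu); }
static long op_xor(uint64_t a, uint64_t b) { return (long)((a ^ b) & 0x7fffffffu); }

/* The only code the IOCTL can reach: addresses live in driver memory, not in the request. */
static const op_fn dispatch_table[] = { op_add, op_xor };
#define OP_COUNT (sizeof dispatch_table / sizeof dispatch_table[0])

/* Constructed status codes (negative so they never collide with an operation result). */
enum { HANDLER_INVALID_PARAM = -1, HANDLER_BUFFER_TOO_SMALL = -2 };

/* Model of a hardened handler: check the length, capture the request once into kernel-owned
   storage (so the caller cannot change it between check and use), then bounds-check the
   opcode. A real Windows driver would also ProbeForRead the user buffer before the copy. */
long handle_ioctl(const void *user_buf, size_t user_len)
{
    safe_request_t req;
    if (user_buf == NULL || user_len < sizeof req)
        return HANDLER_BUFFER_TOO_SMALL;
    memcpy(&req, user_buf, sizeof req);       /* single capture of caller data */
    if (req.opcode >= OP_COUNT)
        return HANDLER_INVALID_PARAM;          /* never derive a call target from caller data */
    return dispatch_table[req.opcode](req.arg0, req.arg1);
}

/* Helper that builds a request the way a user-mode caller would and submits it with
   the given buffer length; returns the operation result or a negative status. */
long submit(uint32_t opcode, uint64_t a, uint64_t b, size_t len)
{
    safe_request_t req = { opcode, 0, a, b };
    return handle_ioctl(&req, len);
}
```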
### Output Example
Successful memory leak:
```text
[+] Starting exploit
[+] Memory allocated
[+] Values before IOCTL:
exploit->dummy: 00000000001b0000
exploit->function_pointer: fffff8017ea21300
[+] Device opened successfully
[+] Sending IOCTL
[+] Values after IOCTL:
exploit->dummy: 7208f88349c18b48
exploit->function_pointer: ffff7710f8834937
[+] DeviceIoControl succeeded. Bytes returned: 8
[+] Buffer Output: 1769472
[!] WARNING: exploit->dummy has changed!
[!] WARNING: exploit->function_pointer has changed!
[+] Exploit finished
```
### Disclaimer
This PoC is intended for educational purposes only.