Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-38304 PoC — Ni-Pal 输入验证错误漏洞

Source
https://github.com/philsajdak/CVE-2021-38304-PoC
Associated Vulnerability
Title:Ni-Pal 输入验证错误漏洞 (CVE-2021-38304)
Description:Ni-Pal是美国Ni公司的一个软件组件。用于为多个NI驱动提供必需功能。 NI-PAL driver存在安全漏洞,该漏洞源于网络系统或产品缺乏有效的权限许可和访问控制措施。
Description
CVE-2021-38304 Proof of Concept
Readme
# CVE-2021-38304 Proof of Concept
### Overview

This repository contains a proof of concept for a critical security vulnerability in older versions of the National Instruments `nipalk.sys` driver. The vulnerability allows for arbitrary code execution and memory disclosure in kernel mode. It is intended purely for personal research only.

### Description

The `nipalk.sys` driver improperly handles user-supplied pointers during the processing of a specific IOCTL request. This flaw enables an attacker to supply a function pointer that the driver will call in kernel context with controlled parameters.

### Key points

* __Function Pointer Control__: The driver calls a user-supplied function pointer without proper validation.
* __Parameter Control__: The attacker can control the `RCX` and `RDX` registers during the function call.
* __Memory Disclosure__: By calling functions like `RtlCopyMemory`, an attacker can read arbitrary kernel memory.
* __Denial of Service (DoS)__: Passing an invalid function pointer causes a system crash due to the driver's lack of input validation.

### Root Cause

The vulnerability arises from the driver's failure to validate  pointers provided by user-mode applications. During the processing of IOCTL `0xABCD03C4`, the driver retrieves a function pointer from a user-controlled structure and invokes it without proper checks:

```assembly
0045561e 48 8b 01        MOV        RAX,qword ptr [param_1]
00455621 49 8b 52 18     MOV        irp,qword ptr [R10 + 0x18]
00455625 ff 50 08        CALL       qword ptr [RAX + 0x8]
```

* The function pointer at `[RAX + 8]` is executed in kernel context.
* Parameters `RCX` and `RDX` are controlled by the user.

### Output Example

* Successful Memory Leak:

```
[+] Starting exploit
[+] Memory allocated
[+] Values before IOCTL:
   exploit->dummy: 00000000001b0000
   exploit->function_pointer: fffff8017ea21300
[+] Device opened successfully
[+] Sending IOCTL
[+] Values after IOCTL:
   exploit->dummy: 7208f88349c18b48
   exploit->function_pointer: ffff7710f8834937
[+] DeviceIoControl succeeded. Bytes returned: 8
[+] Buffer Output: 1769472
[!] WARNING: exploit->dummy has changed!
[!] WARNING: exploit->function_pointer has changed!
[+] Exploit finished
```

### Disclaimer
This PoC is intended for educational purposes only.
File Snapshot

 [4.0K]  /data/pocs/22177a887f787c5b16312fbb50f2c5eba5d1d8d2
├── [3.1K]  main.cpp
├── [2.3K]  README.md
├── [1.4K]  utils.cpp
└── [ 239]  utils.h

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.