CVE-2025-8061 Exploit
December 10, 2025 · View on GitHub
Overview
Proof-of-Concept exploit for LnvMSRIO.sys (Lenovo MSR I/O Driver), demonstrating arbitrary physical memory read/write and kernel memory access via Superfetch VA-to-PA translation.
Driver Information
| Property | Value |
|---|---|
| Driver Name | LnvMSRIO.sys |
| Device Name | \\.\WinMsrDev |
| Service Name | LnvMSRIO |
| Vendor | Lenovo |
| Purpose | MSR and physical memory access for system utilities |
Vulnerable IOCTLs
The driver exposes privileged kernel operations to usermode:
| IOCTL Code | Function | Description | PoC |
|---|---|---|---|
0x9C406104 | Physical Memory READ | Maps via MmMapIoSpace | ✅ |
0x9C40A108 | Physical Memory WRITE | Maps and writes physical memory | ✅ |
0x9C402084 | MSR READ | Read Model-Specific Register | ❌ |
0x9C402088 | MSR WRITE | Write Model-Specific Register | ❌ |
Input Structures
Physical Memory Read (16 bytes):
Offset 0: UInt64 PhysicalAddress
Offset 8: DWORD AccessSize (1=byte, 2=word, 8=qword)
Offset 12: DWORD Count (number of elements)
Physical Memory Write (16 bytes header + data):
Offset 0: UInt64 PhysicalAddress
Offset 8: DWORD AccessSize
Offset 12: DWORD Count
Offset 16: Data[] (bytes to write)
Exploitation Technique
VA-to-PA Translation
Since the driver only provides physical memory access, we use the Superfetch technique to translate kernel virtual addresses to physical addresses:
- Query Superfetch for physical memory ranges via
NtQuerySystemInformation(SystemSuperfetchInformation) - Build a VA→PA translation table from PFN entries
- Translate kernel VAs to physical addresses
- Read/Write physical memory using driver IOCTLs
Usage
LnvMSRIOExploit.exe <path_to_LnvMSRIO.sys>
Requirements:
- Run as Administrator
- 64-bit Windows (for Superfetch VA→PA)
- Driver file must exist at specified path
Build Instructions
- Open
LnvMSRIOExploit.dprojin Delphi IDE (RAD Studio) - Set target platform to Windows 64-bit
- Build → Build Project (Ctrl+Shift+F9)
- Output:
Win64\Release\LnvMSRIOExploit.exe
Disclaimer
This tool is provided for educational and authorized security research purposes only. Unauthorized use against systems you do not own or have explicit permission to test is illegal. The author assumes no liability for misuse.
License
For research and educational purposes only.