Kernel Privilege Escalation in Intel Ethernet Diagnostics Driver (IQVW32.sys/IQVW64.sys)

Repository contains a Windows local privilege escalation PoC for CVE-2015-2291 targeting Intel's iqvw64e.sys (device \\.\Nal). Structure: (1) README.md explains reverse engineering of the driver's IRP_MJ_DEVICE_CONTROL handler, the IOCTL 0x80862007 path, and a jump-table dispatch where index 0x33 triggers an internal memmove-like routine. This yields an arbitrary kernel memory copy primitive, which is wrapped into read64/write64 helpers. (2) main.cpp is the operational exploit: it enumerates kernel drivers to find the ntoskrnl.exe base, loads a local ntoskrnl.exe to resolve PsInitialSystemProcess and compute its kernel address, uses the memmove primitive to read the SYSTEM process EPROCESS and its Token, walks the ActiveProcessLinks list to find the current process EPROCESS by UniqueProcessId, overwrites the current process Token with the SYSTEM token (token stealing), then launches powershell.exe. The exploit is build-specific due to hardcoded EPROCESS offsets for Windows 10 x64 22H2 (19045.6466). No network IOCs are present; all interaction is local via the device driver and kernel memory primitives.

This repository provides a detailed write-up and fully functional local privilege escalation exploit for CVE-2015-2291, targeting the Intel Ethernet diagnostics driver (IQVW32.sys/IQVW64.sys) on Windows 7 SP1 and Windows 10 20H2 (both 64-bit). The exploit is implemented in C and assembly, with separate codebases for Windows 7 and Windows 10. The main exploit logic is in 'exploit.c', which interacts with the vulnerable driver via the DeviceIoControl API using the IOCTL code 0x80862007. The exploit leverages the lack of proper input validation in the driver to perform arbitrary memory operations in kernel space, ultimately overwriting function pointers in the HalDispatchTable to execute custom kernel shellcode. The shellcode steals the SYSTEM process token and assigns it to the current process, resulting in a SYSTEM shell. The repository includes all necessary source files, project files for Visual Studio, and detailed technical documentation in the README. The exploit is operational and demonstrates a real-world local privilege escalation technique using a BYOVD (Bring Your Own Vulnerable Driver) approach.

This repository is a proof-of-concept (PoC) exploit for CVE-2015-2291, a privilege escalation vulnerability in the Intel Ethernet diagnostics driver (iqvw64e.sys) on Windows. The exploit is implemented in C++ and consists of two main code files: 'intelExplo.cpp' (main logic) and 'intelExplo.hpp' (definitions and helper functions/structs). The exploit interacts with the driver via the device interface '\\.\Nal' and leverages IOCTLs to perform arbitrary kernel memory read/write operations. By manipulating kernel memory, the exploit locates the SYSTEM process token and overwrites the current process token, effectively granting SYSTEM privileges to the exploit process. It then spawns a SYSTEM shell (cmd.exe). The code also includes additional functionality for physical-to-virtual address translation and mapping physical memory, which can be used for arbitrary kernel memory access. The exploit requires the vulnerable driver to be loaded and accessible, and is intended for local privilege escalation on Windows systems.