<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Poc on Rehman's Blog</title><link>https://blog.ahmadz.ai/tags/poc/</link><description>Recent content in Poc on Rehman's Blog</description><image><title>Rehman's Blog</title><url>https://blog.ahmadz.ai/blog.jpg</url><link>https://blog.ahmadz.ai/blog.jpg</link></image><generator>Hugo -- 0.147.5</generator><language>en-us</language><lastBuildDate>Mon, 06 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://blog.ahmadz.ai/tags/poc/index.xml" rel="self" type="application/rss+xml"/><item><title>ASUS bsitf.sys (CVE-2026-13585): Arbitrary Physical Memory Mapping</title><link>https://blog.ahmadz.ai/asus_bsitf_0_day_poc/</link><pubDate>Mon, 06 Apr 2026 00:00:00 +0000</pubDate><guid>https://blog.ahmadz.ai/asus_bsitf_0_day_poc/</guid><description>&lt;p>This was discoved with &lt;a href="https://github.com/416rehman/DeepZero-Agentic-Vulnerability-Research-Pipeline">DeepZero&lt;/a>&lt;/p>
&lt;p>&lt;strong>Tracked as &lt;a href="https://www.cve.org/CVERecord?id=CVE-2026-13585">CVE-2026-13585&lt;/a>.&lt;/strong> ASUS has published a vendor advisory with countermeasures.&lt;/p>
&lt;p>ASUS ships a kernel driver called &lt;code>bsitf.sys&lt;/code> with their Business Manager and Software Manager. It creates a device at &lt;code>\\.\bsitf&lt;/code> that requires admin to open.&lt;/p>
&lt;p>IOCTL &lt;code>0x222808&lt;/code> takes a size from your input buffer, allocates that much physically contiguous kernel memory, maps it into your process, and gives you back the pointer AND the physical address. There&amp;rsquo;s no validation on the size, no limit on how many allocations you can make, and no input checking at all.&lt;/p></description><content:encoded><![CDATA[<p>This was discoved with <a href="https://github.com/416rehman/DeepZero-Agentic-Vulnerability-Research-Pipeline">DeepZero</a></p>
<p><strong>Tracked as <a href="https://www.cve.org/CVERecord?id=CVE-2026-13585">CVE-2026-13585</a>.</strong> ASUS has published a vendor advisory with countermeasures.</p>
<p>ASUS ships a kernel driver called <code>bsitf.sys</code> with their Business Manager and Software Manager. It creates a device at <code>\\.\bsitf</code> that requires admin to open.</p>
<p>IOCTL <code>0x222808</code> takes a size from your input buffer, allocates that much physically contiguous kernel memory, maps it into your process, and gives you back the pointer AND the physical address. There&rsquo;s no validation on the size, no limit on how many allocations you can make, and no input checking at all.</p>
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span>alloc_size <span style="color:#f92672">=</span> <span style="color:#f92672">*</span>(DWORD <span style="color:#f92672">*</span>)Irp<span style="color:#f92672">-&gt;</span>AssociatedIrp.SystemBuffer;
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>kernel_va <span style="color:#f92672">=</span> <span style="color:#a6e22e">MmAllocateContiguousMemory</span>(alloc_size, <span style="color:#ae81ff">0xffffffff</span>);
</span></span><span style="display:flex;"><span>mdl <span style="color:#f92672">=</span> <span style="color:#a6e22e">IoAllocateMdl</span>(kernel_va, alloc_size, FALSE, FALSE, NULL);
</span></span><span style="display:flex;"><span><span style="color:#a6e22e">MmBuildMdlForNonPagedPool</span>(mdl);
</span></span><span style="display:flex;"><span>user_va <span style="color:#f92672">=</span> <span style="color:#a6e22e">MmMapLockedPages</span>(mdl, UserMode);
</span></span><span style="display:flex;"><span>
</span></span><span style="display:flex;"><span>output[<span style="color:#ae81ff">0</span>] <span style="color:#f92672">=</span> user_va;
</span></span><span style="display:flex;"><span>output[<span style="color:#ae81ff">1</span>] <span style="color:#f92672">=</span> <span style="color:#a6e22e">MmGetPhysicalAddress</span>(kernel_va);
</span></span></code></pre></div><p>I tested three versions, they all have the same bug:</p>
<table>
  <thead>
      <tr>
          <th>Version</th>
          <th>Filename</th>
          <th>Pool Type</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>3.0.10.0</td>
          <td>bsitf.sys</td>
          <td><code>NonPagedPool</code> (executable)</td>
      </tr>
      <tr>
          <td>3.1.10.0</td>
          <td>AsusBSItf.sys</td>
          <td><code>NonPagedPoolNx</code></td>
      </tr>
      <tr>
          <td>3.1.25.0</td>
          <td>AsusBSItf.sys</td>
          <td><code>NonPagedPoolNx</code></td>
      </tr>
  </tbody>
</table>
<h2 id="what-can-you-actually-do-with-this">What can you actually do with this</h2>
<p>To be clear about what this is and isn&rsquo;t: the buffer you get is a fresh kernel pool allocation. You control its contents but not where it lands in kernel memory. You can&rsquo;t use this alone to overwrite arbitrary kernel structures.</p>
<p>What it does give you:</p>
<p><strong>Pool exhaustion DoS.</strong> Call the IOCTL in a loop without freeing. There&rsquo;s no size cap and no allocation limit. The kernel runs out of NonPagedPool and BSODs. This works from any admin process.</p>
<p><strong>Physical address disclosure.</strong> Every allocation returns its physical address. Useful as an info leak primitive or for DMA attacks.</p>
<p><strong>Shellcode staging (v3.0.x only).</strong> On version 3.0.10.0 the pool type is <code>NonPagedPool</code> which is executable. You can write shellcode from usermode into the buffer and it&rsquo;ll be sitting in executable kernel memory at a known address. But you still need a separate bug to redirect kernel execution there. On v3.1.x versions with <code>NonPagedPoolNx</code> this doesn&rsquo;t apply.</p>
<h2 id="poc">PoC</h2>
<p>The proof of concept is a Rust crate. <code>cargo build --release</code> and you&rsquo;re good.</p>
<p>Load the driver (requires admin):</p>
<pre tabindex="0"><code>sc create bsitf binPath= &#34;C:\path\to\bsitf.sys&#34; type= kernel
sc start bsitf
</code></pre><p>Run:</p>
<pre tabindex="0"><code>cargo run --release
</code></pre><p>Output on Windows 11 24H2:</p>
<pre tabindex="0"><code>[+] device handle acquired

[+] kernel allocation succeeded:
    usermode VA:     0x000001D856F90000
    physical addr:   0x00000000BF6CB000

[*] writing 0xCC pattern...
[+] readback: usermode R/W CONFIRMED

[+] mapping freed via IOCTL 0x22280C
</code></pre><p><img alt="POC Execution" loading="lazy" src="/bsitf-executing_poc.png"></p>
<p><img alt="Reading from Physical Addr" loading="lazy" src="/bsitf-printing_kernal_addr.png"></p>
<p>Full source is on <a href="https://github.com/416rehman/asus-bsitf-0-day-poc">GitHub</a>.</p>
<h2 id="timeline">Timeline</h2>
<table>
  <thead>
      <tr>
          <th>Date</th>
          <th>Event</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>2026-04-06</td>
          <td>Vulnerability discovered</td>
      </tr>
      <tr>
          <td>2026-04-06</td>
          <td>PoC confirmed on Windows 11 24H2</td>
      </tr>
      <tr>
          <td>2026-04-06</td>
          <td>Report submitted to ASUS PSIRT</td>
      </tr>
      <tr>
          <td>2026-07-14</td>
          <td>CVE assigned &amp; case closed — <a href="https://www.cve.org/CVERecord?id=CVE-2026-13585">CVE-2026-13585</a></td>
      </tr>
      <tr>
          <td>2026-07-15</td>
          <td>Vendor advisory &amp; countermeasures released</td>
      </tr>
  </tbody>
</table>
]]></content:encoded></item></channel></rss>