The Windows streaming driver (ks.sys) has a design vulnerability which can result in arbitrary memory write. This module allows a local unprivileged user to execute arbitrary code with SYSTEM privileges. The steps performed by the exploit are: Opens an audio device with read/write access. Gets the memory address of a kernel object associated with a process, to access its details in kernel space. Allocates memory to create a fake RTL_BITMAP structure in user space, which will allow arbitrary memory read/write operations. Gets the base address of a kernel module (ntoskrnl.exe), necessary for locating functions within kernel space. Computes the address of a gadget in the kernel for use in memory manipulation operations. Writes data to a specific memory address, allowing the system's memory space to be modified. Changes the current process token to gain system privileges Restores the thread mode to avoid BSOD
CVE Link
Exploit Platform
Exploit Type
Product Name