
CVE-2023-23388 PoC — Microsoft Bluetooth Driver Security Vulnerability

Associated Vulnerability
Title: Microsoft Bluetooth Driver Security Vulnerability (CVE-2023-23388)
Description: Microsoft Bluetooth Driver is a Bluetooth driver application from Microsoft Corporation (USA). Microsoft Bluetooth Driver contains a security vulnerability. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows 10 Version 1809 for ARM64-based Systems, Windows Server 201
Description
poc for CVE-2023-23388 (LPE in Windows 10/11 bthserv service)
Readme
This repository contains a poc for CVE-2023-23388, which is described in [this series](https://ynwarcs.github.io/z-btadv-cves), particularly in [this post](https://ynwarcs.github.io/v-cve-2023-23388). It's an LPE in the bluetooth service (aka **bthserv**) in Windows 10/11 that allows an unprivileged user to escalate to LOCAL SERVICE. This repo doesn't contain an exploit, only a poc.

## building, running, etc.

**Use a VM. This could be a virus.**

MS fixed the vulnerability in the March 2023 security update, so you'll need to target a system that doesn't have that update applied. You could also dirty-patch the fix for testing; it shouldn't be too hard once you've read the post. The system also needs Bluetooth to be turned on, as the service may not run otherwise or may discard RPC requests. To compile the poc, open the solution in VS 2022 and build it in either Debug or Release. Then run **poc.exe** with no arguments. It will trigger the vulnerability with `EventType=-0x50C`. There's no particular reason I chose that value; it just showcased the behaviour nicely since it guaranteed a crash.
File Snapshot

[4.0K] /data/pocs/47b716310cf936cdaf5a5447fc2ae1aeb47471db
├── [1.0K] LICENSE
├── [4.0K] poc_dll
│   ├── [2.3K] dllmain.cpp
│   ├── [8.2K] poc_dll.vcxproj
│   ├── [ 959] poc_dll.vcxproj.filters
│   └── [ 165] poc_dll.vcxproj.user
├── [4.0K] poc_exe
│   ├── [4.9K] main.cpp
│   ├── [7.8K] poc_exe.vcxproj
│   ├── [ 956] poc_exe.vcxproj.filters
│   └── [1.2K] poc_exe.vcxproj.user
├── [2.1K] poc.sln
└── [1.1K] README.md

2 directories, 11 files