CVE-2014-4971

Microsoft Windows XP SP3 - Privilege Escalation


Exploitation Summary

EIP tracks 6 public exploits for CVE-2014-4971. PoCs have been published by Metasploit, KoreLogic, Matt Bergin and Spencer McIntyre, including the Metasploit module exploits/windows/local/bthpan.

AI-analyzed exploit summary: This is a Metasploit module for CVE-2014-4971, a privilege escalation vulnerability in Microsoft Bluetooth Personal Area Networking (BthPan.sys). It exploits a memory corruption flaw to overwrite HalDispatchTable and execute arbitrary kernel code.

Description

Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem.

Exploits (6)

exploitdb · Working PoC · Verified
by Metasploit · ruby · local · windows_x86
https://www.exploit-db.com/exploits/34982

This is a Metasploit module for CVE-2014-4971, a privilege escalation vulnerability in Microsoft Bluetooth Personal Area Networking (BthPan.sys). It exploits a memory corruption flaw to overwrite HalDispatchTable and execute arbitrary kernel code.

Classification: Working PoC (100%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP SP3 with Bluetooth Personal Area Networking (BthPan.sys)
Auth: required
Prerequisites: Local access to a vulnerable Windows XP SP3 system · Bluetooth Personal Area Networking (BthPan.sys) driver loaded
devstral-2 · analyzed Feb 16, 2026
exploitdb · Working PoC · Verified
by Metasploit · ruby · local · windows_x86
https://www.exploit-db.com/exploits/34167

This Metasploit module exploits CVE-2014-4971, an arbitrary write vulnerability in MQAC.sys, to escalate privileges to SYSTEM on Windows XP SP3. It uses token stealing to achieve privilege escalation.

Classification: Working PoC (100%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Windows XP SP3 with MQAC.sys
Auth: required
Prerequisites: Local access to the target system · MQAC.sys driver loaded · Non-SYSTEM privileges
devstral-2 · analyzed Feb 16, 2026
exploitdb · Working PoC
by KoreLogic · python · local · windows
https://www.exploit-db.com/exploits/34131

This exploit leverages a write-what-where vulnerability in BthPan.sys on Windows XP SP3 via an unvalidated OutputBuffer in DeviceIoControlFile calls. It allows arbitrary memory writes to escalate privileges by overwriting HalDispatchTable+0x4 and executing shellcode via NtQueryIntervalProfile.

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP SP3 (BthPan.sys 5.1.2600.5512)
Auth: not needed
Prerequisites: Windows XP SP3 with Bluetooth Personal Area Networking enabled · Userland process execution
devstral-2 · analyzed Feb 18, 2026
exploitdb · Working PoC
by KoreLogic · text · local · windows
https://www.exploit-db.com/exploits/34112

The exploit demonstrates a write-what-where vulnerability in MQAC.sys on Windows XP SP3, allowing arbitrary memory writes via a crafted DeviceIoControlFile call. It includes a Python PoC that escalates privileges by overwriting HalDispatchTable+0x4 and triggering shellcode execution via NtQueryIntervalProfile.

Classification: Working PoC (100%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP SP3 MQ Access Control (MQAC.sys) 5.1.0.1110
Auth: not needed
Prerequisites: Access to a Windows XP SP3 system with MQAC.sys loaded
devstral-2 · analyzed Feb 18, 2026
metasploit · Working PoC · Normal
ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/bthpan.rb

This Metasploit module exploits CVE-2014-4971, a privilege escalation vulnerability in the Microsoft Bluetooth Personal Area Networking (BthPan.sys) driver. It leverages memory corruption to overwrite the HalDispatchTable and execute arbitrary kernel code, elevating privileges to SYSTEM on Windows XP SP3.

Classification: Working PoC (100%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Microsoft Windows XP SP3 with Bluetooth Personal Area Networking (BthPan.sys)
Auth: required
Prerequisites: Local access to a vulnerable Windows XP SP3 system · Bluetooth Personal Area Networking (BthPan.sys) driver loaded
devstral-2 · analyzed Feb 19, 2026
metasploit · Working PoC · Normal
by Matt Bergin, Spencer McIntyre · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/mqac_write.rb

This Metasploit module exploits CVE-2014-4971, an arbitrary kernel memory write vulnerability in MQAC.sys on Windows XP SP3. It escalates privileges to SYSTEM by overwriting the HalDispatchTable and injecting a payload into a SYSTEM process.

Classification: Working PoC (100%)
Attack type: LPE
Complexity: Moderate
Reliability: Racy
Target: Microsoft Windows XP SP3 with MQAC.sys (MSMQ)
Auth: not needed
Prerequisites: Local access to a vulnerable Windows XP SP3 system · MSMQ (MQAC.sys) installed
devstral-2 · analyzed Feb 19, 2026

References (18)

Core references
Third Party Advisory, VDB Entry (SecurityTracker): http://www.securitytracker.com/id/1031025
Third Party Advisory, VDB Entry (SecurityFocus BID): http://www.securityfocus.com/bid/68764
Third Party Advisory, VDB Entry (Bugtraq mailing list): http://www.securityfocus.com/archive/1/532844/100/0/threaded
Exploit (Exploit-DB): http://www.exploit-db.com/exploits/34112
Exploit, Third Party Advisory (Exploit-DB): http://www.exploit-db.com/exploits/34131
Exploit (Exploit-DB): http://www.exploit-db.com/exploits/34982
Exploit (Full Disclosure mailing list): http://seclists.org/fulldisclosure/2014/Jul/97
Third Party Advisory, VDB Entry (Bugtraq mailing list): http://www.securityfocus.com/archive/1/532843/100/0/threaded
Broken Link (OSVDB): http://www.osvdb.org/109387
Permissions Required (Secunia advisory): http://secunia.com/advisories/60974
Exploit (Full Disclosure mailing list): http://seclists.org/fulldisclosure/2014/Jul/96

Scores

EPSS: 0.2305
EPSS percentile: 97.5%

Details

CWE: CWE-20 (Improper Input Validation)
Status: published
Products (1): microsoft/windows_xp
Published: Jul 26, 2014
Tracked since: Feb 18, 2026