A vulnerability within the Microsoft TCP/IP protocol driver tcpip.sys, can allow an attacker to inject controlled memory into an arbitrary location within the kernel.
a10f3a60dd5ca145c224a448fbe2a59eb98a01bc4f0e54ff4952738ca7c1e8d5
A vulnerability within Microsoft Bluetooth Personal Area Networking module, BthPan.sys, can allow an attacker to inject memory controlled by the attacker into an arbitrary location. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile.
d94d249bed8485ab2ccc4e373683d6802502b4edd5262cd0b25082323dcef9a7
A vulnerability within the VBoxGuest driver allows an attacker to inject memory they control into an arbitrary location they define. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile on Windows XP SP3 systems. This has been tested with VBoxGuest Additions up to 4.3.10r93012.
ed08fc54fb11f75fb8240f00e12ad3f0eb15c9ef81cff67a88e74e2b8793b557