The Ancillary Function Driver (AFD) supports Windows sockets applications and is contained in the afd.sys file.
The afd.sys driver runs in kernel mode and manages the Winsock TCP/IP communications protocol. An elevation of
privilege vulnerability exists where the AFD improperly validates input passed from user mode to the kernel.
An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode
(i.e. with NT AUTHORITY\SYSTEM privileges).
- The exploit is from @Tomislav Paskalev
Vulnerability reference:
c:\> MS11-046.exe