Analysis of CVE-2019-0708 (BlueKeep)

Next I needed to figure out how to call this function, and how to set the channel name to MS_T120. To trigger the bug, I’d need to call IcaBindVirtualChannels a second time with MS_T120 as the channel name. The second packet sent contains four of the six channel names I saw passed to IcaBindVirtualChannels (missing MS_T120 and CTXTW).
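A detection-side sketch of the point above, added here and not part of the original post: it parses the client network data block (CS_NET, MS-RDPBCGR 2.2.1.3.4), where an RDP client lists the static channels it requests, and flags any request for MS_T120. Treating that block as the packet the text refers to is an assumption, and the sample blocks, the helper names and the four benign channel names are constructed for illustration.

```python
import struct

CS_NET = 0xC003        # clientNetworkData block type (MS-RDPBCGR 2.2.1.3.4)
CHANNEL_DEF_LEN = 12   # CHANNEL_DEF: 8-byte ANSI name + 4-byte options
MAX_CHANNELS = 31      # upper bound on channelCount given in the spec
RESERVED = {"MS_T120"} # channel name a client has no reason to request


def build_cs_net(names):
    """Construct a sample CS_NET block (test input only, not captured traffic)."""
    body = b"".join(struct.pack("<8sI", n.encode("ascii"), 0) for n in names)
    return struct.pack("<HHI", CS_NET, 8 + len(body), len(names)) + body


def parse_cs_net(block):
    """Return the static channel names requested in a CS_NET block."""
    if len(block) < 8:
        raise ValueError("truncated CS_NET header")
    btype, blen, count = struct.unpack_from("<HHI", block, 0)
    if btype != CS_NET:
        raise ValueError("not a CS_NET block: 0x%04x" % btype)
    if count > MAX_CHANNELS:
        raise ValueError("channelCount %d exceeds %d" % (count, MAX_CHANNELS))
    # The length field covers the 4-byte header, channelCount and the array.
    if blen != 8 + count * CHANNEL_DEF_LEN or blen > len(block):
        raise ValueError("length does not match channelCount")
    names = []
    for i in range(count):
        raw, _options = struct.unpack_from("<8sI", block, 8 + i * CHANNEL_DEF_LEN)
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def reserved_requests(names):
    """Names matching a reserved channel; compared case-insensitively so a
    case variant is flagged as well (a conservative choice for detection)."""
    return [n for n in names if n.upper() in RESERVED]


# Constructed samples: an ordinary client request, and one that asks for MS_T120.
BENIGN = build_cs_net(["rdpdr", "rdpsnd", "cliprdr", "drdynvc"])
SUSPECT = build_cs_net(["rdpdr", "MS_T120"])

if __name__ == "__main__":
    for label, blk in (("benign", BENIGN), ("suspect", SUSPECT)):
        names = parse_cs_net(blk)
        print(label, names, "flagged:", reserved_requests(names))
```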

Source: www.malwaretech.com