11 comments on “Exploiting System Shield AntiVirus Arbitrary Write Vulnerability using SeTakeOwnershipPrivilege

  1. Nice write up – where can I get the vulnerable app? I checked IOLO’s website and the exploitdb but I can’t find 5.0.0.136

  2. Hello.
    Thanks for this demonstration!

    I have a question. With this exploit, can we access to the winlogon.exe and open a handle for read and write memory?

    Kind regards,

  3. Why doesn’t it work with csrss.exe?

    pHandle = OpenProcess(PROCESS_VM_READ, 0, 428); //my csrss PID
    printf(“> pHandle: %d || %s\n”, pHandle, pHandle);
    i got: 0 || (null)

  4. The SeDebugPrivilege is already enabled in this exploit, what you can do it use a previous exploit of mine which uses shellcode being injected in the winlogon process.

  5. Thanks! I found with its hex byte ’03 60 22′ in IDA search and reached vulnerable function.

Leave a Reply

Your email address will not be published. Required fields are marked *