CVE-2018-5701

CRITICAL

iolo System Shield 5.0.0.136 - Arbitrary Write via amp.sys IOCtl 0x00226003

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-5701. PoCs published by Brandon Marshall, Parvez Anwar.

Description

In Iolo System Shield AntiVirus and AntiSpyware 5.0.0.136, the amp.sys driver file contains an Arbitrary Write vulnerability due to not validating input values from IOCtl 0x00226003.

Exploits (2)

exploitdb WORKING POC
by Brandon Marshall · text · local · windows
https://www.exploit-db.com/exploits/51044

This exploit leverages a vulnerability in the System Mechanic driver (amp.sys) to perform arbitrary read/write operations in kernel memory via crafted IOCTL calls. It demonstrates both reading and writing QWORD values to arbitrary addresses, which can be used for privilege escalation or other kernel-level exploits.

Classification
Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: System Mechanic v15.5.0.61 (amp.sys driver 5.4.11)
No auth needed
Prerequisites: Access to the vulnerable System Mechanic driver · Administrative privileges to interact with the driver
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by Parvez Anwar · c · local · windows
https://www.exploit-db.com/exploits/43929

This exploit targets a privilege escalation vulnerability in System Shield AntiVirus & AntiSpyware by manipulating registry permissions and token addresses to escalate privileges. It leverages the vulnerable driver `amp.sys` to achieve arbitrary write access.

Classification
Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: System Shield AntiVirus & AntiSpyware 5.0.0.136 with driver amp.sys 5.4.11.1
No auth needed
Prerequisites: Windows 7 or 10 (64-bit) · Vulnerable version of System Shield AntiVirus & AntiSpyware installed
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.greyhathacker.net/?p=1006
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43929/

Scores

CVSS v3: 9.8
EPSS: 0.2169
EPSS Percentile: 95.9%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-119
Status: published
Products (1)
iolo/system_shield 5.0.0.136
Published: Jan 31, 2018
Tracked Since: Feb 18, 2026