CVE-2018-6606

HIGH

MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation via IOCTL 0x80002010 and 0x8000204C


Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-6606. PoCs published by Souhail Hammou, bullhead-repo.

AI-analyzed exploit summary: This exploit demonstrates a local privilege escalation vulnerability in MalwareFox AntiMalware 2.74.0.150 by abusing an IOCTL (0x80002010) to register a process as trusted by the driver, then using another IOCTL (0x8000204C) to obtain a full-access handle to winlogon.exe, ultimately injecting shellcode to spawn a SYSTEM shell.

Description

An issue was discovered in MalwareFox AntiMalware 2.74.0.150. Improper access control in zam32.sys and zam64.sys allows a non-privileged process to register itself with the driver by sending IOCTL 0x80002010 and then using IOCTL 0x8000204C to \\.\ZemanaAntiMalware to elevate privileges.

Exploits (2)

exploitdb WORKING POC
by Souhail Hammou · clocalwindows
https://www.exploit-db.com/exploits/43987


Classification: Working PoC (100%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: MalwareFox AntiMalware 2.74.0.150
Authentication: none needed
Prerequisites: MalwareFox AntiMalware 2.74.0.150 installed · Local access to the target system
Analyzed by devstral-2 on Feb 18, 2026
nomisec WORKING POC
by bullhead-repo · poc
https://github.com/bullhead-repo/CVE-2018-6606

This repository contains a functional exploit for CVE-2018-6606, which leverages a vulnerable driver (ZemanaAntiMalware) to terminate arbitrary processes by PID. The exploit embeds a malicious driver in its resources, loads it as a service, and uses DeviceIoControl to interact with the driver for privilege escalation and process termination.

Classification: Working PoC (95%)
Attack type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Zemana AntiMalware (driver version vulnerable to CVE-2018-6606)
Authentication: required
Prerequisites: Administrator privileges · Vulnerable Zemana AntiMalware driver installed · Windows 10 (64-bit) environment
Analyzed by devstral-2 on Mar 18, 2026

References (2)

Core references (2)
Exploit, Third Party Advisory, VDB Entry (exploit-db): https://www.exploit-db.com/exploits/43987/

Scores

CVSS v3 7.8
EPSS 0.0146
EPSS Percentile 81.3%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-732
Status published
Products (1)
malwarefox/antimalware 2.74.0.150
Published Feb 04, 2018
Tracked Since Feb 18, 2026