
Windows Privilege Escalation – Kernel Exploits

Introduction

The kernel is the component at the core of the operating system, and it has complete control over everything that occurs in the system. Because of this, exploiting vulnerabilities in the kernel will pretty much always result in a full system compromise.

Kernel exploits affect a certain version of a kernel or operating system and they are generally executed locally on the target machine in order to escalate privileges to system.

Identifying OS & Kernel Information

The first step required is to enumerate the current operating system and any information related to currently installed patches and hotfixes, in order to find any available kernel exploits.

Manual enumeration

The following commands can be used to manually enumerate kernel info:

systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn

Example below in Windows 7 Professional:

The most important things are the operating system version, the build and the installed hotfixes.

As seen from the example above, the current system is running Windows 7 Professional build 7601, and has the following hotfixes installed:

  • KB2534111
  • KB2999226
  • KB976902
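The same systeminfo output can be read from the defender's side to check a host against a patch baseline. The following is an added example, not part of the original guide: the sample output is constructed from the values above, and the REQUIRED_KBS baseline (including the placeholder KB9999991) is hypothetical.

```python
import re

# Constructed sample of `systeminfo` output, using the values from the example above.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7-LAB
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
                           [03]: KB976902
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Hypothetical patch baseline: the KB IDs an organisation requires per build.
# KB9999991 is a made-up placeholder, not a real update.
REQUIRED_KBS = {"7601": {"KB2999226", "KB976902", "KB9999991"}}


def parse_systeminfo(text):
    """Extract OS name, build number and installed hotfix IDs."""
    info = {"os_name": None, "build": None, "hotfixes": set()}
    section = None
    for line in text.splitlines():
        field = re.match(r"^(\S[^:]*):\s*(.*)$", line)
        if field:  # a new top-level "Key: value" field starts at column 0
            section, value = field.group(1), field.group(2).strip()
            if section == "OS Name":
                info["os_name"] = value
            elif section == "OS Version":
                build = re.search(r"Build (\d+)", value)
                info["build"] = build.group(1) if build else None
        elif section == "Hotfix(s)":  # indented continuation lines: "[01]: KB..."
            kb = re.search(r"\bKB\d+\b", line, re.IGNORECASE)
            if kb:
                info["hotfixes"].add(kb.group(0).upper())
    return info


def missing_patches(info, baseline=REQUIRED_KBS):
    """Return the required KB IDs that are not installed, sorted."""
    return sorted(baseline.get(info["build"], set()) - info["hotfixes"])


if __name__ == "__main__":
    host = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(host["os_name"], "build", host["build"], "missing:", missing_patches(host))
```

The field names matched here are the English ones; systeminfo output from a localized Windows installation uses translated labels and would need its own mapping.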

Automated enumeration

Automated enumeration scripts such as WinPEAS can be used to enumerate operating system and kernel information as well:

Finding Available Kernel Exploits

The next step is to find out whether there are any known exploits available that affect the kernel version used by the machine.

Manual Enumeration

SearchSploit can be used to find kernel exploits. The syntax is as follows:

searchsploit Microsoft Windows [OS version]
searchsploit Microsoft Windows [build number]

They can then be mirrored with SearchSploit using the following syntax:

searchsploit -m path/to/exploit/xxxxx.cpp

Example below:

A simple Google search can often do the job:

Automated enumeration

The Windows Exploit Suggester script can be used to identify available kernel exploits. It requires a database file, which can be generated using the --update flag, and a file containing the output of the “systeminfo” command:

The Windows Exploit Suggester – Next Generation (WES-NG) is a more modern implementation of the above script.

Additionally, the Exploit Suggester Metasploit module can be used to carry out this task, by selecting the module, setting the session and running it:

Compiling the Exploit

MinGW can be used to compile Windows-based exploits, using the following commands:

# for 32-bit (x86) systems
i686-w64-mingw32-gcc [exploit.cpp] -o [exploit.exe]
# for 64-bit (x64) systems
x86_64-w64-mingw32-gcc [exploit.cpp] -o [exploit.exe]

When cross-compiling, issues can arise due to libraries, syntax, architecture etc. If that is the case, the exploit will need to be compiled on a Windows machine using either MinGW or Visual Studio. When this is not possible, pre-compiled exploits can be found on GitHub; this is a great repository that contains many Windows kernel exploits that are already compiled and ready to run.

Executing Kernel Exploits

Once proper enumeration steps have been conducted and a suitable exploit has been identified and compiled where necessary, it is time to execute it and attempt to elevate privileges to system.

Manual Exploitation

Once the exploit has been transferred to the victim machine, using tools such as Certutil or PowerShell, all that is left to do is to execute it from the command line:

Upon execution of the above exploit, it returned a system-level reverse shell.

Automated Exploitation

There are often Metasploit modules available that allow privileges to be escalated by exploiting a known kernel vulnerability.

These can be used by selecting the exploit and setting the options:

  • session to specify the meterpreter session to run the exploit against
  • payload to specify the payload type, in this case the Windows reverse TCP shell
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to

Upon execution of the above module, Metasploit returned a system-level reverse shell.

Conclusion

Although Kernel Exploits are often an easy way to system, they should be the last resort when conducting a penetration test, as some of them have a risk of breaking the machine and a fair number of them will only run once.