The Windows kernel (ntoskrnl.exe) is the core of the operating system. Its duties include managing memory, scheduling threads on the CPU, controlling device I/O, and other tasks. It runs at the most privileged level of the CPU (Ring 0), above every user-mode process. Exploits that attack the kernel are therefore extremely powerful: they escalate your privileges, but they can also destabilize the system. Advanced persistent threats (APTs) use kernel vulnerabilities to keep their malware hidden, because malicious code running in the kernel is hard to detect and even harder to remove. GitHub lists over 50 Windows kernel exploits for download, and the Metasploit search query "search kernel platform:windows" returns about 20 results. The following table summarizes some of the more notable Windows kernel exploits. Nearly all are local exploits, meaning that they must be run after you have gained access to the system.

Vulnerability: EternalBlue
Description:
  • CVE-2017-0143, MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption buffer overflow.
  • SMB 1.0 improper handling of certain requests.
  • Affects Windows Server 2016, 2008 R2, and Windows 7 (x64, all service packs).
Exploit:
  • Metasploit module: exploit/windows/smb/ms17_010_eternalblue

Vulnerability: Kernel mode drivers
Description:
  • CVE-2016-7255, MS16-135 Windows kernel mode drivers incorrectly handle objects in memory.
  • Local privilege elevation.
  • Affects Windows Server 2016, Windows 8.1, 8, and 7.
Exploit:
  • https://github.com/mwrlabs/CVE-2016-7255

Vulnerability: Secondary Logon Service
Description:
  • CVE-2016-0099, MS16-032 Secondary Logon Handle local privilege elevation.
  • Exploits the lack of sanitization of standard handles in the Windows Secondary Logon Service.
  • Affects Windows Vista through Server 2016, all platforms and service pack levels.
Exploit:
  • Metasploit module: exploit/windows/local/ms16_032_secondary_logon_handle_privesc
  • https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-032

Vulnerability: Kernel mode drivers
Description:
  • CVE-2015-1701, MS15-051 Windows kernel mode drivers allow local privilege elevation and arbitrary code execution.
  • Affects Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, and Windows Server 2012.
Exploit:
  • Metasploit module: exploit/windows/local/ms15_051_client_copy_image

Vulnerability: Null pointer dereference
Description:
  • CVE-2014-4113, MS14-058 Windows TrackPopupMenu Win32k NULL Pointer Dereference.
  • Exploits a flaw in how Windows kernel-mode drivers handle objects in memory.
  • Affects Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, and 8.
Exploit:
  • Metasploit module: exploit/windows/local/ms14_058_track_popup_menu
  • https://github.com/sam-b/CVE-2014-4113
  • https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39666.zip

Vulnerability: Kernel vulnerability
Description:
  • CVE-2013-5065, MS14-002 Windows Kernel Vulnerability.
  • Affects Windows XP, Windows Server 2003.
Exploit:
  • Metasploit module: exploit/windows/local/ms_ndproxy

Vulnerability: Kernel mode drivers
Description:
  • CVE-2013-0008, MS13-005 Kernel Mode Driver.
  • Allows a lower-level process to broadcast to a higher-level process, thus effecting a privilege escalation.
  • Affects Windows Server 2003, Windows Server 2008, 7, 8, and Windows Server 2012.
Exploit:
  • Metasploit module: exploit/windows/local/ms13_005_hwnd_broadcast
  • https://www.exploit-db.com/exploits/24485/

Vulnerability: Kernel vulnerability
Description:
  • CVE-2010-0232, MS10-015 Kernel vulnerability; the exploit creates a new session with SYSTEM privileges.
  • Exploit relies on kitrap0d.x86.dll and does not run on x64 editions.
  • Affects Windows Server 2003, Windows Server 2008, 7, XP.
Exploit:
  • Metasploit module:

Note: For an interesting article on the anatomy of kernel exploits, see https://www.lastline.com/labsblog/unmasking-kernel-exploits/
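From the defender's side, the practical question the table raises is which of these entries could still apply to a given host. The script below is an added example, not code from the page or from any of the projects it links: it transcribes the "Affects" lines from the table into a small catalog and matches them against the host's OS caption, architecture and SMBv1 server state, so a triage pass reports the bulletins whose patch state should be verified. The catalog values (bulletins, CVEs, affected versions, the x86-only and SMBv1 conditions) come from the table; the regex fragments used to match Win32_OperatingSystem captions are my own, and so are the function names. The script does not test exploitability and does not check patch level, because the page does not give KB numbers: look those up in the Microsoft Security Update Guide and confirm with Get-HotFix separately.

```powershell
# Added example (not from the page): triage a Windows host against the kernel
# issues in the table above. Reports entries whose "Affects" line, architecture
# condition and SMBv1 condition match this host. It does NOT test exploitability
# and does NOT check whether the fix is installed (KB numbers are not on the
# page; map each bulletin to its KB and confirm with Get-HotFix).

# Catalog transcribed from the table. Affected = regex fragments matched against
# Win32_OperatingSystem.Caption (e.g. "Microsoft Windows 7 Professional").
# 'Server 2008' deliberately also matches 'Server 2008 R2'; 'Windows 8(?!\.)'
# matches Windows 8 but not 8.1. Regex choices are assumptions, not from the page.
$Catalog = @(
    @{ CVE = 'CVE-2017-0143'; Bulletin = 'MS17-010'; Name = 'EternalBlue SMBv1 kernel pool corruption'
       Affected = @('Server 2016', 'Server 2008 R2', 'Windows 7'); Remote = $true; NeedsSmb1 = $true; X86Only = $false }
    @{ CVE = 'CVE-2016-7255'; Bulletin = 'MS16-135'; Name = 'Kernel mode drivers object handling'
       Affected = @('Server 2016', 'Windows 8\.1', 'Windows 8(?!\.)', 'Windows 7'); Remote = $false; NeedsSmb1 = $false; X86Only = $false }
    @{ CVE = 'CVE-2016-0099'; Bulletin = 'MS16-032'; Name = 'Secondary Logon handle sanitization'
       # Table says Vista through Server 2016 on all platforms; enumerated here.
       Affected = @('Windows Vista', 'Windows 7', 'Windows 8', 'Windows 10', 'Server 2008', 'Server 2012', 'Server 2016'); Remote = $false; NeedsSmb1 = $false; X86Only = $false }
    @{ CVE = 'CVE-2015-1701'; Bulletin = 'MS15-051'; Name = 'Kernel mode drivers (ClientCopyImage)'
       Affected = @('Server 2003', 'Server 2008', 'Windows 7', 'Windows 8(?!\.)', 'Server 2012'); Remote = $false; NeedsSmb1 = $false; X86Only = $false }
    @{ CVE = 'CVE-2014-4113'; Bulletin = 'MS14-058'; Name = 'TrackPopupMenu Win32k NULL pointer dereference'
       Affected = @('Server 2003', 'Server 2008', 'Server 2012', 'Windows 7', 'Windows 8(?!\.)'); Remote = $false; NeedsSmb1 = $false; X86Only = $false }
    @{ CVE = 'CVE-2013-5065'; Bulletin = 'MS14-002'; Name = 'Kernel vulnerability (NDProxy)'
       Affected = @('Windows XP', 'Server 2003'); Remote = $false; NeedsSmb1 = $false; X86Only = $false }
    @{ CVE = 'CVE-2013-0008'; Bulletin = 'MS13-005'; Name = 'Kernel mode driver HWND broadcast'
       Affected = @('Server 2003', 'Server 2008', 'Windows 7', 'Windows 8(?!\.)', 'Server 2012'); Remote = $false; NeedsSmb1 = $false; X86Only = $false }
    @{ CVE = 'CVE-2010-0232'; Bulletin = 'MS10-015'; Name = 'Kernel vulnerability (KiTrap0D, x86 only)'
       Affected = @('Server 2003', 'Server 2008', 'Windows 7', 'Windows XP'); Remote = $false; NeedsSmb1 = $false; X86Only = $true }
)

function Get-Smb1ServerState {
    # $true when the SMBv1 server is enabled, or cannot be shown to be disabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2 lack the SmbShare module; there the LanmanServer
    # SMB1 registry value governs the server and defaults to enabled when absent.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return $true }
    return [bool]$val
}

function Get-KernelExposure {
    param(
        [Parameter(Mandatory)] [string] $Caption,
        [Parameter(Mandatory)] [string] $Architecture,   # '32-bit' or '64-bit'
        [Parameter(Mandatory)] [bool]   $Smb1Enabled
    )
    foreach ($entry in $Catalog) {
        $osMatch = @($entry.Affected | Where-Object { $Caption -match $_ }).Count -gt 0
        if (-not $osMatch) { continue }
        # MS10-015 does not run on x64 editions per the table.
        if ($entry.X86Only -and $Architecture -like '64*') { continue }
        # EternalBlue needs an SMBv1 server; a host with SMBv1 disabled drops it.
        if ($entry.NeedsSmb1 -and -not $Smb1Enabled) { continue }
        $vector = if ($entry.Remote) { 'remote (SMB)' } else { 'local' }
        [pscustomobject]@{
            Bulletin = $entry.Bulletin
            CVE      = $entry.CVE
            Vector   = $vector
            Issue    = $entry.Name
        }
    }
}

# Run against this host; each row is a bulletin whose patch state must be verified.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Get-KernelExposure -Caption $os.Caption -Architecture $os.OSArchitecture -Smb1Enabled (Get-Smb1ServerState) |
    Format-Table -AutoSize
```

Get-KernelExposure takes the three host facts as parameters so the same catalog can be run over an inventory export (captions and architectures collected elsewhere) without touching each machine; only Get-Smb1ServerState and the final two lines query the local host. A hit means "in scope for the table", not "vulnerable": the fix for every bulletin listed here has been available for years, and the output is the list to reconcile against installed updates.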