Windows Kernel Security

The kernel is the colonel of the operating system. It is the software that links applications to hardware, translating application requests into instructions for the CPU. In fact, it is hard to separate an operating system from its kernel; the kernel is the heart of the OS. A bug in a user's application may cause crashes, instability, or slowness in that application, but a bug in the kernel can bring down the entire system. Worse still, a kernel bug can allow arbitrary code execution at the highest privilege level the operating system offers. Kernel attacks are a hacker's dream.

Absolutely everything in an operating system works with the kernel in some form. As the core of the operating system, the kernel must be isolated from the less-privileged processes on the system; without isolation it could be corrupted, and a corrupt kernel renders the system unusable. This isolation is accomplished by marking the kernel's region of memory off-limits to user-mode processes. Still, full isolation would make the computer useless for users and their applications, so interfaces between user mode and the kernel (system calls and the kernel code that services them) are a necessity. Those interfaces are the attacker's doorways into the highest privilege level available on a Windows computer.

An in-depth discussion of the Windows NT kernel is out of scope for this chapter, but we'll introduce kernel security concepts and step through a Metasploit exploit module against the Windows kernel to better understand how such an attack works. The result is a hands-on introduction to exploiting a kernel vulnerability to elevate privileges on a Windows target.

In this chapter, we'll cover the following:

  • An overview of kernel concepts and attacks
  • The concept of pointers to illustrate null pointer flaws
  • Code from the Metasploit module for exploiting the CVE-2014-4113 vulnerability
  • A demonstration of leveraging this module for privilege escalation after gaining a foothold on a Windows 7 target
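Before the chapter turns to the real module, the following user-mode C program, added here as an example and not taken from the book or from the Metasploit module, models the null pointer flaw class the chapter will discuss: a kernel-style object lookup that returns NULL on failure, a dispatch routine that dereferences the result unchecked, and a hardened routine that validates the pointer before use. The `kobject`, `lookup_object` and `dispatch_*` names and the object table are hypothetical stand-ins for kernel-internal routines; the "attacker maps page zero" comment describes the general technique against 32-bit Windows releases before Windows 8, not the specific steps of CVE-2014-4113.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical kernel object: a tag plus a callback reached through it. */
struct kobject {
    uint32_t magic;            /* tag checked by the hardened path */
    int (*handler)(int arg);   /* "kernel" callback reached through the object */
};

#define KOBJ_MAGIC  0x4B4F424Au
#define MAX_OBJECTS 4

static int double_it(int x) { return 2 * x; }
static int negate(int x)    { return -x; }

/* Constructed object table: slots 0 and 1 are populated, the rest are empty. */
static struct kobject g_table[MAX_OBJECTS] = {
    { KOBJ_MAGIC, double_it },
    { KOBJ_MAGIC, negate },
};

/* Returns NULL when the id is out of range or the slot is empty; this is
 * the failure signal a real lookup routine would hand back to its caller. */
static struct kobject *lookup_object(unsigned id)
{
    if (id >= MAX_OBJECTS || g_table[id].handler == NULL)
        return NULL;
    return &g_table[id];
}

/* Vulnerable: trusts the lookup result and dereferences it unchecked.
 * In a kernel, obj == NULL turns this into a read of address 0. Where user
 * mode can map the page at address 0 (possible on Windows before Windows 8),
 * the "handler" field is attacker-controlled and the indirect call transfers
 * control to attacker code running in the kernel's context. */
static int dispatch_vulnerable(unsigned id, int arg)
{
    struct kobject *obj = lookup_object(id);
    return obj->handler(arg);   /* NULL dereference when the lookup fails */
}

/* Hardened: reject the failure value before use, and verify the object tag
 * so a pointer that lands on attacker-shaped memory is also rejected. */
static int dispatch_checked(unsigned id, int arg, int *out)
{
    struct kobject *obj = lookup_object(id);
    if (obj == NULL || obj->magic != KOBJ_MAGIC || obj->handler == NULL)
        return -1;              /* invalid-handle style failure */
    *out = obj->handler(arg);
    return 0;
}

/* Convenience wrapper: the handler result, or `fallback` on rejection. */
static int checked_or(unsigned id, int arg, int fallback)
{
    int out = 0;
    return dispatch_checked(id, arg, &out) == 0 ? out : fallback;
}

/* True when the given id would make the vulnerable path dereference NULL. */
static int would_null_deref(unsigned id)
{
    return lookup_object(id) == NULL;
}

int main(void)
{
    printf("checked id 0 -> %d\n", checked_or(0, 7, -999));
    printf("checked id 3 -> %d (rejected)\n", checked_or(3, 7, -999));
    printf("vulnerable id 1 -> %d\n", dispatch_vulnerable(1, 7));
    printf("id 3 would NULL-deref on the vulnerable path: %d\n", would_null_deref(3));
    /* dispatch_vulnerable(3, 7) would crash this program; the kernel
     * equivalent is a bugcheck, or code execution if page 0 is attacker-mapped. */
    return 0;
}
```

The two dispatch routines differ by a single check, which is the point: the flaw is not in the lookup but in the caller's assumption that the lookup always succeeds, and whether that assumption costs a crash or a privilege escalation depends on who controls the memory at address 0.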