{"id":19499918,"url":"https://github.com/tijme/kernel-mii","last_synced_at":"2025-04-25T22:34:49.871Z","repository":{"id":40123665,"uuid":"507289591","full_name":"tijme/kernel-mii","owner":"tijme","description":"Cobalt Strike (CS) Beacon Object File (BOF) foundation for kernel exploitation using CVE-2021-21551.","archived":false,"fork":false,"pushed_at":"2023-05-07T18:38:29.000Z","size":735,"stargazers_count":80,"open_issues_count":0,"forks_count":27,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-05-02T03:23:46.580Z","etag":null,"topics":["beacon","bof","cobalt-strike","cve-2021-21551","exploit","kernel","red-teaming"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tijme.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-06-25T11:13:45.000Z","updated_at":"2024-03-27T16:28:11.000Z","dependencies_parsed_at":"2023-02-08T13:30:47.984Z","dependency_job_id":null,"html_url":"https://github.com/tijme/kernel-mii","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tijme%2Fkernel-mii","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tijme%2Fkernel-mii/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tijme%2Fkernel-mii/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tijme%2Fkernel-mii/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tijme","download_url":"https://codeload.github.com/tijme/kernel-mii/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224019605,"owners_count":17242177,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["beacon","bof","cobalt-strike","cve-2021-21551","exploit","kernel","red-teaming"],"created_at":"2024-11-10T22:06:43.213Z","updated_at":"2024-11-10T22:06:44.891Z","avatar_url":"https://github.com/tijme.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\r\n    \u003cimg src=\"https://raw.githubusercontent.com/tijme/kernel-mii/master/.github/logo.png\" width=\"450\"/\u003e\r\n\u003c/p\u003e\r\n\u003cp align=\"center\"\u003e\r\n    \u003ca href=\"https://github.com/tijme/kernel-mii/blob/master/LICENSE.md\"\u003e\u003cimg src=\"https://raw.finnwea.com/shield/?firstText=Source\u0026secondText=Licensed\" /\u003e\u003c/a\u003e\r\n    \u003cbr/\u003e\r\n    \u003cb\u003eCobalt Strike Beacon Object File foundation for kernel exploitation using CVE-2021-21551.\u003c/b\u003e\r\n    \u003cbr/\u003e\r\n    \u003csup\u003eBuilt by \u003ca href=\"https://www.linkedin.com/in/tijme/\"\u003eTijme\u003c/a\u003e. Credits to \u003ca href=\"https://github.com/lldre\"\u003eAlex\u003c/a\u003e for teaching me! Made possible by \u003ca href=\"https://northwave-security.com/\"\u003eNorthwave Security\u003c/a\u003e \u003cimg src=\"https://raw.githubusercontent.com/tijme/kernel-mii/master/.github/northwave.png\"/\u003e\u003c/sup\u003e\r\n    \u003cbr/\u003e\r\n\u003c/p\u003e\r\n\r\n## Description\r\n\r\nThis is a Cobalt Strike (CS) Beacon Object File (BOF) which exploits CVE-2021-21551. It only overwrites the beacon process token with the system process token. But this BOF is mostly just a good foundation for further kernel exploitation via CS.\r\n\r\n\u003cp align=\"center\"\u003e\r\n    \u003cimg src=\"https://raw.githubusercontent.com/tijme/kernel-mii/master/.github/output.png\" /\u003e\r\n\u003c/p\u003e\r\n\r\n## Usage\r\n\r\nClone this repository first. Then review the code, compile from source and use it in Cobalt Strike.\r\n\r\n**Compiling**\r\n\r\n    make\r\n\r\n**Usage**\r\n\r\nLoad the `KernelMii.cna` script using the Cobalt Strike Script Manager. Then use the command below to execute the exploit.\r\n\r\n    $ kernel_mii\r\n\r\nAlternatively (and for testing purposes), you can directly run the compiled executable. This will spawn a command prompt as SYSTEM.\r\n\r\n    $ .\\KernelMii.x64.exe\r\n\r\n## Limitations\r\n\r\n* If the vulnerable driver is not installed, you need to be local admin to install it.\r\n\r\n## Todo\r\n\r\n* Load the vulnerable driver from memory instead of from disk.\r\n* Delete the vulnerable driver if it was not preinstalled.\r\n* Make the exploit stable \u0026 compatible with multiple Windows versions.\r\n\r\n## Issues\r\n\r\nIssues or new features can be reported via the [issue tracker](https://github.com/tijme/kernel-mii/issues). Please make sure your issue or feature has not yet been reported by anyone else before submitting a new one.\r\n\r\n## License\r\n\r\nCopyright (c) 2022 Tijme Gommers \u0026 Northwave Security. All rights reserved. View [LICENSE.md](https://github.com/tijme/kernel-mii/blob/master/LICENSE.md) for the full license.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftijme%2Fkernel-mii","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftijme%2Fkernel-mii","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftijme%2Fkernel-mii/lists"}