This vulnerability allows an attacker to execute code to the kernel (ring0) due to the difference in implementation between processors AMD and Intel. For example an operating system that it is written according to AMD specifications but runs on an Intel hardware is vulnerable. Since the attacker can execute code into the kernel it could allow him to escalate his privileges from user level to system.

Windows environments are vulnerable due to the way that the Windows User Mode Scheduler is handling system requests. This issue affects 64-bit versions of Windows 2008 and Windows 7 that are running on an Intel chip.


From an existing Meterpreter session the sysret binary needs to be uploaded first on the target system and then to execute the privilege escalation exploit by attaching it to the current process.

meterpreter > getuid
meterpreter > getpid
meterpreter > execute -H -f sysret.exe -a "-pid 2348"
Meterpreter - SysRet
Meterpreter – Privilege Escalation via Sysret



Alternatively if the user has physical access to the system or via RDP it can use the following procedure in order to escalate his privileges.

The first step is to obtain the list of running processes and their associated PID’s.

Sysret - Retrieving Processes
Sysret – Retrieving Processes

The explorer.exe is the ideal process to be used for hooking.

Sysret - Identify Process ID of explorer.exe
Sysret – Identify process ID of explorer.exe

Running the binary sysret.exe with the -pid parameter it will execute the shellcode into the kernel bypassing kernel code signing.

Sysret - Privilege Escalation
Sysret – Privilege Escalation

By checking on the command prompt again the user will elevate to SYSTEM.

Sysret - Verification of Authority
Sysret – Verification of Authority


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s