CVE-2013-1300
published 2013-07-10

Priority: P272 high
CVSS 2.0: 7.2
Vector: AV:L / AC:L / Au:N / C:C / I:C / A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 12.18% (95.6th percentile)

win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle objects in memory, which allows local users to gain privileges via a crafted application, aka "Win32k Memory Allocation Vulnerability."

Detection & IOCs (extracted from sources)

  • filename: schlamperei.x86.dll
  • path: data/exploits/cve-2013-1300/schlamperei.x86.dll
  • path: %windir%\system32\win32k.sys
  • process: winlogon.exe
  • process: notepad.exe

  • Exploit targets Windows 7 SP0/SP1 only (build 7600 unconditionally vulnerable; build 7601 vulnerable below revision 18176 on branch 18, or below revision 22348 on other branches). Check win32k.sys file version to triage.
  • Exploit performs reflective DLL injection of schlamperei.x86.dll into a spawned notepad.exe process, then migrates payload into winlogon.exe. Monitor for notepad.exe spawning from unusual parents followed by cross-process access to winlogon.exe.
  • Kernel shellcode nulls the ACL of winlogon.exe (SYSTEM process) to allow unprivileged migration. Detect unexpected process migration or handle opens targeting winlogon.exe with PROCESS_ALL_ACCESS from low-privilege processes.
  • Post-exploitation indicator: winlogon.exe crash or instability after session exit is a behavioral artifact of this exploit's ACL nulling technique.
  • Exploit only supports x86 architecture; WOW64 and native x64 systems are explicitly rejected by the module.
  • Exploit requires an existing Meterpreter session (SessionTypes: meterpreter) and will abort if the session is already SYSTEM-level.

CVSS provenance

  • nvd: v2.0, 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
  • vulncheck: 7.2 HIGH