CVE-2013-3881
published 2013-10-09


Priority: high (CVSS 2.0 base score 7.2)
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Exploited in the wild (VulnCheck KEV)
EPSS: 14.84% (96.3rd percentile)
win32k.sys in the kernel-mode drivers in Microsoft Windows 7 SP1 and Windows Server 2008 R2 SP1 allows local users to gain privileges via a crafted application, aka "Win32k NULL Page Vulnerability."

Detection & IOCs (extracted from sources)

path: data/exploits/cve-2013-3881/cve-2013-3881.x86.dll
filename: cve-2013-3881.x86.dll
  • Monitor for reflective DLL injection into processes (e.g., notepad.exe) from a Meterpreter session; the exploit injects cve-2013-3881.x86.dll reflectively into a spawned or existing process.
  • Detect privilege escalation attempts via the win32k.sys NULL-page dereference triggered through TrackPopupMenuEx; look for low-privilege processes opening other processes with PROCESS_ALL_ACCESS and then creating threads in them.
  • Alert on new threads created in remote processes immediately following DLL injection, consistent with the exploit's execution pattern: inject the DLL, inject the payload, then create a remote thread at the exploit entry point.
  • The exploit targets only ARCH_X86 (32-bit) on Windows 7 SP0/SP1. The technique depends on mapping the NULL page from user mode, which Windows 8 and later refuse by default, so injection activity from 32-bit processes on Windows 7 hosts is where this pattern deserves priority.
  • The exploit uses EXITFUNC=thread, so the payload terminates with ExitThread rather than ExitProcess and the injected host process keeps running afterwards; on its own this is a weak signal, but it is consistent with the rest of the pattern.
  • The Metasploit module requires an existing Meterpreter session (local privilege escalation only); it is not a remote exploit. Detection should focus on post-exploitation activity rather than initial access.
  • The exploit's payload space is limited to 4096 bytes with NOPs disabled; a payload larger than this will not function, which may help distinguish this exploit from others.
  • The module has only been tested and confirmed working on Windows 7 SP0 and SP1 (x86); behaviour on other targets (e.g., Server 2008 R2, which the CVE itself covers) is unverified by the module author.
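The injection pattern the bullets above describe (a full-access process open followed shortly by a remote thread whose start address is not backed by any loaded module, from a source that is not already elevated) can be correlated from Sysmon telemetry. The script below is an added example, not code from this page or from the Metasploit module. It uses Sysmon's field names for Event ID 1 (ProcessCreate), 10 (ProcessAccess) and 8 (CreateRemoteThread); the event records are constructed for the demonstration, and the correlation window, the alert shape and the treatment of an empty or "-" StartModule as "unbacked" are this script's own assumptions.

```python
"""Correlate Sysmon-style events for: PROCESS_ALL_ACCESS open (Event 10), then an
unbacked remote thread (Event 8) in the same target, from a non-elevated source
(IntegrityLevel from Event 1). Added example; records below are constructed."""
from datetime import datetime

PROCESS_ALL_ACCESS = 0x1F0FFF   # full access mask, as Sysmon prints GrantedAccess
WINDOW_SECONDS = 5.0            # assumption: thread must follow the open within 5 s


def _t(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")


def has_all_access(granted):
    """True if the hex GrantedAccess string contains every PROCESS_ALL_ACCESS bit."""
    return int(granted, 16) & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS


def thread_is_unbacked(ev):
    """Assumption: Sysmon leaves StartModule empty or '-' when the thread start
    address is not inside a loaded module, which is what a reflectively loaded
    DLL looks like."""
    return ev.get("StartModule", "") in ("", "-")


def correlate(events, window=WINDOW_SECONDS):
    """Return one alert per (ProcessAccess, CreateRemoteThread) pair that matches."""
    integrity = {e["ProcessId"]: e["IntegrityLevel"]
                 for e in events if e["EventID"] == 1}
    opens = [e for e in events
             if e["EventID"] == 10 and has_all_access(e["GrantedAccess"])]
    threads = [e for e in events if e["EventID"] == 8 and thread_is_unbacked(e)]
    alerts = []
    for o in opens:
        for t in threads:
            if (t["SourceProcessId"], t["TargetProcessId"]) != \
               (o["SourceProcessId"], o["TargetProcessId"]):
                continue
            delta = (_t(t["UtcTime"]) - _t(o["UtcTime"])).total_seconds()
            if not 0 <= delta <= window:
                continue
            level = integrity.get(o["SourceProcessId"], "Unknown")
            if level in ("High", "System"):
                continue  # already elevated: not a privilege-escalation candidate
            alerts.append({
                "source": o["SourceImage"], "target": o["TargetImage"],
                "source_pid": o["SourceProcessId"], "integrity": level,
                "thread_start": t["StartAddress"], "delta_s": delta,
            })
    return alerts


# Constructed sample telemetry (not real logs); PIDs and paths are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4012, "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "IntegrityLevel": "Medium"},
    {"EventID": 1, "ProcessId": 1588, "Image": r"C:\Windows\System32\notepad.exe",
     "IntegrityLevel": "Medium"},
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Program Files\AV\scanner.exe",
     "IntegrityLevel": "System"},
    # suspicious pair: full-access open, then an unbacked remote thread 200 ms later
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:00.000", "SourceProcessId": 4012,
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe", "TargetProcessId": 1588,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:00.200", "SourceProcessId": 4012,
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe", "TargetProcessId": 1588,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "StartAddress": "0x00A21000",
     "StartModule": "", "StartFunction": ""},
    # benign: security product opening processes with full access from SYSTEM
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:01.000", "SourceProcessId": 900,
     "SourceImage": r"C:\Program Files\AV\scanner.exe", "TargetProcessId": 1588,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 8, "UtcTime": "2024-01-01 10:00:01.050", "SourceProcessId": 900,
     "SourceImage": r"C:\Program Files\AV\scanner.exe", "TargetProcessId": 1588,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "StartAddress": "0x76A0F000",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    # benign: limited-information query with no thread creation
    {"EventID": 10, "UtcTime": "2024-01-01 10:00:02.000", "SourceProcessId": 4012,
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe", "TargetProcessId": 1588,
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only the update.exe -> notepad.exe pair produces an alert: the SYSTEM-integrity scanner is skipped because it is already elevated, and the 0x1000 (query-only) open never escalates to a thread. In production the integrity lookup should come from a process table keyed on ProcessGuid rather than a reused PID.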

CVSS provenance

nvd: CVSS v2.0 7.2 HIGH (AV:L/AC:L/Au:N/C:C/I:C/A:C)
vulncheck: 7.2 HIGH