CVE-2013-3881
Published 2013-10-09
CVE-2013-3881: win32k.sys in the kernel-mode drivers in Microsoft Windows 7 SP1 and Windows Server 2008 R2 SP1 allows local users to gain privileges via a crafted…
Priority: P271 · high · 7.2 (CVSS 2.0)
AV:L/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 14.84% (96.3th percentile)
win32k.sys in the kernel-mode drivers in Microsoft Windows 7 SP1 and Windows Server 2008 R2 SP1 allows local users to gain privileges via a crafted application, aka "Win32k NULL Page Vulnerability."
Detection & IOCs (extracted from sources)
- Monitor for reflective DLL injection into processes (e.g., notepad.exe) from a Meterpreter session; the exploit injects cve-2013-3881.x86.dll reflectively into a spawned or existing process.
- Detect privilege escalation attempts via win32k.sys NULL pointer dereference triggered by TrackPopupMenuEx; look for low-privilege processes spawning threads in other processes with PROCESS_ALL_ACCESS.
- Alert on new threads created in remote processes immediately following DLL injection, consistent with exploit execution pattern: inject DLL, inject payload, then create remote thread at exploit entry point.
- The exploit targets only ARCH_X86 (32-bit) on Windows 7 SP0/SP1; flag unexpected 32-bit process creation or injection activity on these OS versions as high-priority.
- The exploit uses EXITFUNC=thread; look for shellcode thread exit patterns (ExitThread rather than ExitProcess) following privilege escalation in win32k.sys context.
- The Metasploit module requires an existing Meterpreter session (local privilege escalation only); it is not a remote exploit. Detection should focus on post-exploitation activity rather than initial access.
- The exploit payload space is limited to 4096 bytes with NOPs disabled; payloads larger than this will not function, which may help distinguish this exploit from others.
- The module has only been tested and confirmed working on Windows 7 SP0 and SP1 (x86); behavior on other targets (e.g., Server 2008 R2) is unverified by the module author.
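The correlation described in the second and third items above, as an added example (not code from this page or from the Metasploit project): it flags a non-elevated process that opens another process with PROCESS_ALL_ACCESS and creates a thread in it shortly afterwards. The event numbering follows Sysmon (1, 10, 8); the simplified field names, the 10-second window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

PROCESS_ALL_ACCESS = 0x1FFFFF      # value on Windows Vista and later
WINDOW = timedelta(seconds=10)     # assumed correlation window
ELEVATED = {"High", "System"}      # integrity levels we do not alert on

def ev(eid, ts, src, dst=None, access=0, integrity=None):
    return {"id": eid, "time": datetime.fromisoformat(ts), "src": src,
            "dst": dst, "access": access, "integrity": integrity}

# Constructed events: id 1 = process create, 10 = process access,
# 8 = remote thread created (Sysmon numbering; fields simplified).
EVENTS = [
    ev(1, "2013-10-20T10:00:00", "upd.exe", integrity="Medium"),
    ev(1, "2013-10-20T10:00:00", "svchost.exe", integrity="System"),
    ev(1, "2013-10-20T10:00:00", "explorer.exe", integrity="Medium"),
    ev(10, "2013-10-20T10:00:05", "upd.exe", "notepad.exe", 0x1FFFFF),
    ev(8, "2013-10-20T10:00:06", "upd.exe", "notepad.exe"),
    ev(10, "2013-10-20T10:01:00", "svchost.exe", "notepad.exe", 0x1FFFFF),
    ev(8, "2013-10-20T10:01:01", "svchost.exe", "notepad.exe"),
    ev(10, "2013-10-20T10:02:00", "explorer.exe", "notepad.exe", 0x1410),
    ev(8, "2013-10-20T10:02:01", "explorer.exe", "notepad.exe"),
    ev(10, "2013-10-20T10:03:00", "explorer.exe", "calc.exe", 0x1FFFFF),
    ev(8, "2013-10-20T10:08:00", "explorer.exe", "calc.exe"),  # too late
]

def find_injection(events):
    """Return (source, target) pairs where a non-elevated process opened
    another process with full access and started a thread in it within WINDOW."""
    integrity, opened, alerts = {}, {}, []
    for e in sorted(events, key=lambda e: e["time"]):
        pair = (e["src"], e["dst"])
        if e["id"] == 1:
            integrity[e["src"]] = e["integrity"]
        elif e["id"] == 10:
            full = (e["access"] & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS
            # Unknown integrity is treated as non-elevated (fail towards alerting).
            if full and e["src"] != e["dst"] and integrity.get(e["src"]) not in ELEVATED:
                opened[pair] = e["time"]
        elif e["id"] == 8 and pair in opened:
            if e["time"] - opened.pop(pair) <= WINDOW:
                alerts.append(pair)
    return alerts

if __name__ == "__main__":
    for src, dst in find_injection(EVENTS):
        print(f"ALERT: {src} opened {dst} with full access, then created a remote thread")
```

This pattern is common to process injection in general, so a hit indicates post-exploitation activity worth triage rather than this CVE specifically.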
CVSS provenance
nvd · v2.0 · 7.2 HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 7.2 HIGH
GHSA
GHSA-6q9x-4h75-hr2p: win32k
ghsa_unreviewed · 2022-05-13
CVE-2013-3881 [HIGH] GHSA-6q9x-4h75-hr2p: win32k
VulnCheck
Win32k NULL Page Vulnerability
vulncheck · 2013 · CVSS 7.2
CVE-2013-3881 [HIGH] Win32k NULL Page Vulnerability
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://go.group-ib.com/hubfs/report/protected/group-ib-opera1er-full-threat-research-2022-en.pdf
No detection rules found.
Exploit-DB
Microsoft Windows - TrackPopupMenuEx Win32k NULL Page (MS13-081) (Metasploit)
exploitdb · 2014-02-11
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class Metasploit3 'Windows TrackPopupMenuEx Win32k NULL Page',
'Description' => %q{
This module exploits a vulnerability in win32k.sys where under
specific conditions TrackPopupMenuEx will pass a NULL pointer to
the MNEndMenuState procedure. This module has been tested
successfully on Windows 7 SP0 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Seth Gibson', # vulnerability discovery
'Dan Zentner', # vulnerability discovery
'Matias Soler', # vulnerability analysis
'Sp
Metasploit
Windows TrackPopupMenuEx Win32k NULL Page
metasploit
This module exploits a vulnerability in win32k.sys where under specific conditions TrackPopupMenuEx will pass a NULL pointer to the MNEndMenuState procedure. This module has been tested successfully on Windows 7 SP0 and Windows 7 SP1.
No writeups or analysis indexed.
http://www.us-cert.gov/ncas/alerts/TA13-288A
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-081
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18614
2013-10-09: Published
Exploited in the wild