CVE-2013-0008

Windows Vista/7/8, Server 2008/2012, RT - Privilege Escalation via Win32k Window Broadcast

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2013-0008. PoCs published by Metasploit, 0vercl0k, Tavis Ormandy, Axel Souchet, Ben Campbell, including Metasploit module exploits/windows/local/ms13_005_hwnd_broadcast.

AI-analyzed exploit summary This Metasploit module exploits CVE-2013-0008, a Windows kernel vulnerability that allows low-integrity processes to broadcast messages to higher-integrity command prompts, enabling privilege escalation. It uses techniques like spawning a medium-integrity command prompt via Win+Shift+# and broadcasting commands to execute payloads.

Description

win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT does not properly handle window broadcast messages, which allows local users to gain privileges via a crafted application, aka "Win32k Improper Message Handling Vulnerability."

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocalwindows
https://www.exploit-db.com/exploits/27296

This Metasploit module exploits CVE-2013-0008, a Windows kernel vulnerability that allows low-integrity processes to broadcast messages to higher-integrity command prompts, enabling privilege escalation. It uses techniques like spawning a medium-integrity command prompt via Win+Shift+# and broadcasting commands to execute payloads.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Racy
Target: Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, RT
No auth needed
Prerequisites: Low integrity process execution context · User interaction absence (to avoid UI corruption)
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WORKING POC
by 0vercl0k · textdoswindows
https://www.exploit-db.com/exploits/24485

This exploit leverages CVE-2013-0008 to drive a Medium Integrity Level (IL) cmd.exe from a Low IL process via message broadcasting. It uses SendMessage with HWND_BROADCAST to inject commands into a privileged cmd.exe spawned by explorer.exe.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT
No auth needed
Prerequisites: Low IL process execution context · User interaction to trigger Win+Shift+7 shortcut
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Tavis Ormandy, Axel Souchet, Ben Campbell · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms13_005_hwnd_broadcast.rb

This Metasploit module exploits CVE-2013-0008 (MS13-005) to escalate privileges from low to medium integrity on Windows systems by broadcasting commands via HWND_BROADCAST. It supports multiple techniques (WEB, FILE, TYPE) for payload delivery.

Classification
Working Poc 95%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, RT
No auth needed
Prerequisites: Low integrity process execution context · Access to a vulnerable Windows system
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA13-008A.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16326
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/24485
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/57135

Scores

EPSS 0.1709
EPSS Percentile 96.7%

Details

CWE
CWE-264
Status published
Products (7)
microsoft/windows_7 (4 CPE variants)
microsoft/windows_8 (2 CPE variants)
microsoft/windows_rt
microsoft/windows_server_2008 (3 CPE variants)
microsoft/windows_server_2008 r2 (2 CPE variants)
microsoft/windows_server_2012
microsoft/windows_vista
Published Jan 09, 2013
Tracked Since Feb 18, 2026