SecureState Blog

Late in 2013, two blogs were released describing in great technical detail the vulnerability identified as CVE-2013-3881. The vulnerability is a NULL page dereference caused by “insufficient pointer validation” in win32k!xxxTrackPopupMenuEx and was patched as part of MS13-081, which affects both Windows 7 and Windows 2008.

Both of the blogs by Endgame and Immunity were very rich in technical details on how the flaw could be reliably triggered and exploited. However, neither provided any proof of concept code that could be used to trigger the vulnerability.

Exploit, meet Metasploit
SecureState is a supporter of open source projects, specifically those relevant to security and penetration testing. As such, SecureState has released a module for the Metasploit Framework that exploits CVE-2013-3881. This module works on Windows 7 SP0 and SP1 systems that are not patched against the vulnerability. Using this module, a penetration tester with a Meterpreter session running as an underprivileged user can elevate to the SYSTEM account.

The new exploit has already been added to the Metasploit Framework and can be found here: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms13_081_track_popup_menu.rb