Rapid7 VulnDB

MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation

Back to Search

MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation



Due to a problem with isolating window broadcast messages in the Windows kernel, an attacker can broadcast commands from a lower Integrity Level process to a higher Integrity Level process, thereby effecting a privilege escalation. This issue affects Windows Vista, 7, 8, Server 2008, Server 2008 R2, Server 2012, and RT. Note that spawning a command prompt with the shortcut key combination Win+Shift+# does not work in Vista, so the attacker will have to check if the user is already running a command prompt and set SPAWN_PROMPT false. Three exploit techniques are available with this module. The WEB technique will execute a powershell encoded payload from a Web location. The FILE technique will drop an executable to the file system, set it to medium integrity and execute it. The TYPE technique will attempt to execute a powershell encoded payload directly from the command line, but may take some time to complete.


  • Tavis Ormandy
  • Axel Souchet
  • Ben Campbell <eat_meatballs@hotmail.co.uk>





Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/ms13_005_hwnd_broadcast
msf exploit(ms13_005_hwnd_broadcast) > show targets
msf exploit(ms13_005_hwnd_broadcast) > set TARGET < target-id >
msf exploit(ms13_005_hwnd_broadcast) > show options
    ...show and set options...
msf exploit(ms13_005_hwnd_broadcast) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security