CVE-2011-1249
Published: 2011-06-16
Priority: P275 · high · 7.2 (CVSS 2.0)
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 8.49% (94.3rd percentile)
The Ancillary Function Driver (AFD) in afd.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for DeviceIoControl calls to afd.sys using IOCTL code 0x12007 from user-mode processes, especially when the output buffer target is the HalDispatchTable address; this is the kernel overwrite primitive used by the exploit. Note that 0x12007 is AFD's ordinary receive IOCTL, so the code on its own is issued by every socket-using process; the discriminator is an output buffer address that lies in kernel space.
- Alert on processes calling ZwAllocateVirtualMemory to allocate memory at or near address 0x00000000 (the NULL page), which is used to place shellcode for the kernel exploit.
- Look for the exploit binary MS11-046.exe on disk or in process listings; it is the compiled form of the public PoC for this vulnerability (a file name is trivially changed, so treat this as a low-confidence indicator).
- The exploit uses token-stealing shellcode: monitor for kernel-mode reads/writes to EPROCESS.Token offsets (e.g. 0xC8 on XP SP3, 0xF8 on Windows 7 x86) combined with process token replacement using the token of PID 4 (SYSTEM).
- The PoC exploit (EDB-18755) connects to port 135 on 127.0.0.1 as a loopback socket target; DEFAULT_ADDR and DEFAULT_PORT are hardcoded defaults and may be changed in weaponized variants.
- The full exploit (EDB-40564) only supports x86 targets; 64-bit systems are detected and rejected at runtime, so detections targeting this specific PoC should focus on 32-bit process execution.
- The shellcode NOP sled in EDB-18755 contains an INT3 breakpoint (0xCC) and is explicitly described as a PoC stub; real-world weaponized versions will substitute functional token-stealing shellcode.
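The first two indicators above (AFD IOCTL 0x12007 with a kernel-space output buffer, and a NULL-page allocation) are the only parts of the chain visible from user-mode API telemetry, and they are far more useful correlated per process than alerted on individually. The following is an added example, not code from this page or from either Exploit-DB entry, that evaluates those indicators over a constructed stream of API-call events. The event schema (`ApiEvent`), the field names, the 0x80000000 user/kernel boundary (default 2 GB split, no /3GB) and the sample events are assumptions; IOCTL_AFD_RECV = 0x12007 and the NULL-page staging are from the IOC list.

```python
"""Correlate MS11-046 (CVE-2011-1249) user-mode indicators per PID.

Added example; the event layout is an assumed EDR/ETW-style feed, not a real schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

IOCTL_AFD_RECV = 0x12007        # AFD IOCTL the PoC abuses; also issued by every ordinary recv()
KERNEL_BASE_X86 = 0x80000000    # assumption: default 2 GB/2 GB split; HalDispatchTable lives above it
NULL_PAGE_LIMIT = 0x10000       # lowest 64 KiB; mapping it is how the PoC stages shellcode at NULL
POC_IMAGE_NAMES = {"ms11-046.exe"}  # compiled public PoC name from the IOC list (low confidence)


@dataclass
class ApiEvent:
    """One API-call record (assumed feed format)."""
    pid: int
    image: str
    api: str                            # "DeviceIoControl" or "NtAllocateVirtualMemory"
    is_32bit: bool = True               # the public exploits only work in 32-bit processes
    device: str = ""                    # device object behind the handle
    ioctl: Optional[int] = None         # dwIoControlCode
    out_buffer: Optional[int] = None    # lpOutBuffer address
    base_address: Optional[int] = None  # requested *BaseAddress


def is_afd_kernel_write(ev: ApiEvent) -> bool:
    """AFD recv whose output buffer points into kernel space: the HalDispatchTable overwrite primitive.
    A user-space output buffer is just a normal socket receive and is not flagged."""
    return (
        ev.api == "DeviceIoControl"
        and ev.device.lower() == r"\device\afd"
        and ev.ioctl == IOCTL_AFD_RECV
        and ev.out_buffer is not None
        and ev.out_buffer >= KERNEL_BASE_X86
    )


def is_null_page_alloc(ev: ApiEvent) -> bool:
    """NtAllocateVirtualMemory asking for a base in the lowest 64 KiB (the PoC passes 1, which rounds to 0)."""
    return (
        ev.api == "NtAllocateVirtualMemory"
        and ev.base_address is not None
        and ev.base_address < NULL_PAGE_LIMIT
    )


def scan(events: Iterable[ApiEvent]) -> Dict[int, dict]:
    """Return {pid: {"image", "severity", "reasons"}} for every 32-bit PID with at least one hit.
    Both primitives from one process => high; one of them => medium; file name only => low."""
    state: Dict[int, dict] = defaultdict(
        lambda: {"image": "", "reasons": [], "poc_name": False, "null_page": False, "afd_write": False}
    )
    for ev in events:
        if not ev.is_32bit:
            continue  # EDB-40564 refuses 64-bit targets, so 64-bit processes only add noise
        hits = []
        if ev.image.lower() in POC_IMAGE_NAMES and not (ev.pid in state and state[ev.pid]["poc_name"]):
            hits.append(("poc_name", f"known PoC image name {ev.image}"))
        if is_null_page_alloc(ev):
            hits.append(("null_page", f"NULL-page allocation requested at 0x{ev.base_address:x}"))
        if is_afd_kernel_write(ev):
            hits.append(("afd_write", f"AFD IOCTL 0x{ev.ioctl:x} with kernel-space output buffer 0x{ev.out_buffer:x}"))
        for key, reason in hits:
            s = state[ev.pid]
            s["image"] = ev.image
            s[key] = True
            s["reasons"].append(reason)
    findings = {}
    for pid, s in state.items():
        if s["null_page"] and s["afd_write"]:
            severity = "high"
        elif s["null_page"] or s["afd_write"]:
            severity = "medium"
        else:
            severity = "low"
        findings[pid] = {"image": s["image"], "severity": severity, "reasons": s["reasons"]}
    return findings


# Constructed sample events: a normal receive, the PoC sequence, and a 64-bit process doing a NULL-page map.
SAMPLE_EVENTS = [
    ApiEvent(pid=1200, image="chrome.exe", api="DeviceIoControl", device=r"\Device\Afd",
             ioctl=IOCTL_AFD_RECV, out_buffer=0x0012FF40),                    # user-space buffer: benign
    ApiEvent(pid=3344, image="MS11-046.exe", api="NtAllocateVirtualMemory", base_address=0x1),
    ApiEvent(pid=3344, image="MS11-046.exe", api="DeviceIoControl", device=r"\Device\Afd",
             ioctl=IOCTL_AFD_RECV, out_buffer=0x8054C5B8),                    # constructed kernel-range address
    ApiEvent(pid=4100, image="x64tool.exe", api="NtAllocateVirtualMemory", base_address=0x1, is_32bit=False),
]

if __name__ == "__main__":
    for pid, f in scan(SAMPLE_EVENTS).items():
        print(pid, f["image"], f["severity"], "; ".join(f["reasons"]))
```

Only PID 3344 surfaces, at severity "high"; the browser's receive and the 64-bit process are dropped. The kernel-space output-buffer check is what keeps the 0x12007 rule from firing on every socket read, and the per-PID correlation is what separates a single odd allocation from the two-step primitive the exploit needs.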
CVSS provenance
- NVD: v2.0 · 7.2 · HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 7.2 · HIGH
GHSA
GHSA-xh73-pg9j-32r3 · ghsa_unreviewed · 2022-05-13 · HIGH
Description identical to the NVD text above.
VulnCheck
Ancillary Function Driver Elevation of Privilege Vulnerability · vulncheck · 2011 · CVSS 7.2 · HIGH
Description identical to the NVD text above.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-046
Exploit PoC: https://vulncheck.com/xdb/286463
No detection rules found.
Exploit-DB
Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046) · exploitdb · 2016-10-18 · EDB-40564
---
/*
################################################################
# Exploit Title: Windows x86 (all versions) AFD privilege escalation (MS11-046)
# Date: 2016-10-16
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows XP SP3 x86
# Windows XP Pro SP2 x64
# Windows Server 2003 SP2 x86
# Windows Server 2003 SP2 x64
# Windows Server 2003 SP2 Itanium-based Systems
# Windows Vista SP1 x86
# Windows Vista SP2 x86
# Windows Vista SP1 x64
# Windows Vista SP2 x64
# Windows Server 2008 x86
# Windows Server 2008 SP2 x86
# Windows Server 2008 x64
# Windows Server 2008 SP2 x64
# Windows Server 2008 Itanium-based Systems
# Windows Server 2008 SP2 Itanium-based Systems
# Windows 7 x86
# Windows 7 SP1 x86
# Wi
Exploit-DB
Microsoft Windows - 'afd.sys' Local Kernel (PoC) (MS11-046) · exploitdb · 2012-04-19 · EDB-18755
---
/*
MS11-046 was a zero day found in the wild, reported to MS by
Steven Adair from the Shadowserver Foundation and Chris S.
Ronnie Johndas wrote the writeup dissecting a malware with this exploit.
I, Rahul Sasi (fb1h2s), just made the PoC exploit available.
Reference: ms8-66, ms6-49
Too lazy to add the shellcode, you could steal this one, it should work.
http://www.whitecell.org/list.php?id=50
The shellcode to achieve privilege escalation as per the article used the following steps
http://www.exploit-db.com/docs/18712.pdf
.
1) Use PslookupProcessId get system token
2) Replace it with the current process token, and we are system
*/
#define SystemModuleInformation 11
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LE
References
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-046
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12731
- https://www.exploit-db.com/exploits/40564/