CVE-2011-1249
published 2011-06-16


Priority: P275 high
CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 8.49% (94.3rd percentile)
The Ancillary Function Driver (AFD) in afd.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."

Affected (1 range)

Vendor      Product                Version range   Fixed in
microsoft   windows_server_2008    (not listed)    (not listed)

Detection & IOCs (extracted from sources)

  • filename: afd.sys
  • ip: 127.0.0.1
  • port: 135
  • other: IOCTL 0x12007
  • Monitor for DeviceIoControl calls to afd.sys with IOCTL code 0x12007 from user-mode processes, especially where the output buffer pointer is a kernel address such as HalDispatchTable; the unvalidated output pointer is the kernel overwrite primitive the exploit relies on.
  • Alert on processes calling ZwAllocateVirtualMemory to map memory at or near address 0x00000000 (the NULL page), where the exploit stages its shellcode for the kernel to execute.
  • Look for the exploit binary MS11-046.exe on disk or in process listings; it is the compiled form of the public PoC for this vulnerability. A filename match is the weakest of these indicators, since the binary is trivially renamed.
  • The exploit uses token-stealing shellcode: monitor for kernel-mode reads/writes at the EPROCESS.Token offset (0xC8 on XP SP3, 0xF8 on Windows 7, x86) that copy the token of PID 4 (System) into the calling process.
  • The PoC exploit (EDB-18755) connects to port 135 on 127.0.0.1 as its loopback socket target; DEFAULT_ADDR and DEFAULT_PORT are hard-coded defaults and may be changed in weaponized variants, so do not key a detection on the address and port alone.
  • The full exploit (EDB-40564) supports only x86 targets; 64-bit systems are detected and rejected at run time, so detections written for this specific PoC should focus on 32-bit process execution.
  • The shellcode NOP sled in EDB-18755 contains an INT3 breakpoint (0xCC) and is explicitly described as a PoC stub; real-world weaponized versions will substitute functional token-stealing shellcode.
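The notes above describe three signals (the AFD IOCTL with a kernel-space output pointer, a NULL-page allocation, and the PoC filename) that are far stronger together than alone. The script below is an added example, not code from this page, from VulnCheck, or from either EDB exploit: it correlates those signals per process over a constructed key=value event stream. The event format is invented for the example, since stock Sysmon telemetry does not carry DeviceIoControl buffer pointers (you would need an EDR hook, a minifilter, or a custom ETW provider to obtain them). The address thresholds assume a 32-bit target with the default 2 GB/2 GB split and no /3GB switch, which the x86-only PoC fits.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real captures): one syscall / IOCTL record
# per line as key=value pairs. Pid 1337 runs the public PoC binary and does both
# halves of the exploit; 4100 is a renamed variant that only does the AFD write;
# 2048 and 3000 are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    r'pid=1337 image="C:\Users\bob\MS11-046.exe" op=NtAllocateVirtualMemory base=0x00000001 size=0x1000 protect=RWX',
    r'pid=1337 image="C:\Users\bob\MS11-046.exe" op=DeviceIoControl device=\Device\Afd ioctl=0x12007 inbuf=0x0012ff40 outbuf=0x80552fb8 outlen=0x4',
    r'pid=2048 image="C:\Windows\System32\svchost.exe" op=DeviceIoControl device=\Device\Afd ioctl=0x12007 inbuf=0x00e3f8a0 outbuf=0x00e3f8c0 outlen=0x10',
    r'pid=3000 image="C:\Program Files\App\app.exe" op=NtAllocateVirtualMemory base=0x00400000 size=0x2000 protect=RW',
    r'pid=4100 image="C:\Temp\updater.exe" op=DeviceIoControl device=\Device\Afd ioctl=0x12007 inbuf=0x0019fd10 outbuf=0x805d3c14 outlen=0x4',
]

# Assumptions, not facts from the advisory: a 32-bit target with the default
# 2 GB / 2 GB split (no /3GB), so any pointer >= 0x80000000 is kernel space, and
# the lowest 64 KB is the region a NULL-page mapping lands in.
KERNEL_BASE_X86 = 0x80000000
NULL_PAGE_LIMIT = 0x10000
AFD_IOCTL = 0x12007              # the IOCTL named in the detection notes
AFD_DEVICE = r"\Device\Afd"
POC_IMAGE_NAME = "ms11-046.exe"  # compiled public PoC; low fidelity on its own

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split a key=value line into a dict, honouring double-quoted values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def to_int(text):
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def classify(ev):
    """Return (tag, detail) pairs for one event; an empty list means benign."""
    hits = []
    op = ev.get("op")
    if op == "DeviceIoControl" and ev.get("device", "").lower() == AFD_DEVICE.lower():
        # The exploit hands afd.sys a kernel address as its *output* buffer;
        # a legitimate socket call always points it at user memory.
        if to_int(ev.get("ioctl", "0")) == AFD_IOCTL:
            outbuf = to_int(ev.get("outbuf", "0"))
            if outbuf >= KERNEL_BASE_X86:
                hits.append(("afd_ioctl_kernel_outbuf", f"outbuf=0x{outbuf:08x}"))
    elif op == "NtAllocateVirtualMemory":
        # Asking for address 1 is rounded down to 0, so test the whole low 64 KB.
        base = to_int(ev.get("base", "0"))
        if base < NULL_PAGE_LIMIT:
            hits.append(("null_page_alloc", f"base=0x{base:08x}"))
    image = ev.get("image", "")
    if image.lower().rsplit("\\", 1)[-1] == POC_IMAGE_NAME:
        hits.append(("known_poc_image", image))
    return hits


def detect(lines):
    """Correlate per pid: both primitives together is the exploit chain."""
    tags_by_pid = defaultdict(set)
    details = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for tag, detail in classify(ev):
            tags_by_pid[ev["pid"]].add(tag)
            details[ev["pid"]].append((tag, detail))
    verdicts = {}
    for pid, tags in tags_by_pid.items():
        if {"afd_ioctl_kernel_outbuf", "null_page_alloc"} <= tags:
            verdicts[pid] = "high"      # kernel write primitive + NULL-page shellcode staging
        elif "afd_ioctl_kernel_outbuf" in tags:
            verdicts[pid] = "medium"    # the kernel write alone, e.g. a renamed variant
        else:
            verdicts[pid] = "low"       # filename-only match
    return verdicts, dict(details)


if __name__ == "__main__":
    verdicts, details = detect(SAMPLE_EVENTS)
    for pid, level in sorted(verdicts.items()):
        print(pid, level, details[pid])
```

The key design choice is that the IOCTL rule keys on the output buffer pointing into kernel space rather than on IOCTL 0x12007 itself: every socket-using process on the box issues AFD IOCTLs through the same device, as the svchost event shows, and only the exploit supplies a kernel address there. The loopback 127.0.0.1:135 indicator is deliberately not used, for the reason given in the notes above.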

CVSS provenance

NVD (CVSS v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 7.2 HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.