CVE-2011-1260
Published 2011-06-16
Priority P265 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit available · EPSS 60.85% (99.0th percentile)
Microsoft Internet Explorer 8 and 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, aka "Layout Memory Corruption Vulnerability."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- Detect heap spray pattern targeting address 0x0c0c0c0c — a classic IE heap spray pivot pointer used in this exploit to overwrite the freed CObjectElement vtable pointer.
- Monitor for User-Agent strings matching MSIE 7.0 or MSIE 8.0 on Windows receiving HTML responses containing heavily obfuscated JavaScript (JSObfu) with large heap spray arrays — consistent with this exploit's delivery mechanism.
- Look for HTML pages dynamically building innerHTML with sequences of object/div tags including invalid/overlapping positioned elements, which is the trigger condition for the CObjectElement use-after-free.
- For IE 8 targets, the exploit requires Java Runtime Environment (JRE) to bypass DEP — alert on IE 8 processes loading JRE DLLs in conjunction with mshtml!CObjectElement activity.
- ROP chain targets USER32.dll xchg eax,esp gadget at 0x7E45F257 on WinXP SP3 — flag stack pivot instructions at this address in memory forensics or dynamic analysis.
- The Metasploit module uses 'migrate -f' as InitialAutoRunScript, meaning post-exploitation process migration occurs immediately — monitor for iexplore.exe spawning or injecting into other processes shortly after page load.
- The exploit module references CVE-2011-1256 in its References array, but the documented vulnerability for MS11-050 CObjectElement use-after-free is CVE-2011-1260 — verify CVE mapping when using this module for attribution.
- ROP chain addresses (kernel32!VirtualAlloc at 0x7c809ae1, ntdll!memcpy at 0x7c901db3, USER32.dll gadget at 0x7E45F257) are hardcoded for fully patched WinXP SP3 IE 8.0.6001.18702 — these will not apply to other OS/patch levels.
- The freed CObjectElement size differs by target: 0xb0 for IE7 on XP SP3, and 0xe0 (0xdc rounded up) for IE8 on XP SP3 — heap spray sizing must match the correct target for reliable exploitation.
- Payload bad characters include null bytes and common HTML/JS delimiters — shellcode must avoid \x00\x09\x0a\x0d and quote characters or the exploit will fail.
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - MSHTML!CObjectElement Use-After-Free (MS11-050) (Metasploit)
exploitdb · 2011-06-17
---
```ruby
##
# $Id: ms11_050_mshtml_cobjectelement.rb 12962 2011-06-17 01:56:20Z swtornio $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::IE,
  :ua_minver => "7.0",
  :ua_maxver => "8.0",
  :javascript => true,
  :os_name => OperatingSystems::WINDOWS,
  :vuln_test => nil,
})
def initialize(info={})
  super(update_info(info,
    'Name' => "MS11-050 IE mshtml!CObjectElement Use After Free",
    'Description' => %q{
      This module exploits a use-after-free vulnerabili
```
Metasploit
MS11-050 IE mshtml!CObjectElement Use After Free
This module exploits a use-after-free vulnerability in Internet Explorer. The vulnerability occurs when an invalid tag exists and other elements overlap/cover where the object tag should be when rendered (due to their styles/positioning). The mshtml!CObjectElement is then freed from memory because it is invalid. However, the mshtml!CDisplay object for the page continues to keep a reference to the freed object and attempts to call a function on it, leading to the use-after-free. Please note that for IE 8 targets, JRE (Java Runtime Environment) is required to bypass DEP (Data Execution Prevention).
References:
- http://securityreason.com/securityalert/8275
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-050
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12308
Published 2011-06-16