CVE-2011-1260
published 2011-06-16

Priority: P2 65
Severity: critical
CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Flags: EXPLOIT
EPSS: 60.85% (99.0th percentile)
Microsoft Internet Explorer 8 and 9 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, aka "Layout Memory Corruption Vulnerability."

Affected (2 ranges)

Vendor      Product             Version range    Fixed in
microsoft   internet_explorer   (not given)      (not given)
microsoft   internet_explorer   (not given)      (not given)

Detection & IOCs (extracted from sources)

other:   0x0c0c0c0c
other:   0x7E45F257
other:   0x7c809ae1
other:   0x7c901db3
process: mshtml!CObjectElement
  • Detect heap spray pattern targeting address 0x0c0c0c0c — a classic IE heap spray pivot pointer used in this exploit to overwrite the freed CObjectElement vtable pointer.
  • Monitor for User-Agent strings matching MSIE 7.0 or MSIE 8.0 on Windows receiving HTML responses containing heavily obfuscated JavaScript (JSObfu) with large heap spray arrays — consistent with this exploit's delivery mechanism.
  • Look for HTML pages dynamically building innerHTML with sequences of object/div tags including invalid/overlapping positioned elements, which is the trigger condition for the CObjectElement use-after-free.
  • For IE 8 targets, the exploit requires Java Runtime Environment (JRE) to bypass DEP — alert on IE 8 processes loading JRE DLLs in conjunction with mshtml!CObjectElement activity.
  • ROP chain targets USER32.dll xchg eax,esp gadget at 0x7E45F257 on WinXP SP3 — flag stack pivot instructions at this address in memory forensics or dynamic analysis.
  • The Metasploit module uses 'migrate -f' as InitialAutoRunScript, meaning post-exploitation process migration occurs immediately — monitor for iexplore.exe spawning or injecting into other processes shortly after page load.
  • The exploit module references CVE-2011-1256 in its References array, but the documented vulnerability for MS11-050 CObjectElement use-after-free is CVE-2011-1260 — verify CVE mapping when using this module for attribution.
  • ROP chain addresses (kernel32!VirtualAlloc at 0x7c809ae1, ntdll!memcpy at 0x7c901db3, USER32.dll gadget at 0x7E45F257) are hardcoded for fully patched WinXP SP3 IE 8.0.6001.18702 — these will not apply to other OS/patch levels.
  • The freed CObjectElement size differs by target: 0xb0 for IE7 on XP SP3, and 0xe0 (0xdc rounded up) for IE8 on XP SP3 — heap spray sizing must match the correct target for reliable exploitation.
  • Payload bad characters include null bytes and common HTML/JS delimiters — shellcode must avoid \x00\x09\x0a\x0d and quote characters or the exploit will fail.