CVE-2011-1996
published 2011-10-12


Priority: P264, critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 60.46% (99.0th percentile)
Microsoft Internet Explorer 6 through 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Option Element Remote Code Execution Vulnerability."

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |
microsoft | internet_explorer | |
microsoft | internet_explorer | |

Detection & IOCs (extracted from sources)

bytes: %u0a14%u0c0c
bytes: 0c0c0a14
  • Exploit targets IE 6–8 via a malicious HTML page; look for heap spray patterns using the 0x0c0c0c0c NOP sled and fake object pointer 0x0c0c0a14 in JavaScript unescape() calls within HTML responses.
  • Heap spray uses a 0x20000-byte heap object allocation loop; detect large repeated unescape() blocks with \x0c\x0c\x0c\x0c NOP sleds in JavaScript served as text/html to IE user-agents.
  • The exploit uses ROP chains via msvcrt (targeting XP) or JRE (targeting Vista/7); monitor for msvcrt-based ROP gadgets ('xchg eax, esp') in memory corruption exploits against iexplore.exe.
  • The Metasploit module uses 'migrate -f' as InitialAutoRunScript; post-exploitation process migration from iexplore.exe to another process is a behavioral indicator of successful exploitation.
  • The exploit HTML page contains a specific JavaScript structure with an 'ivan()' function that manipulates Option elements; signature-based detection can key on this function name combined with unescape heap spray patterns.
  • Optional JavaScript obfuscation (OBFUSCATE option) may be enabled; analysts should apply JS deobfuscation before pattern matching on heap spray or fake object pointer values.
  • The exploit only supports IE 8 on Windows XP SP3, Windows Vista, and Windows 7; other IE/OS combinations will receive a 404 response from the Metasploit handler.
  • The StackAdjustment of -3500 is baked into the payload configuration; this is specific to the Metasploit module's shellcode staging and may differ in custom exploits in the wild.
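
The content indicators above can be combined into a single check over an HTML response body. The following is an added example, not code from this page or from the Metasploit module; the names `scan_html`, `normalise`, the verdict labels and both sample bodies are constructed for illustration, and the string-joining step is only a minimal normalisation, not a full JavaScript deobfuscator.

```python
import re

# Indicators listed above: 0c0c NOP sled, fake object pointer
# 0x0c0c0a14 (written %u0a14%u0c0c), and the ivan() function name.
UNESCAPE_ARG = re.compile(r'unescape\(\s*(["\'])(.*?)\1', re.I | re.S)
NOP_SLED = re.compile(r'(?:%u0c0c){2,}', re.I)
FAKE_PTR = re.compile(r'%u0a14%u0c0c', re.I)
IVAN_FUNC = re.compile(r'\bfunction\s+ivan\s*\(')
STRING_JOIN = re.compile(r'(["\'])\s*\+\s*\1')


def normalise(body: str) -> str:
    """Merge adjacent string literals ("a" + "b" -> "ab") before matching."""
    return STRING_JOIN.sub('', body)


def scan_html(body: str) -> dict:
    """Report which indicators appear in one text/html response body."""
    body = normalise(body)
    hits = {"nop_sled": False, "fake_ptr": False}
    # Only look inside unescape() arguments, where the spray data lives.
    for match in UNESCAPE_ARG.finditer(body):
        arg = match.group(2)
        hits["nop_sled"] |= bool(NOP_SLED.search(arg))
        hits["fake_ptr"] |= bool(FAKE_PTR.search(arg))
    hits["ivan_func"] = bool(IVAN_FUNC.search(body))
    spray = hits["nop_sled"] or hits["fake_ptr"]
    # Function name combined with a spray pattern is the strongest signal.
    if spray and hits["ivan_func"]:
        hits["verdict"] = "high"
    elif spray:
        hits["verdict"] = "medium"
    elif hits["ivan_func"]:
        hits["verdict"] = "low"
    else:
        hits["verdict"] = "none"
    return hits


# Constructed sample bodies: indicator strings only, no working payload.
SUSPECT = ('<script>function ivan(){var s=unescape("%u0c0c%u0c0c");'
           'var p=unescape("%u0a14" + "%u0c0c");}</script>')
BENIGN = '<script>var t=unescape("%20hello");function init(){}</script>'

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, scan_html(sample))
```
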