CVE-2011-1996
Published 2011-10-12
Priority P2 · 64 · critical · CVSS 2.0 score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 60.46% (99.0th percentile)
Microsoft Internet Explorer 6 through 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing a deleted object, aka "Option Element Remote Code Execution Vulnerability."
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
- bytes: %u0a14%u0c0c
- bytes: 0c0c0a14
- Exploit targets IE 6–8 via a malicious HTML page; look for heap spray patterns using the 0x0c0c0c0c NOP sled and fake object pointer 0x0c0c0a14 in JavaScript unescape() calls within HTML responses.
- Heap spray uses a 0x20000-byte heap object allocation loop; detect large repeated unescape() blocks with \x0c\x0c\x0c\x0c NOP sleds in JavaScript served as text/html to IE user-agents.
- The exploit uses ROP chains via msvcrt (targeting XP) or JRE (targeting Vista/7); monitor for msvcrt-based ROP gadgets ('xchg eax, esp') in memory corruption exploits against iexplore.exe.
- The Metasploit module uses 'migrate -f' as InitialAutoRunScript; post-exploitation process migration from iexplore.exe to another process is a behavioral indicator of successful exploitation.
- The exploit HTML page contains a specific JavaScript structure with an 'ivan()' function that manipulates Option elements; signature-based detection can key on this function name combined with unescape heap spray patterns.
- Optional JavaScript obfuscation (OBFUSCATE option) may be enabled; analysts should apply JS deobfuscation before pattern matching on heap spray or fake object pointer values.
- Caveat: the exploit only supports IE 8 on Windows XP SP3, Windows Vista, and Windows 7; other IE/OS combinations will receive a 404 response from the Metasploit handler.
- Caveat: the StackAdjustment of -3500 is baked into the payload configuration; this is specific to the Metasploit module's shellcode staging and may differ in custom exploits in the wild.
No detection rules found.
Exploit-DB · 2013-01-10
CVE-2011-1996 Microsoft Internet Explorer - Option Element Use-After-Free (MS11-081) (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info={})
    super(update_info(info,
      'Name'        => "Microsoft Internet Explorer Option Element Use-After-Free",
      'Description' => %q{
          This module exploits a vulnerability in Microsoft Internet Explorer. A memory
        corruption may occur when the Option cache isn't updated properly, which allows
        other JavaScript methods to access a deleted Option element, and results in code
        execution under the context of the user.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Ivan Frat
```
Exploit-DB · 2011-11-02
CVE-2011-4415 Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow
---
Source: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
## Background
The Apache HTTP Server is an open-source HTTP server for modern operating systems including UNIX, Microsoft Windows, Mac OS/X and Netware. The goal of this project is to provide a secure, efficient and extensible server that provides HTTP services observing the current HTTP standards. Apache has been the most popular web server on the Internet since April of 1996.
## Problem Description
During routine testing, an integer overflow was found in apache2-mpm-worker 2.2.19 in the function ap_pregsub, called from mod_setenvif. The issue affects all versions from 2.0.x to 2.0.64 and 2.2.x to 2.2.21, regardless of the mode of operation
Metasploit
MS11-081 Microsoft Internet Explorer Option Element Use-After-Free
This module exploits a vulnerability in Microsoft Internet Explorer. A memory corruption may occur when the Option cache isn't updated properly, which allows other JavaScript methods to access a deleted Option element, and results in code execution under the context of the user.
References:
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-081
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12896
Published 2011-10-12