CVE-2011-2217
published 2011-06-06


Priority: P2 (59) · Severity: critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 41.96% (98.5th percentile)
Certain ActiveX controls in (1) tsgetxu71ex552.dll and (2) tsgetx71ex552.dll in Tom Sawyer GET Extension Factory 5.5.2.237, as used in VI Client (aka VMware Infrastructure Client) 2.0.2 before Build 230598 and 2.5 before Build 204931 in VMware Infrastructure 3, do not properly handle attempted initialization within Internet Explorer, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HTML document.

Affected (9 ranges)

Vendor      Product                        Version range   Fixed in
tomsawyer   get_extension_factory
vmware      infrastructure
vmware      virtual_infrastructure_client
vmware      virtual_infrastructure_client
vmware      vmware_esxi
vmware      vmware_fusion
vmware      vmware_tools
vmware      vmware_workstation
vmware      vsphere

Detection & IOCs (extracted from sources)

filename: tsgetxu71ex552.dll
filename: tsgetx71ex552.dll
filename: tsgetx71ex553.dll
other (CLSID): {658ED6E7-0DA1-4ADD-B2FB-095F08091118}
  • Detect instantiation of the vulnerable ActiveX control by its CLSID {658ED6E7-0DA1-4ADD-B2FB-095F08091118} in HTML documents or registry entries.
  • Flag the presence of tsgetx71ex553.dll, tsgetx71ex552.dll, or tsgetxu71ex552.dll loaded within Internet Explorer processes as a high-risk indicator of an exploitation attempt.
  • The exploit targets IE 6–8 on Windows XP SP3 and IE 8 on Windows 7 SP1; alert on suspicious ActiveX instantiation from these browser/OS combinations.
  • The exploit uses msvcr71.dll ROP gadgets for DEP/ASLR bypass; detect ROP chains referencing msvcr71.dll addresses (e.g., 0x7c347f98, 0x7c37653d) in heap-spray memory regions.
  • Monitor for heap sprays targeting address 0x342d1ea0 (the ecx value at crash), which is the sprayed heap address used by the exploit.
  • The exploit delivers a crafted HTML page with optional JavaScript obfuscation; inspect Content-Type text/html responses containing the CLSID of the Tom Sawyer ActiveX control.
  • Post-exploitation, the module runs 'migrate -f' as an auto-run script; detect iexplore.exe spawning unexpected child processes as a sign of successful exploitation.
  • The Metasploit module was tested against tsgetx71ex553.dll version 5.5.3.238 (Embarcadero ER/Studio XE2), not the originally reported 5.5.2.237 (VMware Infrastructure Client); ROP gadget offsets may differ across versions.
  • ROP chain gadget addresses are hardcoded for msvcr71.dll as shipped with Embarcadero software; they will not be valid against other versions or patched copies of msvcr71.dll.
  • Payload space is limited to 1024 bytes, with null bytes as bad characters; larger or null-containing payloads will fail.