CVE-2013-0025
published 2013-02-13

Priority: P267 (critical)
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 55.77% (98.9th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer SLayoutRun Use After Free Vulnerability."

Affected (1 range)

Vendor: microsoft
Product: internet_explorer
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

url: http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf
registry: 0x77c39f92
bytes: \x81\xc4\x54\xf2\xff\xff
bytes: \x0c\x0c\x0c\x0c
  • Exploit targets IE 8 on Windows XP SP3 exclusively; User-Agent strings matching 'MSIE 8' and 'Windows NT 5.1' should be treated as high-risk in the context of this CVE.
  • Exploit delivery uses a heap spray with 0x0c0c0c0c NOP sled pattern; detect repeated 0x0c bytes in JavaScript heap allocations.
  • Exploit uses a stack-adjustment prepend encoder stub (add esp, -3500 / 0x81 0xc4 0x54 0xf2 0xff 0xff); presence of this byte sequence in shellcode is a strong indicator.
  • Exploit triggers the UAF by setting document.body.style.whiteSpace to 'pre-line' followed by CollectGarbage() to force CDoc relayout; monitor for this JS pattern in browser traffic.
  • Metasploit module uses heapLib.ie with 0x20000-byte heap blocks for spray; large numbers of 0x20000-byte allocations via heapLib in IE 8 are indicative of exploitation.
  • Exploit variant (24495) uses an iframe with a randomly named HTML file as the initial delivery vector; monitor for iframes loading randomly named .html resources from the same origin.
  • ROP chain uses msvcrt gadget at 0x77c39f92 (RETN sled) on Windows XP; presence of this address repeated in memory or network payload is a strong exploit indicator.
  • Post-exploitation default auto-run script is 'migrate -f' (Meterpreter process migration); monitor for unexpected process migration activity following iexplore.exe.
  • The exploit only targets IE 8 on Windows XP SP3; the 'Automatic' target mode fingerprints the victim via User-Agent before delivering the payload, so non-matching browsers receive a 404.
  • JavaScript obfuscation is optional (disabled by default); detections based on static JS signatures may miss obfuscated variants when OBFUSCATE is enabled.
  • The ROP chain is generated specifically for msvcrt on Windows XP; the gadget address 0x77c39f92 is XP-specific and will differ on other OS versions.