CVE-2013-1311
Published 2013-05-15
Priority P262 · critical · CVSS 2.0: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 20.70% (97.2th percentile)
Use-after-free vulnerability in Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
Detection & IOCs (extracted from sources)
bytes: \x81\xc4\x54\xf2\xff\xff
bytes: \x0c\x0c\x0c\x0c
- Exploit targets IE 8 on Windows XP SP3 exclusively; User-Agent parsing for 'MSIE 8' and 'Windows NT 5.1' is used to gate delivery of the malicious HTML page.
- Exploit triggers via DOM manipulation: createElement('s'), setting innerHTML with Unicode characters (⍼☠), appending to body, then applying a CSS first-line rule followed by CollectGarbage() — this sequence in JS is a strong behavioral indicator.
- Heap spray uses the heapLib.ie object with a 0x20000 chunk size and NOP sled of repeated 0x0c bytes (0x0c0c0c0c pivot address); detect large allocations of 0x0c-padded blocks in IE memory or network-delivered JS containing 'heapLib.ie'.
- ROP chain uses msvcrt.dll gadget at 0x77c1cafb (POP EBP / RETN) and urlmon.dll gadget at 0x781a04cb (POP ECX / PUSH ESP / RETN); presence of these addresses in memory or network shellcode is a strong indicator of this specific exploit.
- Post-exploitation uses Metasploit's 'migrate -f' as InitialAutoRunScript, meaning process migration occurs immediately after shellcode execution; monitor for unexpected process injection/migration from iexplore.exe.
- Stack pivot prepend encoder bytes \x81\xc4\x54\xf2\xff\xff (ADD ESP, -3500) appear at the start of the shellcode; scan network traffic or memory for this byte sequence preceding shellcode.
- The exploit module supports an optional JavaScript obfuscation mode (OBFUSCATE option); when enabled, static JS-pattern signatures may not match and behavioral/memory-based detection is required.
- ROP gadget addresses (msvcrt.dll 0x77c1cafb, urlmon.dll 0x781a04cb) are specific to Windows XP SP3 versions of those DLLs; addresses will differ on other patch levels or OS versions, limiting direct address-based detection portability.
- The module returns nil (sends HTTP 404) if the User-Agent does not match a supported target, meaning non-IE8/XP clients will not receive the exploit payload — detections relying solely on payload delivery will miss reconnaissance requests.
No detection rules found.
Exploit-DB
Microsoft Internet Explorer - textNode Use-After-Free (MS13-037) (Metasploit)
exploitdb·2013-06-07
CVE-2013-1311 Microsoft Internet Explorer - textNode Use-After-Free (MS13-037) (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "MS13-037 Microsoft Internet Explorer textNode Use-After-Free",
'Description' => %q{
This module exploits a use-after-free vulnerability in Microsoft Internet Explorer
where a DOM textNode pointer becomes corrupted after style computation. This pointer is then overwritten when the innerHTML property on the parent object is set.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Scott Bell ' # Vulnerability discovery & Metasp
```
Exploit-DB
Open-Xchange Server 6 - Multiple Vulnerabilities
exploitdb·2013-03-15·CVSS 4.3
CVE-2013-1651 [MEDIUM] Open-Xchange Server 6 - Multiple Vulnerabilities
---
Multiple security issues for Open-Xchange Server have been discovered and fixed. The vendor has chosen responsible full disclosure to publish security issue details. Users of the software have already been provided with patched versions.
Proof regarding authenticity can be obtained from the published release notes:
http://software.open-xchange.com/OX6/6.20/doc/Release_Notes_for_Public_Patch_Release_1310_6.20.7_Rev14_2013-02-28.pdf
http://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Public_Patch_Release_1311_6.22.0_Rev13_2013-02-28.pdf
http://software.open-xchange.com/OX6/6.22/doc/Release_Notes_for_Public_Patch_Release_1312_6.22.1_Rev14_2013-02-28.pdf
Product: Open-Xchange Server 6
Vendor: Open-Xchange GmbH
Internal refe