CVE-2013-1311
published 2013-05-15

Priority: P262, critical, 9.3 (CVSS 2.0, AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 20.70% (97.2th percentile)

Use-after-free vulnerability in Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer Use After Free Vulnerability."

Affected

1 range
Vendor | Product | Version range | Fixed in
microsoft | internet_explorer | |

Detection & IOCs (extracted from sources)

command: migrate -f
other: 0x0c0c0c0c
other: 0x0c0c0c6c
other: 0x77c1cafb
other: 0x781a04cb
bytes: \x81\xc4\x54\xf2\xff\xff
bytes: \x0c\x0c\x0c\x0c
  • Exploit targets IE 8 on Windows XP SP3 exclusively; User-Agent parsing for 'MSIE 8' and 'Windows NT 5.1' is used to gate delivery of the malicious HTML page.
  • Exploit triggers via DOM manipulation: createElement('s'), setting innerHTML with Unicode characters (⍼☠), appending to body, then applying a CSS first-line rule followed by CollectGarbage() — this sequence in JS is a strong behavioral indicator.
  • Heap spray uses the heapLib.ie object with a 0x20000 chunk size and NOP sled of repeated 0x0c bytes (0x0c0c0c0c pivot address); detect large allocations of 0x0c-padded blocks in IE memory or network-delivered JS containing 'heapLib.ie'.
  • ROP chain uses msvcrt.dll gadget at 0x77c1cafb (POP EBP / RETN) and urlmon.dll gadget at 0x781a04cb (POP ECX / PUSH ESP / RETN); presence of these addresses in memory or network shellcode is a strong indicator of this specific exploit.
  • Post-exploitation uses Metasploit's 'migrate -f' as InitialAutoRunScript, meaning process migration occurs immediately after shellcode execution; monitor for unexpected process injection/migration from iexplore.exe.
  • Stack pivot prepend encoder bytes \x81\xc4\x54\xf2\xff\xff (ADD ESP, -3500) appear at the start of the shellcode; scan network traffic or memory for this byte sequence preceding shellcode.
  • The exploit module supports an optional JavaScript obfuscation mode (OBFUSCATE option); when enabled, static JS-pattern signatures may not match and behavioral/memory-based detection is required.
  • ROP gadget addresses (msvcrt.dll 0x77c1cafb, urlmon.dll 0x781a04cb) are specific to Windows XP SP3 versions of those DLLs; addresses will differ on other patch levels or OS versions, limiting direct address-based detection portability.
  • The module returns nil (sends HTTP 404) if the User-Agent does not match a supported target, meaning non-IE8/XP clients will not receive the exploit payload — detections relying solely on payload delivery will miss reconnaissance requests.