cbcvebase.
CVE-2013-2551
published 2013-03-11

Priority: P1 89
CVSS 3.1: 8.8 high
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware
CISA Known Exploited Vulnerability, due 2022-04-18
Exploited in the wild
EPSS: 74.10% (99.4th percentile)

Description
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, as demonstrated by VUPEN during a Pwn2Own competition at CanSecWest 2013, aka "Internet Explorer Use After Free Vulnerability," a different vulnerability than CVE-2013-1308 and CVE-2013-1309.

Affected (5 ranges)

Vendor      Product            Version range   Fixed in
microsoft   internet_explorer
microsoft   internet_explorer
microsoft   internet_explorer
microsoft   internet_explorer
microsoft   internet_explorer

Detection & IOCs (extracted from sources)

domain: amocy.top
url: hxxp://amocy.top/pgioeknieedfacre4rpt6nslpe-8t-ot4b1cm-5ntfmppsn3teeo6aalaaacmnrpkmmpn9eti0n-9a1blr5sepse0coi-elfrplorsepo8or0op3basa7sd1dme9fkiran4mrabecmm/asd.jpeg
url: hxxp://amocy.top/pgioeknieedfacre4rpt6nslpe-8t-ot4b1cm-5ntfmppsn3teeo6aalaaacmnrpkmmpn9eti0n-9a1blr5sepse0coi-elfrplorsepo8or0op3basa7sd1dme9fkiran4mrabecmm/rqqjllfd.html
url: hxxp://dsa.FAITHFULBUSINESSVENTURES.COM/?zniKfrGbJRvMDYA=l3SKfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWksXQ-hbbZwIW-5LGQbM8iVn9xrdBec4vwhKKumlRmLgeQFFd
domain: FAITHFULBUSINESSVENTURES.COM
url: hxxp://dsa.FAITHFULBUSINESSVENTURES.COM/index.php?zniKfrGbJRvMDYA=l3SMfPrfJxzFGMSUb-nJDa9GP0XCRQLPh4SGhKrXCJ-ofSih17OIFxzsqAycFUKCqrF4Qu4Fah2h1QWScEZrmYRPFgVIove8hQLfyhSWksXQ-hbbZwIW-5LGQbM8iVn9xrdBec4vwhKKumlRmLgeQFFT6wkZjuyeV7PC7kpzXlBvEQ7bJN0sohfQDmK1JDEwi_SxUjJ8kvzFuw
hash: D7AB607880B953BA5F87A693278CE14B
hash: 730B8E27C1BB1A3FADB9C10657E7E046
hash: D3E91CC75AC06D8AF70127D3B972EF8E
hash: c6014a32cc06f862ea44db720dfcf553
  • RIG EK landing page stores exploit scripts in JavaScript variables named 's', Base64-encoded; look for multiple variables all named 's' in obfuscated HTML pages containing VBScript and JavaScript payloads.
  • CVE-2013-2551 exploit in Angler EK targets IE 10; detect by monitoring for VML dashstyle.array manipulation — the exploit sets dashstyle.array.item(0x2E+0x16) to read/write memory and leaks ntdll base address via marginLeft CSS property.
  • CVE-2013-2551 exploit abuses vgx.dll VML dashstyle.array length integer overflow; monitor for abnormal VML shape rendering with large dashstyle array lengths in Internet Explorer.
  • RIG EK gate (EITest) identified by iframe URLs pointing to amocy.top with long path strings; filenames use random strings with extensions from the set: html, htm, jpeg, png, jpg, gif, js.
  • Angler EK uses 302 cushioning and domain shadowing to deliver CVE-2013-2551 IE 10 exploit; look for multi-hop 302 redirect chains terminating at a subdomain-shadowed landing page serving VML exploit content.
  • Many RIG EK IOCs (URLs, filenames, session parameters) are individualized per victim/session, making static URL or filename signatures unreliable for detection.
  • Different RIG EK campaigns may use only a single infection stage or substitute different script types (e.g. two VBScripts + one JS instead of the three-variable pattern), reducing the reliability of stage-count-based detection.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd         v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck             8.8     HIGH
cisa                  8.8     HIGH