cbcvebase.
CVE-2013-3184
published 2013-08-14

CVE-2013-3184: Microsoft Internet Explorer 7 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web…

PriorityP262critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
58.43%
99.0th percentile
Microsoft Internet Explorer 7 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

Affected

4 ranges
VendorProductVersion rangeFixed in
microsoftinternet_explorer
microsoftinternet_explorer
microsoftinternet_explorer
microsoftinternet_explorer

Detection & IOCsextracted from sources · hover to see the quote

commanddocument.execCommand('SelectAll'); document.execCommand('InsertButton');
otherX-UA-Compatible: IE=7 (IE7 document compatibility mode trigger)
othercontentEditable=true with onmove event handler
bytes
0x20302020 (heap spray target address)
  • Detect exploit trigger: HTTP response containing both 'contentEditable' set to true and an 'onmove' event handler alongside execCommand calls for 'SelectAll' and 'InsertButton' — the specific combination required to trigger the UAF.
  • Detect heap spray targeting address 0x20302020 in browser process memory — the Metasploit module sprays fake objects at this fixed address to control freed CFlatMarkupPointer memory.
  • Flag HTTP responses with Cache-Control: no-cache and Content-Type: text/html that also contain both 'InsertButton' execCommand and heap spray JavaScript patterns — characteristic of the Metasploit delivery page.
  • Monitor for mshtml.dll versions 9.0.8112.16446 through 9.0.8112.16502 loaded in iexplore.exe — these are the confirmed vulnerable version range for IE9.
  • Detect use of 'migrate -f' as InitialAutoRunScript in post-exploitation — indicates Metasploit framework delivery and automatic process migration after successful exploitation.
  • ·The Metasploit module only covers IE9 on Windows 7 SP1 with mshtml 9.0.8112.16446; IE8 exploitation requires a different trigger not implemented in this module.
  • ·The UAF object is not always CFlatMarkupPointer — other objects may be freed and reused depending on heap state, which may affect crash signatures used for detection.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.