Vulnerability & Exploit Database

Back to search

MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability

This module exploits a vulnerability found in Microsoft Internet Explorer. A use-after-free condition occurs when a CButton object is freed, but a reference is kept and used again during a page reload, an invalid memory that's controllable is used, and allows arbitrary code execution under the context of the user. Please note: This vulnerability has been exploited in the wild targeting mainly China/Taiwan/and US-based computers.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name



  • eromang
  • mahmud ab rahman
  • juan vazquez <juan.vazquez [at]>
  • sinn3r <sinn3r [at]>
  • Peter Vreugdenhil



  • Automatic
  • IE 8 on Windows XP SP3
  • IE 8 on Windows Vista
  • IE 8 on Windows Server 2003
  • IE 8 on Windows 7


  • windows



Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/browser/ie_cbutton_uaf msf exploit(ie_cbutton_uaf) > show targets ...targets... msf exploit(ie_cbutton_uaf) > set TARGET <target-id> msf exploit(ie_cbutton_uaf) > show options and set options... msf exploit(ie_cbutton_uaf) > exploit

Related Vulnerabilities