MS11-050 IE mshtml!CObjectElement Use After Free
Disclosed | Created |
---|---|
Jun 16, 2011 | May 30, 2018 |
Description
This module exploits a use-after-free vulnerability in Internet Explorer. The
vulnerability occurs when an invalid object tag exists and other elements
overlap or cover the position where the object tag should be rendered (because
of their styles/positioning). The mshtml!CObjectElement is then freed from memory
because it is invalid. However, the mshtml!CDisplay object for the page keeps
a reference to the freed object and attempts to call a function on it, leading
to the use-after-free.
Please note that for IE 8 targets, JRE (Java Runtime Environment) is required
to bypass DEP (Data Execution Prevention).
Authors
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
