Below is the PoC code for CVE-2011-1999 (MS11-081) that accompanies my blog article "Reliable Windows 7 Exploitation: A Case Study" Some notes about the PoC code: - The exploit uses a single vulnerability to both bypass ASLR and execute the payload without requiring any non-ASLR module in memory. - One tiny detail required for triggering the vulnerability has been removed, so the exploit (as given below) should not work, even on vulnerable systems. No, I won't tell you what it is. Sorry kids, this is for educational purposes only. - All offsets in the code were correct for mshtml.dll at the time this exploit code was written. As some time has passed between then and the time the vulnerability was patched, they won't be correct for many vulnerable versions of this module. Writing the exploit that doesn't rely on any hardcoded offsets is left as an exercise for the reader (more difficult, but certainly possible with the combination of the techniques used in the PoC below).