CVE-2011-0406
published 2011-01-11

CVE-2011-0406: Heap-based buffer overflow in HistorySvr.exe in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a long request to TCP port 777.

Priority: P269, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 20.94% (97.2th percentile)

Affected (1 range)

Vendor | Product | Version range | Fixed in
wellintech | kingview | |

Detection & IOCs (extracted from sources)

port: TCP/777
process: HistorySvr.exe
path: C:\Program Files\Kingview\HistorySvr.exe
bytes:
\x90 * 1024 + \x44 * 31788 + \xeb\x14 + \x44 * 6 + \xad\xbb\xc3\x77 + \xb4\x73\xed\x77
bytes:
\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9\x44\x80\xc2\x77\xFF\xD1\x90\x90
  • Monitor for large TCP connections (>32KB payload) to port 777 targeting HistorySvr.exe; the exploit sends a payload of 1024 NOP bytes followed by 31788 bytes of 0x44, which is a distinctive oversized request pattern.
  • HistorySvr.exe listens on TCP port 777 and requires NO authentication; any inbound connection to this port from an external/untrusted host should be treated as suspicious.
  • Look for heap corruption indicators in HistorySvr.exe crash telemetry: EAX=0x42424242 and ECX=0x44444444 are canary values written by the exploit to overwrite Flink/Blink heap pointers.
  • Detect exploit attempts by looking for the JMP short opcode sequence 0xEB 0x14 embedded within a large block of 0x44 bytes in a TCP/777 stream, which is the exploit's heap-overwrite pivot.
  • The shellcode payload in the PoC only launches calc.exe (proof-of-concept); real-world attacks would substitute arbitrary shellcode, so byte-for-byte shellcode matching alone is insufficient for detection.
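
The structural checks from the bullets above (request size, NOP run, JMP short inside 0x44 filler), written as an added example for a reassembled client-to-server TCP/777 stream; this is not code from the original page or from any vendor. The function names, the 64-byte context threshold and both sample streams are assumptions constructed for illustration, and the benign sample is arbitrary bytes, not the real KingView protocol.

```python
"""Structural checks for a reassembled client->server TCP/777 stream."""

MAX_REQUEST = 32 * 1024      # page: payloads above 32KB are suspicious
FILLER = bytes([0x44])       # filler byte named on the page
NOP = bytes([0x90])          # NOP byte named on the page
PIVOT = b"\xeb\x14"          # JMP short opcode sequence named on the page
CONTEXT = 64                 # assumed: minimum run length that counts as a block


def pivot_in_filler(stream: bytes) -> bool:
    """True if EB 14 sits directly inside a block of 0x44 bytes."""
    pos = stream.find(PIVOT)
    while pos != -1:
        before = stream[max(0, pos - CONTEXT):pos]
        after = stream[pos + len(PIVOT):pos + len(PIVOT) + 1]
        if before == FILLER * CONTEXT and after == FILLER:
            return True
        pos = stream.find(PIVOT, pos + 1)
    return False


def scan_stream(stream: bytes) -> list[str]:
    """Return the names of the structural indicators present in the stream."""
    findings = []
    if len(stream) > MAX_REQUEST:
        findings.append("oversized_request")
    if NOP * CONTEXT in stream:
        findings.append("nop_run")
    if pivot_in_filler(stream):
        findings.append("jmp_short_in_0x44_block")
    return findings


# Constructed samples: layout only, no return addresses and no shellcode.
SAMPLE_SUSPECT = NOP * 1024 + FILLER * 31788 + PIVOT + FILLER * 6
# Arbitrary short request that happens to contain EB 14 outside any filler.
SAMPLE_BENIGN = b"\x01\x00\x00\x10history query" + PIVOT + b"\x00" * 32

if __name__ == "__main__":
    for name, data in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, len(data), scan_stream(data))
```

Because none of the checks depend on the shellcode bytes, the result is unchanged when the trailing payload is swapped, which is the point of the last bullet.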