CVE-2012-4711
published 2013-02-15

CVE-2012-4711: Buffer overflow in kingMess.exe 65.20.2003.10300 in WellinTech KingView 6.52, kingMess.exe 65.20.2003.10400 in KingView 6.53, and kingMess.exe 65.50.2011.18049…

Priority: P2 (70), critical
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 61.49% (99.1th percentile)
Buffer overflow in kingMess.exe 65.20.2003.10300 in WellinTech KingView 6.52, kingMess.exe 65.20.2003.10400 in KingView 6.53, and kingMess.exe 65.50.2011.18049 in KingView 6.55 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted packet.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
wellintech | kingview | (not listed) | (not listed)
wellintech | kingview | (not listed) | (not listed)
wellintech | kingview | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

filename: kingMess.exe
filename: msf.kvl
filename: .kvl
bytes: \xdd\x07\x03\x00\x03\x00\x0d\x00\x0c\x00\x31\x00\x38\x00\xd4\x01
bytes: \x81\xc4\x54\xf2\xff\xff
  • The exploit targets KingMess.exe via a malformed .kvl (log) file opened through the 'Browse Log Files' option; monitor for KingMess.exe opening .kvl files from untrusted or network locations.
  • The exploit payload uses a stack-adjustment prepend encoder (add esp, -3500, encoded as 0x81 0xc4 0x54 0xf2 0xff 0xff); scan for this byte sequence at the start of shellcode in .kvl files or in network traffic.
  • The exploit uses a fixed ROP/return address, 0x77c35459 (push esp; ret in msvcrt.dll on Windows XP SP3); the presence of this address in memory or in file content associated with KingMess.exe is a strong indicator of exploitation.
  • The malicious .kvl file starts with the version string '6.00' padded to 0x90 bytes, followed by a fixed 16-byte entry header; this structure can serve as a file-based detection signature.
  • The vulnerability is triggered remotely via a specially crafted packet to KingView/KingMess; monitor network traffic on KingView-associated ports for anomalous or oversized packets directed at KingMess.exe.
  • Bad characters for the payload are the null byte, LF, and CR (\x00\x0a\x0d); these are excluded from the shellcode, which can help tune IDS signatures to avoid false negatives on encoded payloads.
  • The Metasploit module's ROP gadget (0x77c35459 in msvcrt.dll) and offset (295) are specific to Windows XP SP3; exploitation on other OS versions would require different offsets and return addresses.
  • The exploit's payload space is limited to 1408 bytes with NOP generation disabled; payloads larger than this will not fit and the exploit will fail, which may affect detection of non-Metasploit variants.
  • The EXITFUNC is set to 'process', meaning successful exploitation terminates the KingMess.exe process after payload execution; unexpected KingMess.exe crashes may indicate exploitation attempts.