CVE-2013-4988
Published: 2013-12-13
Priority: P2 · 62 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 67.00% (99.2nd percentile)
Stack-based buffer overflow in IcoFX 2.5 and earlier allows remote attackers to execute arbitrary code via a long idCount value in an ICONDIR structure in an ICO file. NOTE: some of these details are obtained from third party information.
Affected (11 ranges indexed; only the first carries version data)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| icofx | icofx | <= 2.5 | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- `\x00\x00\x01\x00\x00\x6F`
- `\xfe\xff\xff\xff`
- `\x81\xc4\x54\xf2\xff\xff`
- `\x31\xD2\xB2\x30\x64\x8B\x12\x8B\x52\x0C\x8B\x52\x1C\x8B\x42\x08\x8B\x72\x20\x8B\x12\x80\x7E\x0C\x33\x75\xF2\x89\xC7\x03\x78\x3C\x8B\x57\x78\x01\xC2\x8B\x7A\x20\x01\xC7\x31\xED\x8B\x34\xAF\x01\xC6\x45\x81\x3E\x46\x61\x74\x61\x75\xF2\x81\x7E\x08\x45\x78\x69\x74\x75\xE9\x8B\x7A\x24\x01\xC7\x66\x8B\x2C\x6F\x8B\x7A\x1C\x01\xC7\x8B\x7C\xAF\xFC\x01\xC7\x68\x50\x21\x20\x01\x68\x78\x20\x4A\x4F\x68\x49\x63\x6F\x46\x89\xE1\xFE\x49\x0B\x31\xC0\x51\x50\xFF\xD7`
Detection notes:
- Detect malicious ICO files by inspecting the ICONDIR idCount field (bytes 4-5 of the ICO header): a value of 0x7f00 (32512) or other abnormally large image counts is a strong indicator of exploitation attempts against CVE-2013-4988.
- Detect malicious ICO files by checking for the crafted ICONDIR header magic bytes \x00\x00\x01\x00 followed by an abnormally large idCount (e.g. \x00\x6F = 111 images) at offset 4.
- The exploit triggers a stack-based buffer overflow in the loop at addresses [0x80DA74, 0x80DA93] inside IcoFX2.exe when reading ICONDIRENTRY structures; a crash/exception at 0x80DA95 (MOVSX instruction) with the SEH handler overwritten is a key crash signature.
- The nSEH record \xfe\xff\xff\xff (short jump backwards) followed by a SEH overwrite is a characteristic SEH-based exploit pattern in malicious ICO files targeting IcoFX.
- The stack adjustment prepend encoder \x81\xc4\x54\xf2\xff\xff (ADD ESP, -3500) prepended to shellcode is a Metasploit-specific indicator in payloads delivered via malicious ICO files.
- The vulnerable function is located at 0x80D9F8 in IcoFX2.exe; a process crash or exception originating from this address range during ICO file parsing indicates exploitation of CVE-2013-4988.
Caveats:
- The Metasploit module targets IcoFX 2.5 on Windows 7 SP1; ROP gadget addresses are hardcoded from IcoFX2.exe 2.5.0.0 and will not be valid for other versions.
- The JOP chain exploit (EDB-49959) targets IcoFX 2.6.0.0 on Windows 7 Ultimate x64; gadget addresses and dispatch table offsets are version-specific and will differ for other builds.
- The PoC from Core Security was tested on Windows XP SP3 (EN); exploit reliability and gadget addresses may differ on other OS versions.
- The vulnerability is client-side and requires user interaction; the attack vector is a user opening a specially crafted ICO file, not a network-reachable service.
No detection rules found.
Exploit-DB: IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP (exploitdb · 2021-06-07 · CVSS 9.3 · CRITICAL)
```python
# Exploit Title: IcoFX 2.6 - '.ico' Buffer Overflow SEH + DEP Bypass using JOP
# Date: 2020-05-20
# Exploit Author: Austin Babcock
# Vendor Homepage: https://icofx.ro/
# Software Link: https://drive.google.com/file/d/1SONzNStA_W3pAPU5IUvsYS3z0jYymEZn/view?usp=sharing
# Version: 2.6.0.0
# Tested on: Windows 7 Ultimate x64
# CVE: CVE-2013-4988
# Steps: 1. Run script 2. Open application 3. Open maliciousJOP.ico via file -> open dropdown menu
# Payload Length: 1626 bytes
# While this is an older CVE, it is very rare to have a JOP chain available for a binary which is what this exploit attempts to demonstrate.
# Gadgets were found using the JOP ROCKET tool which is available at https://github.com/Bw3ll/JOP_ROCKET
# This exploi
```
Exploit-DB: IcoFX - Local Stack Buffer Overflow (Metasploit) (exploitdb · 2014-01-07)
```ruby
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# The class header and the initialize/update_info lines below were dropped by the
# extraction (the "<" was treated as an HTML tag) and are restored here from the
# standard Metasploit3 module layout of that era; the excerpt is still truncated.
class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IcoFX Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability in version 2.1
        of IcoFX. The vulnerability exists while parsing .ICO files, where a specially
        crafted ICONDIR header, providing an arbitrary long number of images into the file,
        can be used to trigger the overflow when reading the ICONDIRENTRY structures.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Marcos Accossatto', # Vulnerability discovery, poc
          'juan vazquez' # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2013-4988' ],
          [ 'OSVDB', '100826' ],
          [ 'B
```
Exploit-DB: IcoFX 2.5.0.0 - '.ico' Buffer Overflow (PoC) (exploitdb · 2013-12-11 · CVSS 9.3 · CRITICAL)
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
IcoFX Buffer Overflow Vulnerability
PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/30208.zip
1. *Advisory Information*
Title: IcoFX Buffer Overflow Vulnerability
Advisory ID: CORE-2013-1107
Advisory URL: http://www.coresecurity.com/advisories/icofx-buffer-overflow-vulnerability
Date published: 2013-12-10
Date of last update: 2013-12-10
Vendors contacted: IcoFX Software
Release mode: User release
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2013-4988
3. *Vulnerability Description*
IcoFX [1] is prone to a (client side) sec
Metasploit: IcoFX Stack Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in version 2.1 of IcoFX. The vulnerability exists while parsing .ICO files, where a specially crafted ICONDIR header providing an arbitrary long number of images in the file can be used to trigger the overflow when reading the ICONDIRENTRY structures.
No writeups or analysis indexed.
References:
- http://archives.neohapsis.com/archives/bugtraq/2013-12/0046.html
- http://osvdb.org/100826
- http://packetstormsecurity.com/files/124380/IcoFX-2.5.0.0-Buffer-Overflow.html
- http://packetstormsecurity.com/files/162995/IcoFX-2.6-Buffer-Overflow.html
- http://seclists.org/fulldisclosure/2013/Dec/54
- http://secunia.com/advisories/55964
- http://www.coresecurity.com/advisories/icofx-buffer-overflow-vulnerability
- http://www.exploit-db.com/exploits/30208
- http://www.securityfocus.com/bid/64221
- https://exchange.xforce.ibmcloud.com/vulnerabilities/89611