CVE-2013-4988
published 2013-12-13


Priority: P2 (62), critical
CVSS 2.0: 9.3, vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public PoC available (see sources below)
EPSS: 67.00% (99.2nd percentile)
Stack-based buffer overflow in IcoFX 2.5 and earlier allows remote attackers to execute arbitrary code via a long idCount value in an ICONDIR structure in an ICO file. NOTE: some of these details are obtained from third party information.

Affected (11 ranges)

Vendor   Product   Version range   Fixed in
icofx    icofx     <= 2.5          (not listed)

The remaining ten entries name vendor icofx, product icofx, with no version range or fixed version given on the page.

Detection & IOCs (extracted from sources)

  • filename: maliciousJOP.ico
  • filename: CORE-2013-1107-icofx-poc.ico
  • url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/30208.zip
  • url: http://www.coresecurity.com/system/files/attachments/2013/12/CORE-2013-1107-icofx-poc.zip
  • gadget (listed as command): add esp, 0x800 # pop ebx # ret @ 0x00447296
  • bytes (crafted ICONDIR header, idCount = 0x6F00): \x00\x00\x01\x00\x00\x6F
  • bytes (nSEH record): \xfe\xff\xff\xff
  • bytes (stack-adjustment prepend, add esp, -3500): \x81\xc4\x54\xf2\xff\xff
  • bytes (PoC shellcode): \x31\xD2\xB2\x30\x64\x8B\x12\x8B\x52\x0C\x8B\x52\x1C\x8B\x42\x08\x8B\x72\x20\x8B\x12\x80\x7E\x0C\x33\x75\xF2\x89\xC7\x03\x78\x3C\x8B\x57\x78\x01\xC2\x8B\x7A\x20\x01\xC7\x31\xED\x8B\x34\xAF\x01\xC6\x45\x81\x3E\x46\x61\x74\x61\x75\xF2\x81\x7E\x08\x45\x78\x69\x74\x75\xE9\x8B\x7A\x24\x01\xC7\x66\x8B\x2C\x6F\x8B\x7A\x1C\x01\xC7\x8B\x7C\xAF\xFC\x01\xC7\x68\x50\x21\x20\x01\x68\x78\x20\x4A\x4F\x68\x49\x63\x6F\x46\x89\xE1\xFE\x49\x0B\x31\xC0\x51\x50\xFF\xD7
  • Detect malicious ICO files by inspecting the ICONDIR idCount field (the little-endian WORD at bytes 4-5 of the ICO header): a value of 0x7f00 (32512), or any other image count far beyond what a real icon carries, is a strong indicator of an exploitation attempt against CVE-2013-4988.
  • Detect crafted ICO files by checking for the ICONDIR magic \x00\x00\x01\x00 (idReserved = 0, idType = 1) followed at offset 4 by an abnormally large idCount; the PoC bytes \x00\x6F decode little-endian to 0x6F00 = 28416 declared images, far more ICONDIRENTRY records than the file actually contains.
  • The exploit triggers a stack-based buffer overflow in the loop at addresses [0x80DA74, 0x80DA93] inside IcoFX2.exe that reads ICONDIRENTRY structures; a crash or exception at 0x80DA95 (a MOVSX instruction) with the SEH handler overwritten is the key crash signature.
  • An nSEH record of \xfe\xff\xff\xff (0xFFFFFFFE) followed by an overwritten SEH handler is the characteristic SEH-based exploit pattern in malicious ICO files targeting IcoFX.
  • The stack-adjustment prepend \x81\xc4\x54\xf2\xff\xff (add esp, -3500, i.e. add esp, 0xFFFFF254) placed before the shellcode is the stack adjustment Metasploit prepends to payloads and is a Metasploit-specific indicator in payloads delivered via malicious ICO files.
  • The vulnerable function is located at 0x80D9F8 in IcoFX2.exe; a process crash or exception originating from this address range during ICO file parsing indicates exploitation of CVE-2013-4988.
  • The Metasploit module targets IcoFX 2.5 on Windows 7 SP1; its ROP gadget addresses are hardcoded from IcoFX2.exe 2.5.0.0 and will not be valid for other versions.
  • The JOP chain exploit (EDB-49959) targets IcoFX 2.6.0.0 on Windows 7 Ultimate x64; its gadget addresses and dispatch table offsets are version-specific and will differ for other builds.
  • The PoC from Core Security was tested on Windows XP SP3 (EN); exploit reliability and gadget addresses may differ on other OS versions.
  • The vulnerability is client-side and requires user interaction: the attack vector is a user opening a specially crafted ICO file, not a network-reachable service.
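The two detection bullets above describe the idCount check in words. The following C program, added here as an example and not taken from the Core Security PoC, the Metasploit module or any IcoFX code, parses the ICONDIR header, decodes idCount as the little-endian WORD at offset 4, and flags counts that are implausibly large or that declare more 16-byte ICONDIRENTRY records than the file can hold. It also shows the hardened directory read for this bug class: the copy is bounded by the caller's array and the file length, never by idCount alone. The 256-image cap, the function names and the sample icon bytes (apart from the six-byte crafted header quoted on the page) are assumptions constructed for the example.

```c
/* ico_check.c: ICONDIR sanity check and bounded directory read (added example). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ICONDIR_SIZE        6
#define ICONDIRENTRY_SIZE   16
/* Assumption for this example: no legitimate icon file carries more images than this. */
#define MAX_SANE_ICON_COUNT 256

enum ico_verdict { ICO_OK, ICO_TRUNCATED, ICO_BAD_HEADER, ICO_SUSPICIOUS_COUNT };

/* One ICONDIRENTRY: 16 bytes on disk, all multi-byte fields little-endian. */
struct icondirentry {
    uint8_t  width, height, color_count, reserved;
    uint16_t planes, bit_count;
    uint32_t bytes_in_res, image_offset;
};

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Inspect the ICONDIR header. idCount is the little-endian WORD at offset 4;
   a count that is absurdly large, or that needs more ICONDIRENTRY bytes than the
   file contains, is reported rather than trusted. */
enum ico_verdict check_ico_header(const uint8_t *buf, size_t len, uint16_t *id_count)
{
    if (len < ICONDIR_SIZE) return ICO_TRUNCATED;
    uint16_t reserved = rd16le(buf), type = rd16le(buf + 2), n = rd16le(buf + 4);
    if (id_count) *id_count = n;
    if (reserved != 0 || (type != 1 && type != 2)) return ICO_BAD_HEADER; /* 1 = icon, 2 = cursor */
    if (n > MAX_SANE_ICON_COUNT) return ICO_SUSPICIOUS_COUNT;
    if ((size_t)n * ICONDIRENTRY_SIZE > len - ICONDIR_SIZE) return ICO_TRUNCATED;
    return ICO_OK;
}

/* Hardened directory read: never copy more entries than the caller's array holds
   or than the file actually contains, whatever idCount claims. Returns entries parsed. */
size_t read_icondir_entries(const uint8_t *buf, size_t len, struct icondirentry *out, size_t cap)
{
    if (len < ICONDIR_SIZE) return 0;
    size_t n = rd16le(buf + 4);
    size_t avail = (len - ICONDIR_SIZE) / ICONDIRENTRY_SIZE; /* entries physically present */
    if (n > avail) n = avail;
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ICONDIR_SIZE + i * ICONDIRENTRY_SIZE;
        out[i].width = e[0]; out[i].height = e[1]; out[i].color_count = e[2]; out[i].reserved = e[3];
        out[i].planes = rd16le(e + 4); out[i].bit_count = rd16le(e + 6);
        out[i].bytes_in_res = rd32le(e + 8); out[i].image_offset = rd32le(e + 12);
    }
    return n;
}

/* Constructed samples. crafted_header is the six-byte header quoted on the page. */
static const uint8_t crafted_header[] = { 0x00,0x00,0x01,0x00,0x00,0x6F };   /* idCount = 0x6F00 */
static const uint8_t benign_ico[] = {
    0x00,0x00,0x01,0x00,0x01,0x00,                 /* ICONDIR: icon, idCount = 1 */
    0x10,0x10,0x00,0x00,0x01,0x00,0x20,0x00,       /* 16x16, planes 1, 32 bpp */
    0x68,0x04,0x00,0x00,0x16,0x00,0x00,0x00        /* 1128 bytes of image at offset 22 */
};
static const uint8_t truncated_ico[] = {
    0x00,0x00,0x01,0x00,0x02,0x00,                 /* claims 2 entries, only 1 follows */
    0x10,0x10,0x00,0x00,0x01,0x00,0x20,0x00,
    0x68,0x04,0x00,0x00,0x16,0x00,0x00,0x00
};

int main(void)
{
    uint16_t n = 0;
    struct icondirentry entries[4];
    printf("crafted:   verdict=%d idCount=%u\n", check_ico_header(crafted_header, sizeof crafted_header, &n), n);
    printf("benign:    verdict=%d idCount=%u\n", check_ico_header(benign_ico, sizeof benign_ico, &n), n);
    printf("truncated: verdict=%d idCount=%u\n", check_ico_header(truncated_ico, sizeof truncated_ico, &n), n);
    printf("entries read from crafted header: %zu\n",
           read_icondir_entries(crafted_header, sizeof crafted_header, entries, 4));
    return 0;
}
```

The cap of 256 is a policy choice for a scanner; a parser that must accept any standards-conforming file can drop it and rely on the file-length bound alone, which already prevents the declared count from driving the copy past the data that exists.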