CVE-2014-0787
published 2014-04-12

CVE-2014-0787: Stack-based buffer overflow in WellinTech KingSCADA before 3.1.2.13 allows remote attackers to execute arbitrary code via a crafted packet.

Priority: P267
CVSS 2.0 score: 10 (critical)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 16.02% (96.5th percentile)

Affected (3 ranges)

Vendor      Product     Version range   Fixed in
wellintech  kingscada   < v3.1.2.13     v3.1.2.13
wellintech  kingscada   <= 3.1.2
wellintech  kingscada   (unspecified)

Detection & IOCs (extracted from sources)

Port: 12401
Other: ROP gadget pop esi / pop edi / retn @ 0x02881fbf (dbghelp.dll)
Bytes: buf[0,4]=0x000004d2, buf[4,4]=0x0000007b, buf[8,4]=0x0000133c
Bytes: \xe9\x4b\xfb\xff\xff (jmp $-1200 at offset 2136)
  • Monitor for large crafted TCP packets (~5000 bytes) sent to port 12401 (KingSCADA AlarmServer) containing the magic header bytes 0xd2040000 / 0x7b000000 / 0x3c130000 at offsets 0, 4, and 8 respectively — characteristic of exploit buffer construction.
  • Detect the SEH-overwrite exploit pattern: look for the near-jump stub bytes \xe9\x4b\xfb\xff\xff within a large packet to port 12401, indicating a backward JMP used to reach shellcode.
  • The vulnerability overwrites the Structured Exception Handler (SEH); alert on SEH-chain corruption events in KingSCADA processes receiving network input on port 12401.
  • Payload bad-character set for this exploit is \x00\x0a\x0d\x20; any IDS signature for the exploit payload on port 12401 should account for these bytes being absent from shellcode.
  • The ROP gadget address (0x02881fbf in dbghelp.dll) is specific to Windows XP SP3 EN with KingSCADA 3.1.1.4; the exploit target and return address will differ on other OS/application version combinations.
  • All KingSCADA versions prior to v3.1.2.13 are affected; the Metasploit module targets version 3.1.1.4 specifically, but the vulnerability is present across all earlier versions.
  • The exploit uses EXITFUNC=process, meaning successful exploitation terminates the AlarmServer process rather than spawning a thread; this may cause service disruption detectable as an unexpected process exit.