CVE-2008-1602
published 2008-04-06

Priority: P2 (62), critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 67.49% (99.2th percentile)
Stack-based buffer overflow in Orbit downloader 2.6.3 and 2.6.4 allows remote attackers to execute arbitrary code via a long download URL, which is not properly handled during Unicode conversion for a balloon notification after a download has failed.

Affected (2 ranges)

Vendor             Product            Version range   Fixed in
orbit_downloader   orbit_downloader   (not listed)    (not listed)
orbit_downloader   orbit_downloader   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

filename: msf.metalink
other:    0x4b38 (pop/pop/ret unicode-compatible gadget in orbitdm.exe)
command:  MultiByteToWideChar (insecure unicode conversion of URL string causing stack-based buffer overflow)
other:    EncoderType: AlphanumUnicodeMixed with BufferRegister=EAX
hash:     0ab5ce309f313ed028824251c798b35c
bytes:    BadChars: \x00\x09\x0a\x0b\x0c\x0d\x26\x3c
  • Detect malicious .metalink files with anomalously long URLs (approaching or exceeding 4096 bytes) opened via Orbit Downloader's 'File->Add Metalink...' option, which is the delivery vector for this exploit.
  • Look for .metalink files containing URLs padded with ~4089 bytes of alphanumeric data (4096 minus 'http://' length), a hallmark of the exploit's payload construction.
  • Flag Orbit Downloader processes (orbitdm.exe) that trigger a balloon notification after a failed download of an extremely long URL, as the overflow occurs during Unicode conversion for that notification.
  • Inspect .metalink XML files for <url> elements whose content is a long alphanumeric string followed by '.com/...', matching the exploit's crafted URL structure.
  • Detect AlphanumUnicodeMixed encoded shellcode in memory regions associated with orbitdm.exe, with EAX used as the buffer register, characteristic of this exploit's payload encoding.
  • The exploit targets Orbit Downloader versions 2.6.3 and 2.6.4 specifically; the Metasploit module labels targets as '6.4', but the CVE and NVD confirm the affected versions are 2.6.3 and 2.6.4.
  • The ROP/SEH gadget address (0x4b38) is specific to orbitdm.exe and is only unicode-compatible; this address will differ across builds and is not ASLR-protected on the targeted platforms (Windows XP SP3 and Windows 7).
  • The NOP equivalent used is 0x46 (opcode for 'add [esi+0x0],al'), chosen because it is unicode-safe; the standard x86 NOP (0x90) cannot be used in this unicode exploitation context.
  • The payload space is limited to 2000 bytes and must be AlphanumUnicodeMixed encoded; standard shellcode or encoders will not work due to the unicode conversion constraint and bad character restrictions.