CVE-2008-1602
Published 2008-04-06
Priority: P2 · 62 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 67.49% (99.2nd percentile)
Stack-based buffer overflow in Orbit downloader 2.6.3 and 2.6.4 allows remote attackers to execute arbitrary code via a long download URL, which is not properly handled during Unicode conversion for a balloon notification after a download has failed.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| orbit_downloader | orbit_downloader | — | — |
| orbit_downloader | orbit_downloader | — | — |
Detection & IOCs (extracted from sources)
- Command/API: MultiByteToWideChar (insecure Unicode conversion of the URL string causing the stack-based buffer overflow)
- Bytes: BadChars: \x00\x09\x0a\x0b\x0c\x0d\x26\x3c
- Detect malicious .metalink files with anomalously long URLs (approaching or exceeding 4096 bytes) opened via Orbit Downloader's 'File->Add Metalink...' option, which is the delivery vector for this exploit.
- Look for .metalink files containing URLs padded with ~4089 bytes of alphanumeric data (4096 minus the length of 'http://'), a hallmark of the exploit's payload construction.
- Flag Orbit Downloader processes (orbitdm.exe) that trigger a balloon notification after a failed download of an extremely long URL, as the overflow occurs during Unicode conversion for that notification.
- Inspect .metalink XML files for <url> elements whose content is a long alphanumeric string followed by '.com/...', matching the exploit's crafted URL structure.
- Detect AlphanumUnicodeMixed-encoded shellcode in memory regions associated with orbitdm.exe, with EAX used as the buffer register, characteristic of this exploit's payload encoding.
- The exploit targets Orbit Downloader versions 2.6.3 and 2.6.4 specifically; the Metasploit module labels its targets as '6.4', but the CVE and NVD confirm that the affected versions are 2.6.3 and 2.6.4.
- The ROP/SEH gadget address (0x4b38) is specific to orbitdm.exe and is only Unicode-compatible; this address will differ across builds and is not ASLR-protected on the targeted platforms (Windows XP SP3 and Windows 7).
- The NOP equivalent used is 0x46 (opcode for 'add [esi+0x0],al'), chosen because it is Unicode-safe; the standard x86 NOP (0x90) cannot be used in this Unicode exploitation context.
- The payload space is limited to 2000 bytes and must be AlphanumUnicodeMixed-encoded; standard shellcode or encoders will not work due to the Unicode conversion constraint and the bad-character restrictions.
No detection rules found.
Exploit-DB
Orbit Downloader - URL Unicode Conversion Overflow (Metasploit) · exploitdb · 2012-02-23
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Orbit Downloader URL Unicode Conversion Overflow',
      'Description' => %q{
        This module exploits a stack-based buffer overflow in Orbit Downloader.
        The vulnerability is due to Orbit converting a URL ascii string to unicode
        in an insecure way with MultiByteToWideChar.
        The vulnerability is exploited with a specially crafted metalink file that
        should be opened with Orbit through the "File->Add Metalink..." option.
      },
      'License'     => MSF_LICENSE
      # the remainder of the module metadata is cut off in this excerpt
    ))
  end
end
```
Metasploit
Orbit Downloader URL Unicode Conversion Overflow
This module exploits a stack-based buffer overflow in Orbit Downloader. The vulnerability is due to Orbit converting a URL ascii string to unicode in an insecure way with MultiByteToWideChar. The vulnerability is exploited with a specially crafted metalink file that should be opened with Orbit through the "File->Add Metalink..." option.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/29669
- http://securityreason.com/securityalert/3798
- http://www.coresecurity.com/?action=item&id=2211
- http://www.securityfocus.com/archive/1/490458/100/0/threaded
- http://www.securityfocus.com/bid/28541
- http://www.vupen.com/english/advisories/2008/1101
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41649