CVE-2009-0187
published 2009-02-26

Priority: P2 (62)
Severity: critical, CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available (PoC and Metasploit module referenced below)
EPSS: 39.98% (98.4th percentile)
Stack-based buffer overflow in Orbit Downloader 2.8.2 and 2.8.3, and possibly other versions before 2.8.5, allows remote attackers to execute arbitrary code via a crafted HTTP URL with a long host name, which is not properly handled when constructing a "Connecting" log message.

Affected

3 ranges (vendor / product / version range / fixed in; the version range and fixed-in values are not present in this record):
orbitdownloader / orbit_downloader / (not given) / (not given)
orbitdownloader / orbit_downloader / (not given) / (not given)
orbitdownloader / orbit_downloader / (not given) / (not given)

Detection & IOCs (extracted from sources)

Version: Orbit Downloader 2.8.2, 2.8.3, 2.8.4
Other: 0x1008dee3 (return address into download.dll 2.7.0.6, see below)
Bytes: \x81\xc4\x54\xf2\xff\xff (stack-adjustment prepend sequence, see below)
  • Detect HTTP URLs with excessively long hostnames (>508 bytes) passed to Orbit Downloader's download() ActiveX method, which triggers the stack buffer overflow when constructing the 'Connecting' log message.
  • Monitor for invocation of the Orbit Downloader ActiveX download() method from browser script (e.g., Firefox) with a string argument beginning with 'http://' followed by a hostname of 508+ random alpha characters — the exploit pattern used in both the PoC and Metasploit module.
  • The Metasploit module uses AlphanumMixed encoding with bad chars \x00\x09\x0a\x0d, single-quote, backslash, and ampersand stripped; payload space is 750 bytes. Shellcode in exploit traffic will be alphanumeric-only.
  • The return address 0x1008dee3 targets download.dll version 2.7.0.6 on Windows XP SP0–SP3. Presence of this address in network traffic or memory is a strong indicator of exploitation.
  • The stack-adjustment prepend encoder sequence \x81\xc4\x54\xf2\xff\xff (ADD ESP, -3500) appears at the start of the encoded payload and can be used as a byte-level signature in network or memory scanning.
  • The recommended payload for this exploit is windows/shell_bind_tcp; monitor for unexpected bind-shell activity on Windows hosts running Orbit Downloader after browser interaction.
  • The Metasploit module's single target is Windows XP SP0–SP3 with IE 6.0 SP0–SP2 using download.dll 2.7.0.6; the return address 0x1008dee3 is specific to this DLL version and will not work reliably on other configurations.
  • The autofilter method returns false in the Metasploit module, meaning this exploit will not be automatically selected by the framework's smart targeting; it must be explicitly chosen.