CVE-2009-0187
Published 2009-02-26
Priority P2 · 62 · critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 39.98% (98.4th percentile)
Stack-based buffer overflow in Orbit Downloader 2.8.2 and 2.8.3, and possibly other versions before 2.8.5, allows remote attackers to execute arbitrary code via a crafted HTTP URL with a long host name, which is not properly handled when constructing a "Connecting" log message.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| orbitdownloader | orbit_downloader | — | — |
Detection & IOCs (extracted from sources)
Bytes: \x81\xc4\x54\xf2\xff\xff
- Detect HTTP URLs with excessively long hostnames (>508 bytes) passed to Orbit Downloader's download() ActiveX method; such a URL triggers the stack buffer overflow when the 'Connecting' log message is constructed.
- Monitor for invocation of the Orbit Downloader ActiveX download() method from browser script (e.g., Firefox) with a string argument beginning with 'http://' followed by a hostname of 508+ random alpha characters, the pattern used in both the PoC and the Metasploit module.
- The Metasploit module uses AlphanumMixed encoding with bad chars \x00\x09\x0a\x0d, single-quote, backslash, and ampersand stripped; payload space is 750 bytes. Shellcode in exploit traffic will therefore be alphanumeric-only.
- The return address 0x1008dee3 targets download.dll version 2.7.0.6 on Windows XP SP0–SP3. Presence of this address in network traffic or memory is a strong indicator of exploitation.
- The stack-adjustment prepend encoder sequence \x81\xc4\x54\xf2\xff\xff (ADD ESP, -3500) appears at the start of the encoded payload and can be used as a byte-level signature in network or memory scanning.
- The recommended payload for this exploit is windows/shell_bind_tcp; monitor for unexpected bind-shell activity on Windows hosts running Orbit Downloader after browser interaction.
- The Metasploit module's single target is Windows XP SP0–SP3 with IE 6.0 SP0–SP2 using download.dll 2.7.0.6; the return address 0x1008dee3 is specific to this DLL version and will not work reliably on other configurations.
- The autofilter method returns false in the Metasploit module, so the framework's smart targeting will not select this exploit automatically; it must be chosen explicitly.
No detection rules found.
Exploit-DB · 2010-05-09
Orbit Downloader - Connecting Log Creation Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: orbit_connecting.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Orbit Downloader Connecting Log Creation Buffer Overflow',
      'Description' => %q{
        This module exploits a stack buffer overflow in Orbit Downloader 2.8.4. When an
        attacker serves up a malicious web site, arbitrary code may be executed.
        The PAYLOAD windows/shell_bind_tcp works best.
      },
      'License'     => MSF_LICENSE,
      'Author'      => [ 'MC' ],
      'Version'     => '$Revision: 92
# (module source is truncated at this point in the extract)
```
Exploit-DB · 2009-02-27
Orbit Downloader 2.8.4 - 'Hostname' Remote Buffer Overflow
---
Orbit
Vulnerability discovered by Secunia
Exploit and PoC provided by: JavaGuru
Right click on the link below, then choose download by Orbit; CALC.EXE will pop up.
I got a lot of problems when trying to execute shellcode, because a lot of chars
were forbidden and I was not able to execute shellcode.
After playing a little I found out the solution.
Don't forget, open this HTML in Firefox
Check it out.
Any questions/comments: [email protected]
```javascript
var tmp = "http://";
for (i=0;iRight click, then choose download with orbit');
// (the loop bound, its body and the generated link markup were lost in extraction)
```
# milw0rm.com [2009-02-27]
Metasploit
Orbit Downloader Connecting Log Creation Buffer Overflow
This module exploits a stack buffer overflow in Orbit Downloader 2.8.4. When an attacker serves up a malicious web site, arbitrary code may be executed. The PAYLOAD windows/shell_bind_tcp works best.
No writeups or analysis indexed.
References:
- http://osvdb.org/52294
- http://secunia.com/advisories/33843
- http://secunia.com/secunia_research/2009-9/
- http://www.securityfocus.com/archive/1/501220/100/0/threaded
- http://www.securityfocus.com/bid/33894
- http://www.vupen.com/english/advisories/2009/0521
- https://exchange.xforce.ibmcloud.com/vulnerabilities/48932