CVE-2010-0688
published 2010-03-19

CVE-2010-0688: Stack-based buffer overflow in Orbital Viewer 1.04 allows user-assisted remote attackers to execute arbitrary code via a crafted (1) .orb or (2) .ov file.

Priority: P350, critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 37.90% (98.4th percentile)

Affected (1 range)

Vendor: orbitals
Product: orbital_viewer
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

filename: mr_me-owns-orbital.orb
filename: exploit.ov
filename: msf.orb
registry: 0x004032a2
bytes: OrbitalFileV1.0
bytes: \x50\x82\x45
bytes: \x0b\x0b\x27\x00
bytes: \xeb\xf9\x90\x90
bytes: \xeb\xf9\xff\xff
bytes: \xe9\xc8\xf9\xff\xff
bytes: \xe9\x52\xfe\xff\xff

  • Malicious .orb or .ov files begin with the magic header 'OrbitalFileV1.0' followed by CR/LF or LF. Files exploiting CVE-2010-0688 contain this header followed by a large (~5045–6060 byte) buffer of padding, NOP sleds, and shellcode before SEH overwrite bytes.
  • The overflow is triggered via fscanf reading into a fixed-size stack buffer with no bounds checking when parsing .ORB files. Look for abnormally large single-line content (thousands of bytes) in .orb/.ov files after the OrbitalFileV1.0 header.
  • SEH-based exploitation: monitor for SEH chain overwrites in ov.exe process. Known PPR gadget addresses used: 0x004032a2 (Metasploit module) and partial overwrite 0x??458250 from ov.exe.
  • Bad characters for payload encoding in this exploit are: \x00\x09\x0a\x0d\x20 — any shellcode in a malicious .orb file will avoid these bytes.
  • Reverse shell payload in exploit connects back on port 4444 from victim to attacker IP 192.168.2.10; bind shell listens on port 4444 on victim (RHOST=192.168.2.55). Network detection should alert on unexpected outbound connections from ov.exe.
  • The partial SEH overwrite address (\x50\x82\x45) from exploit 11581 is a 3-byte partial overwrite specific to ov.exe on Windows XP SP3 and may differ across builds/service packs.
  • The PPR gadget at 0x00457C03 used in exploit 13940 is labeled 'universal' but is specific to ov.exe on Windows XP SP2.
  • The Metasploit module PPR gadget 0x004032a2 is specific to ov.exe version 1.0.0.2 on Windows XP SP3; different versions of ov.exe will require different return addresses.
  • Payload space is limited to 2048 bytes in the Metasploit module due to the fixed-size stack buffer constraint.
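
The file-level check described in the detection notes above, as an added example (not code from the page's sources or from the Orbital Viewer project). It treats the listed bad characters as token delimiters and flags any file whose longest unbroken token after the OrbitalFileV1.0 header is oversized; the 1024-byte threshold, the function name and both sample inputs are assumptions made for illustration.

```python
import re
import sys

MAGIC = b"OrbitalFileV1.0"        # magic header named in the detection notes
# The page lists \x00 \x09 \x0a \x0d \x20 as bad characters; they act as delimiters here.
TOKEN_RE = re.compile(rb"[^\x00\x09\x0a\x0d\x20]+")
MAX_TOKEN = 1024                  # assumed threshold; tune against known-good files


def triage_orbital_file(data, max_token=MAX_TOKEN):
    """Report the longest unbroken token that follows the magic header."""
    report = {"has_magic": data.startswith(MAGIC), "longest_token": 0,
              "offset": None, "non_printable": 0, "suspicious": False}
    if not report["has_magic"]:
        return report             # not an Orbital Viewer file, nothing to judge
    longest = None
    for match in TOKEN_RE.finditer(data, len(MAGIC)):
        if longest is None or len(match.group()) > len(longest.group()):
            longest = match
    if longest is not None:
        token = longest.group()
        report["longest_token"] = len(token)
        report["offset"] = longest.start()   # absolute file offset of the token
        # Bytes outside printable ASCII are unusual in a text token.
        report["non_printable"] = sum(1 for b in token if not 0x21 <= b <= 0x7E)
        report["suspicious"] = len(token) >= max_token
    return report


# Constructed samples: short numeric fields versus one 5045-byte filler token.
# Neither is a real Orbital Viewer document or a real exploit file.
BENIGN = MAGIC + b"\r\n3 2 1\r\n0.5 0.25 1.0\r\n"
OVERSIZED = MAGIC + b"\n" + b"A" * 5045 + b"\n"

if __name__ == "__main__":
    for path in sys.argv[1:]:     # e.g. quarantined .orb/.ov attachments
        with open(path, "rb") as handle:
            print(path, triage_orbital_file(handle.read()))
```

A hit is a reason to quarantine the file and inspect it, not proof of exploitation; the token length and offset in the report show where to look.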