CVE-2010-2309
published 2010-06-16

CVE-2010-2309: Buffer overflow in the web server for EvoLogical EvoCam 3.6.6 and 3.6.7 allows remote attackers to execute arbitrary code via a long GET request.

Priority: P261, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 50.84% (98.8th percentile)

Affected

2 ranges

Vendor | Product | Version range | Fixed in
evological | evocam | |
evological | evocam | |

Detection & IOCs (extracted from sources)

port: 8080
command: GET <1560+ byte buffer> HTTP/1.0
  • Exploit triggers via an oversized HTTP GET request; for EvoCam 3.6.6 the overflow offset is 1560 bytes, for 3.6.7 it is 1308 bytes. Detect anomalously long GET request URIs to port 8080 targeting EvoCam.
  • The exploit sends a raw HTTP/1.0 GET request with no Host header and a payload-filled URI; pattern-match on 'GET ' followed by >1300 bytes of non-path data before ' HTTP/1.0'.
  • ROP chain uses dyld addresses (0x8fe*) as gadgets; memory forensics or crash dumps showing EIP/RET targets in the 0x8fe00000–0x8fe70000 range on OS X 10.5.8 are indicative of exploitation.
  • Metasploit module bad characters for payload encoding are \x00\xff\x09\x0a\x0b\x0c\x0d\x20; IDS signatures should flag GET request bodies containing long runs of bytes that avoid these values.
  • The exec-from-heap stub begins with a fixed 4-byte fragment \x90\x58\x61\xc3 (nop/pop eax/popa/ret) immediately followed by the setjmp address 0x8fe1cf38; this byte sequence in a GET URI body is a strong exploit indicator.
  • Reverse shell callback expected on victim port 4444 after successful exploitation; monitor for unexpected outbound or inbound connections on TCP/4444 from the EvoCam host process.
  • EvoCam 3.6.8 patches the vulnerability; detections and mitigations are only relevant for versions 3.6.6 and 3.6.7 (and possibly earlier).
  • CVE-2010-2309 is also referenced by a separate UFO: Alien Invasion IRC client exploit (EDB-16864); ensure detections are scoped to the EvoCam HTTP vector (port 8080 GET overflow) and not confused with the IRC vector (port 6667).
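
The request-level indicators listed above can be checked on a reassembled client request as follows. This is an added example, not code from this page or its sources: the function name `inspect_request`, the indicator names, and the sample requests are constructed for illustration, and the little-endian encoding of the setjmp address is an assumption.

```python
import struct

URI_THRESHOLD = 1300  # from the page: >1300 bytes between 'GET ' and ' HTTP/1.0'
# Page indicator: stub \x90\x58\x61\xc3 immediately followed by 0x8fe1cf38.
# Assumption: the address appears little-endian, as on a 32-bit x86 target.
HEAP_STUB = b"\x90\x58\x61\xc3" + struct.pack("<I", 0x8FE1CF38)


def inspect_request(raw, dst_port=8080):
    """Return the names of the indicators matched by one client request."""
    hits = []
    if dst_port != 8080:  # scope to the EvoCam HTTP vector, not IRC/6667
        return hits
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = head.split(b"\n")
    if not lines[0].startswith(b"GET "):
        return hits
    rest = lines[0][4:]
    # A truncated capture may lack the version token; then all of it is URI.
    uri, sep, version = rest.rpartition(b" ")
    if not sep:
        uri, version = rest, b""
    if len(uri) > URI_THRESHOLD:
        hits.append("long_uri")
        has_host = any(l.lower().startswith(b"host:") for l in lines[1:])
        # HTTP/1.0 without Host is common on its own, so it only corroborates.
        if version == b"HTTP/1.0" and not has_host:
            hits.append("http10_no_host")
    if HEAP_STUB in uri:
        hits.append("heap_stub")
    return hits


# Constructed sample requests (filler bytes only, no payload).
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: cam.example:8080\r\n\r\n",
    "short_http10": b"GET / HTTP/1.0\r\n\r\n",
    "long": b"GET " + b"A" * 1400 + b" HTTP/1.0\r\n\r\n",
    "stub": b"GET " + b"A" * 1308 + HEAP_STUB + b" HTTP/1.0\r\n\r\n",
    "truncated": b"GET " + b"A" * 2000,
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, inspect_request(req))
```

The 1300-byte threshold sits just under the 1308-byte offset given for 3.6.7, so it covers both affected versions.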