bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/51131.txt
Exploit-DB 564d2ddf47 DB: 2023-03-30 
13 changes to exploits/shellcodes/ghdb

DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure

Uniview NVR301-04S2-P4 - Reflected Cross-Site Scripting (XSS)

Book Store Management System 1.0.0 - Stored Cross-Site Scripting (XSS)

Helmet Store Showroom v1.0 - SQL Injection

Human Resource Management System 1.0 - SQL Injection (unauthenticated)

Revenue Collection System v1.0 - Remote Code Execution (RCE)

WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)

Outline V1.6.0 - Unquoted Service Path
Inbit Messenger v4.9.0 - Unauthenticated Remote Command Execution (RCE)
Inbit Messenger v4.9.0 - Unauthenticated Remote SEH Overflow

Internet Download Manager v6.41 Build 3 - Remote Code Execution (RCE)
2023-03-30 00:16:31 +00:00

43 lines
No EOL
2.8 KiB
Text
Raw Blame History

# Exploit Title: Internet Download Manager v6.41 Build 3 - Remote Code Execution (RCE)
# Date: 15.11.2022
# Exploit Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://www.internetdownloadmanager.com/
# Software Link: https://mirror2.internetdownloadmanager.com/idman641build3.exe?v=lt&filename=idman641build3.exe
# Version: v.6.41 Build 3
# Tested on: Windows 10 Professional x64
# PoC Video: https://youtu.be/0djlanUbfY4
Vulnerabiliy Description:
---------------------------------------
Some help files are missing in non-English versions of Internet Download Manager. Help files with the extension
".chm" prepared in the language used are downloaded from the internet and run, and displayed to users. This download is
done over HTTP, which is an insecure protocol. An attacker on the local network can spoof traffic with a MITM attack and
replaces ".chm" help files with malicious ".chm" files. IDM runs ".chm" files automatically after downloading.
This allows the attacker to execute code remotely.
It also uses HTTP for checking and downloading updates by IDM. The attacker can send fake updates as if the victim has a new update to the system.
Since we preferred to use Turkish IDM, our target address in the MITM attack was "http://www.internetdownloadmanager.com/languages/tut_tr.chm".
Requirements:
---------------------------------------
The attacker and the victim must be on the same local network.
The victim using the computer must have a user account with administrative privileges on the system. The attacker does not need to have administrator privileges!
Step by step produce:
---------------------------------------
1 - The attacker prepares a malicious CHM file. You can read the article at "https://sevenlayers.com/index.php/316-malicious-chm" for that.
2 - A MITM attack is made against the target using Ettercap or Bettercap.
3 - Let's redirect the domains "internetdownloadmanager.com" and "*.internetdownloadmanager.com" to our attacker machine with DNS spoofing.
4 - A web server is run on the attacking machine and the languages directory is created and the malicious ".chm" file with the
same name (tut_tr.chm / the file according to which language you are using.) is placed in it.
5 - When the victim opens Internet Download Manager and clicks on the "Tutorials" button, the download will start and our malicious ".chm" file will run automatically when it's finished.
Advisories:
---------------------------------------
Developers should stop using insecure HTTP in their update and download modules. In addition, every downloaded file
should not be run automatically, additional warning messages should be displayed for users.
Special thanks: p4rs, ratio, blackcode, zeyd.can and all friends.
---------------------------------------
Reference in a new issue View git blame Copy permalink