cbcvebase.
CVE-2009-0183
published 2009-02-03

CVE-2009-0183: Stack-based buffer overflow in Remote Control Server in Free Download Manager (FDM) 2.5 Build 758 and 3.0 Build 844 allows remote attackers to execute…

Priority: P275
Severity: critical, 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 66.53% (99.2th percentile)
Stack-based buffer overflow in Remote Control Server in Free Download Manager (FDM) 2.5 Build 758 and 3.0 Build 844 allows remote attackers to execute arbitrary code via a long Authorization header in an HTTP request.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
free_download_manager | free_download_manager | |
free_download_manager | free_download_manager | |

Detection & IOCs (extracted from sources)

process: fdmwi.exe
bytes: \x81\xc4\xff\xef\xff\xff\x44
  • Detect exploitation attempts by inspecting HTTP requests for an oversized Authorization header (>1012 bytes) sent to the FDM Remote Control Server (default port 80). The header value will be Base64-encoded and abnormally long.
  • Fingerprint the FDM Remote Control Server by matching the HTTP banner/body against the pattern 'FDM Remote control server' or 'Free Download Manager' (case-insensitive) to identify exposed targets.
  • The PoC sends a buffer of 3000 'D' characters in the Authorization header. Look for HTTP requests containing Authorization headers with long repeated-character sequences (e.g., 'DDDD...') as a crash/DoS indicator.
  • The Metasploit module prepends a stack-adjustment stub (\x81\xc4\xff\xef\xff\xff\x44) before the payload encoder. Scan Authorization header content decoded from Base64 for this byte sequence.
  • The exploit targets the extra URL path /compdlds.req on the FDM Remote Control Server. Monitor for HTTP requests to this path as a sign of reconnaissance or exploitation.
  • The Metasploit module hard-codes a single return address target (0x0040ae0f in fdmwi.exe) valid only for FDM 2.5 Build 758; the PoC also covers FDM 3.0 Build 844 but no separate RET address is provided for that build.
  • The payload bad characters exclude \x0d and \x0a (CR/LF), which are HTTP header delimiters; any shellcode used must avoid these bytes.
  • The exploit payload space is limited to 600 bytes; shellcode exceeding this size will not fit within the overflow buffer.
  • EXITFUNC is set to 'thread', meaning the exploit terminates only the handler thread rather than the whole process, which affects post-exploitation stability assumptions.