CVE-2009-0184
published 2009-02-03

Priority: P3 (56)
CVSS 2.0: 9.3 (critical), vector AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 27.80% (97.8th percentile)
Multiple buffer overflows in the torrent parsing implementation in Free Download Manager (FDM) 2.5 Build 758 and 3.0 Build 844 allow remote attackers to execute arbitrary code via (1) a long file name within a torrent file, (2) a long tracker URL in a torrent file, or (3) a long comment in a torrent file.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
free_download_manager | free_download_manager | (not given) | (not given)
free_download_manager | free_download_manager | (not given) | (not given)

Detection & IOCs (extracted from sources)

filename: msf.torrent
address: 0x7605112c (pop/pop/ret gadget in msvcp60.dll used by one published exploit version; the extractor labelled this "registry", but it is a code address, not a registry key)
address: 0x76051372 (pop/pop/ret gadget in msvcp60.dll used by the other published exploit version; likewise a code address, not a registry key)
url: http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/vmsBtDownloadManager.cpp?r1=11&r2=18
url: http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/Bittorrent/fdmbtsupp/vmsBtFileImpl.cpp?r1=9&r2=18
url: http://downloads.securityfocus.com/vulnerabilities/exploits/33555-SkD.pl
  • The exploit triggers a stack buffer overflow with a crafted .torrent file whose 'name' field is padded to 10004+ bytes of alphanumeric data followed by the SEH overwrite and payload. Detection: flag abnormally large 'name', 'announce' (tracker URL) or 'comment' string values in bencoded torrent files. Bencoded strings are length-prefixed (e.g. "10004:AAAA..."), so the oversized length can be read from the prefix before the content is even parsed.
  • The exploit overwrites the SEH record and returns through a pop/pop/ret gadget in msvcp60.dll (the Metasploit module's exit technique is EXITFUNC=seh, which is separate from the overwrite itself); monitor for an SEH chain entry pointing into msvcp60.dll (0x76051372 or 0x7605112c in the published exploits) while FDM is processing a .torrent file.
  • The payload encoder is restricted to uppercase alphanumeric characters (Metasploit's AlphanumUpper) with bad chars \x00, \x2c and \x5c (NUL, ',' and '\'); encoded shellcode in a malicious torrent therefore appears as a long run of uppercase letters and digits.
  • The malicious torrent is a valid bencoded dictionary whose 'info' dictionary carries an oversized 'name' value; inspect .torrent files opened by FDM for 'name' lengths exceeding normal bounds. The published exploit uses more than 10000 bytes, but since 'name' holds a file or directory name, a much lower threshold (a few hundred bytes) is safe and catches shorter overflow attempts.
  • The exploit prefixes its payload with a stack adjustment of -3500 bytes (Metasploit's StackAdjustment, a "sub esp, 3500" so the decoder does not overwrite itself); this is not a stack pivot, but the unusual stack layout may be visible in dynamic analysis or memory forensics of the FDM process.
  • The pop/pop/ret gadget address differs between the two published exploit versions (0x7605112c vs 0x76051372), both in msvcp60.dll; which address is valid depends on the msvcp60.dll build (Windows version and patch level), so matching on a hard-coded address will miss other builds.
  • The exploit targets Free Download Manager 3.0 Build 844 specifically; version 2.5 Build 758 is also listed as vulnerable by NVD, but the Metasploit module only provides a target profile for Build 844.
  • Payload space is limited to 1024 bytes and NOP generation is disabled; large single-stage payloads will not fit, so a staged payload whose first stage fits in 1024 bytes is required.
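The detection points above reduce to one check: parse the torrent's bencoded dictionary and measure the three string fields named in the CVE description. The following Python is an added example, not FDM's code or the page's own tooling. It assumes a conservative 1024-byte limit (legitimate names, tracker URLs and comments are far shorter) and constructs its own sample torrents; the malicious sample mirrors the shape of the public exploit, a 10004-byte 'name', with plain uppercase filler in place of the real SEH overwrite and encoded payload. The decoder is strict about declared string lengths, which is exactly the check a torrent parser that copies a length-prefixed string into a fixed buffer needs.

```python
"""Scan bencoded .torrent files for the oversized string fields CVE-2009-0184 abuses.

Added example, not code from the page or from Free Download Manager.
Assumption: a legitimate 'name', 'announce' URL or 'comment' is well under 1024 bytes.
"""

MAX_FIELD_LEN = 1024  # assumed threshold; the public exploit pads 'name' past 10000 bytes

# Fields named in the CVE description, keyed by their path in the torrent dictionary.
WATCHED_FIELDS = {
    ("info", "name"): "name",
    ("announce",): "tracker URL",
    ("comment",): "comment",
}


def bdecode(data: bytes):
    """Minimal, strict bencode decoder (ints, byte strings, lists, dicts).

    Rejects a string whose declared length runs past the end of the buffer,
    the kind of length/buffer mismatch the vulnerable parser trusted.
    """
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                if not isinstance(key, bytes):
                    raise ValueError("dict key must be a byte string")
                d[key], i = parse(i)
            return d, i + 1
        if c.isdigit():
            colon = data.index(b":", i)
            length = int(data[i:colon])
            start = colon + 1
            if start + length > len(data):
                raise ValueError("declared string length exceeds buffer")
            return data[start:start + length], start + length
        raise ValueError(f"bad bencode at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


def bencode(value) -> bytes:
    """Encoder, used here only to build the constructed samples below."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b"e"
    raise TypeError(type(value))


def find_oversized_fields(torrent: bytes, limit: int = MAX_FIELD_LEN):
    """Return [(label, length)] for every watched string field longer than `limit`."""
    root = bdecode(torrent)
    if not isinstance(root, dict):
        raise ValueError("torrent root is not a dictionary")
    findings = []
    for path, label in WATCHED_FIELDS.items():
        node = root
        for key in path:
            node = node.get(key.encode()) if isinstance(node, dict) else None
            if node is None:
                break
        if isinstance(node, bytes) and len(node) > limit:
            findings.append((label, len(node)))
    return findings


# Constructed samples (not captured files).
BENIGN_TORRENT = bencode({
    b"announce": b"http://tracker.example/announce",
    b"comment": b"constructed benign sample",
    b"info": {b"name": b"file.iso", b"length": 1024, b"piece length": 16384, b"pieces": b"\x00" * 20},
})

# Same shape as the public exploit: a 10004-byte 'name' (uppercase filler stands in
# for the real SEH overwrite and the AlphanumUpper-encoded payload).
MALICIOUS_TORRENT = bencode({
    b"announce": b"http://tracker.example/announce",
    b"info": {b"name": b"A" * 10004, b"length": 1024, b"piece length": 16384, b"pieces": b"\x00" * 20},
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_TORRENT), ("malicious", MALICIOUS_TORRENT)):
        print(label, find_oversized_fields(blob))
```

Run it on a real file with `find_oversized_fields(open(path, "rb").read())`; a non-empty result names the offending field and its length. The threshold is deliberately far below the 10000+ bytes the exploit uses, so shorter overflow attempts against the same fields are caught as well.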