CVE-2009-0184
Published: 2009-02-03
Priority: P3 (56) · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 27.80% (97.8th percentile)
Multiple buffer overflows in the torrent parsing implementation in Free Download Manager (FDM) 2.5 Build 758 and 3.0 Build 844 allow remote attackers to execute arbitrary code via (1) a long file name within a torrent file, (2) a long tracker URL in a torrent file, or (3) a long comment in a torrent file.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| free_download_manager | free_download_manager | — | — |
| free_download_manager | free_download_manager | — | — |
Detection & IOCs (extracted from sources)
Source URLs:
- http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/vmsBtDownloadManager.cpp?r1=11&r2=18
- http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/Bittorrent/fdmbtsupp/vmsBtFileImpl.cpp?r1=9&r2=18
- The exploit triggers a stack buffer overflow via a specially crafted .torrent file whose name field is padded to 10004+ bytes of alphanumeric data followed by a SEH overwrite payload; detect abnormally large 'name', 'announce' (tracker URL), or 'comment' fields in bencoded torrent files.
- The exploit uses a SEH-based overwrite (EXITFUNC=seh) with a pop/pop/ret gadget in msvcp60.dll; monitor for SEH chain corruption pointing into the msvcp60.dll address space (0x76051372 or 0x7605112c) when FDM processes a .torrent file.
- The payload encoder is restricted to AlphanumUpper characters with bad chars \x00, \x2c, \x5c; shellcode in malicious torrent files will therefore appear as purely uppercase alphanumeric encoded data.
- The malicious torrent file is a valid bencoded dictionary with an 'info' key containing an oversized 'name' value; inspect .torrent files opened by FDM for 'name' field lengths exceeding normal bounds (e.g., >10000 bytes).
- A stack adjustment of -3500 bytes is used in the exploit payload; this large negative stack pivot may be detectable via dynamic analysis or memory forensics of FDM process stack frames.
- The pop/pop/ret gadget address differs between the two published exploit versions (0x7605112c vs 0x76051372), both attributed to msvcp60.dll; the exact address is version/patch-level dependent and may vary across Windows installations.
- The exploit targets Free Download Manager 3.0 Build 844 specifically; version 2.5 Build 758 is also listed as vulnerable by NVD, but the Metasploit module only provides a target profile for Build 844.
- Payload space is limited to 1024 bytes with NOP generation disabled; staged or large payloads will not fit and require a stager approach.
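Added example, not code from the page's sources or from FDM: a minimal bencode decoder with a check that flags oversized `announce`, `comment` and `info.name` strings, the three fields the notes above identify. The 10000-byte threshold follows those notes; the sample torrents, tracker URL and helper names (`make_torrent`, `oversized_fields`) are constructed here for illustration.

```python
MAX_FIELD_LEN = 10000  # threshold from the detection notes: flag fields longer than this

def bdecode(data: bytes, pos: int = 0):
    """Decode one bencoded value at `pos`; return (value, offset just past it)."""
    c = data[pos:pos + 1]
    if c == b"i":                                    # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                    # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                    # dict: d<key><value>...e
        out, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            out[key], pos = bdecode(data, pos)
        return out, pos + 1
    if c.isdigit():                                  # string: <length>:<bytes>
        colon = data.index(b":", pos)
        start, length = colon + 1, int(data[pos:colon])
        if start + length > len(data):               # declared length overruns the buffer
            raise ValueError(f"string at offset {pos} overruns input")
        return data[start:start + length], start + length
    raise ValueError(f"malformed bencode at offset {pos}")

def oversized_fields(torrent: bytes, limit: int = MAX_FIELD_LEN) -> dict:
    """Return {field: length} for announce/comment/info.name values longer than limit."""
    meta, _ = bdecode(torrent)
    if not isinstance(meta, dict):
        raise ValueError("top-level bencode value is not a dictionary")
    info = meta.get(b"info")
    fields = {"announce": meta.get(b"announce"), "comment": meta.get(b"comment"),
              "info.name": info.get(b"name") if isinstance(info, dict) else None}
    return {k: len(v) for k, v in fields.items() if isinstance(v, bytes) and len(v) > limit}

def make_torrent(name: bytes, announce: bytes = b"http://tracker.example/announce",
                 comment: bytes = b"constructed sample") -> bytes:
    """Constructed single-file torrent (hypothetical sample, keys in sorted order)."""
    s = lambda b: str(len(b)).encode() + b":" + b   # bencode a byte string
    info = b"d6:lengthi1e4:name" + s(name) + b"12:piece lengthi16384e6:pieces" + s(b"\x00" * 20) + b"e"
    return b"d8:announce" + s(announce) + b"7:comment" + s(comment) + b"4:info" + info + b"e"

if __name__ == "__main__":
    print(oversized_fields(make_torrent(b"ubuntu.iso")))   # {}
    print(oversized_fields(make_torrent(b"A" * 10004)))    # {'info.name': 10004}
```

The length check runs on the decoded structure, so the same scan works for files where the oversized string is the tracker URL or the comment rather than the name.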
No detection rules found.
Exploit-DB: Free Download Manager 3.0 Build 844 - Torrent Parsing Buffer Overflow (Metasploit) (exploitdb · 2010-09-25)
```ruby
##
# $Id: fdm_torrent.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Free Download Manager Torrent Parsing Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Free Download Manager
3.0 Build 844. Arbitrary code execution could occur when parsing a
specially crafted torrent file.
},
'License' => MSF_LICENSE,
'Author' =>
[
'SkD ',
'jduck',
],
'Version' => '$Revision: 10477 $',
'Reference
```
Exploit-DB: Free Download Manager - '.Torrent' File Parsing Multiple Buffer Overflow Vulnerabilities (Metasploit) (exploitdb · 2009-11-11)
```ruby
##
# $Id: fdm_torrent.rb 7455 2009-11-10 21:52:17Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Free Download Manager Torrent Parsing Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Free Download Manager
3.0 Build 844. Arbitrary code execution could occur when parsing a
specially crafted torrent file.
},
'License' => MSF_LICENSE,
'Author' => 'jduck',
'Version' => '$Revision: 7455 $',
'Re
```
Metasploit: Free Download Manager Torrent Parsing Buffer Overflow
This module exploits a stack buffer overflow in Free Download Manager 3.0 Build 844. Arbitrary code execution could occur when parsing a specially crafted torrent file.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/33524
- http://secunia.com/secunia_research/2009-5/
- http://www.securityfocus.com/archive/1/500605/100/0/threaded
- http://www.securityfocus.com/bid/33555
- http://www.vupen.com/english/advisories/2009/0302