Add GetGo Download Manager bof exploit #9642
GetGo Download Manager 5.3.0.2712 - Buffer Overflow https://www.exploit-db.com/exploits/44187/ [Not Tested]
Hey @Auxilus, thanks for the submission and for reaching out on our Slack! Two pieces of quick feedback, and a third, more involved item:
(Note: You should disregard that the above says "port 443", when the code is actually listening on port 80. They're referring to the port the payload will call back on.) The exploit works by setting up an HTTP listener on port 80 on the attacker's box, then having the victim visit the attacker's HTTP listener. But the exploit code here does not listen; instead it tries to connect to the attacker. In other words:
Since the victim is not listening on port 80, the exploit fails. So, we'll need to modify the Metasploit module to listen on port 80. To do that, I would start with swapping out Hopefully that's enough to give you a solid start. Feel free to reach out with any questions. Thanks again!
@asoto-r7 thanks for the info. Yes, I did figure that out. I used
I'll update the documentation as soon as I get the exploit to work.
@Auxilus: Hey, how's it going? Any updates?
Something's wrong; the software gives a "file not found" error. I'm gonna pull up Wireshark... Maybe tomorrow. BTW, the original Python script works fine...
The exploit crashes the software on Windows XP, but no session is opened... I don't think I can debug that; I might need some help.
Sorry we've lost momentum in this pull request. I'll take a look and see what I can figure out. Thank you.
Hi @Auxilus (cc @asoto-r7 ), so I figured out what's wrong with it. Turns out you're just not exploiting the buffer correctly. If you send the data in the HTTP response status instead of the HTTP body, you can overflow it and gain code execution. So I rewrote the exploit for you:
However, I suspect this exploit might be the same as https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/getgodm_http_response_bof.rb, let me take a look at that...
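The mechanism described in the comment above (the overflow is triggered by an oversized HTTP response status line, not the body) suggests a simple defender-side check. The following Ruby is an added example, not code from this PR or from the Metasploit module: it parses a raw HTTP response and flags a status line whose reason phrase is abnormally long or contains non-printable bytes, which is what a proxy or sensor in front of the download manager could look for. The MAX_REASON threshold and the sample responses are assumptions constructed for the example.

```ruby
# Added example (not from the PR or the Metasploit module): heuristic check
# for a hostile HTTP response status line of the kind that overflows the
# GetGo Download Manager client. MAX_REASON is an assumed threshold; RFC-style
# reason phrases are normally a few words long.
MAX_REASON = 128

# Splits the raw response at the first CRLF and returns
# [http_version, status_code, reason_phrase], or nil when the first line is
# not a syntactically valid status line.
def parse_status_line(raw)
  line = raw.b.split("\r\n", 2).first.to_s
  m = line.match(/\A(HTTP\/\d\.\d) (\d{3})(?: ([^\r\n]*))?\z/)
  return nil unless m
  [m[1], m[2].to_i, m[3].to_s]
end

# Returns a hash naming why the status line looks hostile, or nil when it
# looks like an ordinary status line.
def suspicious_status_line(raw)
  parsed = parse_status_line(raw)
  return { reason: :malformed_status_line } if parsed.nil?
  _version, _code, reason = parsed
  if reason.bytesize > MAX_REASON
    return { reason: :oversized_reason_phrase, length: reason.bytesize }
  end
  if reason.bytes.any? { |b| b < 0x20 || b > 0x7e }
    return { reason: :non_printable_bytes }
  end
  nil
end

# Constructed sample responses (not captured traffic).
BENIGN  = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
HOSTILE = "HTTP/1.1 200 " + ("A" * 1000) + "\r\n\r\n"

if __FILE__ == $0
  puts "benign:  #{suspicious_status_line(BENIGN).inspect}"
  puts "hostile: #{suspicious_status_line(HOSTILE).inspect}"
end
```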
@Auxilus So it turns out they are the same thing, but the current one targets an older version of the app, and requires an update. What I'll do here is update that module with you credited, and then I'll close the PR. Thanks for the submission!
thanks @wchen-r7 much appreciated 😀
Release Notes
The GetGo Download Manager buffer overflow exploit now supports version 5. Documentation for the module has also been added.
GetGo Download Manager 5.3.0.2712 - Buffer Overflow
https://www.exploit-db.com/exploits/44187/
Verification
msfconsole
use exploit/windows/smb/getgo_bof