Authored by M. Akil Gundogan

GOM Player version 2.3.90.5360 man-in-the-middle proof of concept remote code execution exploit.
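A defender-side check for the delivery path described in the script's vulnerability description (plaintext HTTP content steering the embedded IE component to a remote `search-ms:` location), added here as an example and not part of the original exploit. The `crumb=location:` parameter comes from the public search-ms URI syntax, not from this page; the function names, sample bodies and `.test` hosts are constructed for illustration.

```python
import re
from urllib.parse import unquote

# A search-ms: URI, up to the quote, whitespace or angle bracket that ends it in HTML.
SEARCH_MS = re.compile(r"search-ms:[^\s\"'<>]+", re.IGNORECASE)
# crumb=location:<path> names the folder Explorer is asked to search.
LOCATION = re.compile(r"crumb=location:([^&]+)", re.IGNORECASE)
# Remote locations: UNC paths (SMB, or WebDAV via host@port) and http(s) URLs.
REMOTE = re.compile(r"^(\\\\|//|https?://)", re.IGNORECASE)

# Constructed sample bodies (not captured traffic); hosts use the reserved .test TLD.
SAMPLES = {
    "remote-unc": '<script>location.href="search-ms:query=report&crumb=location:%5C%5Cfiles.example.test%5Cshare"</script>',
    "remote-webdav": "<a href='search-ms:query=a&crumb=location:%255C%255Cdav.example.test@80%255Cdocs'>open</a>",
    "local": '<a href="search-ms:query=notes&crumb=location:C%3A%5CUsers%5CPublic">find</a>',
    "plain": "<p>Player start page</p>",
}


def decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (double encoding hides the path)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_remote_search_ms(body):
    """Return the remote locations referenced by search-ms: URIs in an HTTP body."""
    hits = []
    for uri in SEARCH_MS.findall(body):
        match = LOCATION.search(decode(uri))
        if match and REMOTE.match(match.group(1)):
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, find_remote_search_ms(body))
```

Run over response bodies logged by a proxy or IDS for the player's plaintext HTTP requests, any non-empty result is worth an alert, since a local search has no reason to point at a remote share.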

# Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)
# Date: 26.08.2023
# Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/
# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE
# Version: 2.3.90.5360
# Tested on: Windows 10 Pro x64 22H2 19045.3324
# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8

# Impact: GOM Player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.

# Vulnerability Description:
# The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the
# SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target.
# In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window.

# Full disclosure, developers should be more careful about software security.

# Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen on for the reverse shell.

# Some spaghetti and bad code, but it works :)

banner = """\033[38;5;196m+-----------------------------------------------------------+
| GOM Player 2.3.90.5360 - Remote Code Execution |
| Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-) |
+-----------------------------------------------------------+\033[0m""" +"""