Tuts 4 You

OllyDBG v1.10 and ImpREC v1.7f export name buffer overflow vulnerability


Aguila


;-------------------------------------------------------------------------;
; OllyDBG v1.10 and ImpREC v1.7f export name buffer overflow vulnerability
; PoC (probably older versions affected too, not tested though.)
;
; Included shellcode shows a messagebox (WinXP SP2) and is configured for
; OllyDBG. See lines 60-105 for more details
;-------------------------------------------------------------------------;
; Usage:
; Load this DLL to your process and try to attach OllyDBG or ImpREC
; to it -> Shellcode executed > :)
;
; Shellcode gets fired also if program is run under OllyDBG.
;
; Bug discovered and PoC coded by:
; ~ Defsanguje, Defsanguje [at] gmail [dot] com [July 7 2008]
;-------------------------------------------------------------------------;
; Coded in FASM
;-------------------------------------------------------------------------;

Get the whole exploit code here: http://www.milw0rm.com/exploits/6031

I think this exploit is dangerous. Maybe some software will use it to avoid debugging? Or probably malware will use it.

Keep your eyes open ;)


I came across the same trick a few months ago in an old SecuROM version when I was doing random testing for my tool.

I'm not sure if they used it intentionally though since it's not present in the more recent versions.

If they had realized it, they probably would have re-used this trick to death.

TiGa


It's not an OllyDbg bug :)

004914EE  50             PUSH EAX
004914EF  8B17           MOV EDX,DWORD PTR DS:[EDI]
004914F1  8D85 C8FAFFFF  LEA EAX,DWORD PTR SS:[EBP-538]
004914F7  52             PUSH EDX
004914F8  51             PUSH ECX
004914F9  50             PUSH EAX
004914FA  56             PUSH ESI
004914FB  8B15 785A4D00  MOV EDX,DWORD PTR DS:[4D5A78]
00491501  52             PUSH EDX
00491502  FF55 E8        CALL [LOCAL.6]                  ; DBGHELP.SymLoadModule << overflow
...
f*cking loop:
6D529AF5  8D95 C8F7FFFF  LEA EDX,DWORD PTR SS:[EBP-838]
6D529AFB  2BD0           SUB EDX,EAX
6D529AFD  8A08           MOV CL,BYTE PTR DS:[EAX]
6D529AFF  880C02         MOV BYTE PTR DS:[EDX+EAX],CL    << rewrite stack
6D529B02  40             INC EAX
6D529B03  84C9           TEST CL,CL                      << while <> 0
6D529B05  75 F6          JNZ SHORT DBGHELP.6D529AFD
6D529B07  388D C8F7FFFF  CMP BYTE PTR SS:[EBP-838],CL
6D529B0D  74 67          JE SHORT DBGHELP.6D529B76

Fastest way - patch Olly:

004914EE JMP 004917F6



Hi guys,

Sorry for bumping an old topic, but I have some questions:

If this is a MS bug, have they corrected it? If not, doesn't that mean that any program that uses the DbgHelp.dll library and calls SymLoadModule is vulnerable to this exploit?

The last thing I was wondering about... The patch shown by Hellsp@wn makes Olly jump straight over the call to SymLoadModule, thus avoiding the API altogether. But what does this mean to the debugger/us? What functionality (if any) does this affect?

I guess you could probably hotfix DbgHelp.dll and repair the f*&kup, but it's something that would have to be done yourself, otherwise people would be sharing modified system binaries...

Yeah, i know that we share modified files all the time, but it would just be another way for unsuspecting people to get infected when some skiddie decides to be an ***.

HR,

Ghandi


>If this is a MS bug, have they corrected it? If not, doesn't that mean that any program that uses the DbgHelp.dll library and calls SymLoadModule is vulnerable to this exploit?

This is fixed in Vista and all recent versions of WinDbg.

>The last thing I was wondering about... The patch shown by Hellsp@wn makes Olly jump straight over the call to SymLoadModule, thus avoiding the API altogether. But what does this mean to the debugger/us? What functionality (if any) does this affect?

That does interfere with some debugging. It's not the proper solution. The best thing is to simply replace the DLL, but there are cleaner patches available.
