
OllyDBG v1.10 and ImpREC v1.7f export name buffer overflow vulnerability


8 replies to this topic

#1 Aguila

Aguila

    Addict

  • (Full Member)
  • 278 posts
  • Gender:Male

Posted 08 July 2008 - 11:03 PM


;-------------------------------------------------------------------------;
; OllyDBG v1.10 and ImpREC v1.7f export name buffer overflow vulnerability
; PoC (probably older versions affected too, not tested though.)        
;
; Included shellcode shows a messagebox (WinXP SP2) and is configured for
; OllyDBG. See lines 60-105 for more details
;-------------------------------------------------------------------------;
; Usage:
; Load this DLL to your process and try to attach OllyDBG or ImpREC
; to it -> Shellcode executed > :)
;
; Shellcode gets fired also if program is run under OllyDBG.
;
; Bug discovered and PoC coded by:
; ~ Defsanguje, Defsanguje [at] gmail [dot] com             [July 7 2008]
;-------------------------------------------------------------------------;
; Coded in FASM
;-------------------------------------------------------------------------;

get the whole exploit code here: http://www.milw0rm.com/exploits/6031


I think this exploit is dangerous. Maybe some software will use it to avoid debugging? Or probably malware will use it.
Keep your eyes open  ;)

#2 Loki

Loki

    In the Shadows :)

  • (Team Member+)
  • 3,592 posts
  • Gender:Male
  • Location:Behind you
  • Interests:Stuff. Lots and lots of stuff.

Posted 09 July 2008 - 07:46 AM

More info on ARTeam forum:
http://forums.access...?showtopic=7278

TiGa already pointed out that it doesn't affect ChimpREC ;)

If there's anyone near when we collide we throw them in the middle... they can pick sides. As the plans turn into compromise, the promises all turn to lies, the spite builds up and it can't get through, passive me agressive you. I know i nag, i moan i know... but with a plan like this it's way too slow. In the time it took to get this there i could have made this work, but all i had was the hope that pieces would take shape and we could watch them all fall into place.

#3 KOrUPt

KOrUPt

    Ex-TeamICU

  • (Full Member)
  • 39 posts
  • Gender:Male
  • Location:OEP ;)
  • Interests:Computer Security, Coding, Windows Kernel Development, Reversing.

Posted 09 July 2008 - 04:31 PM

Loki, on Jul 9 2008, 08:46 AM, said:

More info on ARTeam forum:
http://forums.access...?showtopic=7278

TiGa already pointed out that it doesn't affect ChimpREC ;)

Good to hear Loki :P .

This sounds dangerous if exploited with malicious intent. It's fairly simple, so I wonder if someone came across it accidentally or was auditing  :rolleyes: ...

Thanks for the heads up.

KOrUPt.

"The glass isn't half empty, or half full. It's just twice as large as it needs to be. That's your code."

#4 TiGa

TiGa

    Member

  • (Full Member)
  • 78 posts

Posted 10 July 2008 - 12:05 AM

I came across the same trick a few months ago in an old SecuROM version when I was doing random testing for my tool.
I'm not sure if they used it intentionally though since it's not present in the more recent versions.
If they had realized it, they probably would have re-used this trick to death.

TiGa

#5 Killboy

Killboy

    Dixie Mafia

  • (Team Member)
  • 2,017 posts
  • Gender:Male

Posted 10 July 2008 - 08:46 AM

Anyone tested this with Olly 2 ?
(°)>

#6 Hellsp@wn

Hellsp@wn

    Member

  • (Full Member)
  • 48 posts
  • Gender:Male
  • Location:From Moscow

Posted 10 July 2008 - 06:27 PM

It's not an OllyDbg bug :)

004914EE       50             PUSH EAX
004914EF       8B17           MOV EDX,DWORD PTR DS:[EDI]
004914F1       8D85 C8FAFFFF  LEA EAX,DWORD PTR SS:[EBP-538]
004914F7   |.  52             PUSH EDX
004914F8   |.  51             PUSH ECX
004914F9   |.  50             PUSH EAX
004914FA   |.  56             PUSH ESI
004914FB       8B15 785A4D00  MOV EDX,DWORD PTR DS:[4D5A78]
00491501   |.  52             PUSH EDX
00491502   |.  FF55 E8        CALL [LOCAL.6]                   ; DBGHELP.SymLoadModule << overflow
...
f*cking loop:
6D529AF5       8D95 C8F7FFFF  LEA EDX,DWORD PTR SS:[EBP-838]
6D529AFB       2BD0           SUB EDX,EAX
6D529AFD       8A08           MOV CL,BYTE PTR DS:[EAX]
6D529AFF       880C02         MOV BYTE PTR DS:[EDX+EAX],CL     << rewrite stack
6D529B02       40             INC EAX
6D529B03       84C9           TEST CL,CL                       << while <> 0
6D529B05   ^   75 F6          JNZ SHORT DBGHELP.6D529AFD
6D529B07       388D C8F7FFFF  CMP BYTE PTR SS:[EBP-838],CL
6D529B0D       74 67          JE SHORT DBGHELP.6D529B76

Fastest way - patch Olly:
004914EE       JMP 004917F6

Edited by Hellsp@wn, 10 July 2008 - 06:30 PM.

- Proud to be Russian ---
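As an added illustration (not code from the thread, from OllyDbg or from dbghelp), the copy loop Hellsp@wn posted rewritten in C beside a bounded form that rejects any name that does not fit in the destination; NAME_BUF, copy_name_unbounded, copy_name_bounded and export_name_ok are assumed names and the buffer size is arbitrary, standing in for the fixed stack buffer at [EBP-838].

```c
#include <stddef.h>
#include <string.h>

/* Assumed size standing in for the fixed stack buffer in the posted loop. */
#define NAME_BUF 64

/* Mirrors the posted DBGHELP loop: copies bytes until the NUL terminator
 * with no bound on the destination, so a name longer than the buffer walks
 * past it onto the rest of the stack. Kept only for contrast. */
void copy_name_unbounded(char *dst, const char *src)
{
    size_t i = 0;
    do {
        dst[i] = src[i];            /* MOV BYTE PTR [EDX+EAX],CL */
    } while (src[i++] != '\0');     /* TEST CL,CL / JNZ */
}

/* Hardened form: measures the source only up to dst_len, refuses a name
 * that has no room for its terminator, and leaves dst empty on refusal so a
 * caller can never use a partial copy. Returns 1 on success, 0 on refusal. */
int copy_name_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len) {             /* too long (or dst_len == 0): reject */
        if (dst_len)
            dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);        /* n bytes plus the terminator */
    return 1;
}

/* Gate an export/module name before handing it to a symbol loader:
 * 1 means safe to pass on, 0 means skip this name. */
int export_name_ok(const char *name)
{
    char tmp[NAME_BUF];
    return copy_name_bounded(tmp, sizeof tmp, name);
}

int main(void)
{
    char longname[200];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    /* exit status 0 when the short name passes and the long one is refused */
    return (export_name_ok("GetProcAddress") && !export_name_ok(longname)) ? 0 : 1;
}
```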

#7 ghandi

ghandi

    Addict

  • (Full Member)
  • 488 posts
  • Gender:Male

Posted 17 December 2008 - 07:02 AM

Hi guys,

Sorry for bumping an old topic, but I have some questions:

If this is a MS bug, have they corrected it? If not, doesn't that mean that any program that uses the DbgHelp.dll library and calls SymLoadModule is vulnerable to this exploit?

The last thing I was wondering about... The patch shown by Hellsp@wn makes Olly jump straight over the call to SymLoadModule, thus avoiding the API altogether. But what does this mean to the debugger/us? What functionality (if any) does this affect?

I guess you could probably hotfix DbgHelp.dll and repair the f*&kup, but it's something that would have to be done yourself, otherwise people would be sharing modified system binaries...

Yeah, I know that we share modified files all the time, but it would just be another way for unsuspecting people to get infected when some skiddie decides to be an ***.

HR,
Ghandi

Edited by ghandi, 17 December 2008 - 07:02 AM.


#8 Fungus

Fungus

    Reverser

  • (Team Member)
  • 1,324 posts
  • Gender:Male
  • Location:Strongbaddia

Posted 17 December 2008 - 10:24 AM

I use latest dbghelp.dll from Windows Debugging tools always... also the symbol loaders and vista psapi.dll.

=]

#9 Peter Ferrie

Peter Ferrie

    just some random guy

  • (Full Member)
  • 122 posts
  • Gender:Male

Posted 17 December 2008 - 07:56 PM

>If this is a MS bug, have they corrected it? If not, doesn't that mean that any program that uses the DbgHelp.dll library and calls SymLoadModule is vulnerable to this exploit?

This is fixed in Vista and all recent versions of WinDbg.

>The last thing I was wondering about... The patch shown by Hellsp@wn makes Olly jump straight over the call to SymLoadModule, thus avoiding the API altogether. But what does this mean to the debugger/us? What functionality (if any) does this affect?

That does interfere with some debugging. It's not the proper solution. The best thing is to simply replace the DLL, but there are cleaner patches available.
