Tuts 4 You

OllyDBG v1.10 and ImpREC v1.7f export name buffer overflow vulnerability



Posted
;-------------------------------------------------------------------------;
; OllyDBG v1.10 and ImpREC v1.7f export name buffer overflow vulnerability
; PoC (probably older versions affected too, not tested though.)
;
; Included shellcode shows a messagebox (WinXP SP2) and is configured for
; OllyDBG. See lines 60-105 for more details
;-------------------------------------------------------------------------;
; Usage:
; Load this DLL to your process and try to attach OllyDBG or ImpREC
; to it -> Shellcode executed > :)
;
; Shellcode gets fired also if program is run under OllyDBG.
;
; Bug discovered and PoC coded by:
; ~ Defsanguje, Defsanguje [at] gmail [dot] com [July 7 2008]
;-------------------------------------------------------------------------;
; Coded in FASM
;-------------------------------------------------------------------------;

Get the whole exploit code here: http://www.milw0rm.com/exploits/6031

I think this exploit is dangerous. Maybe some software will use it to avoid debugging? Or probably malware will use it.

Keep your eyes open ;)

Posted
More info on ARTeam forum:

http://forums.accessroot.com/index.php?showtopic=7278

TiGa already pointed out that it doesn't affect ChimpREC ;)

Good to hear, Loki :P.

This sounds dangerous if exploited with malicious intent. It's fairly simple, so I wonder if someone came across it accidentally or was auditing :rolleyes: ...

Thanks for the heads up.

KOrUPt.

Posted

I came across the same trick a few months ago in an old SecuROM version when I was doing random testing for my tool.

I'm not sure if they used it intentionally though since it's not present in the more recent versions.

If they had realized it, they probably would have re-used this trick to death.

TiGa

Posted

Anyone tested this with Olly 2?

Posted (edited)

it's not an OllyDbg bug :)

004914EE  50              PUSH EAX
004914EF  8B17            MOV EDX,DWORD PTR DS:[EDI]
004914F1  8D85 C8FAFFFF   LEA EAX,DWORD PTR SS:[EBP-538]
004914F7  52              PUSH EDX
004914F8  51              PUSH ECX
004914F9  50              PUSH EAX
004914FA  56              PUSH ESI
004914FB  8B15 785A4D00   MOV EDX,DWORD PTR DS:[4D5A78]
00491501  52              PUSH EDX
00491502  FF55 E8         CALL [LOCAL.6]                  ; DBGHELP.SymLoadModule << overflow
...
f*cking loop:
6D529AF5  8D95 C8F7FFFF   LEA EDX,DWORD PTR SS:[EBP-838]
6D529AFB  2BD0            SUB EDX,EAX
6D529AFD  8A08            MOV CL,BYTE PTR DS:[EAX]
6D529AFF  880C02          MOV BYTE PTR DS:[EDX+EAX],CL    ; << rewrite stack
6D529B02  40              INC EAX
6D529B03  84C9            TEST CL,CL                      ; << while <> 0
6D529B05  75 F6           JNZ SHORT DBGHELP.6D529AFD
6D529B07  388D C8F7FFFF   CMP BYTE PTR SS:[EBP-838],CL
6D529B0D  74 67           JE SHORT DBGHELP.6D529B76

fastest way - patch olly:

004914EE  JMP 004917F6

Edited by Hellsp@wn
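Added example (not code from the thread, and not from the OllyDbg, ImpREC or dbghelp projects): a small C scanner that reads a PE file's export directory and reports every name at or over 0x838 bytes, the size of the local buffer at [EBP-838] that the byte-copy loop above fills until it sees a NUL. The threshold assumes the export name is what gets copied and that it lands at offset 0 of that buffer; if dbghelp prepends anything to it the real limit is lower, so a name anywhere near that length deserves suspicion. Every read is bounds-checked against the file length so a crafted DLL cannot crash the scanner itself. The `build_sample_dll` helper constructs a throwaway PE32 image for testing and is not a real DLL.

```c
/* pe_export_scan.c: flag export names long enough to overrun a 0x838-byte stack buffer.
 * Added example, not code from the thread. Assumption: the name is copied to offset 0
 * of that buffer, so a name of 0x838 or more bytes reaches the data stored after it. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UNSAFE_LEN 0x838u  /* size of the local at [EBP-838] in the dbghelp listing */
#define BAD ((size_t)-1)

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static size_t bounded_len(const char *s, size_t max) { size_t n = 0; while (n < max && s[n]) n++; return n; }

/* Map an RVA to a file offset through the section table (BAD if it maps nowhere inside the file). */
static size_t rva_to_off(const uint8_t *img, size_t len, size_t sect, unsigned nsect, uint32_t rva) {
    for (unsigned i = 0; i < nsect; i++, sect += 40) {
        if (sect + 40 > len) return BAD;
        uint32_t va = rd32(img + sect + 12), vsz = rd32(img + sect + 8);
        uint32_t raw = rd32(img + sect + 20), rsz = rd32(img + sect + 16);
        uint32_t span = vsz > rsz ? vsz : rsz;
        if (rva >= va && rva - va < span) {
            size_t off = (size_t)raw + (rva - va);
            return off < len ? off : BAD;
        }
    }
    return BAD;
}

/* Length of the longest export name, or -1 if img is not a PE with an export table.
 * *over receives the number of names whose length is >= limit. */
long longest_export_name(const uint8_t *img, size_t len, size_t limit, unsigned *over) {
    *over = 0;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    size_t pe = rd32(img + 0x3C);
    if (pe + 24 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    unsigned nsect = rd16(img + pe + 6);
    size_t opt = pe + 24, opt_sz = rd16(img + pe + 20), sect = opt + opt_sz;
    if (opt_sz < 2 || sect > len) return -1;
    uint16_t magic = rd16(img + opt);
    size_t dd = magic == 0x10b ? 96 : magic == 0x20b ? 112 : 0;   /* PE32 / PE32+ data directory offset */
    if (dd == 0 || dd + 8 > opt_sz || rd32(img + opt + dd - 4) < 1) return -1;  /* NumberOfRvaAndSizes */
    uint32_t exp_rva = rd32(img + opt + dd);                                   /* export directory RVA */
    size_t e = exp_rva ? rva_to_off(img, len, sect, nsect, exp_rva) : BAD;
    if (e == BAD || e + 40 > len) return -1;
    uint32_t nnames = rd32(img + e + 24);                                      /* NumberOfNames */
    size_t tbl = rva_to_off(img, len, sect, nsect, rd32(img + e + 32));        /* AddressOfNames */
    long longest = 0;
    for (uint32_t i = 0; tbl != BAD && i < nnames && tbl + 4 * (size_t)i + 4 <= len; i++) {
        size_t s = rva_to_off(img, len, sect, nsect, rd32(img + tbl + 4 * (size_t)i));
        if (s == BAD) continue;
        size_t n = bounded_len((const char *)img + s, len - s);  /* never run off the file */
        if ((long)n > longest) longest = (long)n;
        if (n >= limit) (*over)++;
    }
    return longest;
}

/* Constructed sample, not a real DLL: a minimal PE32 image with one section at RVA 0x1000 /
 * file offset 0x200 holding an export directory that names the given exports. Returns the
 * image size, or 0 if cap is too small. */
size_t build_sample_dll(uint8_t *out, size_t cap, const char *const *names, unsigned n) {
    const size_t pe = 0x40, opt = pe + 24, sect = opt + 0xE0, raw = 0x200;
    const uint32_t va = 0x1000;
    size_t cur = raw + 40 + 4 * (size_t)n;          /* export dir, name-RVA table, then strings */
    if (cur > cap) return 0;
    memset(out, 0, cap);
    out[0] = 'M'; out[1] = 'Z'; wr32(out + 0x3C, (uint32_t)pe);
    memcpy(out + pe, "PE\0\0", 4); wr16(out + pe + 4, 0x14c); wr16(out + pe + 6, 1);
    wr16(out + pe + 20, 0xE0); wr16(out + pe + 22, 0x2102);       /* DLL, executable image */
    wr16(out + opt, 0x10b); wr32(out + opt + 92, 16);             /* PE32, 16 data directories */
    wr32(out + opt + 96, va); wr32(out + opt + 100, 40);          /* export directory RVA / size */
    memcpy(out + sect, ".edata", 6); wr32(out + sect + 12, va); wr32(out + sect + 20, (uint32_t)raw);
    wr32(out + raw + 24, n); wr32(out + raw + 32, va + 40);       /* NumberOfNames, AddressOfNames */
    for (unsigned i = 0; i < n; i++) {
        size_t l = strlen(names[i]) + 1;
        if (cur + l > cap) return 0;
        wr32(out + raw + 40 + 4 * (size_t)i, (uint32_t)(va + cur - raw));
        memcpy(out + cur, names[i], l);
        cur += l;
    }
    wr32(out + sect + 8, (uint32_t)(cur - raw)); wr32(out + sect + 16, (uint32_t)(cur - raw));
    return cur;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <module.dll>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
    uint8_t *img = sz > 0 ? malloc((size_t)sz) : NULL;
    if (!img || fread(img, 1, (size_t)sz, f) != (size_t)sz) { fclose(f); free(img); return 2; }
    fclose(f);
    unsigned over;
    long longest = longest_export_name(img, (size_t)sz, UNSAFE_LEN, &over);
    if (longest < 0) printf("%s: no export table found\n", argv[1]);
    else printf("%s: longest export name %ld bytes, %u name(s) >= 0x%x\n", argv[1], longest, over, UNSAFE_LEN);
    free(img);
    return over ? 1 : 0;   /* non-zero exit: at least one name crosses the assumed limit */
}
```

Build with `cc -o pe_export_scan pe_export_scan.c` and run it over a module before attaching an unpatched OllyDbg or ImpREC to a process that has it loaded; a non-zero exit means at least one export name is long enough to reach past the 0x838-byte local. The RVA mapping goes through the section table rather than assuming RVA equals file offset, which is what a real on-disk DLL needs, and the test image deliberately uses different values for the two so that path is exercised.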
Posted (edited)

Hi guys,

Sorry for bumping an old topic, but I have some questions:

If this is an MS bug, have they corrected it? If not, doesn't that mean that any program that uses the DbgHelp.dll library and calls SymLoadModule is vulnerable to this exploit?

The last thing I was wondering about... The patch shown by Hellsp@wn makes Olly jump straight over the call to SymLoadModule, thus avoiding the API altogether. But what does this mean for the debugger/us? What functionality (if any) does this affect?

I guess you could probably hotfix DbgHelp.dll and repair the f*&kup, but it's something that would have to be done yourself, otherwise people would be sharing modified system binaries...

Yeah, I know that we share modified files all the time, but it would just be another way for unsuspecting people to get infected when some skiddie decides to be an ***.

HR,

Ghandi

Edited by ghandi
Posted

I always use the latest dbghelp.dll from the Windows Debugging Tools... also the symbol loaders and the Vista psapi.dll.

=]

Posted

>If this is a MS bug, have they corrected? If not, doesn't that mean that any program that uses the DbgHelp.dll library and calls SymLoadModule is vulnerable to this exploit?

This is fixed in Vista and all recent versions of WinDbg.

>The last thing i was wondering about... The patch shown by Hellsp@wn makes Olly jump straight over the call to SymLoadModule, thus avoiding the API altogether. But what does this mean to the debugger/us? What functionality (if any) does this effect?

That does interfere with some debugging. It's not the proper solution. The best thing is to simply replace the DLL, but there are cleaner patches available.
