waliedassar Posted March 29, 2012 Posted March 29, 2012 In this post i will quickly show you an integer overflow found in OllyDbg v1.10. This leads to a buffer overflow, which can be exploited to execute code arbitrarily. In brief, all you have to do is set the size of Resource table to 0xFFFFFFF7. Olly adds 0x9 to 0xFFFFFFF7, which sums up to Zero due to an integer overflow. Zero byte is then allocated by calling the "GlobalAlloc" function. Finally the "_Readmemory" function is called to copy 0xFFFFFFF7 bytes to the newly allocated memory causing a buffer overflow. See the image below. But wait, there is a minor issue that i need to shed some light on. The "_Readmemory" function, as its name implies, is a wrapper of the kernel32.dll "ReadProcessMemory" function. So why did this call succeed if the number of bytes to copy is that huge? the reason behind this is that the "_Readmemory" function checks to see if data at the target address is cached. If it is cached, the "memcpy" function is directly called and this is where the buffer overflow occurs. Here you can find the demo. http://ollybugs.goog...m/files/you.exe 1
mudlord Posted March 30, 2012 Posted March 30, 2012 Nice one, I take it Olly2 is patched against this attack?
waliedassar Posted March 30, 2012 Author Posted March 30, 2012 (edited) As far as i can see, v2 is not affected by this. The value (with no addition) is directly passed to the "GlobalAlloc" function as a result the function fails./>http://uploadpic.org/v.php?img=rBn8seWhfFWaliedassar Edited March 30, 2012 by waliedassar
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now