waliedassar Posted March 29, 2012

In this post I will quickly show you an integer overflow found in OllyDbg v1.10. This leads to a buffer overflow, which can be exploited to execute arbitrary code.

In brief, all you have to do is set the size of the Resource table to 0xFFFFFFF7. Olly adds 0x9 to 0xFFFFFFF7, which sums up to zero due to an integer overflow. Zero bytes are then allocated by calling the "GlobalAlloc" function. Finally, the "_Readmemory" function is called to copy 0xFFFFFFF7 bytes to the newly allocated memory, causing a buffer overflow. See the image below.

But wait, there is a minor issue that I need to shed some light on. The "_Readmemory" function, as its name implies, is a wrapper of the kernel32.dll "ReadProcessMemory" function. So why did this call succeed if the number of bytes to copy is that huge? The reason behind this is that the "_Readmemory" function checks to see if data at the target address is cached. If it is cached, the "memcpy" function is called directly, and this is where the buffer overflow occurs.

Here you can find the demo.
http://ollybugs.goog...m/files/you.exe
mudlord Posted March 30, 2012

Nice one, I take it Olly2 is patched against this attack?
waliedassar Posted March 30, 2012 (edited)

As far as I can see, v2 is not affected by this. The value (with no addition) is directly passed to the "GlobalAlloc" function; as a result, the function fails.
http://uploadpic.org/v.php?img=rBn8seWhfF

Waliedassar

Edited March 30, 2012 by waliedassar
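The two posts above describe the arithmetic without showing it. The following is an added example, written for this page and not code from OllyDbg or from the thread's author, that reproduces the size calculation described for v1.10 (size + 9 wrapping to zero while the copy still uses the original size) and contrasts it with a checked variant that rejects the wrap. The constant name RESOURCE_SIZE_TRIGGER, the function names and the "available bytes" bound are all assumptions made for the illustration; the v2 behaviour mentioned in the reply (passing the unmodified size to GlobalAlloc, which then fails for a ~4 GiB request) is noted in a comment rather than reproduced, since no real allocation is attempted here.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the header field the post refers to: the Size of
 * the PE resource directory as read from the file by OllyDbg 1.10. */
#define RESOURCE_SIZE_TRIGGER 0xFFFFFFF7u

/* Mirrors the arithmetic described for OllyDbg 1.10: the 32-bit size is
 * incremented by 9 before allocation. 0xFFFFFFF7 + 9 wraps to 0 (unsigned
 * wraparound), so the allocator is asked for zero bytes while the later copy
 * still uses the original 0xFFFFFFF7. */
uint32_t olly110_alloc_size(uint32_t resource_size)
{
    return resource_size + 9u;
}

/* Hardened variant (an assumption for this example, not OllyDbg code): reject
 * any size whose increment would wrap, and any size larger than the data that
 * is actually available to copy. Returns 0 on success, -1 on rejection. */
int checked_alloc_size(uint32_t resource_size, uint32_t available_bytes,
                       uint32_t *out_size)
{
    if (resource_size > UINT32_MAX - 9u)   /* resource_size + 9 would wrap */
        return -1;
    if (resource_size > available_bytes)   /* more than the file can supply */
        return -1;
    *out_size = resource_size + 9u;
    return 0;
}

/* Simulates the allocate-then-copy step by comparing sizes only; no buffer is
 * actually overrun. Returns 1 if the copy length exceeds the allocation (the
 * condition described in the post), 0 if it fits, -1 if the hardened check
 * rejects the request. The v2 behaviour from the reply would correspond to
 * alloc_size == resource_size: the copy fits, but the ~4 GiB allocation itself
 * fails, so the code path never reaches the copy. */
int simulate_copy(uint32_t resource_size, uint32_t available_bytes, int hardened)
{
    uint32_t alloc_size;
    if (hardened) {
        if (checked_alloc_size(resource_size, available_bytes, &alloc_size) != 0)
            return -1;
    } else {
        alloc_size = olly110_alloc_size(resource_size);
    }
    /* _Readmemory copies resource_size bytes: the original value, not the wrapped one. */
    return resource_size > alloc_size ? 1 : 0;
}

int main(void)
{
    /* 0x1000 stands in for the amount of file data present (constructed value). */
    printf("0x%08X + 9 = 0x%08X\n", RESOURCE_SIZE_TRIGGER,
           olly110_alloc_size(RESOURCE_SIZE_TRIGGER));
    printf("v1.10 path, copy overruns allocation: %d\n",
           simulate_copy(RESOURCE_SIZE_TRIGGER, 0x1000u, 0));
    printf("hardened path, request rejected (-1): %d\n",
           simulate_copy(RESOURCE_SIZE_TRIGGER, 0x1000u, 1));
    printf("hardened path, ordinary size fits (0): %d\n",
           simulate_copy(0x200u, 0x1000u, 1));
    return 0;
}
```

The point to take from the checked version is the order of the tests: the wrap check must be done on the operands before the addition, not on its result, because after the addition the wrapped value of 0 looks perfectly valid to a naive "size != 0" or "size < limit" test.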