Jump to content
Tuts 4 You

OllyDbg Resource Table Parsing Integer Overflow


waliedassar

Recommended Posts

waliedassar

In this post i will quickly show you an integer overflow found in OllyDbg v1.10. This leads to a buffer overflow, which can be exploited to execute code arbitrarily.

In brief, all you have to do is set the size of Resource table to 0xFFFFFFF7.

Untitled.png

Olly adds 0x9 to 0xFFFFFFF7, which sums up to Zero due to an integer overflow. Zero byte is then allocated by calling the "GlobalAlloc" function. Finally the "_Readmemory" function is called to copy 0xFFFFFFF7 bytes to the newly allocated memory causing a buffer overflow. See the image below.

resource_overflow.png

But wait, there is a minor issue that i need to shed some light on. The "_Readmemory" function, as its name implies, is a wrapper of the kernel32.dll "ReadProcessMemory" function. So why did this call succeed if the number of bytes to copy is that huge? the reason behind this is that the "_Readmemory" function checks to see if data at the target address is cached. If it is cached, the "memcpy" function is directly called and this is where the buffer overflow occurs.

overrrrr.png

Here you can find the demo.

http://ollybugs.goog...m/files/you.exe

  • Like 1
Link to comment
waliedassar

As far as i can see, v2 is not affected by this. The value (with no addition) is directly passed to the "GlobalAlloc" function as a result the function fails.


/>http://uploadpic.org/v.php?img=rBn8seWhfF

Waliedassar

Edited by waliedassar
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...