waliedassar Posted October 15, 2012 (edited)

If you try to FIX DUMP an executable with the IMAGE_NT_HEADERS structure overlapping the IMAGE_DOS_HEADER, i.e. the e_lfanew field has a value less than or equal to 0x38 (and of course, greater than or equal to 0x2), the resulting executable is rejected by the Windows PE loader.

http://uploadpic.org...p?img=BdtSYOk9l

This is due to Scylla moving the IMAGE_NT_HEADERS to offset 0x40 without updating the "e_lfanew" field.

This was tested with Scylla v0.7 beta 7.

Best Regards
Waliedassar

Edited October 15, 2012 by waliedassar
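Added example, not part of the thread and not Scylla's code: a simplified Python model of the behaviour described in the post above, showing why a stale e_lfanew makes the header lookup fail and how updating it restores it. The function names, the constructed sample header (e_lfanew = 0x10) and the assumption that the rebuilt DOS header is "MZ" plus zero padding are all illustrative.

```python
import struct

DOS_HEADER_SIZE = 0x40   # sizeof(IMAGE_DOS_HEADER)
E_LFANEW_OFF = 0x3C      # offset of e_lfanew inside IMAGE_DOS_HEADER
PE_SIG = b"PE\x00\x00"

def read_e_lfanew(image):
    return struct.unpack_from("<I", image, E_LFANEW_OFF)[0]

def headers_overlap(image):
    # Range given in the first post: 0x2 <= e_lfanew <= 0x38.
    return 0x2 <= read_e_lfanew(image) <= 0x38

def nt_headers_size(image, nt_off):
    # Signature (4) + IMAGE_FILE_HEADER (20) + SizeOfOptionalHeader.
    opt_size = struct.unpack_from("<H", image, nt_off + 4 + 16)[0]
    return 4 + 20 + opt_size

def loader_finds_nt_headers(image):
    # Minimal loader-style check: e_lfanew must point at "PE\0\0".
    off = read_e_lfanew(image)
    return image[:2] == b"MZ" and image[off:off + 4] == PE_SIG

def move_nt_headers(image, update_e_lfanew):
    """Model of a dump fixer that places IMAGE_NT_HEADERS at 0x40.
    Assumption: the rebuilt DOS header is "MZ" plus zero padding."""
    old = read_e_lfanew(image)
    nt = image[old:old + nt_headers_size(image, old)]
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    new = DOS_HEADER_SIZE if update_e_lfanew else old  # False = reported bug
    struct.pack_into("<I", dos, E_LFANEW_OFF, new)
    return bytes(dos) + nt + image[old + len(nt):]

def build_sample(nt_off=0x10):
    """Constructed header bytes for the demo (not a loadable executable)."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    buf[nt_off:nt_off + 4] = PE_SIG
    # IMAGE_FILE_HEADER: Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0
    struct.pack_into("<HHIIIHH", buf, nt_off + 4, 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", buf, nt_off + 24, 0x10B)  # PE32 optional header magic
    # Offset 0x3C now falls inside the optional header and must hold nt_off.
    struct.pack_into("<I", buf, E_LFANEW_OFF, nt_off)
    return bytes(buf)
```

A real dump fixer also has to keep the section table and SizeOfHeaders consistent after the move; the model covers only the e_lfanew bookkeeping.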

LCF-AT Posted October 15, 2012

@waliedassar Wow! You can find a lot of bugs. You seem to be the Indiana Jones of RCE. greetz

Aguila Posted October 15, 2012

Thank you very much waliedassar. I didn't even know that this is possible.

waliedassar Posted October 15, 2012 Author

> thank you very much waliedassar. I didn't even know that this is possible.

Files packed with Spack (by Bagie) used to have overlapped headers.

waliedassar Posted October 16, 2012 Author (edited)

Here is a simple executable you can use to test Scylla.

http://goo.gl/UlFVH

Edited October 16, 2012 by waliedassar

Nacho_dj Posted October 17, 2012

> Here is a simple executable you can use to test Scylla. http://goo.gl/UlFVH

Thanks for this valuable info!

Aguila Posted October 17, 2012

I think this little fix is enough for this problem. Only 2 new lines in source code.

Thanks for your help

vnhung Posted November 22, 2012

you can upload the project source code Scylla_v0.7 beta8, thanks