Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   You may want to remove the StrongOD plugin from Olly (https://forum.exetools.com/showthread.php?t=17959)

gabri3l 10-06-2016 02:15

You may want to remove the StrongOD plugin from Olly
 
Recent paper released by Forcepoint uses StrongOD as an example of the risks around relying on an unsupported plugin (that specifically calls home).

TLDR; They identify a vulnerability in the update file StrongOD looks for on startup and sinkhole the domain that StrongOD used to call home in order to capture the IP addresses of Olly users.

hxxps://blogs.forcepoint.com/security-labs/freeman-perils-abandonware

Sound 10-06-2016 22:54

This is a common problem with automatic updating; if the SoD update site still exists, it may not have this problem.

cybercoder 10-07-2016 13:36

Wouldn't it be easier to just modify the plugin or block it with hosts if this is the case? I guess you could exploit this in many ways though, i.e. malware page, IP logger, trojan...

atom0s 10-07-2016 13:48

Various versions are floating around but yes you can patch the dll to not attempt to update. One of the versions checks:
Code:

    .rdata:100436C0 00000028 C http://www.cracklife.com/sod/update.txt

for the current update version. You could block the call entirely or change the URL.

SMH17 10-08-2016 08:44

Firewall it and problem solved. Usually I block the connection of every program in loopback mode if it doesn't require internet to work.

tusk 10-08-2016 18:59

Same here, I always use the firewall in learning mode and choose for every application.
Thanks for the info, Gabri3l.

ZeNiX 10-11-2016 14:04

I remember that you can uncheck the autoupdate option.
Attachment 9056

Stingered 12-30-2017 08:02

I personally don't use this DLL, but...
 
Quote:

Originally Posted by gabri3l (Post 107344)
Recent paper released by Forcepoint uses StrongOD as an example of the risks around relying on an unsupported plugin (that specifically calls home).

TLDR; They identify a vulnerability in the update file StrongOD looks for on startup and sinkhole the domain that StrongOD used to call home in order to capture the IP addresses of Olly users.

hxxps://blogs.forcepoint.com/security-labs/freeman-perils-abandonware

...now you have forced me to stop being lazy and check all my plugins! ;)

(IOW, TY!!!)

Of course, I had a copy, just in case, and checked it: StrongOD v0.4.8.892.rar

    .text:1000F874 push offset aHttpWww_crackl ; "http://www.cracklife.com/sod/update.txt"...
    .text:1000F88F mov ecx, offset aHttpWww_crackl ; "http://www.cracklife.com/sod/update.txt"...
    .text:1000F8AB mov esi, offset aHttpWww_crackl ; "http://www.cracklife.com/sod/update.txt"...
    .rdata:100436C0 aHttpWww_crackl db 'http://www.cracklife.com/sod/update.txt',0 ; DATA XREF: sub_1000F7B0+C4o
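For anyone doing the same "check all my plugins" pass, here is an added Python audit script (not posted by anyone in this thread) that pulls embedded http(s) strings out of a raw plugin DLL image and flags the StrongOD update URL quoted above; the SAMPLE blob is constructed to stand in for a real .rdata section.

```python
import re
from pathlib import Path

# Call-home URL quoted in the thread (StrongOD's startup update check at .rdata:100436C0).
KNOWN_CALLHOME = b"http://www.cracklife.com/sod/update.txt"

# URLs in a PE live as NUL-terminated ASCII C strings; stop at the first non-printable byte.
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,}")


def find_urls(data: bytes):
    """Return (file_offset, url) for every http(s) URL embedded in a raw binary image."""
    return [(m.start(), m.group().decode("ascii")) for m in URL_RE.finditer(data)]


def audit_plugin(data: bytes, known=(KNOWN_CALLHOME,)):
    """Report all URLs found and which of them match a known call-home endpoint."""
    hits = find_urls(data)
    flagged = [(off, url) for off, url in hits if url.encode("ascii") in known]
    return {"urls": hits, "known_callhome": flagged, "calls_home": bool(hits)}


def audit_file(path):
    """Audit a plugin DLL on disk (e.g. StrongOD.dll in Olly's plugin directory)."""
    return audit_plugin(Path(path).read_bytes())


# Constructed sample: a fake .rdata-like blob with the StrongOD string plus an unrelated URL.
SAMPLE = (b"\x00" * 16 + b"Some plugin text\x00"
          + KNOWN_CALLHOME + b"\x00"
          + b"https://example.invalid/other\x00" + b"\x00" * 8)

if __name__ == "__main__":
    report = audit_plugin(SAMPLE)
    for off, url in report["urls"]:
        tag = "  <-- known StrongOD update URL" if (off, url) in report["known_callhome"] else ""
        print(f"0x{off:08x}  {url}{tag}")
```

Any URL it reports is a candidate for a hosts-file or firewall block, as suggested earlier in the thread; a plugin that embeds no URL at all still deserves a look for other network code, since this only catches plain ASCII strings.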
