#1
OllyDbg "INT3 AT" Format String Vulnerability
http://pb.specialised.info/
-> OllyDbg "INT3 AT" Format String Vulnerability. Waiting for a POC.
#2
POC? What's that? Can't it be any easier to fix this?
#3
POC = Proof Of Concept
#4
I found other bugs in OllyDbg. Waiting for your ideas.
The first bug relates to the Progress function and the vsprintf function. Progress is an export function of OllyDbg and is used in the OllyDbg PDK. Rename an EXE file to the new name %s%s%%s.exe. Open it with OllyDbg, and OllyDbg will crash at 004A74CF. The Progress function crashes with these parameters: void Progress(int promille,char *format,...); promille = 1, format = 'Analysing %s%s%s%s$press SPACE to interrupt'. The Progress function calls _vsprintf at 0043188E:
Code:
.text:00431881 loc_431881:                ; CODE XREF: _Progress+5E
.text:00431881 push esi                   ; arglist
.text:00431882 lea eax, [ebp+format]
.text:00431888 push eax                   ; format = 'Analysing %s%s%s%s'
.text:00431889 push offset byte_4E3818    ; buffer
.text:0043188E call _vsprintf
Regards,
TQN
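The two-step pattern TQN describes (a filename printed into a buffer that is then reused as the format of a vsprintf call), as an added C example that is not from this thread or from OllyDbg's source: it counts the conversions a format would consume to show why the crash happens, and puts the proper fix (the name is passed as an argument) next to the escape-every-percent workaround for code that cannot be restructured. The shape of progress_msg is assumed from the Progress prototype quoted above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count the conversions a printf-family format consumes ("%%" is a literal
 * '%' and consumes nothing).  A name like "%s%s%%s.exe" that lands inside a
 * format adds conversions with no argument behind them: the crash above. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%')
            p++;            /* "%%": literal percent, skip the pair */
        else
            n++;            /* real conversion, needs an argument */
    }
    return n;
}

/* Stand-in for Progress(promille, format, ...): assumed shape, not OllyDbg's code. */
void progress_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);   /* fmt must never carry untrusted data */
    va_end(ap);
}

/* Workaround for code that cannot be restructured: double every '%' so the
 * name survives inside a format.  Returns bytes written, sans terminator. */
size_t escape_percent(const char *in, char *out, size_t n)
{
    size_t w = 0;
    for (; *in && w + 2 < n; in++) {
        out[w++] = *in;
        if (*in == '%')
            out[w++] = '%';
    }
    out[w] = '\0';
    return w;
}

/* Proper fix: the filename is an argument, never part of the format. */
void report_analysing(const char *filename, char *out, size_t n)
{
    progress_msg(out, n, "Analysing %s", filename);   /* "%s" in name stays literal */
}
```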
#5
Entry of routine: 4A6EBC
004A6F0F |. 80FB 25 |CMP BL,25
004A6F12 |. 75 08   |JNZ SHORT OLLYDBG.004A6F1C
004A6F14 |. 8A1E    |MOV BL,BYTE PTR DS:[ESI]
004A6F16 |. 80FB 25 |CMP BL,25
004A6F19 |. 75 38   |JNZ SHORT OLLYDBG.004A6F53
25h = "%". This routine is called from nearly everywhere. If there were a way to fix it, Olly would handle all these %s strings.
#6
I agree, MaRKuS-DJM. The problem is this function. It is the _vprinter function in the Borland C++/C++ Builder C Runtime Library. It is called by the sprintf function (the OutputDebugString bug) and the vsprintf function (the bugs above). Do we have a way to fix/work around this function with a code cave patch?
#7
I did a small workaround but it failed in some special cases even if the OutputDebugString bug and the bug you mentioned were fixed. Will go on with fixing work...
#8
I think that any bug connected to OutputDebugString can't be considered a new bug. It's all very similar.
#9
"The bug" is just the mentioned output routine. It belongs to everything with "%s". About the long exe name, I think it is connected to the GetOpenFileNameA API, but not sure, didn't look at it. Would be a possibility; W32Dasm also can't handle such a long path.
#10
Yeah, you can test this too:
Rename any EXE to (alt+255).exe (not in MSDOS). Olly cannot open the EXE file!!! (even Notepad can) and if you try to attach the debugger to this running process then you get an error msg.
#11
taos: didn't have a problem opening such an exe
#12
Attached EXE file with the error.
(It can be because my OS is Spanish, and then the symbol you get when you type alt+255 may be different from yours.) Try the attached file. IMPORTANT: this is not a RAR file, rename it to EXE using the same name (WinRAR has the same error as OLLY).
Last edited by taos; 05-16-2005 at 02:28.
#13
The attached file is a test exe file with a long filename (242). Extract it to C:\ and open it with OllyDbg. OllyDbg will crash.
#14
Hi taos,
Your attached file gives the file name '♣' on clicking the link. So I renamed it as ALT+255, but Olly simply opens it. @TQN I can't extract the test.rar using WinRAR. So I open it in WinRAR, rename it, extract it and again rename it to your longlong .... name. Now it simply crashes Olly and at last leads to a blue screen on my poor PC.
#15
That all depends on the font used in the system; some fonts translate the 'high' characters properly, others do not... It's an old trick, from the Win9x days, where to 'hide' a folder all you had to do was put an alt+255 in front of it and Program Manager/File Manager etc. could not open it...