Exetools  

  #1  
Old 05-15-2005, 01:21
sKip
OllyDbg "INT3 AT" Format String Vulnerability

http://pb.specialised.info/

-> OllyDbg "INT3 AT" Format String Vulnerability

Waiting for a POC
  #2  
Old 05-15-2005, 05:32
nikola
POC? What's that? Can't it be any easier to fix this?
  #3  
Old 05-15-2005, 06:14
MrAnonymous
POC = Proof Of Concept
  #4  
Old 05-15-2005, 11:20
TQN
I found some other bugs in OllyDbg. Waiting for your ideas.

The first bug relates to the Progress function and the vsprintf function. Progress is an export function of OllyDbg and is used in the OllyDbg PDK. Rename an EXE file to the new name %s%s%%s.exe. Open it with OllyDbg, and OllyDbg will crash at 004A74CF. The Progress function crashes with these parameters:
void Progress(int promille,char *format,...);
promille = 1
format = 'Analysing %s%s%s%s$press SPACE to interrupt'.
The Progress function call _vsprintf function at 0043188E:
Code:
.text:00431881 loc_431881:                             ; CODE XREF: _Progress+5E
.text:00431881 push    esi                             ; arglist
.text:00431882 lea     eax, [ebp+format]
.text:00431888 push    eax                             ; format = 'Analysing %s%s%s%s'
.text:00431889 push    offset byte_4E3818              ; buffer
.text:0043188E call    _vsprintf
Another bug relates to long EXE file names. Rename an EXE file to a long new name (longer than 240). Open it with OllyDbg, and OllyDbg will crash.

Regards,
TQN
  #5  
Old 05-15-2005, 17:41
MaRKuS-DJM
Entry of routine: 4A6EBC

004A6F0F |. 80FB 25 |CMP BL,25
004A6F12 |. 75 08 |JNZ SHORT OLLYDBG.004A6F1C
004A6F14 |. 8A1E |MOV BL,BYTE PTR DS:[ESI]
004A6F16 |. 80FB 25 |CMP BL,25
004A6F19 |. 75 38 |JNZ SHORT OLLYDBG.004A6F53
25h = "%"
this routine is called from nearly everywhere. if there were a way to fix it, olly would handle all these %s strings.
  #6  
Old 05-15-2005, 21:32
TQN
I agree, MaRKuS-DJM. The problem is this function. It is the _vprinter function in the Borland C++/C++ Builder C Runtime Library. It is called by the sprintf function (the OutputDebugString bug) and the vsprintf function (the bugs above). Do we have a way to fix/work around this function with a code cave patch?
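The defect behind both crashes in posts #4 and #6 is the same: a string the debugger did not author (the file name) ends up as the format argument of vsprintf, and a fixed-size buffer receives the result. The following is an added example, not OllyDbg's or the Borland runtime's code, showing the three things a fixed build would do instead: pass the name as an argument to a literal format with a bounded write, detect unescaped directives in untrusted text, and double every '%' when a string must still travel through a printf-style format (the 25h/25h check MaRKuS-DJM's disassembly in post #5 is performing). Function and buffer names are assumptions; the inputs are constructed from the names used in posts #4 and #13.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Safe counterpart to the Progress() message: the file name is an ARGUMENT
 * to a literal format, so '%' bytes in it are copied verbatim instead of
 * being interpreted. snprintf bounds the write, so a 240+ byte name is
 * truncated instead of overrunning the buffer. Returns the number of
 * characters stored (excluding the NUL), or -1 on error. */
static int build_progress_message(char *out, size_t outsz, const char *filename)
{
    int n = snprintf(out, outsz, "Analysing %s", filename);
    if (n < 0)
        return -1;
    if ((size_t)n >= outsz)          /* output was truncated */
        return (int)(outsz - 1);
    return n;
}

/* Counts unescaped '%' directives. A string from an untrusted source (a file
 * name, an OutputDebugString payload) with a non-zero count must never be
 * passed where a format string is expected. "%%" is a literal percent and
 * is not counted. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {           /* "%%" -> literal '%' */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Doubling every '%' turns a string into a pure literal for a printf-style
 * format. Returns the output length, or -1 if outsz is too small. */
static int escape_percent(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= outsz)       /* keep room for the terminating NUL */
            return -1;
        out[o++] = *in;
        if (*in == '%')
            out[o++] = '%';
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed inputs: the file name from post #4 and a 242-byte name as in post #13. */
    const char *hostile = "%s%s%%s.exe";
    char longname[243];
    char msg[64], esc[64];

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("directives in \"%s\": %d\n", hostile, count_directives(hostile));
    build_progress_message(msg, sizeof msg, hostile);
    printf("message: %s\n", msg);
    build_progress_message(msg, sizeof msg, longname);
    printf("long name truncated to %zu bytes\n", strlen(msg));
    if (escape_percent(hostile, esc, sizeof esc) >= 0)
        printf("escaped: %s\n", esc);
    return 0;
}
```

count_directives is the check a loader or a debug-string handler can apply before the text reaches any formatting routine; a non-zero result on a file name is a signal worth logging, since no legitimate name needs a bare '%'.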
  #7  
Old 05-15-2005, 21:56
MaRKuS-DJM
i did a small workaround but it failed in some special cases even if the OutputDebugString bug and the bug you mentioned were fixed. will go on with the fixing work...
  #8  
Old 05-16-2005, 00:11
nikola
I think that any bug connected to OutputDebugString can't be considered a new bug. It's all very similar.
  #9  
Old 05-16-2005, 00:23
MaRKuS-DJM
"the bug" is just the mentioned output routine. it belongs to everything with "%s". about the long exe name, i think it is connected to the GetOpenFileNameA API, but not sure, didn't look at it. it would be a possibility; W32Dasm also can't handle such a long path.
  #10  
Old 05-16-2005, 00:57
taos
yeah, you can test this too:
rename any EXE to (alt+255).exe (not in MSDOS)
Olly can not open the EXE file!!! (even notepad can) and if you try to attach the debugger to this running process then you get an error msg.
  #11  
Old 05-16-2005, 01:49
MaRKuS-DJM
taos: didn't have a problem opening such an exe
  #12  
Old 05-16-2005, 02:24
taos
attached EXE file with the error.
(it may be because my OS is Spanish and then the symbol you get when typing alt+255 may be different from yours)
try the attached file.
IMPORTANT: this is not a RAR file, rename it to EXE using the same name (WinRAR has the same error as OLLY)
Attached file: ♣.rar (19.6 KB)
  #13  
Old 05-16-2005, 13:32
TQN
The attached file is a test exe file with a long filename (242). Extract it to C:\ and open it with OllyDbg. OllyDbg will crash.
Attached file: test.rar (24.6 KB)
  #14  
Old 05-16-2005, 15:10
codeX
Hi taos,

Your attached file gives the file name '♣' on clicking the link. So I rename it as ALT+255, but Olly simply opens it.

@TQN

I can't extract test.rar using WinRAR. So I open it in WinRAR, rename it, extract it, and rename it again to your longlong .... name.
Now it simply crashes Olly and finally leads to a blue screen on my poor PC.
  #15  
Old 12-05-2006, 18:00
evlncrn8
that all depends on the font used in the system, some fonts translate the 'high' characters properly, others do not... it's an old trick, from the win9x days, where to 'hide' a folder all you had to do was put an alt+255 in front of it and program manager/file manager etc could not open it...
All times are GMT +8.