OllyDbg / Immunity debugger crash proof of concept denial of service exploit.
675d2824b19af798e908b299af4c63101ca4f8e7734c1c02006fdc9bf019156e
;Title : OllyDbg/Immunity Debugger - Crash POC
;Researcher : Souhail Hammou (Dark-Puzzle)
;Research Team : http://itsecurity.ma
;Facebook : http://www.facebook.com/dark.puzzle.sec
;Date : 29/07/2013
;==================================================================
.386
.model flat,stdcall
option casemap:none
include /masm32/include/masm32.inc
include /masm32/include/kernel32.inc
includelib /masm32/lib/masm32.lib
includelib /masm32/lib/kernel32.lib
;==================================================================
;Details and Analysis :
;Pictures : 1.jpg : http://oi44.tinypic.com/dytanq.jpg
; 2.jpg : http://oi42.tinypic.com/2md0uvm.jpg
;This bug affects both OllyDbg and Immunity Debugger: a user can crash the debugger through one of the "pane" functionalities. The pane helps the reverser
;locate where jumps were taken from or where they will lead; it also displays memory addresses and, when the instruction containing a memory address is clicked,
;the ASCII form of what that address holds, if it is a printable string.
;What we will be looking at is the "modify register" command, which lets you modify a register value directly from the pane.
;Let's fully demonstrate the issue by debugging a small x86 ASM program (MASM syntax).
.data
welcome db "Hello...",0
bye db "Bye",0
.data?
whatever db 10 dup(?)
.code
test_me:
invoke StdOut, addr welcome
mov eax, 00403000h ;demonstrating mov instruction
lea ecx, bye ;demonstrating lea instruction
invoke StdOut, addr bye
invoke StdIn, addr whatever,10
invoke ExitProcess,0
end test_me
;Now let's see how the debugger disassembles the target's instructions:
;0040100A |. B8 00304000 MOV EAX,test.00403000 ; ASCII "Hello..."
;0040100F |. 8D0D 09304000 LEA ECX,DWORD PTR DS:[403009] ; 00403009 is pointing to ASCII "Bye"
;Now, without stepping into the MOV instruction, just click on it and you'll see the following in the pane:
; 00403000=test.00403000 (ASCII "Hello...")
;Select this line and right-click it, then click "modify register"; a box opens indicating that you are about to edit the value of the EAX register.
;Without stepping, select the LEA instruction and you will see this in the pane:
; Address=00403009, (ASCII "Bye")
;Right-click that line again and select "Modify Register" ... Boom !! Crash !
;The difference between MOV and LEA is that for MOV the debugger edits the value of the register the instruction writes to,
;but for LEA the debugger simply crashes.
;===========================================================
;Quick Crash Analysis :
;===========================================================
;When the user clicks "modify register" in the case of a LEA instruction, Olly/Immunity Debugger tries to print "Modify reg"
;using this set of instructions:
;004302B9 . 8B1C95 A475650>MOV EBX,DWORD PTR DS:[EDX*4+6575A4] ; | Important Instruction !
;----Cut----
;----Cut----
;004309DA > 8B049D 48D25E0>MOV EAX,DWORD PTR DS:[EBX*4+5ED248] ; | Important Instruction !
;004309E1 . 8DB424 C609000>LEA ESI,DWORD PTR SS:[ESP+9C6] ; |
;004309E8 . 31FF XOR EDI,EDI ; |
;004309EA . C74424 04 0E48>MOV DWORD PTR SS:[ESP+4],Immunity.0060480E ; |ASCII "Modify %s"
;004309F2 . 893424 MOV DWORD PTR SS:[ESP],ESI ; |
;004309F5 . 894424 08 MOV DWORD PTR SS:[ESP+8],EAX ; |
;004309F9 . E8 12501A00 CALL <JMP.&ntdll.sprintf> ; \sprintf
;For a MOV instruction, the value loaded into EBX at 004302B9 from [EDX*4+6575A4] is a small index giving the position of the targeted register's name string
;in memory; at 004309DA it is multiplied by 4 and added to 005ED248 to fetch that string.
;For a LEA instruction, however, [EDX*4+6575A4] holds the memory address of the element shown in the pane, in our case 00403009, which equals 4206601 in decimal.
;So when it tries to determine which register is involved (at 004309DA), the debugger reads from an address that is out of range (non-existent): 4206601*4+5ED248 in my case.
;And it simply CRASHES.
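;The following C model is an added example and is not part of the original PoC or of either debugger's code. It reproduces the shape of the lookup analysed above (a pane value used as an index into a register-name table before "Modify %s" is formatted) next to a bounds-checked version that refuses the LEA line instead of crashing; the type names, the table contents and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
enum pane_kind { PANE_REGISTER, PANE_ADDRESS };

struct pane_item {             /* one selected pane line */
    enum pane_kind kind;       /* what the attached value means */
    unsigned long value;       /* register index, or the address shown */
};

/* Stand-in for the register-name table at 005ED248 (hypothetical). */
static const char *const reg_names[] = {
    "EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"
};
#define NREG (sizeof reg_names / sizeof reg_names[0])

/* Buggy shape: the value is trusted as an index. With the LEA line's value
 * 4206601 this reads far outside the table, which is the crash in the PoC. */
const char *reg_name_unchecked(unsigned long idx)
{
    return reg_names[idx];
}

/* Hardened: only an in-range register index is accepted. */
const char *reg_name_checked(const struct pane_item *it)
{
    if (it->kind != PANE_REGISTER || it->value >= NREG)
        return NULL;
    return reg_names[it->value];
}

/* Builds the "Modify %s" caption. Returns 0 on success, -1 when the line
 * carries no register to modify (the LEA case) instead of crashing. */
int format_modify(const struct pane_item *it, char *out, size_t outlen)
{
    const char *name = reg_name_checked(it);
    if (name == NULL)
        return -1;
    snprintf(out, outlen, "Modify %s", name);
    return 0;
}

int main(void)
{
    /* Constructed inputs: the MOV line (index 0 = EAX) and the LEA line. */
    struct pane_item mov_line = { PANE_REGISTER, 0 }, lea_line = { PANE_ADDRESS, 0x403009UL };
    char buf[32];
    if (format_modify(&mov_line, buf, sizeof buf) == 0) puts(buf);
    printf("LEA line -> %d (refused)\n", format_modify(&lea_line, buf, sizeof buf));
    return 0;
}
```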
;Best Regards,
;Souhail Hammou.