
OllyDbg / Immunity Debugger Crash

Posted Jul 29, 2013
Authored by Dark-Puzzle

OllyDbg / Immunity debugger crash proof of concept denial of service exploit.

tags | exploit, denial of service, proof of concept
MD5 | a9156179e9f9c0a479e08a3641d064aa

;Title         : OllyDbg/Immunity Debugger - Crash POC
;Researcher    : Souhail Hammou (Dark-Puzzle)
;Research Team : http://itsecurity.ma
;Facebook      : http://www.facebook.com/dark.puzzle.sec
;Date          : 29/07/2013
;==================================================================
.386
.model flat,stdcall
option casemap:none
include /masm32/include/masm32.inc
include /masm32/include/kernel32.inc
includelib /masm32/lib/masm32.lib
includelib /masm32/lib/kernel32.lib
;==================================================================

;Details and Analysis :
;Pictures : 1.jpg : http://oi44.tinypic.com/dytanq.jpg
; 2.jpg : http://oi42.tinypic.com/2md0uvm.jpg

;This bug affects both OllyDbg and Immunity Debugger: a user can crash the debugger through one of the "pane" functionalities. The pane helps the reverser
;locate where jumps were taken from or where they will lead; it also shows memory addresses and, when the instruction containing that memory address is
;clicked, the ASCII form of what the address holds (if it is a printable string, of course).
;What we will be looking at is the "Modify register" command, which lets you modify a register value directly from the pane.

;Let's fully demonstrate the issue by debugging a small x86 ASM program (MASM syntax).
.data
welcome db "Hello...",0
bye db "Bye",0
.data?
whatever db 10 dup(?)
.code
test_me :
invoke StdOut, addr welcome
mov eax, 00403000h ;demonstrating mov instruction
lea ecx, bye ;demonstrating lea instruction
invoke StdOut, addr bye
invoke StdIn, addr whatever,10
invoke ExitProcess,0
end test_me
;Now let's see how the debugger disassembles the target's instructions:
;0040100A |. B8 00304000 MOV EAX,test.00403000 ; ASCII "Hello..."
;0040100F |. 8D0D 09304000 LEA ECX,DWORD PTR DS:[403009] ; 00403009 points to ASCII "Bye"

;Now, without stepping into the MOV instruction, just click on it and you'll see the following in the pane:
; 00403000=test.00403000 (ASCII "Hello...")

;Select this line and right-click it, then click "Modify register"; a box opens indicating that you are about to edit the value of the EAX register.
;Still without stepping, select the LEA instruction and you will see this in the pane:
; Address=00403009, (ASCII "Bye")
;Right-click that line again and select "Modify Register" ... Boom !! Crash !
;The difference between MOV and LEA is that for MOV the debugger edits the value of the register the instruction moves into,
;but for a LEA instruction the debugger simply crashes.
;===========================================================
;Quick Crash Analysis :
;===========================================================

;When the user clicks "Modify register" on a LEA instruction, Olly/Immunity Debugger tries to print "Modify reg"
;using this set of instructions:
;004302B9 . 8B1C95 A475650>MOV EBX,DWORD PTR DS:[EDX*4+6575A4] ; | Important Instruction !
;----Cut----
;----Cut----
;004309DA > 8B049D 48D25E0>MOV EAX,DWORD PTR DS:[EBX*4+5ED248] ; | Important Instruction !
;004309E1 . 8DB424 C609000>LEA ESI,DWORD PTR SS:[ESP+9C6] ; |
;004309E8 . 31FF XOR EDI,EDI ; |
;004309EA . C74424 04 0E48>MOV DWORD PTR SS:[ESP+4],Immunity.0060480E ; |ASCII "Modify %s"
;004309F2 . 893424 MOV DWORD PTR SS:[ESP],ESI ; |
;004309F5 . 894424 08 MOV DWORD PTR SS:[ESP+8],EAX ; |
;004309F9 . E8 12501A00 CALL <JMP.&ntdll.sprintf> ; \sprintf

;When dealing with a MOV instruction, at address 004302B9 [EBX*4+6575A4] holds a small value that indicates the position of the targeted register's name string
;in memory; that value is multiplied by 4 and added to memory address 005ED248.
;But when dealing with a LEA instruction, [EBX*4+6575A4] holds the memory address of the element shown in the pane, in our case 00403009, which is 4206601 in decimal.
;So when it tries to detect which register is being dealt with (at 004309DA), the debugger uses an address that is out of the mapped memory range (nonexistent): 4206601*4+5ED248 in my case.
;And it simply CRASHES.
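;The root cause above is an unchecked table index: the same pane field is read as a register index for a MOV entry and as a raw address for a LEA entry, and the address is then used to index the register-name table. The C sketch below is an added example, not OllyDbg's or Immunity's code; the pane struct, table and function names are hypothetical, and it shows the unchecked lookup beside a checked one that rejects address entries and out-of-range indexes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of a debugger pane entry (not OllyDbg's real code):
   a MOV target names a register, a LEA target names a plain address. */
enum pane_kind { PANE_REGISTER = 0, PANE_ADDRESS = 1 };

struct pane_entry {
    enum pane_kind kind;
    uint32_t value;   /* register index for PANE_REGISTER, address for PANE_ADDRESS */
};

static const char *const reg_names[] = {
    "EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"
};
#define REG_COUNT (sizeof reg_names / sizeof reg_names[0])

/* Vulnerable shape: the pane value indexes the table no matter which kind of
   entry produced it (the MOV EAX,[EBX*4+5ED248] pattern from the analysis).
   With a LEA entry, value = 00403009 reads far outside reg_names: undefined
   behaviour here, an unmapped read and a crash in the real debugger. */
const char *modify_reg_label_unchecked(const struct pane_entry *e)
{
    return reg_names[e->value];
}

/* Hardened shape: refuse non-register entries and bound the index before
   touching the table.  Returns 0 on success, -1 when the entry is rejected. */
int modify_reg_label_checked(const struct pane_entry *e, char *out, size_t outlen)
{
    if (e->kind != PANE_REGISTER || e->value >= REG_COUNT)
        return -1;
    int n = snprintf(out, outlen, "Modify %s", reg_names[e->value]);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

int main(void)
{
    /* Constructed entries mirroring the two pane lines in the write-up. */
    struct pane_entry mov_entry = { PANE_REGISTER, 0 };           /* EAX */
    struct pane_entry lea_entry = { PANE_ADDRESS, 0x00403009u };  /* "Bye" */
    char label[32];
    if (modify_reg_label_checked(&mov_entry, label, sizeof label) == 0)
        printf("MOV entry: %s\n", label);
    if (modify_reg_label_checked(&lea_entry, label, sizeof label) != 0)
        printf("LEA entry rejected: 0x%x is an address, not a register index\n",
               (unsigned)lea_entry.value);
    return 0;
}
```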

;Best Regards,
;Souhail Hammou.

© 2020 Packet Storm. All rights reserved.