what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Jul 17, 2004
Authored by Ned | Site felinemenace.org

A format string bug exists in the code that handle the Debugger Messages for OllyDbg version 1.10.

tags | advisory
SHA-256 | ea3b234c64fa58685fccf9e73ab76034b66c1ae43da07c0540c4599cf53cbb37


Change Mirror Download

* [FMADV] - OllyDbg Format String Bug

* Introduction:
There exists a format string bug in the code that handles Debugger
Messages in OllyDbg. This means any traced application can crash OllyDbg
and execute machine code.

* About (From the Webpage):
OllyDbg is a 32-bit assembler level analysing debugger for Microsoft
Windows. Emphasis on binary code analysis makes it particularly useful in
cases where source is unavailable.

OllyDbg is seen as an industry standard when it comes to analysing
vulnerabilties on win32 and it's easy to understand makes it a must for
anyone developing exploits on windows. Many people have sung the praises
of OllyDbg, including some very high profile engineers and exploit

* Technical details:
Typically OllyDbg attaches to a process and allows the user how to
customize the session; wether they trace, or they breakpoint some stuff or
whatever. The windows API is actually very debugger friendly and has many
functions to interact with debuggers (most likely built for their own
(safe) debugger WinDbg). One of these functions, OutputDebugString sends a
string directly to the debugger for interpretation, which OllyDbg displays to
the user via a status line along the bottom, sans a format specifier,
which means the user supplied string is used as the format specifier.

To reproduce this excellent bug, these steps can be taken:

1. Download Python (http://python.org) and win32com
(http://starship.python.net/crew/mhammond/win32/Downloads.html). These
two are _essential_ to any hacker's windows box.

2. Run 'python' so you get an interactive shell.

3. Attach to the 'python' process with OllyDbg, press 'F9' to continue

4. Type 'import win32api' and press enter in the python screen.

5. Type 'win32api.OutputDebugString("%s" * 50)' to crash OllyDbg.
Typically, if you have OllyDbg set as the JIT Debugger, another OllyDbg
screen will pop up ;) OR

6. Type 'win32api.OutputDebugString("%8.8x" * 15)' to view whats on the

7. The python process will now have died since OllyDbg died, so do the
process again!

If this is all too hard, or you don't believe ;) Then a screenshot for
your viewing pleasure is availiable at:

Andrewg of FelineMenace managed to create a python script to exploit this
vulnerability, albeit with some shellcode problems :)

* Conclusion:
It certainly opens up the possibly for binaries to start owning their
debuggers, in an anti-reversing sense. GDB is a huge project too, with
multiple public/unpublished bugs. Because Debuggers work with the
executable in a state of execution, disassemblers such as IDA could be
vulnerable to a static attack of a malformed binary, much like the
executable handling in the OpenBSD kernel i suppose. The possibilities are
endless! However there is a definate need for disclosure of these bugs, as
debuggers/disassembler are the first defense against the malicious.

* Greets:
TFM (Team FelineMenace), Greg + rootkit.com, people who spend their day
making sure imported beer is actually imported, peach.gotdns.org.

Login or Register to add favorites

File Archive:

December 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    0 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By