OllyDbg "INT3 AT" Format String Vulnerability
     by Piotr Bania <bania.piotr@gmail.com>
     http://pb.specialised.info
   

     Original location:         http://pb.specialised.info/all/adv/olly-int3-adv.txt
       
     Severity:                         High / Medium - code execution.
     Version affected:          Probably all versions, tested on
                                v1.10.

       

     I. BACKGROUND

     "OllyDbg is a 32-bit assembler level analysing debugger for Microsoft Windows.
     Emphasis on binary code analysis makes it particularly useful in cases where
     source is unavailable."

     II. DESCRIPTION               

     Vulnerability takes place when module (with special crafted file name) executes
     int 3 instruction (trap to debugger).

     Here is the vulnerable code:

     .text:0042FBE0                 lea     eax, [ebp+buffer]
     .text:0042FBE6                 push    eax               ; *** format ***
     .text:0042FBE7                 mov     edx, [ebp+var_28]
     .text:0042FBEA                 push    edx      
     .text:0042FBEB                 call    sub_42E100              ; _vsprintf->___vprinter

     Where format is an ascii string like: "INT3 command at <module_name>.addr".
     Attacker can place a format string chars inside "<module_name>" (part of format
     buffor) and cause Olly to overwrite arbitary data.

     NOTE: Even with "IGNORE INT3 BREAKS" option checked, OllyDbg is still vulnerable.
           Attacker can also load some special crafted module (with special crafted
           name) while debugging, to make the attack more stealthy.

     III. IMPACT

     This vulnerability after successful exploitation can allow the
     attacker to run arbitrary code in context of current user.
     Of course if the exploitation was not successful OllyDbg will fault
     and loose all debugged data.

[课程]Android-CTF解题方法汇总！