-
-
OllyDbg Format String Vulnerability
-
发表于: 2005-5-16 14:17 3554
-
Vulnerable Systems:
* OllyDbg version 1.10
Vulnerability takes place when module (with special crafted file name) executes int 3 instruction (trap to debugger).
Disassembler Snippets:
Here is the vulnerable code:
.text:0042FBE0 lea eax, [ebp+buffer]
.text:0042FBE6 push eax ; format string
.text:0042FBE7 mov edx, [ebp+var_28]
.text:0042FBEA push edx
.text:0042FBEB call sub_42E100 ; _vsprintf->
;___vprinter
When format is an ASCII string like: "INT3 command at <module_name>.addr", Attacker can place a format string chars inside "<module_name>" (part of format buffer) and cause Olly to overwrite arbitrary data.
NOTE: Even with "IGNORE INT3 BREAKS" option checked, OllyDbg is still vulnerable. Attacker can also load some special crafted module (with special crafted name) while debugging, to make the attack more stealthy.
* OllyDbg version 1.10
Vulnerability takes place when module (with special crafted file name) executes int 3 instruction (trap to debugger).
Disassembler Snippets:
Here is the vulnerable code:
.text:0042FBE0 lea eax, [ebp+buffer]
.text:0042FBE6 push eax ; format string
.text:0042FBE7 mov edx, [ebp+var_28]
.text:0042FBEA push edx
.text:0042FBEB call sub_42E100 ; _vsprintf->
;___vprinter
When format is an ASCII string like: "INT3 command at <module_name>.addr", Attacker can place a format string chars inside "<module_name>" (part of format buffer) and cause Olly to overwrite arbitrary data.
NOTE: Even with "IGNORE INT3 BREAKS" option checked, OllyDbg is still vulnerable. Attacker can also load some special crafted module (with special crafted name) while debugging, to make the attack more stealthy.
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
赞赏
他的文章
看原图
赞赏
雪币:
留言: