This is an old yet interesting bug in OllyDbg. This bug affects OllyDbg v1.10 even with the "OllyAdvanced v1.27" option set.
Here is a screenshot of the vulnerable code.
In brief, set the name of the code section to "%*s%*s%s" and the "SizeOfCode" field to zero.
A demo can be found here.
You can follow me on Twitter @waleedassar
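As an added example (not code from the original post, and not OllyDbg's or OllyAdvanced's own code), the following Python checker parses the DOS, COFF, optional and section headers of a PE image and flags the two conditions the post names: a section name containing `%` (which a printf-style routine would treat as a conversion specifier) and a `SizeOfCode` field of zero. The sample header blob is constructed inline for testing only; it is not a loadable executable, and the helper names `build_sample_pe_headers`, `parse_pe_headers` and `audit_pe_headers` are this example's own.

```python
import struct

DOS_SIG = b"MZ"
NT_SIG = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def build_sample_pe_headers(section_name: bytes, size_of_code: int) -> bytes:
    """Constructed, non-loadable PE32 header blob used only to exercise the checker.

    Layout: 64-byte DOS header, 'PE\\0\\0', 20-byte COFF header, 0xE0-byte
    PE32 optional header, one 40-byte section header. Everything not needed
    for the check is left zeroed.
    """
    dos = bytearray(0x40)
    dos[0:2] = DOS_SIG
    struct.pack_into("<I", dos, 0x3C, 0x40)       # e_lfanew: NT headers follow the DOS header
    opt_size = 0xE0                                # SizeOfOptionalHeader for PE32
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic = PE32
    struct.pack_into("<I", opt, 4, size_of_code)   # SizeOfCode
    # IMAGE_SECTION_HEADER.Name is 8 bytes and is NOT NUL-terminated when full.
    name = section_name[:8].ljust(8, b"\0")
    section = name + bytes(SECTION_HEADER_SIZE - 8)
    return bytes(dos) + NT_SIG + coff + bytes(opt) + section


def parse_pe_headers(data: bytes):
    """Return (SizeOfCode, [section names]) read from the headers of a PE image."""
    if data[:2] != DOS_SIG:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != NT_SIG:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + COFF_HEADER_SIZE
    # SizeOfCode sits at offset 4 of the optional header for both PE32 and PE32+.
    size_of_code = struct.unpack_from("<I", data, opt + 4)[0]
    first_section = opt + opt_size
    names = []
    for i in range(nsections):
        off = first_section + i * SECTION_HEADER_SIZE
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        # Decode as latin-1 so any byte value round-trips without errors.
        names.append(raw.split(b"\0", 1)[0].decode("latin-1"))
    return size_of_code, names


def audit_pe_headers(data: bytes) -> list:
    """Flag the two header properties the post associates with the OllyDbg bug."""
    size_of_code, names = parse_pe_headers(data)
    findings = []
    for name in names:
        if "%" in name:
            findings.append(f"section name {name!r} contains '%' (printf-style conversion)")
    if size_of_code == 0:
        findings.append("SizeOfCode is 0")
    return findings


if __name__ == "__main__":
    suspicious = build_sample_pe_headers(b"%*s%*s%s", 0)
    benign = build_sample_pe_headers(b".text", 0x1000)
    print("suspicious:", audit_pe_headers(suspicious))
    print("benign:", audit_pe_headers(benign))
```

The check is deliberately strict about `%` rather than trying to recognise only valid conversion sequences: a section name is an 8-byte field chosen by whoever built the file, and a legitimate toolchain has no reason to put a `%` in it, so any occurrence is worth a look before the file is opened in a debugger that may hand the name to a formatting routine.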
I came across the exact same bug recently and figured I would remove the format-string section name, but how did you locate the bug?

Just reversing the function responsible for parsing PE headers.