It is similar to, but different from the one i disclosed in the previous post. The previous one occurs when OllyDbg tries to grab .sym files, but this one occurs when it tries to grab .udd files.
Similar to .sym files, .udd files are grabbed for all loaded modules, including dynamically loaded ones, which gives us the chance to use this buffer overflow as an anti-debug method.
To exploit this buffer overflow, all you have to do is create a .dll with length of 0x102 bytes and then LoadLibrary it.
N.B. ollydbg.exe must reside in a directory with length of 0x29 bytes or more, e.g. "D:\Documents and Settings\Administrator\Desktop\odbg110".
Demo:
http://ollytlscatch.googlecode.com/files/bug.exe
Source code:
https://docs.google.com/document/d/1Vi3UO6sglpoEYMPNdA8ZXKrc7oBmR-0Bd5v0rnFGfug/edit
Update:
Another less critical bug (buffer overflow) has been found in OllyDbg v1.10. It is triggered upon exit or manually choosing the "Update .udd file now" menu option. If you need its POC, just shoot me a mail.
You can follow me on Twitter @waleedassar
To exploit this buffer overflow, all you have to do is create a .dll with length of 0x102 bytes and then LoadLibrary it.
N.B. ollydbg.exe must reside in a directory with length of 0x29 bytes or more, e.g. "D:\Documents and Settings\Administrator\Desktop\odbg110".
Demo:
http://ollytlscatch.googlecode.com/files/bug.exe
Source code:
https://docs.google.com/document/d/1Vi3UO6sglpoEYMPNdA8ZXKrc7oBmR-0Bd5v0rnFGfug/edit
Update:
Another less critical bug (buffer overflow) has been found in OllyDbg v1.10. It is triggered upon exit or manually choosing the "Update .udd file now" menu option. If you need its POC, just shoot me a mail.
You can follow me on Twitter @waleedassar
Hi, nice work
ReplyDeleteCan you provide an crackme sample which exploit these two bugs?
http://ollytlscatch.googlecode.com/files/bug.exe
ReplyDeleteJust try to use OllyDbg v1.10 to debug this file.
If your ollydbg installation folder is longer than 41 bytes, ollydbg should crash.