While reading one of Peter Ferrie's wonderful papers, I came across an interesting OllyDbg bug. It is so interesting that I decided to analyze it and write a proof of concept for it.
The bug is triggered when parsing the export table of debuggees. First, the NumberOfFunctions member of the IMAGE_EXPORT_DIRECTORY structure is extracted.
This value is then shifted left by two bits (multiplied by 0x4) to obtain a byte count. Because the arithmetic is 32-bit, a value of 0x40000000 wraps to zero. Finally, heap memory of this (zero) size is allocated.
Now it is clear that an overflow will definitely occur when the RVAs are copied into the newly allocated memory, since 0x40000000 bytes will be copied into a buffer of size zero.
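To make the arithmetic concrete, here is an added example (my own code, not OllyDbg's or the PoC's) that reproduces the unchecked `NumberOfFunctions << 2` computation next to a checked version that rejects a count whose byte size cannot fit in 32 bits, and validates the table against the buffer before anything is allocated. The header layout is a constructed minimal buffer with the two relevant fields at their real offsets, and the RVA is treated as a plain offset into that buffer for simplicity.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The arithmetic the post describes: NumberOfFunctions is a 32-bit field and
   the table size is computed as count << 2 in 32-bit arithmetic, so the high
   bits are silently discarded (0x40000000 << 2 == 0). */
uint32_t naive_eat_size(uint32_t number_of_functions)
{
    return number_of_functions << 2;
}

/* Hardened version: refuse any count whose byte size would wrap.
   Returns 1 and stores the size on success, 0 on overflow. */
int checked_eat_size(uint32_t number_of_functions, uint32_t *out_size)
{
    if (number_of_functions > UINT32_MAX / sizeof(uint32_t))
        return 0;
    *out_size = number_of_functions * (uint32_t)sizeof(uint32_t);
    return 1;
}

/* Validate a (constructed) export directory before allocating or copying.
   Offsets follow IMAGE_EXPORT_DIRECTORY: NumberOfFunctions at +0x14,
   AddressOfFunctions at +0x1C. The RVA is treated as an offset into buf
   (an assumption for this example). Returns 1 if the table is sane. */
int validate_export_dir(const uint8_t *buf, size_t buf_len, uint32_t *nfuncs)
{
    uint32_t n, rva, size;
    if (buf_len < 0x28) return 0;                       /* header truncated */
    memcpy(&n, buf + 0x14, 4);
    memcpy(&rva, buf + 0x1C, 4);
    if (!checked_eat_size(n, &size)) return 0;          /* size would wrap */
    if (rva > buf_len || size > buf_len - rva) return 0;/* table past buffer */
    *nfuncs = n;
    return 1;
}

/* Constructed sample: a 0x40-byte image whose export directory claims
   NumberOfFunctions = count and places the RVA table at offset 0x28. */
int check_constructed_header(uint32_t count, uint32_t *nfuncs)
{
    uint8_t buf[0x40];
    uint32_t rva = 0x28;
    memset(buf, 0, sizeof buf);
    memcpy(buf + 0x14, &count, 4);
    memcpy(buf + 0x1C, &rva, 4);
    return validate_export_dir(buf, sizeof buf, nfuncs);
}
```

With the post's value, `naive_eat_size(0x40000000)` yields 0 while the checked path rejects the header outright; a small count such as 4 passes because its 16-byte table fits inside the buffer.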
A POC can be found here.
You can follow me on Twitter @waleedassar