<<< Date Index >>>     <<< Thread Index >>>

[FMADV] Format String Bug in OllyDbg 1.10



* [FMADV] - OllyDbg Format String Bug

* Introduction:
There exists a format string bug in the code that handles Debugger 
Messages in OllyDbg. This means any traced application can crash OllyDbg 
and execute machine code.

* About (From the Webpage):
OllyDbg is a 32-bit assembler level analysing debugger for Microsoft 
Windows. Emphasis on binary code analysis makes it particularly useful in 
cases where source is unavailable.
 
OllyDbg is seen as an industry standard when it comes to analysing 
vulnerabilties on win32 and it's easy to understand makes it a must for 
anyone developing exploits on windows. Many people have sung the praises 
of OllyDbg, including some very high profile engineers and exploit 
developers.
 
* Technical details:
Typically OllyDbg attaches to a process and allows the user how to 
customize the session; wether they trace, or they breakpoint some stuff or 
whatever. The windows API is actually very debugger friendly and has many 
functions to interact with debuggers (most likely built for their own 
(safe) debugger WinDbg). One of these functions, OutputDebugString sends a 
string directly to the debugger for interpretation, which OllyDbg displays to 
the user via a status line along the bottom, sans a format specifier, 
which means the user supplied string is used as the format specifier.

To reproduce this excellent bug, these steps can be taken:

1. Download Python (http://python.org) and win32com 
(http://starship.python.net/crew/mhammond/win32/Downloads.html). These 
two are _essential_ to any hacker's windows box.

2. Run 'python' so you get an interactive shell.

3. Attach to the 'python' process with OllyDbg, press 'F9' to continue 
execution.

4. Type 'import win32api' and press enter in the python screen.

5. Type 'win32api.OutputDebugString("%s" * 50)' to crash OllyDbg. 
Typically, if you have OllyDbg set as the JIT Debugger, another OllyDbg 
screen will pop up ;) OR

6. Type 'win32api.OutputDebugString("%8.8x" * 15)' to view whats on the 
stack!

7. The python process will now have died since OllyDbg died, so do the 
process again!
 
If this is all too hard, or you don't believe ;) Then a screenshot for 
your viewing pleasure is availiable at:
http://felinemenace.org/~nd/ollyfmt.png

Andrewg of FelineMenace managed to create a python script to exploit this 
vulnerability, albeit with some shellcode problems :)
 
* Conclusion:
It certainly opens up the possibly for binaries to start owning their 
debuggers, in an anti-reversing sense. GDB is a huge project too, with 
multiple public/unpublished bugs. Because Debuggers work with the 
executable in a state of execution, disassemblers such as IDA could be 
vulnerable to a static attack of a malformed binary, much like the  
executable handling in the OpenBSD kernel i suppose. The possibilities are 
endless! However there is a definate need for disclosure of these bugs, as 
debuggers/disassembler are the first defense against the malicious.
 
* Greets:
TFM (Team FelineMenace), Greg + rootkit.com, people who spend their day 
making sure imported beer is actually imported, peach.gotdns.org.

----
http://felinemenace.org/~nd