
Created: Thursday, March 29 2012 14:06.52 CDT Modified: Thursday, March 29 2012 14:09.26 CDT
OllyDbg Resource Table Parsing Integer Overflow
Author: waleedassar # Views: 3363

In this post I will quickly show you an integer overflow found in OllyDbg v1.10. It leads to a buffer overflow that can be exploited for arbitrary code execution.

In brief, all you have to do is set the size of the resource table to 0xFFFFFFF7.

Olly adds 0x9 to 0xFFFFFFF7, which wraps around to zero because of the integer overflow. A zero-byte buffer is then allocated by calling the "GlobalAlloc" function. Finally the "_Readmemory" function is called to copy 0xFFFFFFF7 bytes into the newly allocated buffer, causing a buffer overflow. See the image below.

But wait, there is a minor issue that I need to shed some light on. The "_Readmemory" function, as its name implies, is a wrapper around the kernel32.dll "ReadProcessMemory" function. So why did this call succeed when the number of bytes to copy is that huge? The reason is that "_Readmemory" first checks whether the data at the target address is already cached. If it is, "memcpy" is called directly, and this is where the buffer overflow occurs.
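To make the arithmetic concrete, here is an added C example (not OllyDbg's code) that reproduces the wrapping size computation beside a checked version that rejects it before any allocation or copy happens. The 0x9 constant and the 0xFFFFFFF7 trigger value come from the post; the function names and the idea of a fixed header overhead are assumptions for the sake of illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes the loader adds to the resource table size before allocating.
 * 0x9 is the constant quoted in the post; treating it as a fixed header
 * overhead is an assumption of this example. */
#define RESOURCE_HEADER_EXTRA 0x9u

/* Mirrors the unchecked computation described in the post: a 32-bit add
 * that silently wraps, so 0xFFFFFFF7 + 0x9 yields 0 and a zero-byte
 * buffer gets allocated for a 0xFFFFFFF7-byte copy. */
uint32_t unchecked_alloc_size(uint32_t table_size)
{
    return table_size + RESOURCE_HEADER_EXTRA;
}

/* Hardened version: refuse any table size whose padded allocation would
 * exceed UINT32_MAX instead of letting it wrap. Returns false on reject. */
bool checked_alloc_size(uint32_t table_size, uint32_t *out)
{
    if (table_size > UINT32_MAX - RESOURCE_HEADER_EXTRA)
        return false; /* the add would wrap: treat the header as corrupt */
    *out = table_size + RESOURCE_HEADER_EXTRA;
    return true;
}

/* The decision the copy path should make: only copy when the destination
 * buffer is provably large enough for the number of bytes requested. */
bool safe_to_copy(uint32_t table_size)
{
    uint32_t alloc;
    if (!checked_alloc_size(table_size, &alloc))
        return false;
    return table_size <= alloc;
}

int main(void)
{
    uint32_t trigger = 0xFFFFFFF7u; /* value from the post */
    uint32_t sane = 0x1000u;        /* constructed benign size */
    printf("unchecked: 0x%08X + 0x%X -> 0x%08X\n", trigger,
           RESOURCE_HEADER_EXTRA, unchecked_alloc_size(trigger));
    printf("checked(trigger) safe to copy: %d\n", safe_to_copy(trigger));
    printf("checked(sane)    safe to copy: %d\n", safe_to_copy(sane));
    return 0;
}
```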

Here you can find the demo.
http://ollybugs.googlecode.com/files/you.exe
