OllyDbg / Immunity Debugger Crash

Published: 29 Jul 2013 00:00:00
Reported by: Dark-Puzzle
Type: packetstorm
Source: packetstormsecurity.com

OllyDbg / Immunity Debugger - Crash POC affecting both debuggers by crashing with "modify register" command during LEA instruction

Code
```asm
;Title : OllyDbg/Immunity Debugger - Crash POC
;Researcher : Souhail Hammou (Dark-Puzzle)
;Research Team : http://itsecurity.ma
;Facebook : http://www.facebook.com/dark.puzzle.sec
;Date : 29/07/2013
;==================================================================
.386
.model flat,stdcall
option casemap:none
include /masm32/include/masm32.inc
include /masm32/include/kernel32.inc
includelib /masm32/lib/masm32.lib
includelib /masm32/lib/kernel32.lib
;==================================================================

;Details and Analysis :
;Pictures : 1.jpg : http://oi44.tinypic.com/dytanq.jpg
;           2.jpg : http://oi42.tinypic.com/2md0uvm.jpg

;This bug affects both OllyDbg and Immunity Debugger: a user can crash the debugger using one of the "pane" functionalities. The pane helps the reverser
;locate where jumps were taken from or where they will lead; it also displays memory addresses and, when the instruction containing that memory address
;is clicked, the ASCII form of what it holds (if it is a printable string, of course).
;What we will be looking at is the "modify register" command, which lets you modify a register value directly from the pane.

;Let's fully demonstrate the issue by debugging a little x86 ASM program (MASM syntax).
.data
welcome db "Hello...",0
bye db "Bye",0
.data?
whatever db 10 dup(?)
.code
test_me:
invoke StdOut, addr welcome
mov eax, 00403000h ;demonstrating mov instruction
lea ecx, bye ;demonstrating lea instruction
invoke StdOut, addr bye
invoke StdIn, addr whatever,10
invoke ExitProcess,0
end test_me
;Now let's see how the debugger disassembles the target's instructions :
;0040100A |. B8 00304000 MOV EAX,test.00403000 ; ASCII "Hello..."
;0040100F |. 8D0D 09304000 LEA ECX,DWORD PTR DS:[403009] ; 00403009 is pointing to ASCII "Bye"

;Now, without stepping into the MOV instruction, just click on it and you'll see the following in the pane :
; 00403000=test.00403000 (ASCII "Hello...")

;Select this line and right-click it, then click "modify register", which opens a box indicating that you are about to edit the value of the EAX register.
;Again without stepping, select the LEA instruction and you will see this in the pane :
; Address=00403009, (ASCII "Bye")
;Right-click that line again and select "Modify Register" ... Boom !! Crash !
;The difference between MOV and LEA is that with MOV the debugger edits the value of the instruction's destination register,
;but with a LEA instruction the debugger just crashes.
;===========================================================
;Quick Crash Analysis :
;===========================================================

;When the user clicks "modify register" in the case of a LEA instruction, Olly/Immunity Debugger tries to print "Modify reg"
;using this set of instructions:
;004302B9 . 8B1C95 A475650>MOV EBX,DWORD PTR DS:[EDX*4+6575A4] ; | Important Instruction !
;----Cut----
;----Cut----
;004309DA > 8B049D 48D25E0>MOV EAX,DWORD PTR DS:[EBX*4+5ED248] ; | Important Instruction !
;004309E1 . 8DB424 C609000>LEA ESI,DWORD PTR SS:[ESP+9C6] ; |
;004309E8 . 31FF XOR EDI,EDI ; |
;004309EA . C74424 04 0E48>MOV DWORD PTR SS:[ESP+4],Immunity.0060480E ; |ASCII "Modify %s"
;004309F2 . 893424 MOV DWORD PTR SS:[ESP],ESI ; |
;004309F5 . 894424 08 MOV DWORD PTR SS:[ESP+8],EAX ; |
;004309F9 . E8 12501A00 CALL <JMP.&ntdll.sprintf> ; \sprintf

;With a MOV instruction, at address 004302B9 [EDX*4+6575A4] holds a small value that indicates the position of the targeted register's name string
;in memory; that value is multiplied by 4 and added to memory address 005ED248.
;But with a LEA instruction [EDX*4+6575A4] holds the memory address of the element shown in the pane, in our case 00403009, which equals 4206601 in decimal.
;So when trying to determine which register is being dealt with (at 004309DA), the debugger reads from an address that is outside the mapped range (nonexistent): 4206601*4+5ED248 in my case.
;And it simply CRASHES.

;Best Regards,
;Souhail Hammou.
```
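The root cause from the crash analysis above, modelled as an added C example (not the advisory's code and not OllyDbg's or Immunity's): the pane keeps one value slot per selected line and the "Modify %s" path uses that slot as an index into a register-name table; for a MOV the slot is a small register number, for a LEA it is the operand's address (0x403009 here), so an unchecked lookup reads far past the table. The `pane_item` struct, `REG_NAMES` table and both functions are assumed names for illustration, and the hardened form shows the check a debugger needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register-name table indexed by a small register number (0..7).
   Stands in for the table the debugger reads via [EBX*4+5ED248]. */
static const char *const REG_NAMES[] = {
    "EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"
};
#define REG_COUNT (sizeof REG_NAMES / sizeof REG_NAMES[0])

/* What the pane stores for a selected line: for a MOV the value slot is a
   register number, for a LEA the same slot carries the effective address. */
enum pane_kind { PANE_REGISTER, PANE_ADDRESS };
struct pane_item { enum pane_kind kind; uint32_t value; };

/* Unchecked form (the crashing pattern): the value slot is used as a table
   index whatever its kind. With the LEA item value is 0x00403009, so this
   would read about 16 MB past the table; it is only ever called with a
   register item below. */
static void modify_label_unchecked(const struct pane_item *it, char *out, size_t n) {
    snprintf(out, n, "Modify %s", REG_NAMES[it->value]);
}

/* Hardened form: refuse anything that is not a register, and bounds-check
   the index before it reaches the table. Returns 0 on success, -1 otherwise. */
static int modify_label_checked(const struct pane_item *it, char *out, size_t n) {
    if (it->kind != PANE_REGISTER || it->value >= REG_COUNT) {
        snprintf(out, n, "%s", "Modify register: not applicable");
        return -1;
    }
    snprintf(out, n, "Modify %s", REG_NAMES[it->value]);
    return 0;
}

int main(void) {
    /* Constructed items mirroring the advisory's two pane lines. */
    struct pane_item mov_eax = { PANE_REGISTER, 0 };          /* MOV EAX,... */
    struct pane_item lea_bye = { PANE_ADDRESS, 0x00403009u }; /* LEA ECX,[403009] */
    char buf[64];
    modify_label_unchecked(&mov_eax, buf, sizeof buf);
    printf("MOV item: %s\n", buf);
    int rc = modify_label_checked(&lea_bye, buf, sizeof buf);
    printf("LEA item: rc=%d (%s)\n", rc, buf);
    return 0;
}
```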
