OllyDbg long process Module debug Vulnerability

2005-03-20T00:00:00
ID SECURITYVULNS:DOC:8116
Type securityvulns
Reporter Securityvulns
Modified 2005-03-20T00:00:00

Description

Vendor: Oleh Yuschuk

Application: OllyDbg http://home.t-online.de/home/Ollydbg/

Introduction: OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.

Affected Versions: 1.10 (final version) and prior versions.

Overview: In OllyDbg, if a target process loads modules that contains long name (greater than around 200 bytes), OllyDbg will be crashed.

This hole can be used for an anti-debug method for OllyDbg.

Vendor Status: No vendor response.

Discovery: ATmaCA atmaca@atmacasoft.com www.atmacasoft.com www.spyinstructors.com Credit to Kozan

POC: Debug this program with OllyDbg, when the program runs, a folder that named "olly hole" will be created on desktop and a long named dll will be created in this folder. then it will load this and finally olly debug will be crashed.

http://www.atmacasoft.com/exp/OllyHole.exe