Title: New generation of anti-debuggers? Posted by: TaU on 22 July 2004, 22:19
I was left like this :o when I read this:

Quote
[FMADV] - OllyDbg Format String Bug

* Introduction:
There exists a format string bug in the code that handles Debugger Messages in OllyDbg. This means any traced application can crash OllyDbg and execute machine code.

* About (From the Webpage):
OllyDbg is a 32-bit assembler level analysing debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. OllyDbg is seen as an industry standard when it comes to analysing vulnerabilities on win32, and its ease of understanding makes it a must for anyone developing exploits on Windows. Many people have sung the praises of OllyDbg, including some very high profile engineers and exploit developers.

* Technical details:
Typically OllyDbg attaches to a process and allows the user to customize the session; whether they trace, or they breakpoint some stuff or whatever. The Windows API is actually very debugger friendly and has many functions to interact with debuggers (most likely built for their own (safe) debugger WinDbg). One of these functions, OutputDebugString, sends a string directly to the debugger for interpretation, which OllyDbg displays to the user via a status line along the bottom, sans a format specifier, which means the user supplied string is used as the format specifier.

To reproduce this excellent bug, these steps can be taken:
1. Download Python (http://python.org) and win32com (http://starship.python.net/crew/mhammond/win32/Downloads.html). These two are _essential_ to any hacker's Windows box.
2. Run 'python' so you get an interactive shell.
3. Attach to the 'python' process with OllyDbg, press 'F9' to continue execution.
4. Type 'import win32api' and press enter in the python screen.
5. Type 'win32api.OutputDebugString("%s" * 50)' to crash OllyDbg. Typically, if you have OllyDbg set as the JIT Debugger, another OllyDbg screen will pop up ;)
OR
6. Type 'win32api.OutputDebugString("%8.8x" * 15)' to view what's on the stack!
7. The python process will now have died since OllyDbg died, so do the process again!

If this is all too hard, or you don't believe ;) then a screenshot for your viewing pleasure is available at: http://felinemenace.org/~nd/ollyfmt.png

Andrewg of FelineMenace managed to create a python script to exploit this vulnerability, albeit with some shellcode problems :)

* Conclusion:
It certainly opens up the possibility for binaries to start owning their debuggers, in an anti-reversing sense. GDB is a huge project too, with multiple public/unpublished bugs. Because debuggers work with the executable in a state of execution, disassemblers such as IDA could be vulnerable to a static attack of a malformed binary, much like the executable handling in the OpenBSD kernel I suppose. The possibilities are endless! However there is a definite need for disclosure of these bugs, as debuggers/disassemblers are the first defense against the malicious.

* Greets:
TFM (Team FelineMenace), Greg + rootkit.com, people who spend their day making sure imported beer is actually imported, peach.gotdns.org.
----
http://felinemenace.org/~nd

Source (http://security.nnov.ru/search/document.asp?docid=6514)

Of course, if what it says is true, from now on we'll have to be extremely careful with the files we want to examine with Olly. What I don't quite understand is how the exploit gets Olly to execute arbitrary code.... Anyway, what do you think about it?
Regards

Title: Re: New generation of anti-debuggers? Posted by: TaU on 28 July 2004, 20:03
Well, well, don't everybody talk at once... one at a time, please...
¬_¬

Title: Re: New generation of anti-debuggers? Posted by: el-brujo on 29 July 2004, 01:20
xDDDDDD

Title: Re: New generation of anti-debuggers? Posted by: byebye on 29 July 2004, 01:57
I don't see why there's anything to discuss; it's simply a bug that would have to be fixed in new versions.

Title: Re: New generation of anti-debuggers? Posted by: heap on 15 February 2005, 05:30
Quote
OutputDebugString sends a string directly to the debugger for interpretation, which OllyDbg displays to the user via a status line along the bottom, sans a format specifier, which means the user supplied string is used as the format specifier.

Look, the thing is right there: when the string is sent to the debugger and the debugger (ollydbg) is going to print it on screen, it needs a string format specifier, %s, which apparently isn't present. That opens up the possibility for application developers to supply the format specifier themselves, for example %n, which writes to memory, and so redirect execution somewhere; there are a thousand things they can do. But anyway, this bug gets fixed in a second, and besides, people who develop applications aren't going to use an exploit, that would be investing in something useless............ It doesn't seem that interesting to me, since to get to exploit the bug you need the person debugging to take certain steps..... But anyway, there's your explanation of why they can run arbitrary code.
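The pattern the advisory quoted in the first post describes, and the %n mechanism heap explains above, reduced to a small C example. This is an added illustration, not OllyDbg's code: `status_printf`, `show_debug_string_vuln`, `show_debug_string_fixed` and `count_format_directives` are hypothetical names standing in for a debugger's status-line routine and the two ways of feeding it the debuggee's OutputDebugString text. The vulnerable variant is only ever called with "%%" here, which consumes no argument, so the program is safe to run while still showing that the message is being interpreted as a format; the advisory's "%s" * 50 and "%8.8x" * 15 payloads are built and only counted, never printed through the vulnerable path.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status line standing in for the debugger's bottom status
 * bar (assumption for this example; not OllyDbg's own buffer). */
#define STATUS_LEN 256
static char status_line[STATUS_LEN];

/* printf-style helper of the kind a debugger uses to draw its status line.
 * Perfectly fine when the caller passes a literal format string. */
static void status_printf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(status_line, sizeof status_line, fmt, ap);
    va_end(ap);
}

/* VULNERABLE: the debuggee's message IS the format string, so every '%'
 * directive in it is interpreted (%x reads the stack, %n writes memory). */
const char *show_debug_string_vuln(const char *msg)
{
    status_printf(msg);
    return status_line;
}

/* FIXED: the message is an argument to a fixed "%s" format and is shown
 * verbatim, whatever it contains. */
const char *show_debug_string_fixed(const char *msg)
{
    status_printf("%s", msg);
    return status_line;
}

/* Scan a message for argument-consuming conversion directives. Returns the
 * number of arguments the format would pull from the stack; *writes is set
 * to 1 if a %n (memory write) directive is present. "%%" is a literal. */
static int scan_format(const char *msg, int *writes)
{
    int n = 0;
    *writes = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                    /* "%%" */
        while (*p && strchr("-+ #0123456789.*$", *p)) {
            if (*p == '*') n++;                     /* '*' width reads an arg */
            p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;    /* length modifiers */
        if (!*p) break;                             /* dangling '%' */
        if (*p == 'n') *writes = 1;
        n++;
    }
    return n;
}

int count_format_directives(const char *msg) { int w; return scan_format(msg, &w); }
int format_has_write(const char *msg)        { int w; scan_format(msg, &w); return w; }

/* Build the advisory's payloads ("%s" * 50, "%8.8x" * 15) for inspection. */
static void repeat(char *dst, size_t size, const char *piece, int times)
{
    dst[0] = '\0';
    for (int i = 0; i < times; i++)
        strncat(dst, piece, size - strlen(dst) - 1);
}

int main(void)
{
    char payload[STATUS_LEN];

    /* "%%" shows the bug without undefined behaviour: the vulnerable path
     * collapses it to "%", the fixed path shows the message as sent. */
    printf("vuln : %s\n", show_debug_string_vuln("100%% done"));
    printf("fixed: %s\n", show_debug_string_fixed("100%% done"));

    repeat(payload, sizeof payload, "%s", 50);
    printf("\"%%s\" * 50    would dereference %d stack words as pointers\n",
           count_format_directives(payload));
    repeat(payload, sizeof payload, "%8.8x", 15);
    printf("\"%%8.8x\" * 15 would dump %d stack words\n",
           count_format_directives(payload));
    printf("\"%%n\" writes memory: %d\n", format_has_write("%n"));
    return 0;
}
```

The pre-screen is what a debugger author would add as a second line of defence (or what you would check in a debuggee's strings before tracing it); the real fix is the one-line change from `status_printf(msg)` to `status_printf("%s", msg)`, exactly the missing `%s` heap points at.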