{"id":28,"date":"2009-01-30T00:00:36","date_gmt":"2009-01-29T23:00:36","guid":{"rendered":"http:\/\/blog.rewolf.pl\/blog\/?p=28"},"modified":"2015-05-25T19:02:15","modified_gmt":"2015-05-25T17:02:15","slug":"old-dbghelp-and-an-old-exploit","status":"publish","type":"post","link":"http:\/\/blog.rewolf.pl\/blog\/?p=28","title":{"rendered":"Old dbghelp and an old exploit&#8230;"},"content":{"rendered":"<p><strong>Post moved from OpenRCE, original date: Friday, January 30 2009<\/strong><\/p>\n<p style=\"text-align: justify;\">Recently I&#8217;ve came across some &#8220;strange&#8221; problems during loading some executables into OllyDbg. After loading the file, OllyDbg just crashed without any error. During a quick research I&#8217;ve figured out that the problem lays in the extension of the loaded file. In fact, the problem laid in the old version of <strong>dbghelp.dll (5.1.3590.0)<\/strong>.<!--more--> I&#8217;ve asked google if &#8220;she&#8221; (or &#8220;he&#8221;, who knows) knows something about this bug, and that was a good choice. I&#8217;ve found a discussion on tuts4you forum:<\/p>\n<p>hxxp:\/\/forum.tuts4you.com\/index.php?showtopic=16445<\/p>\n<p>and a link to an exploit on milw0rm:<\/p>\n<p><a href=\"http:\/\/www.milw0rm.com\/exploits\/6031\">http:\/\/www.milw0rm.com\/exploits\/6031<\/a><\/p>\n<p style=\"text-align: justify;\">As you can read, it was related to &#8220;export name buffer overflow vulnerability&#8221;. My problem was different, but debugging OllyDbg lead me to the call to <em>SymLoadModule<\/em> at the same place like in the mentioned exploit. Further debugging revealed that my problem is related to the wrong use of <em>_splitpath<\/em> function from <strong>msvcrt.dll<\/strong>. Calling tree looks like this:<br \/>\n<code><br \/>\nSymLoadModule (exported)<br \/>\n-&gt; SymLoadModule64 (exported)<br \/>\n-&gt; SymLoadModuleEx (exported)<br \/>\n-&gt; InternalLoadModule<br \/>\n-&gt; load<br \/>\n-&gt; GetDebugData<br \/>\n-&gt; FileNameIsPdb<br \/>\n-&gt; msvcrt.splitpath<br \/>\n<\/code><\/p>\n<p>function <em>FileNameIsPdb<\/em> has a local variable:<br \/>\n<code><br \/>\nchar _str_extension[20];<br \/>\n<\/code><\/p>\n<p style=\"text-align: justify;\">which is passed to the <em>splitpath<\/em>, and if our prepared file extension is longer than 20 bytes it overwrites values on the stack, next 8 bytes overwrite some local variables, and finaly next 4 bytes overwrites the return address:<br \/>\n<code><br \/>\nextension: \".dll1234567890qwertyuiopasdfxxxx\"<br \/>\n<\/code><\/p>\n<p style=\"text-align: justify;\">it is not enough to crash OllyDbg though (for exploiting it should be sufficient), because there is SEH that can deal with this stack corruption. I figured out that overwriting another 26 bytes should crash OllyDbg, so the file extension should look like this:<br \/>\n<code><br \/>\n\"sample.dll1234567890qwertyuiopasdfxxxxlzxcvbnmQWERTYUIOPASDFGHJK\"<br \/>\n<\/code><\/p>\n<p style=\"text-align: justify;\">If someone has not updated <strong>dbghelp.dll<\/strong> in the olly directory, we can use this method as a simple anti-debug. We don&#8217;t need to rename executable to such form, we can dump a sample dll (with malformed extension) on the disk during the execution of the program, and just load it with <em>LoadLibrary<\/em> function. Development of an exploit could prove to be problematic because of limitations of charset that can be used to craft filename.<\/p>\n<p><strong>This bug cannot be applied to newer versions of dbghelp.dll<\/strong>.<\/p>\n<p><em>Original paper at:<\/em> <a href=\"http:\/\/rewolf.pl\/stuff\/rewolf_dbghelp.txt\">http:\/\/rewolf.pl\/stuff\/rewolf_dbghelp.txt<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Post moved from OpenRCE, original date: Friday, January 30 2009 Recently I&#8217;ve came across some &#8220;strange&#8221; problems during loading some executables into OllyDbg. After loading the file, OllyDbg just crashed without any error. During a quick research I&#8217;ve figured out that the problem lays in the extension of the loaded file. In fact, the problem [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6,3],"tags":[],"_links":{"self":[{"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=\/wp\/v2\/posts\/28"}],"collection":[{"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=28"}],"version-history":[{"count":8,"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=\/wp\/v2\/posts\/28\/revisions"}],"predecessor-version":[{"id":1266,"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=\/wp\/v2\/posts\/28\/revisions\/1266"}],"wp:attachment":[{"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=28"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=28"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/blog.rewolf.pl\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=28"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}