Flag: Tornado! Hurricane!

Blogs >> ReWolf's Blog

Created: Friday, January 30 2009 08:42.38 CST Modified: Friday, January 30 2009 08:43.40 CST
Printer Friendly ...
Old dbghelp and an old exploit...
Author: ReWolf # Views: 9963

    Recently I've came across some "strange" problems during loading some executables into OllyDbg. After loading the file, OllyDbg just crashed without any error. During a quick research I've figured out that the problem lays in the extension of the loaded file. In fact, the problem laid in the old version of dbghelp.dll (5.1.3590.0). I've asked google if "she" (or "he", who knows) knows something about this bug, and that was a good choice. I've found a discussion on tuts4you forum:

  http://forum.tuts4you.com/index.php?showtopic=16445

and a link to an exploit on milw0rm:

  http://www.milw0rm.com/exploits/6031

As you can read, it was related to "export name buffer overflow vulnerability". My problem was different, but debugging OllyDbg lead me to the call to SymLoadModule at the same place like in the mentioned exploit. Further debugging revealed that my problem is related to the wrong use of _splitpath function from msvcrt.dll. Calling tree looks like this:


SymLoadModule (exported)
  -> SymLoadModule64 (exported)
       -> SymLoadModuleEx (exported)
            -> InternalLoadModule
                 -> load
                      -> GetDebugData
                           -> FileNameIsPdb
                                -> msvcrt.splitpath


function FileNameIsPdb has a local variable:


  char _str_extension[20];


which is passed to the splitpath, and if our prepared file extension is longer than 20 bytes it overwrites values on the stack, next 8 bytes overwrite some local variables, and finaly next 4 bytes overwrites the return address:


  extension: ".dll1234567890qwertyuiopasdfxxxx"


it is not enough to crash OllyDbg though (for exploiting it should be sufficient), because there is SEH that can deal with this stack corruption. I figured out that overwriting another 26 bytes should crash OllyDbg, so the file extension should look like this:


  "sample.dll1234567890qwertyuiopasdfxxxxlzxcvbnmQWERTYUIOPASDFGHJK"


If someone has not updated dbghelp.dll in the olly directory, we can use this method as a simple anti-debug. We don't need to rename executable to such form, we can dump a sample dll (with malformed extension) on the disk during the execution of the program, and just load it with LoadLibrary function. Development of an exploit could prove to be problematic because of limitations of charset that can be used to craft filename.

This bug cannot be applied to newer versions of dbghelp.dll.

Original paper at: http://rewolf.pl/stuff/rewolf_dbghelp.txt


Blog Comments
txs Posted: Friday, January 30 2009 09:35.00 CST
Did you test this against the 2.0 ollydbg package? The older 1.1 version was vulnerable to a number of assorted issues including format string problems. I'm just curious if this was fixed in the 2.0 version (updated dbghelp.dll bundling) or if it still exists.

ReWolf Posted: Friday, January 30 2009 09:54.28 CST
It is a problem related to the old dbghelp.dll, if you have newer version, everything works ok, ollydbg here is just an example of application that can suffer from this bug. Dbghelp.dll was fixed long time ago, but many applications can still use older version ot this library.

PeterFerrie Posted: Friday, January 30 2009 10:34.58 CST
I talked about this a little bit in my second Anti-Unpacker paper.
The cause was a performance "enhancement" between Windows 2000 (where the file first appeared, not vulnerable) and Windows XP (vulnerable).  It was fixed in Windows Server 2003.  Vista is not vulnerable because it came later.
The problem is that some people chose to ship the DLL separately (OllyDbg, IDA, SoftICE, WinDbg, some others), and OllyDbg picked the vulnerable one.
The DLL is not supposed to be shipped separately.

waleedassar Posted: Saturday, June 9 2012 17:42.25 CDT
Also, the "Dbghelp.FindDebugInfoFileEx" was vulnerable. This occured when expanding/copying environment variables stuffed in its second parameter, e.g. when the executable dynamically loads a Dll in a directory named "%temp%ss%temp%ss%temp%bb%temp%jj%temp%aaa%temp%ss%temp%ww%temp%qq%temp%ss%temp%"

Affected version: 5.1.2600.5512

Luckily, OllyDbg v1.10 is shipped with Dbghelp.dll 6.x by default.



Add New Comment
Comment:









There are 31,320 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit