lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 13 May 2005 15:04:16 +0200
From: Piotr Bania <>
Subject: OllyDbg "INT3 AT" Format String Vulnerability

      OllyDbg "INT3 AT" Format String Vulnerability
      by Piotr Bania <>

      Original location:
      Severity: 			High / Medium - code execution.
      Version affected:  	Probably all versions, tested on



      "OllyDbg is a 32-bit assembler level analysing debugger for
       Microsoft Windows. Emphasis on binary code analysis makes it
       particularly useful in cases where source is unavailable."


      Vulnerability takes place when module (with special crafted file
      name) executes int 3 instruction (trap to debugger).

      Here is the vulnerable code:

      .text:0042FBE0                 lea     eax, [ebp+buffer]
      .text:0042FBE6                 push    eax        ; format string
      .text:0042FBE7                 mov     edx, [ebp+var_28]
      .text:0042FBEA                 push    edx
      .text:0042FBEB                 call    sub_42E100 ; _vsprintf->

      Where format is an ascii string like: "INT3 command at

      Attacker can place a format string chars inside "<module_name>"
      (part of format buffor) and cause Olly to overwrite arbitary data.

      NOTE: Even with "IGNORE INT3 BREAKS" option checked, OllyDbg is
            still vulnerable. Attacker can also load some special crafted
            module (with special crafted name) while debugging, to make
            the attack more stealthy.


      This vulnerability after successful exploitation can allow the
      attacker to run arbitrary code in context of current user.
      Of course if the exploitation was not successful OllyDbg will fault
      and loose all debugged data.

best regards,
Piotr Bania

Piotr Bania - <> - 0xCD, 0x19
Fingerprint: 413E 51C7 912E 3D4E A62A  BFA4 1FF6 689F BE43 AC33  - Key ID: 0xBE43AC33

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists