[TOOL] OllyUni Plugin for OllyDbg
From: SecuriTeam (support_at_securiteam.com)
Date: 04/28/04
To: list@securiteam.com Date: 28 Apr 2004 12:00:56 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
OllyUni Plugin for OllyDbg
------------------------------------------------------------------------
SUMMARY
DETAILS
The plugin is designed for OllyDbg. Attach OllyDbg to your target process,
set a breakpoint at the instruction where you effectively gain control of
the return address (for example the RET after a stack overflow), and then
execute the program. The reason for breaking there is that OllyUni also
searches non-code sections for suitable byte sequences, and those sections
may only be loaded after program start or may be created dynamically.
In general, the global options are accessible via "Plugins->OllyUni". Here
you can set the UNICODE page for the character translation, the recursion
depth for UNICODE, Verbosity (you shouldn't touch this, unless you are FX)
and the forbidden characters that you can't use in your exploit.
All messages will be written to the OllyDbg log window (ALT-L). When
performing searches, make sure your log window is visible BEFORE you run
the action.
Features:
- Finding UNICODE addressable return addresses for CALL/JMP <reg>
- Finding ASCII addressable return addresses for CALL/JMP <reg>, specific
to the register you are looking for
- Finding ASCII addressable return addresses for stack adjustments (POP,
ADD ESP) followed by RET
- Setting filters on what characters you can use in the overflow for all
functions
- Saving your results
- Comparing results with previously saved ones and saving the diff
Finding Addresses:
Right-click in the code window (ALT-C). In the context menu you will find
the entry "Overflow Return Address >", under which the three different
types of tasks are listed. Once you have performed a search, this menu also
offers "Load address data from file and compare" and "Save address data to
file". If you have already compared data, you additionally get "Save compare
matches to file".
Comparing addresses:
The "compare" functionality is for finding so-called universal offsets
that work with different languages and service packs. Be careful: the
plugin allows you to compare apples and grapes (JMP EDI vs. CALL EAX). The
data files are ASCII, with the 4-byte addresses written one per line.
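The address data files described above are simple enough to be inspected outside the debugger. The following is an added example, not code from the OllyUni plugin or from this advisory: it parses two result files in the documented one-address-per-line ASCII format, computes the compare matches the plugin would report, and writes them back in the same format. The per-file task-type tag (for instance "JMP EDI") is an assumption of this example; the plugin's own files carry no such tag, which is exactly why the advisory warns that it will compare apples and grapes. The sample addresses are constructed.

```python
"""Offline compare of OllyUni-style address data files.

Added example, not part of the OllyUni plugin. File format per the
advisory: plain ASCII, one 4-byte (32-bit) hex address per line.
The 'kind' tag per file is assumed here; the plugin does not record it.
"""
from typing import List, Set


def parse_address_file(text: str) -> Set[int]:
    """Parse address data: one hex address per line.

    Accepts an optional 0x prefix, ignores blank lines and '#' comment
    lines (comment convention assumed by this example, not the plugin).
    Raises ValueError for anything that is not a 32-bit address.
    """
    addresses: Set[int] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        token = line[2:] if line.lower().startswith("0x") else line
        try:
            value = int(token, 16)
        except ValueError:
            raise ValueError(f"line {lineno}: not a hex address: {raw!r}")
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"line {lineno}: not a 4-byte address: {raw!r}")
        addresses.add(value)
    return addresses


def compare_address_sets(a: Set[int], b: Set[int],
                         kind_a: str, kind_b: str) -> List[int]:
    """Return the addresses present in both sets, sorted ascending.

    Refuses to compare results of different task types, which is the
    check the plugin itself does not perform (the apples-vs-grapes caveat).
    """
    if kind_a != kind_b:
        raise ValueError(f"refusing to compare {kind_a!r} with {kind_b!r}")
    return sorted(a & b)


def format_matches(matches: List[int]) -> str:
    """Serialise matches in the same one-address-per-line format."""
    return "".join(f"{addr:08X}\n" for addr in matches)


# Constructed sample data: two result files for the same search kind, from
# two hypothetical builds of one module. Every address is made up.
BUILD_A_DATA = "7C801A2B\n7C80ABCD\n7C811111\n"
BUILD_B_DATA = "7C801A2B\n7C80FFFF\n7C811111\n"


def sample_matches() -> List[int]:
    """Addresses common to both constructed result files."""
    return compare_address_sets(parse_address_file(BUILD_A_DATA),
                                parse_address_file(BUILD_B_DATA),
                                "JMP EDI", "JMP EDI")


if __name__ == "__main__":
    # Writes the matches in the plugin's file format to stdout.
    print(format_matches(sample_matches()), end="")
```

Because the tag is only a convention of this script, it is the caller's responsibility to label each file with the task type it was produced by; with correct labels the script refuses a JMP EDI vs. CALL EAX comparison instead of silently reporting matches.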
ADDITIONAL INFORMATION
The information has been provided by <mailto:fx@phenoelit.de> FX of
Phenoelit.
The tool can be downloaded from: <http://www.phenoelit.de/win/>