walied
April 10th, 2012, 18:34
In this post I will be discussing another bug I found in OllyDbg. The idea came to me while debugging link.exe, the linker shipped with Microsoft Visual Studio 2008.
Debugging link.exe, I was amazed to see that the maximum number of sections a PE file can hold is 0xFEFF (as assumed by link.exe), not 96 (0x60 hex). At first I thought I had an old copy of the PE/COFF documentation, or that it was a mistake, since the documentation says "the Windows loader limits the number of sections to 96".
http://2.bp.blogspot.com/-bUsfvOHTZIU/T4Rl3cqRBKI/AAAAAAAAAec/69RsrPqsiJc/s1600/max.jpg
By creating a PE file with 97 sections, I found out that the 96-section limit applies to Windows XP but not to Windows 7 64-bit.
http://4.bp.blogspot.com/-GRBxH_MFpD4/T4RnE5OfD9I/AAAAAAAAAek/cnCLK6rhFEQ/s1600/97sec.jpg
http://4.bp.blogspot.com/-7Ue48oZ8Ctw/T4RnKlFYR4I/AAAAAAAAAes/B2SWZLmQyVk/s1600/97sec2.jpg
I quickly asked myself, "How will Olly handle that?!"
I opened Olly to debug another instance of itself and went to the PE-parsing code. See the image below.
http://4.bp.blogspot.com/-7ymq9InUoXY/T4Sg0ZjPztI/AAAAAAAAAe0/RiooSkKBAsg/s1600/vuln1.jpg
As you can see in the image above, Olly takes 0x1FFF (8191 decimal) as the maximum number of sections. That's cool!
The equivalent C code looks something like this. See the image below.
http://4.bp.blogspot.com/-WKi31GmsuCg/T4TBhrrDyzI/AAAAAAAAAfM/Hv9CLf0KjVU/s1600/kolo.jpg
As you can see, if we feed it an executable with 0x2000 (8192 decimal) or more sections, Olly crashes.
http://3.bp.blogspot.com/-gu6I3HurSHI/T4Si2gnk_-I/AAAAAAAAAfE/lqpiU0G1QVw/s1600/crash.jpg
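To make the check concrete, here is an added example (my own code, not code from this post or from OllyDbg) of how a PE section-table parser should validate NumberOfSections before reading anything. It builds constructed, in-memory PE images with a chosen section count, then parses them with every read bounds-checked against the file length and with the count checked against the parser's own capacity. The 0x1FFF cap is an assumption taken from the value seen in Olly's check, the PE structures are hand-defined so it compiles without windows.h, and the names build_pe, parse_section_table, MAX_SECTIONS_ACCEPTED and the status codes are all mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal PE constants and layout, hand-defined here so the example builds
   without windows.h. Offsets follow the PE/COFF specification. */
#define DOS_MAGIC             0x5A4D      /* "MZ" */
#define PE_SIGNATURE          0x00004550  /* "PE\0\0" */
#define E_LFANEW_OFFSET       0x3C        /* offset of e_lfanew in the DOS header */
#define COFF_HEADER_SIZE      20          /* IMAGE_FILE_HEADER */
#define SECTION_HEADER_SIZE   40          /* IMAGE_SECTION_HEADER */
#define LOADER_LIMIT_XP       96          /* documented Windows XP loader limit */
#define MAX_SECTIONS_ACCEPTED 0x1FFF      /* assumed parser cap, from the value seen in Olly */

typedef enum {
    PE_OK = 0,
    PE_BAD_HEADER,            /* no MZ/PE signature, or e_lfanew outside the file */
    PE_TABLE_OUT_OF_BOUNDS,   /* NumberOfSections * 40 runs past the end of the file */
    PE_TOO_MANY_FOR_PARSER    /* count exceeds what the parser's table can hold */
} pe_status_t;

/* Little-endian accessors: avoid struct packing and alignment surprises. */
uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Build a constructed, minimal PE image in memory: a DOS header whose e_lfanew
   points to offset 0x40, the PE signature, a COFF header with
   NumberOfSections = nsections and SizeOfOptionalHeader = 0, then nsections
   blank section headers. truncate_bytes shortens the reported length to
   simulate a cut-off file. Returns the usable length; caller frees *out. */
size_t build_pe(uint16_t nsections, size_t truncate_bytes, uint8_t **out)
{
    size_t pe_off = 0x40;
    size_t table_off = pe_off + 4 + COFF_HEADER_SIZE;
    size_t total = table_off + (size_t)nsections * SECTION_HEADER_SIZE;
    uint8_t *buf = calloc(total, 1);
    if (!buf) { *out = NULL; return 0; }
    put16(buf, DOS_MAGIC);
    put32(buf + E_LFANEW_OFFSET, (uint32_t)pe_off);
    put32(buf + pe_off, PE_SIGNATURE);
    put16(buf + pe_off + 4 + 2, nsections);   /* IMAGE_FILE_HEADER.NumberOfSections */
    put16(buf + pe_off + 4 + 16, 0);          /* IMAGE_FILE_HEADER.SizeOfOptionalHeader */
    for (unsigned i = 0; i < nsections; i++)  /* name each header ".s0", ".s1", ... */
        snprintf((char *)buf + table_off + (size_t)i * SECTION_HEADER_SIZE, 8, ".s%u", i);
    *out = buf;
    return truncate_bytes < total ? total - truncate_bytes : 0;
}

/* Walk the section table with every read bounds-checked against len, and refuse
   counts the parser's own fixed-size table could not hold, before touching any
   section header. On PE_OK, *nsect is the count and *over_xp_limit is set when
   the image exceeds the 96-section limit the XP loader enforces. */
pe_status_t parse_section_table(const uint8_t *img, size_t len,
                                uint16_t *nsect, int *over_xp_limit)
{
    if (len < E_LFANEW_OFFSET + 4 || get16(img) != DOS_MAGIC) return PE_BAD_HEADER;
    uint32_t pe_off = get32(img + E_LFANEW_OFFSET);
    if (pe_off > len || len - pe_off < 4 + COFF_HEADER_SIZE) return PE_BAD_HEADER;
    if (get32(img + pe_off) != PE_SIGNATURE) return PE_BAD_HEADER;
    uint16_t n   = get16(img + pe_off + 4 + 2);
    uint16_t opt = get16(img + pe_off + 4 + 16);
    size_t table_off = (size_t)pe_off + 4 + COFF_HEADER_SIZE + opt;
    if (table_off > len) return PE_TABLE_OUT_OF_BOUNDS;
    /* multiply in size_t: 0xFFFF * 40 does not fit the 16-bit count type */
    if ((size_t)n * SECTION_HEADER_SIZE > len - table_off) return PE_TABLE_OUT_OF_BOUNDS;
    if (n > MAX_SECTIONS_ACCEPTED) return PE_TOO_MANY_FOR_PARSER;
    *nsect = n;
    *over_xp_limit = n > LOADER_LIMIT_XP;
    return PE_OK;
}

int main(void)
{
    static const char *names[] = { "PE_OK", "PE_BAD_HEADER",
                                   "PE_TABLE_OUT_OF_BOUNDS", "PE_TOO_MANY_FOR_PARSER" };
    uint16_t counts[] = { 96, 97, 0x1FFF, 0x2000, 0xFEFF };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        uint8_t *img; uint16_t n = 0; int over = 0;
        size_t len = build_pe(counts[i], 0, &img);
        pe_status_t st = parse_section_table(img, len, &n, &over);
        printf("%5u sections -> %s%s\n", counts[i], names[st],
               (st == PE_OK && over) ? " (over XP's 96-section limit)" : "");
        free(img);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall pe_sections.c` and run; it prints which check each section count trips. The point is ordering: the count is compared against the file length and against what the table can hold before any header is read, so an image with 0x2000 or 0xFEFF sections is refused instead of walking past the end of a fixed-size buffer.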
Here you can find a proof of concept:
http://ollytlscatch.googlecode.com/files/2000sections.exe
Material in this post has been tried on Windows 7 (WOW64) with OllyDbg v1.10. I would be glad if someone gave it a shot on Windows 7 32-bit or Windows Vista.
You can follow me on Twitter @waleedassar