Predebug execution exploit. -Windows

Started by mynameistmp, May 06, 2005, 01:48 AM

mynameistmp

This Australian group released some technical notes on how to use programs being loaded by a debugger as an attack vector. Interesting.

Whitepaper:

http://www.security-assessment.com/Whitepapers/PreDebug.pdf

Example code:

http://www.packetstormsecurity.nl/0504-exploits/predebug1.c
http://www.packetstormsecurity.nl/0504-exploits/predebug2.c
"This idea is so odd, it is hard to know where to begin in challenging it." - Martin Barker, British scholar

iago

I was reading about that at work yesterday.  I was surprised at how simple it actually was, although apparently it's pretty platform-specific.

Skywing was telling me a long time ago that some disassemblers (like IDA) are vulnerable like that, because they actually load the file, but others (like W32Dasm) aren't because they don't actually load it, just read it.

I wonder if this has ever been done in the real world.
This'll make an interesting test for broken AV:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
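The thread does not spell out the mechanism; the whitepaper's vector is the PE TLS callback, which the Windows loader runs while mapping the image, before the entry-point breakpoint a debugger (or a disassembler that loads rather than reads the file, as iago notes) relies on. The defender-side check is to look at the file statically. The following is an added example, not code from the thread or the paper: it parses a PE32/PE32+ TLS directory and lists its callbacks without mapping or executing the image, and `build_sample_pe` constructs a synthetic test file because the thread contains no binary.

```python
import struct

TLS_DIR = 9  # IMAGE_DIRECTORY_ENTRY_TLS

def _rva_to_offset(rva, sections):
    for vsize, va, rawsize, raw in sections:          # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    return None

def tls_callbacks(data):
    """Callback VAs listed in a PE32/PE32+ TLS directory ([] if none). Static parse only, nothing is executed."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)        # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    fmt = {0x10B: "<I", 0x20B: "<Q"}[magic]                            # pointer width: PE32 / PE32+ (KeyError otherwise)
    base = struct.unpack_from(fmt, data, opt + (28 if magic == 0x10B else 24))[0]   # ImageBase
    ndirs_off = opt + (92 if magic == 0x10B else 108)                  # NumberOfRvaAndSizes
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    tls_rva = struct.unpack_from("<I", data, ndirs_off + 4 + 8 * TLS_DIR)[0] if ndirs > TLS_DIR else 0
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    tls_off = _rva_to_offset(tls_rva, sections) if tls_rva else None
    if tls_off is None:
        return []
    psize = struct.calcsize(fmt)
    cb_va = struct.unpack_from(fmt, data, tls_off + 3 * psize)[0]      # IMAGE_TLS_DIRECTORY.AddressOfCallBacks
    off, found = (_rva_to_offset(cb_va - base, sections) if cb_va else None), []
    while off is not None and (cb := struct.unpack_from(fmt, data, off)[0]):  # zero-terminated table
        found.append(cb)
        off += psize
    return found

def build_sample_pe(callbacks, image_base=0x400000):
    # Constructed minimal PE32 with one section and a TLS directory; test input only, not a real binary.
    rva = 0x1000                                               # section RVA; its raw data sits at file offset 0x200
    body = bytearray(0x200)                                    # TLS directory at +0, callback table at +0x40
    struct.pack_into("<IIII", body, 0, 0, 0, 0, image_base + rva + 0x40)
    struct.pack_into("<%dI" % (len(callbacks) + 1), body, 0x40, *callbacks, 0)
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x3C], hdr[0x80:0x84] = b"MZ", 0x80, b"PE\0\0"   # e_lfanew = 0x80
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF header: i386, 1 section
    struct.pack_into("<H", hdr, 0x98, 0x10B); struct.pack_into("<I", hdr, 0x98 + 28, image_base)
    struct.pack_into("<I", hdr, 0x98 + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, 0x98 + 96 + 8 * TLS_DIR, rva, 24)  # TLS data directory entry
    hdr[0x178:0x180] = b".rdata\0\0"                          # section header follows the 224-byte optional header
    struct.pack_into("<IIII", hdr, 0x180, 0x200, rva, 0x200, 0x200)
    return bytes(hdr + body)
```

A non-empty result from `tls_callbacks` on a file you are about to open in a loading tool is the signal to inspect it in a reader that does not map the image first.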