NOTE: As i found few days before the bug was found few months ago - not by me:) hehe
	   anyway i decided to describe more technical stuff so have phun.	

     OllyDbg Format String Buffer Overflow
     by Piotr Bania <bania.piotr@gmail.com>
     http://pb.specialised.info 
    
	
     Severity: 		High / Medium - code execution.
     Version affected:  Probably all versions, tested on
			v1.10.

	

     I. BACKGROUND

     "OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. 
     Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable."


     II. DESCRIPTION

     Vulnerability takes place when special crafted message is send to debugger (so 
     called output debug string exceptions/events) while file is debugged.

     Here is the vulnerable code:

   
     .text:0042E124                 push    ebx             ; arglist
     .text:0042E125                 mov     eax, [ebp+format]
     .text:0042E128                 push    eax             ; format
     .text:0042E129                 lea     edx, [ebp+buffer]
     .text:0042E12F                 push    edx             ; buffer
     .text:0042E130                 call    _vsprintf


     Attacker can place a format string chars inside "format" buffor and cause
     _vsprintf to overwrite arbitary data.


     III. IMPACT

     This vulnerability after successful exploitation can allow the 
     attacker to run arbitrary code in context of current user.
     Of course if the exploitation was not successful OllyDbg will fault
     and loose all debugged data.


     IV. POC CODE

     POC code was released for this issue.