Opera Web Browser 12.11 – Crash (PoC)

• Exploit Database
• 56 阅读

• 作者： coolkaveh
  日期： 2012-12-03
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/23107/

• Title:Opera Web Browser 12.11 WriteAV Vulnerability
  Version:12.11 Build 1661 and 12.12
  Date :2012-12-03
  Vendor :http://www.opera.com/
  Impact :High
  Contact:coolkaveh [at] rocketmail.com
  Twitter:@coolkaveh
  tested :windows XP SP3
  Author :coolkaveh
  #####################################################################################################################
  Opera is a web browser and Internet suite developed by Opera Software with over 270 million users worldwide.
  The browser handles common Internet-related tasks such as displaying web sites, sending and receiving e-mail 
  Messages, managing contacts, chatting on IRC, downloading files via BitTorrent, and reading web feeds. Opera is 
  Offered free of charge for personal computers and mobile phones.
  #####################################################################################################################
  Bug :
  ----
  Heap corruption during the handling of the Gif files
  context-dependent
  Successful exploits can allow attackers to execute arbitrary code
  ---- 
  ######################################################################################################################
  (f00.704): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=00000b0b ebx=0000000b ecx=0000100b edx=042bc048 esi=0417ffff edi=00141048
  eip=67237c8b esp=0012e3d8 ebp=0000001e iopl=0 nv up ei ng nz na po cy
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010283
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files\Opera\Opera.dll - 
  Opera!OpSetLaunchMan+0xb69f5:
  67237c8b 880emov byte ptr [esi],clds:0023:0417ffff=??
  0:000>!exploitable -v
  eax=00000b0b ebx=0000000b ecx=0000100b edx=042bc048 esi=0417ffff edi=00141048
  eip=67237c8b esp=0012e3d8 ebp=0000001e iopl=0 nv up ei ng nz na po cy
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010283
  Opera!OpSetLaunchMan+0xb69f5:
  67237c8b 880emov byte ptr [esi],clds:0023:0417ffff=??
  HostMachine\HostUser
  Executing Processor Architecture is x86
  Debuggee is in User Mode
  Debuggee is a live user mode debugging session on the local machine
  Event Type: Exception
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for ntdll.dll - 
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\WINDOWS\system32\WINMM.dll - 
  Exception Faulting Address: 0x417ffff
  First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
  Exception Sub-Type: Write Access Violation
  
  Exception Hash (Major/Minor): 0x63712c74.0x0c14230f
  
  Stack Trace:
  Opera!OpSetLaunchMan+0xb69f5
  Opera!OpSetLaunchMan+0xb66fc
  Opera!OpSetLaunchMan+0xb644a
  Opera!OpSetLaunchMan+0x38f4d
  Opera!OpSetLaunchMan+0x1b7b3
  Opera!OpSetLaunchMan+0x20a498
  Opera!OpSetLaunchMan+0x1fb4e3
  Opera!OpSetLaunchMan+0x1fb5d5
  Opera!OpSetLaunchMan+0x16d0c1
  ntdll!RtlRemoveVectoredExceptionHandler+0x2a2
  ntdll!RtlAllocateHeap+0x117
  Opera!OpSetLaunchMan+0x1503b9
  ntdll!RtlRemoveVectoredExceptionHandler+0x823
  ntdll!RtlFreeHeap+0x130
  WINMM!timeGetTime+0x2c
  Instruction Address: 0x0000000067237c8b
  
  Description: User Mode Write AV
  Short Description: WriteAV
  Exploitability Classification: EXPLOITABLE
  Recommended Bug Title: Exploitable - User Mode Write AV starting at Opera!OpSetLaunchMan+0x00000000000b69f5 (Hash=0x63712c74.0x0c14230f)
  
  User mode write access violations that are not near NULL are exploitable.
  ################################################################################
  Proof of concept included. 
  http://www21.zippyshare.com/v/83302158/file.html 
  Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23107.zip