Opera Web Browser 12.11 – Crash (PoC)

• Exploit Database
• 135 阅读

• 作者： coolkaveh
  日期： 2012-12-03
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/23107/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79

  Title:Opera Web Browser 12.11 WriteAV Vulnerability Version:12.11 Build 1661 and 12.12 Date :2012-12-03 Vendor :http://www.opera.com/ Impact :High Contact:coolkaveh [at] rocketmail.com Twitter:@coolkaveh tested :windows XP SP3 Author :coolkaveh ##################################################################################################################### Opera is a web browser and Internet suite developed by Opera Software with over 270 million users worldwide. The browser handles common Internet-related tasks such as displaying web sites, sending and receiving e-mail Messages, managing contacts, chatting on IRC, downloading files via BitTorrent, and reading web feeds. Opera is Offered free of charge for personal computers and mobile phones. ##################################################################################################################### Bug : ---- Heap corruption during the handling of the Gif files context-dependent Successful exploits can allow attackers to execute arbitrary code ---- ###################################################################################################################### (f00.704): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000b0b ebx=0000000b ecx=0000100b edx=042bc048 esi=0417ffff edi=00141048 eip=67237c8b esp=0012e3d8 ebp=0000001e iopl=0 nv up ei ng nz na po cy cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010283 *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files\Opera\Opera.dll - Opera!OpSetLaunchMan+0xb69f5: 67237c8b 880emov byte ptr [esi],clds:0023:0417ffff=?? 0:000>!exploitable -v eax=00000b0b ebx=0000000b ecx=0000100b edx=042bc048 esi=0417ffff edi=00141048 eip=67237c8b esp=0012e3d8 ebp=0000001e iopl=0 nv up ei ng nz na po cy cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010283 Opera!OpSetLaunchMan+0xb69f5: 67237c8b 880emov byte ptr [esi],clds:0023:0417ffff=?? HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception *** ERROR: Symbol file could not be found.Defaulted to export symbols for ntdll.dll - *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\WINDOWS\system32\WINMM.dll - Exception Faulting Address: 0x417ffff First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Write Access Violation   Exception Hash (Major/Minor): 0x63712c74.0x0c14230f   Stack Trace: Opera!OpSetLaunchMan+0xb69f5 Opera!OpSetLaunchMan+0xb66fc Opera!OpSetLaunchMan+0xb644a Opera!OpSetLaunchMan+0x38f4d Opera!OpSetLaunchMan+0x1b7b3 Opera!OpSetLaunchMan+0x20a498 Opera!OpSetLaunchMan+0x1fb4e3 Opera!OpSetLaunchMan+0x1fb5d5 Opera!OpSetLaunchMan+0x16d0c1 ntdll!RtlRemoveVectoredExceptionHandler+0x2a2 ntdll!RtlAllocateHeap+0x117 Opera!OpSetLaunchMan+0x1503b9 ntdll!RtlRemoveVectoredExceptionHandler+0x823 ntdll!RtlFreeHeap+0x130 WINMM!timeGetTime+0x2c Instruction Address: 0x0000000067237c8b   Description: User Mode Write AV Short Description: WriteAV Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - User Mode Write AV starting at Opera!OpSetLaunchMan+0x00000000000b69f5 (Hash=0x63712c74.0x0c14230f)   User mode write access violations that are not near NULL are exploitable. ################################################################################ Proof of concept included. http://www21.zippyshare.com/v/83302158/file.html Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23107.zip