Recent Posts
- Scary monsters (and super creeps)
- Happy exploit wednesday!
- All you can spray
- Update: PDF sploits in the wild
- PDF sploits in the wild
- MPEG2TuneRequest 0-day
- Bad guys and sexy sploits: CVE-2009-1537
- Use the source, Luke!
- Vuln: Microsoft Excel Object Type Confusion Remote ..
-
Microsoft Excel Object Type Confusion Remote Code Execut..
- Vuln: Microsoft Excel MDXSET Record Remote Heap Buf..
-
Microsoft Excel MDXSET Record Remote Heap Buffer Overflo..
- Vuln: RETIRED: Microsoft March 2010 Advance Notific..
-
RETIRED: Microsoft March 2010 Advance Notification Multi..
Categories
Comments
- abhi:Hi, I go
- k`sOSe:sorry for that,
- ftk:can you reuploa
- Vincent:Yup, 403.
- DG:403 Forbidden f
- k`sOSe:yep, exactly. t
- Thierry :"assuming
- h4x0r:Yeahhh ! i,m w
- snip:All work and no
- testonly:hi, i tried thi
- k`sOSe:hello w0lf, tha
- w0lf:hello frist of
- k`sOSe:Hi send9, feel
- k`sOSe:heya snip, than
- send9:Nice. I don
- snip:Guido, questa m
- fXsTar:Infernet eXplod
- k`sOSe:yeah indeed, my
- nopper:w00ting club :)
- k`sOSe:well said patri
- k`sOSe:thx
- sweet :cool shit you g
- k`sOSe:Fossi in te ci
- devon:Appena fixano r
Opera 9.62 URL Handler Heap Overflow
Posted on 2008-11-18 11:54:10 in PornoSecurity
Hi there, ladies and gents. it's now the Opera turn. :)
As you can see in the comments section send9 contacted me and gave me some details on a reproducible crash he founds in the url:// handler of the Opera browser. I was very busy at the time and so two weeks passed before I found some time to play with the stuff he sends to me.
It is an heap overflow and I managed to achieve code execution by overwriting a function pointer and using Heap Spraying to put shellcode in a known location. I used a slighty modified version of the heap spraying code you usually find in exploits, this one will not be detected by your antivirus :). It wasn't hard at all to write this sploit because Opera makes massive use of function pointers and the chunk overflowed is just in the middle of some useful structures. Withouth that it would be a pain to exploit this kind of vuln.
Then we, send9 and me, coordinate the disclosure of the vulnerability and the release of the exploit.
As usual you can find the exploit here, and a video demonstration here.