Opera 9.62 URL Handler Heap Overflow
Posted on 2008-11-18 11:54:10 in PornoSecurity
Hi there, ladies and gents. It's now Opera's turn. :)
As you can see in the comments section, send9 contacted me and gave me some details on a reproducible crash he found in the url:// handler of the Opera browser. I was very busy at the time, so two weeks passed before I found some time to play with the material he sent me.
It is a heap overflow, and I managed to achieve code execution by overwriting a function pointer and using heap spraying to put shellcode in a known location. I used a slightly modified version of the heap spraying code you usually find in exploits; this one will not be detected by your antivirus :). It wasn't hard at all to write this sploit, because Opera makes massive use of function pointers and the overflowed chunk sits right in the middle of some useful structures. Without that, it would be a pain to exploit this kind of vuln.
Then send9 and I coordinated the disclosure of the vulnerability and the release of the exploit.
As usual you can find the exploit here, and a video demonstration here.
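To make the bug class concrete, here is an added C illustration that is not part of the original post and has nothing to do with Opera's actual code: a hypothetical `url_record` struct models the layout the post describes, a fixed buffer followed in the same allocation by a function pointer. The unchecked copy trusts a caller-supplied length and clobbers the pointer; the checked copy is the one-line fix. The overflow is written through the object's byte representation and clamped to the struct so the demo is deterministic and never touches memory outside it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record laid out the way the post describes: a fixed-size
 * buffer followed, in the same allocation, by a function pointer. */
struct url_record {
    char scheme[16];
    void (*handler)(const char *);
};

static void open_url(const char *s) { (void)s; }

/* Constructed sample input: longer than `scheme`, so a copy that trusts
 * the length runs off the buffer and into `handler`. Returns bytes written. */
size_t build_overlong_input(char *out, size_t cap)
{
    size_t n = sizeof(struct url_record);  /* just enough to reach the pointer */
    if (n > cap) n = cap;
    memset(out, 'A', n);
    return n;
}

/* Vulnerable version: the length comes from the caller and is never checked
 * against sizeof scheme. The copy goes through the struct's bytes and is
 * clamped to the struct (a demo guard, not a fix) so it stays deterministic.
 * Returns 1 if the handler pointer survived, 0 if it was overwritten. */
int copy_scheme_unchecked(struct url_record *r, const char *src, size_t len)
{
    r->handler = open_url;
    if (len > sizeof *r) len = sizeof *r;
    memcpy((char *)r + offsetof(struct url_record, scheme), src, len);
    return r->handler == open_url;
}

/* Fixed version: reject anything that does not fit together with its
 * terminator. Returns -1 on rejection, 1 if the handler pointer is intact. */
int copy_scheme_checked(struct url_record *r, const char *src, size_t len)
{
    r->handler = open_url;
    if (len >= sizeof r->scheme) return -1;
    memcpy(r->scheme, src, len);
    r->scheme[len] = '\0';
    return r->handler == open_url;
}

int main(void)
{
    char input[64];
    size_t len = build_overlong_input(input, sizeof input);
    struct url_record a, b;
    printf("unchecked copy: handler intact = %d\n", copy_scheme_unchecked(&a, input, len));
    printf("checked copy:   result = %d (-1 means rejected)\n", copy_scheme_checked(&b, input, len));
    return 0;
}
```

The point of the layout is the one the post makes: a length check is the whole difference between an overwrite that lands in a pointer the program will later call and an input that is simply refused.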