Opera 9.62 URL Handler Heap Overflow
Posted on 2008-11-18 11:54:10 in PornoSecurity
Hi there, ladies and gents. It's now Opera's turn. :)
As you can see in the comments section, send9 contacted me and gave me some details on a reproducible crash he found in the url:// handler of the Opera browser. I was very busy at the time, so two weeks passed before I found some time to play with the stuff he sent me.
It is a heap overflow, and I managed to achieve code execution by overwriting a function pointer and using heap spraying to put shellcode at a known location. I used a slightly modified version of the heap spraying code you usually find in exploits; this one will not be detected by your antivirus :). It wasn't hard at all to write this sploit because Opera makes massive use of function pointers and the overflowed chunk is right in the middle of some useful structures. Without that it would be a pain to exploit this kind of vuln.
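To make the "overwrite a function pointer, spray the heap, point it at a known address" chain concrete, here is an added example written for this page (it is not the author's exploit and does not contain the modified spray code or any real shellcode). It only builds a classic JavaScript spray block offline and checks the two properties the technique relies on: that the chosen address lands inside the NOP sled, and that the sled bytes, read as a pointer, give back that same address. The target address 0x0c0c0c0c, the 1 MiB block size, the zero heap base and the stand-in payload are all assumptions, not values from the Opera exploit.

```javascript
// Added illustrative example, not the post's exploit. Nothing here is allocated in a
// browser; the block is built and inspected as data so the layout maths can be checked.
// Assumed (hypothetical) values: 32-bit process, landing address 0x0c0c0c0c, 1 MiB blocks.

const TARGET_ADDR = 0x0c0c0c0c; // assumed value written over the function pointer
const BLOCK_SIZE = 0x100000;    // assumed spray block size in bytes (1 MiB)

// JS strings are UTF-16, so "\u0c0c" is the two bytes 0c 0c. A run of 0x0c bytes decodes on
// x86 as repeated "or al, 0x0c" wherever execution lands, so it doubles as a NOP sled, and
// any four bytes read out of it as a little-endian pointer give 0x0c0c0c0c again. That is why
// the same value is used both as the overwritten pointer and as the sled filler.
const SLED_UNIT = "\u0c0c\u0c0c";

// Constructed stand-in for a payload: "\u90cc" is stored as the bytes cc 90 (int3; nop).
const FAKE_SHELLCODE = "\u90cc\u90cc\u90cc\u90cc";

// One spray block: sled filling the block minus the payload, payload at the end, so that
// wherever in the sled execution lands it slides forward into the payload.
// Real sprays of the era subtracted the engine's string header from the size; ignored here.
function buildSprayBlock(shellcode, blockSize) {
  const chars = blockSize / 2;              // UTF-16: two bytes per char
  let sled = SLED_UNIT;
  while (sled.length < chars) sled += sled; // doubling keeps the build fast
  return sled.substring(0, chars - shellcode.length) + shellcode;
}

// Byte offset inside a block at which addr lands, assuming blocks laid out back to back
// from heapBase with headerBytes of allocator/string header in front of each (assumed).
function landingOffset(addr, blockSize, heapBase, headerBytes) {
  return ((addr - heapBase) % blockSize) - headerBytes;
}

// Blocks to allocate so the spray reaches past addr under the same contiguous assumption.
function blocksNeeded(addr, blockSize, heapBase) {
  return Math.ceil((addr - heapBase) / blockSize) + 1;
}

// True if the landing offset is inside the sled, i.e. before the payload bytes.
function landsInSled(block, shellcode, offset) {
  const sledBytes = (block.length - shellcode.length) * 2;
  return offset >= 0 && offset < sledBytes;
}

// Serialise the block the way the engine stores it (UTF-16LE) so bytes can be inspected.
function toBytes(str) {
  const out = new Uint8Array(str.length * 2);
  for (let i = 0; i < str.length; i++) {
    const c = str.charCodeAt(i);
    out[2 * i] = c & 0xff;
    out[2 * i + 1] = c >> 8;
  }
  return out;
}

function readU32LE(bytes, off) {
  return (bytes[off] | (bytes[off + 1] << 8) | (bytes[off + 2] << 16) | (bytes[off + 3] << 24)) >>> 0;
}

// Put the checks together for the assumed values.
function demo() {
  const block = buildSprayBlock(FAKE_SHELLCODE, BLOCK_SIZE);
  const off = landingOffset(TARGET_ADDR, BLOCK_SIZE, 0, 0);
  const bytes = toBytes(block);
  return {
    blockChars: block.length,                 // 524288 chars = 1 MiB
    offset: off,                              // 0xc0c0c: TARGET_ADDR mod BLOCK_SIZE
    inSled: landsInSled(block, FAKE_SHELLCODE, off),
    dwordAtLanding: readU32LE(bytes, off),    // 0x0c0c0c0c: the sled points to itself
    blocks: blocksNeeded(TARGET_ADDR, BLOCK_SIZE, 0),
  };
}
```

The self-pointing property checked by `dwordAtLanding` is what makes a single address usable even when the overwritten pointer is dereferenced once more before the call (for instance as a pointer to a table of function pointers): every dword in the sprayed region resolves back to the sled.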
Then send9 and I coordinated the disclosure of the vulnerability and the release of the exploit.
As usual, you can find the exploit here, and a video demonstration here.