I have taken a while and been trying to improve this one, unsuccessfully. But I would like to thank sinn3r and the rest of the Metasploit members who have tried to get a more reliable exploit. The PoC is unstable and the crash is variable. Also, I could not get more stable/reliable crashes. Anyway, I cannot discard the possibility of a DEP bypass. Under some versions it could be possible (controllable EAX to pivot) but unreliable/unstable. Give me feedback if you get a PoC that improves these issues :)
So far, the final result is not as nice as I wanted. Since I could not publish my MS10-090 exploit (you know, someone discovered it before I could publish :)), I am glad to get this one released, and it probably does not come alone.
Here go the reliability tests (click the image to see it correctly):
Fig. 1: Reliability table.
It is important to notice that most versions will not work at the first attempt, although it is possible and I have seen it. The crash dialog helps here, and the table above is based on it.
Crash-dialog options:
- Restart Speed Dial -> close opera.exe -> open opera.exe -> go to the URL of the exploit.
- Restart and reopen all tabs.
- Do not restart -> open opera.exe.
Tests features:
- Master Box: Windows 7 Ultimate with SP1 (English) (fully updated)
- VM engine: Virtual Box
- Virtual boxes: Windows XP Professional with SP3 (English) (fully updated) x 15
- Opera: Clean installations with default configuration
- Browser cache: not cleaned
- Number of attempts: 100
- Number of OS restarts: 5
- Number of exploit URL changes: 10
Notes:
- I have noticed that the reliability changes when the box is restarted, so it is very possible that you will get different results.
- This exploit was coded when the stable release was v10.61. At that time, my best results were obtained with v10.62 and v10.61 (not a clean installation: v10.6 -> v10.61).
Finally, the msf module is here and here.