miércoles, 5 de octubre de 2011


I have taken a while and been trying to improve this one, unsuccess. But, I would like to thank to sinn3r and the rest of metasploit members who have tried to get a more reliable exploit. The poc is unstable and the crash is variable. Also I could not lead to more stable/reliable crashes. Anyway, I cannot discard the possibility of DEP bypass. Under some versions, it could be possible (controllable EAX to pivot) but unreliable/unstable. Give me a feedback if you get a poc that improves these issues :)

So far, the final result is not as nice as I wanted. Since I could not publish my ms10-090 exploit, you know, someone discovered before I could publish :) I am glad to get released this one and probably it does not come alone.

Here goes the reliability tests (click to see correctly):

Fig. 1: Reliability table.

It is important to notice that most of versions will not work at first attempt. Although it is possible and I have seen it: The crash-dialog helps here and the table above is based on it.

Crash-dialog options:

  1. Restart-speech-dial -> close opera.exe -> open opera.exe -> go to url of exploit.
  2. Restart and reopen all tabs.
  3. Do not restart -> open opera.exe.

Tests features:

  • Master Box: Windows 7 Ultimate with SP1 (English) (fully updated)
  • VM engine: Virtual Box
  • Virtual boxes: Windows XP Professional with SP3 (English) (fully updated) x 15
  • Opera: Clean installations with configuration by default
  • Browser cache: It's not cleaned
  • Number of attempts: 100
  • Number of OS restarts: 5
  • Number of url-exploit changes: 10


  • I have noticed that the reliability changes when the box is restart. So it is very possible that you will get another results.
  • This exploit was coded when the stable release was v10.61 At that time, my best results was got with v10.62 and v10.61 (not clean installation: v10.6-> v10.61)

Finally, the msf module here and here