Opera svg tag classic Use-After-Free Vulnerability

Posted in Uncategorized by cons0ul on January 31, 2013

Opera 12.13 fixed one of my 0day.I posted the poc on exploit-db.com so enjoy. Bug is use after free in handling of (use tag + clippath) witch try to access freed object.Freed object is 0x78 bytes long on 32 bit machine and 0xb0 bytes on 64 bit machine.

So I used ArrayBuffer for spraying the exact same size and boom with got the eip and vtable control


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: