import argparse
import os
import re
import shlex
import shutil
import time

import lief
from adb_shell.adb_device import AdbDeviceTcp, _AdbTransactionInfo
from adb_shell.auth.keygen import keygen
from adb_shell.auth.sign_pythonrsa import PythonRSASigner
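def get_device(port: int, host: str = '127.0.0.1', auth_timeout_s: float = 10.0):
    """Connect to adbd over TCP, authenticate with a local RSA key and switch adbd to root.

    Args:
        port: TCP port adbd listens on (5555 after ``adb tcpip 5555``, or the
            port an emulator / ``adb forward`` exposes on localhost).
        host: address of adbd. Defaults to the value the original hard-coded.
        auth_timeout_s: how long to wait for the device to accept the RSA key.
            On the first connection to a device with ADB auth enabled the user
            has to tap "Allow" on screen; the original 0.1 s gave no time for
            that, so the wait is now generous (an already-trusted key still
            answers immediately).

    Returns:
        The connected ``AdbDeviceTcp`` on success, ``False`` when the root
        switch / reconnect fails (callers test the result for truthiness).

    Side effects:
        Creates ``adbkey`` and ``adbkey.pub`` in the current working directory
        when missing. The private key grants shell/root access to every device
        that has trusted it, so keep it out of the repo and treat it like an
        SSH key (check the file mode ``keygen`` left on it).
    """
    adb_device = AdbDeviceTcp(host, port)

    adbkey = "adbkey"
    if not os.path.isfile(adbkey):
        keygen(adbkey)
    with open(adbkey) as f:
        priv = f.read()
    with open(adbkey + '.pub') as f:
        pub = f.read()
    signer = PythonRSASigner(pub, priv)

    adb_device.connect(rsa_keys=[signer], auth_timeout_s=auth_timeout_s)
    try:
        print("attempting to get root access")
        try:
            reply = adb_device.root()
            print(f"[*] adb root: {str(reply).strip()}")
        except Exception as e:
            # adbd restarts itself to switch to root and may close the socket
            # before the reply is read; treat that like a normal restart.
            print(f"[*] adb root: no reply ({e!r}), assuming adbd restarted")

        # Switching to root restarts adbd, which kills the TCP session this
        # object holds. The original ran `whoami` on the dead session and
        # failed, then worked on the second invocation because adbd was
        # already root and did not restart -- most likely the "fails on first
        # run" behaviour noted below. Reconnect (with retries while adbd comes
        # back) so a single run suffices.
        adb_device.close()
        attempts = 10
        for attempt in range(attempts):
            time.sleep(1)
            try:
                adb_device.connect(rsa_keys=[signer], auth_timeout_s=auth_timeout_s)
                break
            except Exception:
                if attempt == attempts - 1:
                    raise

        user = adb_device.shell('whoami').strip()
        print(f"USER:{user}")
        if user != 'root':
            # `adb root` silently refuses on production builds; the later
            # pushes into /data/app will then fail with permission denied.
            print("[!] adbd is not running as root (production build?); "
                  "writing into /data/app will most likely fail")
    except Exception as e:
        print(f"failed to get root ({e!r}); is the device rootable and reachable at {host}:{port}?")
        return False
    return adb_device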
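def get_library_folder(adb_device, package_name: str) -> tuple[str, str]:
    """Locate the on-device native-library directory of an installed package.

    Runs ``pm dump`` over the ADB shell and extracts two fields:
    ``legacyNativeLibraryDir`` (e.g. ``/data/app/<pkg>-<id>/lib``) and
    ``primaryCpuAbi``. The ABI is mapped to the sub-directory name Android uses
    under ``lib/`` -- ``arm``, ``arm64``, ``x86`` or ``x86_64`` -- which is also
    the arch suffix the caller looks for in the Frida gadget file name. The
    original only distinguished ``armeabi-v7a`` from "everything else = arm64",
    which mis-detected x86 / x86_64 emulators.

    Args:
        adb_device: connected object exposing ``shell(cmd) -> str``.
        package_name: Android package name. It is shell-quoted before being
            interpolated into the remote command.

    Returns:
        ``(lib_dir, arch)`` with ``lib_dir == f"{legacyNativeLibraryDir}/{arch}"``.
        For an unknown package both ``pm`` fields are empty and the result is a
        meaningless ``"/arm64"``-style path; callers must validate it
        (``inject_library`` checks it against ``/data/app/.*<package>``).
    """

    def first_line(text: str) -> str:
        # `pm dump` may print more than one matching line; take the first
        # non-empty one rather than gluing them together.
        for line in text.splitlines():
            if line.strip():
                return line.strip()
        return ''

    quoted_pkg = shlex.quote(str(package_name))

    lib_cmd = (f'pm dump {quoted_pkg} | grep -i legacyNativeLibraryDir | '
               f'awk -F "legacyNativeLibraryDir=" \'{{print $2}}\'')
    legacy_native_library_dir = first_line(adb_device.shell(lib_cmd))
    print(f"[*]Lib folder set to {legacy_native_library_dir}")

    abi_cmd = (f'pm dump {quoted_pkg} | grep -i primaryCpuAbi | '
               f'awk -F "=" \'{{print $2}}\'')
    abi = first_line(adb_device.shell(abi_cmd))
    print(f"[*]arch set to {abi}")

    abi_to_arch = {
        'armeabi-v7a': 'arm',
        'armeabi': 'arm',
        'arm64-v8a': 'arm64',
        'x86': 'x86',
        'x86_64': 'x86_64',
    }
    arch = abi_to_arch.get(abi)
    if arch is None:
        # Keep the original fallback but make it visible: `null` here usually
        # means the app ships no native code for this user/ABI.
        print(f"[!] unrecognised primaryCpuAbi {abi!r}; assuming arm64")
        arch = 'arm64'

    lib_folder = f"{legacy_native_library_dir}/{arch}"
    print(f"[*]full path to lib folder set to {lib_folder}")
    return lib_folder, arch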
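def inject_library(adb_device, package_name: str, gadget_folder: str, target_lib: str) -> None:
    """Patch ``target_lib`` of an installed app so it pulls in the Frida gadget.

    All device-side work goes through the (rooted) ADB session:
      1. resolve the app's native lib dir and ABI via ``get_library_folder`` and
         refuse to continue unless the path is under ``/data/app/`` and names
         the package (guards against the empty result for an unknown package);
      2. pull ``target_lib`` locally, keep an untouched ``<target_lib>.orig``
         next to it (written once, so re-runs do not overwrite it with an
         already-patched copy), and add a ``DT_NEEDED libgadget.so`` entry with
         LIEF -- skipped when already present, making re-runs idempotent;
      3. push the patched lib, the gadget matching the ABI and its
         ``libgadget.config.so`` into the lib dir and set mode 0755.

    Args:
        adb_device: connected, rooted ADB device (see ``get_device``).
        package_name: Android package name of the target app.
        gadget_folder: local directory holding the Frida gadget ``.so`` files
            (the one whose name contains ``-<arch>.`` is used) and a
            ``libgadget.config.so``.
        target_lib: file name of the app's own library to patch, e.g. ``libmain.so``.

    Returns:
        None. Prints a message and returns early when the package cannot be
        resolved, no gadget for the ABI exists, or LIEF cannot parse the lib.
    """
    lib_folder, arch = get_library_folder(adb_device, package_name)
    script_dir = os.path.dirname(os.path.realpath(__file__))

    pattern = fr'/data/app/.*{re.escape(package_name)}.*'
    if not re.search(pattern, lib_folder):
        print(f"failed to get path for package : {package_name} is it installed??")
        return

    candidates = [name for name in os.listdir(gadget_folder) if f"-{arch}." in name]
    if not candidates:
        print(f"no gadget for arch {arch} found in {gadget_folder}")
        return
    gadget_file = os.path.join(gadget_folder, candidates[0])

    injected_lib = os.path.join(script_dir, target_lib)
    adb_device.pull(rf'{lib_folder}/{target_lib}', injected_lib)

    # Keep a pristine copy so the app can be restored without reinstalling it.
    pristine_copy = injected_lib + '.orig'
    if not os.path.exists(pristine_copy):
        shutil.copyfile(injected_lib, pristine_copy)

    binary = lief.parse(injected_lib)
    if binary is None:
        print(f"LIEF could not parse {injected_lib}; is {target_lib} an ELF shared object?")
        return
    if "libgadget.so" not in binary.libraries:
        binary.add_library("libgadget.so")
        binary.write(injected_lib)
    else:
        print("[*] libgadget.so already in DT_NEEDED, leaving the library as is")

    adb_device.push(injected_lib, rf'{lib_folder}/{target_lib}')
    adb_device.push(gadget_file, rf'{lib_folder}/libgadget.so')
    adb_device.push(os.path.join(gadget_folder, 'libgadget.config.so'),
                    rf'{lib_folder}/libgadget.config.so')

    # Read + execute for everyone is all the loader needs. The original used
    # 777, which left the app's code world-writable on the device.
    for name in ('libgadget.so', 'libgadget.config.so', target_lib):
        adb_device.shell(f'chmod 755 {lib_folder}/{name}')
    print("Done!")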
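if __name__ == '__main__':
    # CLI entry point: connect to adbd, obtain root, then patch the target
    # library of the given package to load the Frida gadget.
    parser = argparse.ArgumentParser(
        description='Inject a shared library into an input binary using LIEF')
    # The three inputs are used unconditionally, so fail fast with a usage
    # message instead of running `pm dump None` on the device.
    parser.add_argument('--package_name', required=True, help='package name')
    parser.add_argument('--gadget_folder', required=True, help='Path to the gadgets folder')
    parser.add_argument('--target_lib', required=True, help='Name of injected library')
    parser.add_argument('--host', default='127.0.0.1', help='ADB host (default: 127.0.0.1)')
    parser.add_argument('--port', type=int, default=5555, help='ADB port (default: 5555)')
    args = parser.parse_args()

    if args.host != '127.0.0.1':
        # Only the port is forwarded to get_device(), so a non-default host
        # has no effect; say so instead of silently connecting to localhost.
        print(f"[!] --host {args.host} is not forwarded to get_device(); connecting to 127.0.0.1:{args.port}")

    device = get_device(args.port)
    if device:
        inject_library(device, args.package_name, args.gadget_folder, args.target_lib)
    else:
        print("failed to get device!")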

Dependencies (install both before running the script):

pip install adb-shell

pip install lief

The script may fail on the very first run against a device and work on the second. The most likely reason is that `adb root` makes adbd restart as root, which drops the ADB session the script is still holding, so the following `whoami` raises and the script reports "failed to get root"; on the next run adbd is already root, nothing restarts, and it succeeds. Running it again is enough. (The original note attributed this to an adb_shell bug and linked an issue; the link did not survive.)

The gadget folder must contain the Frida gadget shared object for the target ABI — the script picks the first file whose name contains `-arm.` or `-arm64.` (the stock release names such as `frida-gadget-<version>-android-arm64.so` fit) — plus a `libgadget.config.so` configuration file, which is pushed next to it. See the Frida gadget documentation for the config format (the original linked it here).

