POC details: 0415a656e802970d6c83bb5059f601a819b4c2f1

Source
Related vulnerability
Title: Google Android security vulnerability (CVE-2024-31317)
Description: Google Android is a Linux-based open-source operating system developed by Google (USA). Google Android contains a security vulnerability caused by insecure deserialization in multiple methods of the ZygoteProcess.java file, which may allow code execution as any application via WRITE_SECURE_SETTINGS.
Description
A command-line utility to exploit Android Zygote injection (CVE-2024-31317)
Introduction
# Zygote injection toolkit
This is a Python command-line utility to easily run and backup private app data using the Android Zygote injection vulnerability (CVE-2024-31317).
To run this, you must have a device that has _not_ been updated to the [June 1, 2024 security patch](https://source.android.com/security/bulletin/2024-06-01). If you don't know whether your device is vulnerable, simply run the script and it will check for you.
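The check the script performs is essentially a comparison of the device's reported security patch level against the June 1, 2024 bulletin. The following is an added example, not code from the toolkit, that reads `ro.build.version.security_patch` over ADB and reports whether the Zygote injection fix is missing; it assumes `adb` is on `PATH` and that the device is authorized for USB debugging.

```python
# Added example (not part of the zygote-injection-toolkit): decide from the
# security patch level whether a device still lacks the fix for CVE-2024-31317.
import re
import subprocess
from datetime import date
from typing import Optional

# Builds at or after the 2024-06-01 bulletin carry the Zygote injection fix.
FIXED_PATCH_LEVEL = date(2024, 6, 1)

# ro.build.version.security_patch is formatted YYYY-MM-DD on shipping builds.
_PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_patch_level(raw: str) -> date:
    """Parse the value of ro.build.version.security_patch; reject anything odd."""
    m = _PATCH_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unexpected security patch level: {raw!r}")
    return date(*map(int, m.groups()))


def is_missing_zygote_fix(raw: str) -> bool:
    """True when the reported patch level predates the June 2024 bulletin."""
    return parse_patch_level(raw) < FIXED_PATCH_LEVEL


def device_patch_level(serial: Optional[str] = None) -> str:
    """Query the connected device over ADB (assumes adb is on PATH)."""
    cmd = ["adb"] + (["-s", serial] if serial else [])
    cmd += ["shell", "getprop", "ro.build.version.security_patch"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    level = device_patch_level()
    verdict = "fix MISSING (vulnerable)" if is_missing_zygote_fix(level) else "patched"
    print(f"security patch level {level.strip()}: {verdict}")
```

The patch level is self-reported by the vendor build, so treat a "patched" verdict as an indicator rather than proof that the ZygoteProcess fix is actually present.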

To run it, you need to have ADB installed and USB debugging enabled.
### Installation
To install or update, simply run `pip install --upgrade git+https://github.com/Anonymous941/zygote-injection-toolkit`.

If you would like to make changes to the source code, instead clone the repository using `git clone` and run `pip install -e .`.  This will install it in [development mode](https://setuptools.pypa.io/en/latest/userguide/development_mode.html).
### Usage
Make sure USB debugging is enabled and ADB is running (this can be done by running `adb start-server`, or almost any other ADB command). Then simply run `python -m zygote_injection_toolkit`. If the exploit runs successfully, you should have a reverse shell on port 1234 (on your host and the Android device), running with `system` privileges. It will also automatically attempt to force-enable OEM unlocking.
### About the exploit
**This is not a root exploit!** It is not possible to run apps requiring root or to install any Magisk modules. If you are already rooted, then you do not need to run this exploit.

What it can do is execute arbitrary code as the `system` user.  It has the ability to impersonate any app, including privileged apps, and read/write their private data (including data that cannot be backed up using `adb backup`).

Here are some use cases:

- Backing up almost all data before unlocking the bootloader, which wipes everything for security purposes
- Messing with system apps' data in order to bypass OEM restrictions
- Bypassing carrier restrictions on bootloader unlocking: the tool attempts this automatically, which *might* allow you to unlock the bootloader, but this is unlikely to be the only protection
- Chaining with a root exploit (outside the scope of this repository)

For more information about the exploit itself, you can refer to these two writeups: https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html, https://infosecwriteups.com/exploiting-android-zygote-injection-cve-2024-31317-d83f69265088
File snapshot

```
[4.0K] /data/pocs/0415a656e802970d6c83bb5059f601a819b4c2f1
├── [1.0K] LICENSE
├── [ 605] pyproject.toml
├── [2.4K] README.md
└── [4.0K] zygote_injection_toolkit
    ├── [1.1K] exceptions.py
    ├── [   0] __init__.py
    ├── [1.0K] IOemLockService.aidl
    ├── [ 428] __main__.py
    ├── [6.4K] parcel.py
    ├── [ 14K] search_selinux.py
    ├── [ 10K] stage1.py
    └── [6.3K] stage2.py

1 directory, 11 files
```