Share
## https://sploitus.com/exploit?id=3BC08E52-24BC-5B92-8378-03F07C284006
# CVE-2024-33352 โ€” BlueStacks Local Privilege Escalation via VM Backdooring

## Overview

| Field | Value |
|---|---|
| CVE ID | CVE-2024-33352 |
| Affected Product | BlueStacks for Windows |
| Affected Versions |  "C:\"
        |
        v
2. Install malicious APK into BlueStacks
        |
        v
3. BlueStacks starts (by attacker or background autostart)
        |
        v
4. Android VM boots โ†’ BOOT_COMPLETED broadcast fires
        |
        v
5. BootReceiver โ†’ Exploit.installBackdoor()
        |
        v
6. Enumerate /mnt/windows/BstSharedFolder/Users/*
   Write payload.bat โ†’ each user's Windows Startup folder
        |
        v
7. Victim (admin) logs in โ†’ payload.bat executes with victim's privileges
```

---

## Repository Structure

```
CVE-2024-33352/
โ”œโ”€โ”€ app/                                    # Malicious Android APK (Kotlin)
โ”‚   โ”œโ”€โ”€ build.gradle
โ”‚   โ”œโ”€โ”€ proguard-rules.pro
โ”‚   โ””โ”€โ”€ src/main/
โ”‚       โ”œโ”€โ”€ AndroidManifest.xml
โ”‚       โ”œโ”€โ”€ java/com/exploit/cve2024/
โ”‚       โ”‚   โ”œโ”€โ”€ BootReceiver.kt             # BOOT_COMPLETED handler
โ”‚       โ”‚   โ””โ”€โ”€ Exploit.kt                  # Payload dropper logic
โ”‚       โ””โ”€โ”€ res/values/strings.xml
โ”œโ”€โ”€ checker/
โ”‚   โ””โ”€โ”€ check_bluestacks.py                 # Checks if host is vulnerable
โ”œโ”€โ”€ poc/
โ”‚   โ””โ”€โ”€ patch_config.py                     # Patches/restores Nougat32.bstk
โ”œโ”€โ”€ build.gradle
โ”œโ”€โ”€ gradle.properties
โ””โ”€โ”€ settings.gradle
```

---

## Components

### `app/` โ€” Android APK

The APK registers a `BroadcastReceiver` for `android.intent.action.BOOT_COMPLETED`. On Android VM boot, it calls `Exploit.installBackdoor()` which:

1. Resolves the expanded shared folder at `/mnt/windows/BstSharedFolder/Users/`
2. Enumerates all non-system user directories
3. Writes `payload.bat` into each user's Windows Startup directory:
   ```
   AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat
   ```

The default payload launches `calc.exe` as a benign proof-of-concept.

### `checker/check_bluestacks.py`

Runs on Windows. Checks:
- BlueStacks version against the patched threshold
- ACL misconfiguration on `C:\ProgramData\BlueStacks_nxt\`
- Practical write access (file creation test)
- Whether the VM config `hostPath` has already been tampered with

```
python checker/check_bluestacks.py
```

### `poc/patch_config.py`

Modifies `Nougat32.bstk` to expand the shared folder to `C:\`. Creates a timestamped backup before patching. Can also restore from backup.

```
python poc/patch_config.py read
python poc/patch_config.py patch
python poc/patch_config.py patch "C:\\"
python poc/patch_config.py restore Nougat32.bstk.bak_20240501_120000
```

---

## Building the APK

Requirements: Android Studio or Gradle + Android SDK.

```bash
./gradlew assembleRelease
```

Output APK: `app/build/outputs/apk/release/app-release-unsigned.apk`

Install into BlueStacks:
```bash
adb connect 127.0.0.1:5555
adb install app/build/outputs/apk/release/app-release-unsigned.apk
```

---

## Reproduction Steps

1. On the vulnerable Windows host, run `checker/check_bluestacks.py` to confirm exposure.
2. Run `poc/patch_config.py patch` to expand the shared folder to `C:\`.
3. Build the APK and install it into BlueStacks via ADB.
4. Start BlueStacks (or wait for autostart). The Android VM boots and the exploit fires.
5. Log in as a second Windows user. `payload.bat` will execute on login.

---

## Mitigation

- **Update BlueStacks** to version `10.40.1000.502` or later.
- Restrict ACLs on `C:\ProgramData\BlueStacks_nxt\` to deny write access for `BUILTIN\Users`:
  ```
  icacls "C:\ProgramData\BlueStacks_nxt" /remove:g "BUILTIN\Users" /t
  ```

---

## Disclaimer

This repository is for **security research, CTF, and authorized penetration testing only**. Do not use against systems you do not own or have explicit written permission to test.

---

## References

- [CVE Record โ€” cve.org](https://vulners.com/cve/CVE-2024-33352)
- [SecurityOnline writeup](https://securityonline.info/cve-2024-33352-bluestacks-vulnerability-puts-millions-of-gamers-at-risk/)
- Original researcher: mmiszczyk