## https://sploitus.com/exploit?id=3BC08E52-24BC-5B92-8378-03F07C284006
# CVE-2024-33352 โ BlueStacks Local Privilege Escalation via VM Backdooring
## Overview
| Field | Value |
|---|---|
| CVE ID | CVE-2024-33352 |
| Affected Product | BlueStacks for Windows |
| Affected Versions | "C:\"
|
v
2. Install malicious APK into BlueStacks
|
v
3. BlueStacks starts (by attacker or background autostart)
|
v
4. Android VM boots โ BOOT_COMPLETED broadcast fires
|
v
5. BootReceiver โ Exploit.installBackdoor()
|
v
6. Enumerate /mnt/windows/BstSharedFolder/Users/*
Write payload.bat โ each user's Windows Startup folder
|
v
7. Victim (admin) logs in โ payload.bat executes with victim's privileges
```
---
## Repository Structure
```
CVE-2024-33352/
โโโ app/ # Malicious Android APK (Kotlin)
โ โโโ build.gradle
โ โโโ proguard-rules.pro
โ โโโ src/main/
โ โโโ AndroidManifest.xml
โ โโโ java/com/exploit/cve2024/
โ โ โโโ BootReceiver.kt # BOOT_COMPLETED handler
โ โ โโโ Exploit.kt # Payload dropper logic
โ โโโ res/values/strings.xml
โโโ checker/
โ โโโ check_bluestacks.py # Checks if host is vulnerable
โโโ poc/
โ โโโ patch_config.py # Patches/restores Nougat32.bstk
โโโ build.gradle
โโโ gradle.properties
โโโ settings.gradle
```
---
## Components
### `app/` โ Android APK
The APK registers a `BroadcastReceiver` for `android.intent.action.BOOT_COMPLETED`. On Android VM boot, it calls `Exploit.installBackdoor()` which:
1. Resolves the expanded shared folder at `/mnt/windows/BstSharedFolder/Users/`
2. Enumerates all non-system user directories
3. Writes `payload.bat` into each user's Windows Startup directory:
```
AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.bat
```
The default payload launches `calc.exe` as a benign proof-of-concept.
### `checker/check_bluestacks.py`
Runs on Windows. Checks:
- BlueStacks version against the patched threshold
- ACL misconfiguration on `C:\ProgramData\BlueStacks_nxt\`
- Practical write access (file creation test)
- Whether the VM config `hostPath` has already been tampered with
```
python checker/check_bluestacks.py
```
### `poc/patch_config.py`
Modifies `Nougat32.bstk` to expand the shared folder to `C:\`. Creates a timestamped backup before patching. Can also restore from backup.
```
python poc/patch_config.py read
python poc/patch_config.py patch
python poc/patch_config.py patch "C:\\"
python poc/patch_config.py restore Nougat32.bstk.bak_20240501_120000
```
---
## Building the APK
Requirements: Android Studio or Gradle + Android SDK.
```bash
./gradlew assembleRelease
```
Output APK: `app/build/outputs/apk/release/app-release-unsigned.apk`
Install into BlueStacks:
```bash
adb connect 127.0.0.1:5555
adb install app/build/outputs/apk/release/app-release-unsigned.apk
```
---
## Reproduction Steps
1. On the vulnerable Windows host, run `checker/check_bluestacks.py` to confirm exposure.
2. Run `poc/patch_config.py patch` to expand the shared folder to `C:\`.
3. Build the APK and install it into BlueStacks via ADB.
4. Start BlueStacks (or wait for autostart). The Android VM boots and the exploit fires.
5. Log in as a second Windows user. `payload.bat` will execute on login.
---
## Mitigation
- **Update BlueStacks** to version `10.40.1000.502` or later.
- Restrict ACLs on `C:\ProgramData\BlueStacks_nxt\` to deny write access for `BUILTIN\Users`:
```
icacls "C:\ProgramData\BlueStacks_nxt" /remove:g "BUILTIN\Users" /t
```
---
## Disclaimer
This repository is for **security research, CTF, and authorized penetration testing only**. Do not use against systems you do not own or have explicit written permission to test.
---
## References
- [CVE Record โ cve.org](https://vulners.com/cve/CVE-2024-33352)
- [SecurityOnline writeup](https://securityonline.info/cve-2024-33352-bluestacks-vulnerability-puts-millions-of-gamers-at-risk/)
- Original researcher: mmiszczyk