This project contains several post-exploitation tools for Android exploits that allow arbitrary code execution as the system user (uid 1000).
It is designed for Android 14 specifically on a Samsung S21 Ultra. It uses tons of reflection to manipulate/call private fields & methods, which is guaranteed to break on other Android versions.
Most features require code injection into system_server (or write access to the package cache), which is harder to accomplish than just code execution in regular system apps.
This project is based on michalbednarski/AbxOverflow, which exploits an issue in the package installer service (CVE-2024-34740) that allows custom data to be injected into the package cache in `/data/system/packages.xml`.
This makes it possible to register new 'fake' system apps under any shared UID. If we choose a shared UID such as `android.uid.system`, we can then inject code into existing processes running as that shared user by setting the `android:process` attribute on components in the manifest.
By additionally setting the process name of our component to `system`, we can effectively inject and execute Java code within system_server and manipulate its existing structures using reflection.
- Make any app debuggable temporarily
- Disable certificate pinning
- Access private app data (needs an addon app)
- Disable Android permission checking system-wide (for packages and UIDs)
- Launches my Shizuku fork (with system user support) as the system app on startup
- Integrated Java reflection browser UI to explore and modify system service internals
- Edit resources for any app on the fly using my FabricatedOverlayManager
- Start/stop Samsung DeX on an internal screen (can be connected to using `scrcpy --display-id=2`)
- Seamlessly switch between system processes that have different SELinux contexts (system_server, com.android.settings, etc.)
- Inject signatures for any other shared UIDs (allows this app to be installed into SystemUI, the phone process, the bluetooth process, etc.)
- Change installation sources (circumvent Play Store's sideload checks)
- Toggle multi-user support (Samsung only)
- Expose system files to regular apps using a DocumentsProvider
- Simple integrated shell
If you want to use the CVE-2024-34740 exploit to install the toolbox app, follow these steps:
- Compile the `droppedapk` subproject (select build target 'System' or just run `./gradlew :assembleSystemDebug`)
- This should happen automatically during build time: sign the APK using the `abxdroppedapk.keystore` contained in this repo (use password: `abxdroppedapk`)
- Copy the signed APK into `app/src/main/assets/droppedapk-release.apk`
- Compile the `app` subproject
- Install & execute the instructions within that exploit app
The toolbox will be installed as the system user. Updates for the injected app can be installed normally without redoing the exploit.
You can inject this app into other UIDs separately.
For example, to inject into android.uid.phone (UID 1001):
- Open the toolbox app injected as the system user
- Go to 'Inject into shared UID' and select UID 'Phone', enter the package name `com.example.abxoverflow.droppedapk.phone` and confirm
- Compile the `droppedapk` subproject & install the APK (select build target 'Phone' or just run `./gradlew :installPhoneDebug`)
- (The APK must be signed using the keystore `abxdroppedapk.keystore`)
For other UIDs, check `build.gradle`.
