This repo contains a proof-of-concept for πŸ“±πŸš€πŸ‘‘βš‘, a deserialization vuln for local escalation of privilege to system_server in Android 10. This proof-of-concept only activates a privileged intent.

Overview

CVE-2020-0082-PoC

This repo contains a proof-of-concept for πŸ“± πŸš€ πŸ‘‘ ⚑ , a deserialization vuln for local escalation of privilege to system_server in Android 10. This proof-of-concept only activates a privileged intent.

In ExternalVibration of ExternalVibration.java, there is a possible activation of an arbitrary intent due to unsafe deserialization. This could lead to local escalation of privilege to system_server with no additional execution privileges needed. User interaction is not needed for exploitation.
Product: Android
Versions: Android-10
Android ID: A-140417434

diff --git a/core/java/android/os/ExternalVibration.java b/core/java/android/os/ExternalVibration.java
index 37ca868..041d21f 100644
--- a/core/java/android/os/ExternalVibration.java
+++ b/core/java/android/os/ExternalVibration.java
@@ -157,7 +157,6 @@
         out.writeInt(mUid);
         out.writeString(mPkg);
         writeAudioAttributes(mAttrs, out, flags);
-        out.writeParcelable(mAttrs, flags);
         out.writeStrongBinder(mController.asBinder());
         out.writeStrongBinder(mToken);
     }

This project is made for educational and ethical testing purposes only. Exploiting targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

References

EvilParcel Exploitation
A-140417434
CVE-2020-0082

You might also like...

CVE-2021-44228 (Log4Shell) Proof of Concept

CVE-2021-44228 (Log4Shell) Proof of Concept

CVE-2021-44228 (Log4Shell) Proof of Concept Apache Log4j2 =2.14.1 JNDI features used in configuration, log messages, and parameters do not protect ag

Mar 18, 2022

Log4Shell Zero-Day Exploit Proof of Concept

Log4Shell Zero-Day Exploit Proof of Concept

Log4Shell Zero-Day Exploit if attacker manage to log this string ${jndi:ldap://someaddresshere/param1=value1} to log4j it somehow loads the class/java

Oct 9, 2022

Slueth(Zipkin) λ₯Ό ν†΅ν•œ SQS Message Tracing POC(Proof of concept) μž…λ‹ˆλ‹€.

Slueth(Zipkin) λ₯Ό ν†΅ν•œ SQS Message Tracing POC(Proof of concept) μž…λ‹ˆλ‹€.

Sleuth AWS SQS POC ν•΄λ‹Ή ν”„λ‘œμ νŠΈλŠ” Slueth(Zipkin) λ₯Ό ν†΅ν•œ λ©”μ‹œμ§€ 좔적 POC(Proof of concept) μž…λ‹ˆλ‹€. Rest API λ₯Ό 톡해 POST μš”μ²­μ„ λ°›μœΌλ©΄, λ©”μ‹œμ§€λ₯Ό λ°œν–‰/μ†ŒλΉ„ ν•©λ‹ˆλ‹€. 이 κ³Όμ •μ—μ„œ μœ μ§€λ˜λŠ” TraceId λ₯Ό 확인

Nov 29, 2022

Log4j-RCE (CVE-2021-44228) Proof of Concept with additional information

Log4j-RCE (CVE-2021-44228) Proof of Concept with additional information

Log4J-RCE-Proof-Of-Concept (CVE-2021-44228) This is a proof of concept of the log4j rce. Here are some links for the CVE-2021-44228: https://www.lunas

Dec 2, 2022

Public proof-of-concept obfuscator using the MapleIR framework designed by cts & bibl

Public proof-of-concept obfuscator using the MapleIR framework designed by cts & bibl

Skidfuscator: Obfuscation like never seen before. Join the discord: https://discord.gg/QJC9g8fBU9 πŸ•΅οΈ What is Skidfuscator? Skidfuscator is a proof of

Jan 5, 2023

Stops double clicks from impacting a player's knockback by only allowing the attack packet to be processed only once per tick per player

Stops double clicks from impacting a player's knockback by only allowing the attack packet to be processed only once per tick per player. It also moves the damage tick check to execute as soon as possible.

Oct 28, 2022

A Java serialization/deserialization library to convert Java Objects into JSON and back

Gson Gson is a Java library that can be used to convert Java Objects into their JSON representation. It can also be used to convert a JSON string to a

Jan 8, 2023

Apache/Alibaba Dubbo = 2.7.3 PoC Code for CVE-2021-25641 RCE via Deserialization of Untrusted Data; Affects Versions = 2.7.6 With Different Gadgets

The 0xDABB of Doom - CVE-2021-25641-Proof-of-Concept Apache/Alibaba Dubbo = 2.7.3 PoC Code for CVE-2021-25641 RCE via Deserialization of Untrusted Da

Apr 24, 2022

Flutter plugin to listen to the process text intent stream.

Flutter plugin to listen to the process text intent stream.

Flutter Process Text Plugin Show some ❀️ and ⭐ the repo Why use Flutter Process Text? Flutter Process Text Plugin is known for : Flutter Process Text

Jul 1, 2022

Flutter plugin to listen to the process text intent stream.

Flutter plugin to listen to the process text intent stream.

Flutter Process Text Plugin Compatibility βœ… Android ❌ iOS (active issue: iOS support) Show some ❀️ and ⭐ the repo Why use Flutter Process Text? Flutte

Jul 1, 2022

Intent traffic monitoring tool.

Intent traffic monitoring tool.

XIntent An Intent traffic monitoring tool. Purpose App security testing or bug hunting. Intent IPC mechanism learning. App keep-alive behavior monitor

Dec 1, 2022

This code base is retained for historical interest only, please visit Apache Incubator Repo for latest one

Apache Kylin Apache Kylin is an open source Distributed Analytics Engine to provide SQL interface and multi-dimensional analysis (OLAP) on Hadoop supp

Dec 4, 2022

A well-designed local image and video selector for Android

A well-designed local image and video selector for Android

Matisse Matisse is a well-designed local image and video selector for Android. You can Use it in Activity or Fragment Select images including JPEG, PN

Dec 29, 2022

Android Auto Apps Downloader (AAAD) is an app for Android Phones that downloads popular Android Auto 3rd party apps and installs them in the correct way to have them in Android Auto.

Android Auto Apps Downloader (AAAD) is an app for Android Phones that downloads popular Android Auto 3rd party apps and installs them in the correct way to have them in Android Auto.

Android Auto Apps Downloader (AAAD) is an app for Android Phones that downloads popular Android Auto 3rd party apps and installs them in the correct way to have them in Android Auto.

Jan 2, 2023

This repo contains materials for the presentation.

Axon Presentation Axon is open source CQRS and Even Sourcing freamwork. In Trendyol, We have used it for 1.5 year in the production. We have approxima

Aug 28, 2022

This repo contains all the materials for placement as well as Practical lab codes for all subjects and notes. For students graduating in 2023

UEMK_PLACEMENT_2023 This repo contains all the materials for placement as well as Practical lab codes for all subjects and notes. For students graduat

Mar 5, 2022

This repository contains the code for the Runescape private server project, and this repo is soley maintained by @Avanae and @ThePolyphia and @Xeveral

Runescape: The private server project. A Runescape private server based on the 2009 era. This repository contains the code for the Runescape private s

Oct 1, 2022

Bring back Youtube Dislike for Android (View Only)

Show Youtube Dislikes Bring back Youtube Dislikes for Android This is a simple application, that parses the data from the "returnyoutubedislike.com" A

Nov 17, 2022
Owner
null
Square’s meticulous HTTP client for the JVM, Android, and GraalVM.

OkHttp See the project website for documentation and APIs. HTTP is the way modern applications network. It’s how we exchange data & media. Doing HTTP

Square 43.4k Jan 9, 2023
Android application allowing to sniff and inject Zigbee, Mosart and Enhanced ShockBurst packets on a Samsung Galaxy S20

RadioSploit 1.0 This Android application allows to sniff and inject Zigbee, Mosart and Enhanced ShockBurst packets from a Samsung Galaxy S20 smartphon

Romain Cayre 52 Nov 1, 2022
Writeup and exploit for installed app to system privilege escalation on Android 12 Beta through CVE-2021-0928

Writeup and exploit for installed app to system privilege escalation on Android 12 Beta through CVE-2021-0928, a `writeToParcel`/`createFromParcel` serialization mismatch in `OutputConfiguration`

null 52 Dec 30, 2022
STxMobile is a proof of concept of an Android app for remotely controlling the Raymarine ST2000+ tiller pilot from an Android phone.

STxMobile is a proof of concept of an Android app for remotely controlling the Raymarine ST2000+ tiller pilot from an Android phone.

Marco 8 Sep 1, 2022
This project allows the exchange of files between your local disk and a D64 image (Commodore 64 image disk) . Ce projet permet l'Γ©change de fichiers entre votre disque local et une image D64 (Image de disquette du Commodore 64).

DiskToolC64 Ce projet permet l'Γ©change de fichiers entre votre disque local et une image D64 (Image de disquette du Commodore 64). Introduction Les fi

Eddy BRIERE 3 Oct 12, 2022
A proof-of-concept Android application to detect and defeat some of the Cellebrite UFED forensic toolkit extraction techniques.

LockUp An Android-based Cellebrite UFED self-defense application LockUp is an Android application that will monitor the device for signs for attempts

mbkore 300 Dec 4, 2022
A proof-of-concept Android application to detect and defeat some of the Cellebrite UFED forensic toolkit extraction techniques.

LockUp An Android-based Cellebrite UFED self-defense application LockUp is an Android application that will monitor the device for signs for attempts

levlesec 300 Dec 4, 2022
Just-In-Time Access is an AppEngine application that lets you manage just-in-time privileged access to Google Cloud projects.

Just-In-Time Access Just-In-Time Access is an AppEngine application that lets you manage just-in-time privileged access to Google Cloud projects. Syno

Google Cloud Platform 36 Jan 3, 2023
A proof-of-concept serverless full-text search solution built with Apache Lucene and Quarkus framework.

Lucene Serverless This project demonstrates a proof-of-concept serverless full-text search solution built with Apache Lucene and Quarkus framework. βœ”οΈ

Arseny Yankovsky 38 Oct 29, 2022
log4j2 Log4Shell CVE-2021-44228 proof of concept

Log4Shell CVE-2021-44228 proof of concept Requirement Java (JDK/JRE) 8 or later version curl exploitable Simple spring boot application that serves a

Seshu Pasam 2 Dec 21, 2021