
CVE-2023-35674 PoC — Google Android Security Vulnerability

Associated Vulnerability
Title: Google Android Security Vulnerability (CVE-2023-35674)
Description: In onCreate of WindowState.java, there is a possible way to launch a background activity due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Description
Guide and theoretical code for CVE-2023-35674
Readme
# Guide-and-theoretical-code-for-CVE-2023-35674
Guide and theoretical code for CVE-2023-35674


Because Android is out of my skill league, please use this as a high-level overview from my POV on how I would exploit this CVE. The code snippets are just skeletons, please help :) So first of all, you can't exploit CVE-2023-35674 solely. Why? Because CVE-2023-35674 only allows you to launch a background activity due to a logic error. So in essence you would use this CVE to launch an app in the background, and use something like CVE-2021-0307 for privilege escalation. A word of advice: the only way you can fully exploit these 2 vulnerabilities (so in essence use the chain) is if your Android is Android 11.

So now for CVE-2023-35674. The root cause in essence is that virtual presentations were thought to only be shown on private virtual displays, and that shouldn't be the cause of an app being considered foreground. So I included Presentation.java, the code from the Google docs to start a virtual presentation, and inside of it start an instance of a class (which should be replaced with a way to start an app). This will by default start the app in the background. [1]

Now onto the EoP part... For CVE-2021-0307 I used this (https://blog.thalium.re/posts/leveraging-android-permissions/) as a reference.... So what more precisely? This:

![poc](https://github.com/user-attachments/assets/a7bc392d-c77a-4497-8fed-526a9b3f6f83) 

So naturally I thought of coding a skeleton, because again Android is out of my league and I'm lazy. Thus MainActivity.java was born. Now with a little bit better understanding, I think the exploit flow should be a little bit different. How?

Well, for the start, app in background [1] should still be respected. Yet for EoP it should be something along the lines of the image below.

![exploit](https://github.com/user-attachments/assets/c1fcbb84-904e-4d92-8c29-a3f491daeeeb)

As you can see the exploit flow is identical, only that instead of finishing the exploit like the EoP one, we finish with the app we started the exploit in background.

So generally speaking I think I described 2 ways of getting EoP, though I think for CVE-2023-35674 alone you can only get to execute code in the background. But digressing, I think there are 2 ways to exploit CVE-2023-35674:

1. By having an APK execute in the background, which is the first part where you use CVE-2023-35674 for background execution and further execute CVE-2021-0307.
2. The approach where you elevate the APK of CVE-2023-35674, yet with user interaction, which was described earlier, so yeah :/

Please take everything I write here with a grain of salt, until further notice (until I find someone to collab on this who knows Android exploitation....)
File Snapshot

[4.0K] /data/pocs/9ce7555d3b8691da105a42e04f7dd8087272d555
├── [1.5K] activity_main.xml
├── [1.2K] AndroidManifest.xml
├── [3.2K] MainActivity .java
├── [ 256] permission.xml
├── [ 20K] Presentation.java
└── [2.6K] README.md

0 directories, 6 files