Authentication Bypass in Android adbd Wireless ADB TLS Verification
CVE-2026-0073 is a critical vulnerability in Android’s Android Debug Bridge daemon (adbd), specifically in the wireless ADB authentication path. The flaw is in adbd_tls_verify_cert in auth.cpp, where a logic error allows wireless ADB mutual authentication to be bypassed. Supporting content indicates the vulnerable code treats the result of EVP_PKEY_cmp() as a boolean; because cross-algorithm key comparisons can return a negative non-zero value, a mismatched attacker-controlled TLS client certificate may be incorrectly accepted as authorized. This breaks the intended mutual TLS trust check for wireless ADB and allows a nearby or adjacent attacker to establish an authenticated ADB session without valid pairing credentials. Google’s bulletin describes the outcome as remote (proximal/adjacent) code execution as the shell user with no user interaction required. Affected versions referenced in the content are Android 14, 15, 16, and 16-qpr2 prior to the May 2026 fixes.
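The logic error described above, and referred to again in several of the exploit summaries further down, is a classic tri-state-return-used-as-boolean bug. OpenSSL documents EVP_PKEY_cmp() as returning 1 when the keys match, 0 when they are the same type but differ, -1 when the key types differ, and -2 when the comparison is unsupported; only 1 means "match". The following C block is an added illustration and is not adbd's code or OpenSSL's: it uses a small mock of EVP_PKEY_cmp() with the same return contract, a constructed trust store holding one RSA key, and shows the vulnerable check side by side with the corrected one so a reviewer can see exactly which comparison form to look for in a fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Key algorithm tags standing in for OpenSSL's EVP_PKEY type ids.
 * Constructed for this example; not adbd's or OpenSSL's definitions. */
enum key_type { KEY_RSA, KEY_EC, KEY_ED25519 };

/* Minimal stand-in for an EVP_PKEY: the algorithm plus opaque key material. */
struct mock_pkey {
    enum key_type type;
    unsigned char material[8];
};

/* Mock of EVP_PKEY_cmp() following its documented return contract:
 *   1  keys match
 *   0  same key type, different keys
 *  -1  key types differ
 *  -2  comparison not supported (never produced by this mock)
 * The real function lives in libcrypto; this mock only models the values. */
int mock_evp_pkey_cmp(const struct mock_pkey *a, const struct mock_pkey *b)
{
    if (a->type != b->type)
        return -1;
    return memcmp(a->material, b->material, sizeof a->material) == 0 ? 1 : 0;
}

/* Vulnerable pattern: any non-zero result is taken as "matched", so a
 * cross-algorithm comparison (-1) authorizes the peer. */
bool verify_peer_vulnerable(const struct mock_pkey *stored, size_t n,
                            const struct mock_pkey *peer)
{
    for (size_t i = 0; i < n; i++) {
        if (mock_evp_pkey_cmp(&stored[i], peer))   /* BUG: -1 is truthy */
            return true;
    }
    return false;
}

/* Corrected pattern: only an explicit 1 counts as a match; 0, -1 and -2
 * all fall through to rejection. */
bool verify_peer_fixed(const struct mock_pkey *stored, size_t n,
                       const struct mock_pkey *peer)
{
    for (size_t i = 0; i < n; i++) {
        if (mock_evp_pkey_cmp(&stored[i], peer) == 1)
            return true;
    }
    return false;
}

/* Constructed scenario: the trust store holds one RSA key from a prior
 * pairing and the peer presents an unrelated EC key. Returns 1 when the
 * vulnerable check accepts it while the fixed check rejects it. */
int demo_cross_algorithm_case(void)
{
    struct mock_pkey stored[1] = { { KEY_RSA, "rsa-key" } };
    struct mock_pkey ec_peer   = { KEY_EC,  "ec-peer" };
    bool vuln  = verify_peer_vulnerable(stored, 1, &ec_peer);
    bool fixed = verify_peer_fixed(stored, 1, &ec_peer);
    return (vuln && !fixed) ? 1 : 0;
}

/* Constructed scenario showing the fix does not break legitimate pairing:
 * the stored RSA key is accepted by both checks, and a different RSA key
 * is rejected by both. Returns 1 when all four outcomes hold. */
int demo_legitimate_rsa_case(void)
{
    struct mock_pkey stored[1] = { { KEY_RSA, "rsa-key" } };
    struct mock_pkey same      = { KEY_RSA, "rsa-key" };
    struct mock_pkey other     = { KEY_RSA, "rsa-two" };
    bool ok = verify_peer_vulnerable(stored, 1, &same)
           && verify_peer_fixed(stored, 1, &same)
           && !verify_peer_vulnerable(stored, 1, &other)
           && !verify_peer_fixed(stored, 1, &other);
    return ok ? 1 : 0;
}

int main(void)
{
    printf("cross-algorithm EC vs stored RSA: vulnerable accepts, fixed rejects = %d\n",
           demo_cross_algorithm_case());
    printf("legitimate RSA pairing unaffected by fix = %d\n",
           demo_legitimate_rsa_case());
    return 0;
}
```

When auditing any call site that consumes EVP_PKEY_cmp(), X509_cmp(), or similar comparison APIs, the check to enforce is `== 1`, not truthiness; the same review rule applies to the EVP_PKEY_eq() alias in OpenSSL 3.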
Exploits
12 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (5 hidden).
Repository contains a single JavaScript exploit script and a README. The main file, bypass-adb.js, is a standalone Node.js exploit targeting the claimed CVE-2026-0073 in Android adbd wireless debugging. It implements low-level ADB packet construction/parsing, connects to a remote host over TCP, initiates an ADB CNXN handshake, waits for an STLS response, then upgrades the connection to TLS 1.3 using a generated client certificate. After the TLS session is established, it expects a post-TLS CNXN and then opens an ADB shell channel. The exploit supports two modes: interactive shell access and one-shot command execution via --cmd. The code uses custom ADB protocol constants (CNXN, STLS, AUTH, OPEN, OKAY, WRTE, CLSE), a large delayed ACK window, and temporary PEM files for the generated certificate/key pair. No hardcoded victim IPs or external C2 infrastructure are present; the operator provides the target host at runtime. Overall, this is an operational network exploit intended to bypass ADB wireless debugging authentication and achieve remote command execution on reachable Android devices with wireless ADB enabled.
This repository is a compact standalone exploit for CVE-2026-0073 targeting Android wireless debugging (adbd). It contains three files: a C exploit implementation (adb_bypass.c), a Dockerfile that builds a runnable container with OpenSSL and Android platform-tools, and a README explaining the vulnerability, attack flow, and usage. The main exploit logic is in adb_bypass.c. It is a native C implementation of an ADB-over-TCP/TLS authentication bypass. The program accepts a target host, optional port (default 5555), optional --cmd command, and -v for verbose output. It performs the ADB cleartext negotiation, requests STLS/TLS upgrade, generates an ephemeral EC P-256 keypair and self-signed certificate, and uses that certificate during TLS client authentication. The exploit relies on the vulnerable adbd behavior where EVP_PKEY_cmp(stored_rsa_key, peer_key) returning -1 for mismatched key types is incorrectly treated as truthy, causing authorization to succeed. After TLS is established, the code proceeds directly into post-auth ADB operations and opens a shell stream rather than sending a host CNXN that might reset the transport. Capabilities observed from the code and README: remote network exploitation against wireless adbd; TLS mutual-auth bypass using a non-RSA certificate; opening an interactive shell as the shell user; executing a single supplied command; and packaging into a Docker image for easy deployment. This is not a scanner or detector; it is an active exploit with post-exploitation shell capability. The repository does not appear to belong to a common exploit framework such as Metasploit or Nuclei. Its purpose is to provide a portable, dependency-light exploit binary that can be compiled and run on Linux systems with OpenSSL, or launched via Docker. The Dockerfile downloads Android platform-tools from Google, installs build dependencies, compiles adb_bypass.c into /usr/local/bin/adb_bypass, and sets that binary as the container entrypoint. 
Overall, this is an operational proof-of-concept exploit for unauthorized remote shell access to vulnerable Android devices exposing wireless debugging, provided the device has been paired previously and remains reachable on its adbd TCP port.
This repository is a small standalone Python exploit project consisting of a single executable script (`zero_click_vul.py`), a `requirements.txt` file requiring `cryptography`, and an MIT license. It is not part of a larger exploit framework. The main script presents itself as an exploit for `CVE-2026-0073`, described as an 'ADB Wireless Mutual Authentication Bypass' enabling 'Zero-Click ADB Shell Access'. The code implements low-level ADB protocol handling directly in Python, including ADB message constants (`CNXN`, `OPEN`, `OKAY`, `CLSE`, `WRTE`, `STLS`), message packing/parsing, feature negotiation, TLS-related handling, and certificate generation using the `cryptography` library. It generates a self-signed certificate with CN `adbkey`, suggesting the exploit attempts to satisfy or subvert ADB TLS mutual-auth expectations. Operationally, the script is a network exploit against Android devices exposing wireless ADB. It supports multi-target usage, including CIDR/range handling (the visible code imports `ipaddress` and references scan mode), threaded execution, verbose output, and output-file logging. In single-command mode it attempts exploitation and runs an arbitrary shell command supplied by the operator. In scan mode it first runs `id` to verify shell access, then executes a fixed set of diagnostic commands to collect device model, Android version, security patch level, kernel info, package listings, application data directory listings, and WLAN interface configuration. The exploit's main capability is remote shell command execution over ADB/TCP if the target is vulnerable. This goes beyond simple detection: it actively negotiates an ADB session, opens a shell service, executes commands, and returns output. Because the payload is operator-controlled but relatively basic shell-command execution rather than a modular framework payload system, the maturity is best classified as OPERATIONAL. 
Fingerprintable artifacts in the code are limited because it does not call external internet infrastructure. The primary target surface is a TCP ADB endpoint, likely defaulting to port 5555. Additional identifiable strings include the ADB feature banner advertising `tls_auth` and other capabilities, the Android path `/data/data`, and interface name `wlan0` used during post-exploitation diagnostics. Overall, the repository is purpose-built for exploiting exposed/vulnerable wireless ADB services on Android devices to obtain shell access and perform lightweight host reconnaissance.
Repository contains a single Python exploit script (adb_tls_exploit.py) plus a README. The script is a standalone operational exploit for CVE-2026-0073 against Android adbd Wireless Debugging. Its purpose is to discover reachable Android devices on the local network, negotiate an ADB-over-TLS session, bypass mutual TLS authentication by presenting a non-RSA self-signed certificate (EC or ED25519), and then open the ADB shell service for an interactive remote shell. Structure and behavior: the script defines ADB protocol constants, packet packing/parsing helpers, feature parsing, OpenSSL-backed certificate generation, optional Zeroconf/mDNS discovery, and an interactive shell handler. Discovery listens for the mDNS service _adb-tls-connect._tcp.local. and extracts IP, randomized port, and model metadata from service properties. In manual mode, the operator can directly supply IP and port. The exploit then performs a plaintext ADB CNXN handshake advertising features including tls_auth, waits for the STLS upgrade request, wraps the socket in TLS using a freshly generated self-signed certificate, and relies on the vulnerable adbd certificate comparison logic to accept the connection. After successful authentication bypass, it sends an ADB OPEN request for the shell service and multiplexes terminal I/O over the ADB channel. Capabilities: passive local-network target discovery, direct targeting by IP/port, certificate generation via openssl subprocess calls, TLS upgrade and authentication bypass, and interactive shell access. The README states the resulting shell is unprivileged (shell user). This is clearly exploit code rather than a detector, and while not part of a larger framework, it is more than a bare PoC because it automates discovery, exploitation, and shell interaction.
This repository is a small, focused exploit PoC for CVE-2026-0073 and contains only two files: a README and a single Python script, poc-cve-2026-0073.py. The README explains the vulnerability in Android's adbd TLS certificate verification logic, where EVP_PKEY_cmp(...) return values are handled incorrectly in a boolean context, allowing negative error values from mismatched key comparisons to be treated as successful authorization. The Python script is the main exploit and is a standalone operational PoC rather than a framework module. It uses the cryptography library to generate a self-signed non-RSA client certificate using either an EC or Ed25519 key. The exploit then connects to the target Android device's Wireless ADB TCP service, performs the expected ADB protocol sequence (plain TCP CNXN negotiation, A_STLS TLS upgrade, TLS handshake with client certificate presentation), and abuses the vulnerable certificate verification path in adbd to authenticate without possessing a legitimate trusted RSA ADB key. After authentication, the script opens an ADB service stream using shell:<command> and appears to support exec: as a fallback. Its purpose is to achieve remote command execution as the Android shell user and print the resulting output to the operator. The default command is id, but the operator can supply arbitrary shell commands. The script includes protocol constants, ADB packet packing/parsing helpers, certificate generation logic, TLS handling, error handling for SSL and connectivity failures, and a CLI entry point with arguments for target IP, port, command, key type, and verbose logging. There are no hardcoded external internet endpoints, C2 servers, or exfiltration destinations. The only meaningful target endpoint is the operator-supplied Android ADB TCP service, typically on port 5555. Overall, this is a genuine network-based exploit PoC for unauthorized Wireless ADB access and command execution on vulnerable Android devices.
This repository is a small standalone Python exploit project consisting of a license, a README, and a single executable script, exploit.py. The script is the clear entry point and implements a network-based exploit targeting the Android ADB daemon's Wireless Debugging feature, claiming to exploit CVE-2026-0073 via a TLS certificate authentication bypass in the STLS path. The exploit's main capabilities are offensive rather than purely diagnostic: it generates a self-signed certificate on the fly, attempts to establish a TLS-backed ADB session, performs ADB protocol messaging using standard command types (CNXN, AUTH, OPEN, OKAY, WRTE, CLSE), and then opens a remote shell channel. It supports both interactive shell access and single-command execution, with optional output capture to a local file. The README also describes subnet scanning and smart port discovery, and the visible code confirms command-line options for scanning, retries, manual port selection, verbosity, and disabling auto-port discovery. From the visible code, the exploit is implemented as a class named CVE20260073Exploit with methods for logging setup, cryptographic material generation, and runtime orchestration. The crypto initialization routine creates a self-signed certificate with CN=adb and supports a default EC P-256 key path plus an alternate ed25519 mode. The script uses Python standard networking and TLS-related modules (socket, ssl, struct, threading, time) together with cryptography for certificate generation. The main() function exposes a CLI suitable for direct operator use. Fingerprintable targets and protocol indicators include the advertised TCP scan range 30000-50000 for wireless debugging discovery, a fallback/default port of 39311 in the code, and explicit use of ADB protocol message identifiers. No hardcoded external C2, domains, or third-party callback infrastructure are present; the operator supplies the target IP or invokes local network scanning. 
Overall, this is an operational standalone exploit script intended to obtain remote ADB shell access over the network, not merely a detector or README-only proof of concept.
Repository contains a Bash proof-of-concept exploit script and a detailed Chinese-language technical writeup for CVE-2026-0073, an Android adbd TLS authentication bypass. The main exploit file, CVE-2026-0073-poc.sh, is a standalone Bash tool that supports two modes: a recommended 'adb connect' mode that temporarily replaces the operator's local ~/.android/adbkey material with a generated EC/EdDSA keypair and certificate, and a 'Python PoC' mode that appears to invoke a custom ADB/TLS implementation. The exploit generates a non-RSA client certificate (default curve prime256v1, with secp384r1, secp521r1, secp256k1, ed25519, and ed448 options), then connects to a target Android device over wireless ADB, default TCP/5555. The intended vulnerability is a logic bug in adbd certificate verification where EVP_PKEY_cmp() is used as a boolean; a cross-algorithm comparison between a stored RSA key and attacker EC certificate returns -1, which is treated as truthy and therefore accepted. Successful exploitation yields authenticated ADB access, enabling shell/command execution and other ADB functions. The script includes dependency checks, OpenSSL version checks, key generation, backup/restore of local ADB keys, curve listing, verbose logging, and cleanup logic. README.md provides the vulnerability rationale, affected component, exploitation prerequisites, protocol flow, vulnerable source snippet, and examples showing shell and command execution against a target device.
Repository contains a Python proof-of-concept exploit and companion network scanner for CVE-2026-0073, an Android adbd ADB-over-TCP TLS authentication bypass. The main exploit file, adb_tls_auth_bypass.py, implements low-level ADB packet framing, performs an initial cleartext ADB CNXN exchange, negotiates STLS, upgrades the socket to TLS 1.3 with an attacker-generated ephemeral EC client certificate, and then abuses the vulnerable certificate verification path to gain unauthorized ADB access. After the TLS transition, it opens the ADB shell service and either provides an interactive shell or executes a supplied command. This yields shell-user remote code execution over the network. The exploit capability is not just detection: it actively establishes a post-authentication ADB session and runs commands. The payload is basic but functional, making the repository operational rather than a mere PoC stub. The code targets Android devices exposing Wireless Debugging / ADB-over-TCP and relies on a specific target state: developer options enabled, ADB TCP reachable, and at least one previously paired RSA host key in the device trust store. The second code file, adbt_scanner.py, is an orchestrator that automates discovery and exploitation. It detects the local subnet, listens for mDNS advertisements of _adb-tls-connect._tcp, falls back to ARP sweep and TCP port scanning, probes candidate hosts for ADB/STLS behavior, and can exploit confirmed targets concurrently. It imports and reuses the exploit primitives from adb_tls_auth_bypass.py. Optional dependencies (zeroconf, scapy, netifaces) are used for discovery, with graceful fallback to system utilities such as ip and potentially nmap. Repository structure is small and focused: two Python scripts, a dependency file, a README with usage and prerequisites, and a long-form technical analysis markdown document. No evidence suggests this is part of a larger exploit framework like Metasploit or Nuclei. 
The included documentation consistently describes the exploit chain, target requirements, and operational modes. Overall purpose: provide both single-target exploitation and local-network discovery/exploitation of vulnerable Android adbd TLS endpoints.
This repository is a small standalone Python proof-of-concept exploit consisting of a README and one executable script, adb_tls_auth_bypass.py. It is not part of a larger exploitation framework. The script targets the Android adbd TLS authentication path described as CVE-2026-0073, where EVP_PKEY_cmp() allegedly returns -1 on key-type mismatch and that value is treated as truthy, causing unauthorized client-certificate acceptance when the device has a stored RSA ADB key and the attacker presents a non-RSA certificate. The exploit is network-based and speaks the ADB wire protocol directly. From the visible code and README, its structure includes: ADB packet framing helpers (_checksum, pack_packet, unpack_header, recv_packet, _recv_exact); ephemeral certificate generation (make_client_cert) using cryptography to create EC P-256 or Ed25519 self-signed client certificates; an ADBBypass class that handles TCP connection setup, cleartext CNXN/STLS negotiation, TLS upgrade, post-TLS CNXN handling, shell opening, command execution, and interactive shell I/O; and a main() routine that parses CLI arguments and iterates through an attempt matrix of key type and TLS version combinations. Operationally, the exploit connects to a target host and port, performs cleartext ADB negotiation, requests STLS, upgrades to TLS 1.3 or TLS 1.2, presents an ephemeral non-RSA client certificate, then if the target is vulnerable proceeds to open the ADB service string "shell:". It supports both interactive shell access and one-shot command execution via --cmd. The code also advertises fallback logic across EC/TLS 1.3, Ed25519/TLS 1.3, and EC/TLS 1.2, making it more than a minimal PoC but still a standalone operational exploit rather than a weaponized framework module. Fingerprintable target artifacts include the default ADB TCP port 5555, example wireless debugging port 37521, and the target-side file /data/misc/adb/adb_keys, which is central to the exploit precondition. 
The README also notes adb_known_hosts.pb as a different wireless-debugging key store that does not satisfy the bypass requirement. Overall, the repository’s purpose is to obtain unauthorized remote ADB shell access on vulnerable Android devices that expose adbd over the network and have previously stored RSA ADB authorization keys.
Repository contains a single Python proof-of-concept exploit and a README. The README documents CVE-2026-0073 as a logic flaw in Android adbd TLS client-certificate verification where non-zero EVP_PKEY_cmp results are treated as successful matches. The main script, poc-cve-2026-0073.py, is a standalone Python exploit that uses the cryptography library to generate a self-signed non-RSA client certificate (EC or Ed25519), then performs the ADB wireless protocol flow: plain TCP connection, CNXN feature advertisement including tls_auth, STLS upgrade, TLS handshake with the crafted certificate, and post-authentication ADB service opening. Its primary capability is remote authentication bypass against vulnerable wireless ADB, followed by arbitrary command execution as the Android shell user. The code appears operational rather than a mere detector: it implements ADB packet packing/parsing, TLS setup, certificate generation, command stream handling, and output retrieval. The main fingerprintable target is the remote Android ADB TCP service, typically <target_ip>:5555. No hardcoded external C2 or third-party network infrastructure is present; the exploit is directed entirely at a user-supplied target device.
Repository contains a Python exploit and a more feature-rich companion script targeting the claimed Android adbd STLS/TLS authentication bypass CVE-2026-0073. The core exploit logic is in adb_tls_auth_bypass.py: it implements raw ADB packet framing, connects to a target ADB TCP service, performs the cleartext CNXN/STLS negotiation, generates an ephemeral EC P-256 self-signed client certificate with the cryptography library, upgrades the socket to TLS, and then opens an ADB shell channel for command execution or interactive shell access. The exploit’s stated purpose is to abuse a key-type mismatch in adbd certificate verification so that an EC client key is accepted when compared against stored RSA keys. main.py is an expanded operational version of the same exploit. In addition to the same bypass and shell access flow, it exposes modules for single-command execution, automated profiling, artifact extraction, and persistence. Based on the README and visible code structure, profiling gathers device/system information, extraction pulls selected sensitive files to local disk, and persistence appends an attacker ADB public key to /data/misc/adb/adb_keys so future access can occur through normal ADB authentication. The code is standalone Python rather than part of a common exploit framework. Repository structure is small and focused: three Python scripts (main exploit, original variant, and maximized variant), a requirements.txt listing cryptography, and documentation assets under docs/ for a static showcase page. The HTML/CSS files are informational only and include external web assets unrelated to exploitation. Overall, this is an exploit repository, not a detector: its primary capability is network-based unauthorized ADB shell access over the Wireless Debugging/STLS path, with post-exploitation helpers for reconnaissance, file collection, and persistence.
This repository is a compact standalone Python proof-of-concept exploit for CVE-2026-0073 affecting Android adbd. It contains only two files: a README describing the vulnerability and testing context, and a single executable script, adb_tls_auth_bypass.py, which implements the exploit logic end-to-end. The exploit targets Android devices reachable over the local network when wireless debugging or ADB-over-TCP is enabled. The core issue described in the script is that adbd_tls_verify_cert() treats EVP_PKEY_cmp() as a boolean. If the device has a stored RSA ADB key from prior pairing, and the attacker presents a TLS client certificate with a different key type (specifically EC P-256 in this implementation), EVP_PKEY_cmp() returns -1 for key-type mismatch, which is treated as truthy, resulting in authorization bypass. Operationally, the script performs the following sequence: it opens a TCP connection to the target adbd service, sends a cleartext ADB CNXN packet, receives STLS from the device, replies with STLS, upgrades the connection to TLS 1.3 using a freshly generated self-signed EC P-256 certificate, avoids sending a host CNXN after TLS due to transport-state handling noted in comments, then opens an ADB shell service channel and either executes a provided command or attaches the user to an interactive shell. The script includes ADB packet framing helpers, TLS certificate generation, socket/TLS handling, and shell I/O routines. The exploit is not a scanner or detector; it is an active exploitation tool that provides post-bypass shell access. It is best classified as OPERATIONAL: it contains a working payload and exploitation flow, but it is a standalone script rather than a larger weaponized framework. The primary fingerprintable target is the network-exposed adbd service on TCP port 5555, with the exploit specifically depending on the target-side ADB key store at /data/misc/adb/adb_keys having previously contained an RSA key from pairing.
Recent activity
A critical zero-click authentication bypass in Android's adbd daemon caused by a cryptographic logic error in certificate verification, allowing nearby attackers to gain remote shell access over wireless ADB under specific conditions.
A critical remote code execution vulnerability in the Android System component affecting the Android Debug Bridge daemon (adbd), allowing code execution as the shell user without additional permissions or user interaction and potentially leading to full device compromise.
A critical Android remote code execution vulnerability in the System component affecting adbd (Android Debug Bridge daemon), allowing proximal/adjacent code execution as the shell user without user interaction.
A critical zero-click remote code execution vulnerability in Android's adbd (Android Debug Bridge daemon) component that can grant remote shell access without user interaction to nearby or same-network attackers.