nuclei-templates/network/exposures/exposed-adb.yaml

id: exposed-adb

info:
  name: Exposed Android Debug Bridge
  author: pdteam,pikpikcu
  severity: critical
  description: An exposed Android debug bridge was discovered.
  reference:
    - https://doublepulsar.com/root-bridge-how-thousands-of-internet-connected-android-devices-now-have-no-security-and-are-b46a68cb0f20
    - https://www.hackeracademy.org/how-to-hack-android-device-with-adb-android-debugging-bridge
    - https://www.securezoo.com/2018/06/thousands-of-android-devices-leave-debug-port-5555-exposed/
  metadata:
    max-request: 1
  tags: network,adb,rce,android,exposure

tcp:
  - inputs:
      - data: "434e584e0100000100001000ea000000445b0000bcb1a7b1"  # Generated using https://github.com/projectdiscovery/network-fingerprint
        type: hex

      - data: "686f73743a3a66656174757265733d7368656c6c5f76322c636d642c737461745f76322c6c735f76322c66697865645f707573685f6d6b6469722c617065782c6162622c66697865645f707573685f73796d6c696e6b5f74696d657374616d702c6162625f657865632c72656d6f756e745f7368656c6c2c747261636b5f6170702c73656e64726563765f76322c73656e64726563765f76325f62726f746c692c73656e64726563765f76325f6c7a342c73656e64726563765f76325f7a7374642c73656e64726563765f76325f6472795f72756e5f73656e642c6f70656e73637265656e5f6d646e73"
        type: hex

    host:
      - "{{Hostname}}"
    port: 5555

    matchers:
      - type: word
        words:
          - "device"
          - "product"
        condition: and
# digest: 4a0a00473045022100b5aedee315f46b16281eab4117d8f6fa4ec23b65815bc7444c9a014d5e84f8f802200592ca27e2db4885aee91d4ccb80c2953e03d526e8a6cc53379c88b666816787:922c64590222798bb761d5b6d8e72950