Alloyproxy15 Patched [Mobile]

Prior to patch version 2.1.4, the proxy’s session replay protection logic deserialized incoming X-Alloy-Signature headers using the rmp-serde (MessagePack) crate without any bounds checking or cryptographic validation.

Pseudo-code of vulnerable function (v2.1.3 and earlier):

fn handle_replay_protection(req: &Request) -> Result<Session, Error> {
    // Panics if the header is absent; the header bytes are otherwise untrusted input.
    let sig_header = req.headers().get("X-Alloy-Signature").unwrap();
    // Deserialized straight from the header: no length bound, no signature check.
    let deserialized: ReplayToken = rmp_serde::from_read_ref(sig_header.as_bytes())?;
    // No HMAC verification, no nonce window check.
    let session = session_cache.get(deserialized.session_id)?;
    Ok(session)
}

The flaw: The ReplayToken struct contained a field named exec_hook of type Option<String>. In debug builds, this field was intended for developer telemetry. In release builds, it was mistakenly compiled into the production binary.

An attacker could craft a MessagePack payload where exec_hook contains a base64-encoded Rust closure. Upon deserialization, the proxy’s garbage collector would misinterpret the closure’s pointer as a valid function, leading to arbitrary code execution in the context of the proxy process (typically root when binding to ports <1024).
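The checks the vulnerable function skips (a size bound, authentication before deserialization, and a nonce window), written out as an added example rather than the project's own code. Python's hmac and struct modules stand in for the Rust HMAC and MessagePack path; the fixed-width token layout, the key, the 16-byte nonce and the 60-second window are assumptions, and the token carries only the fields the check needs, so no exec_hook-style debug field reaches production deserialization:

```python
import hashlib
import hmac
import struct
import time

# Constructed stand-in for the page's MessagePack ReplayToken: fixed-width fields
# (session_id, 16-byte nonce, issued_at) followed by an HMAC-SHA256 tag.
FMT = ">Q16sQ"
BODY_LEN = struct.calcsize(FMT)
TAG_LEN = hashlib.sha256().digest_size
NONCE_WINDOW_SECS = 60

def encode_token(key: bytes, session_id: int, nonce: bytes, issued_at: int) -> bytes:
    """What the legitimate issuer produces: serialized body plus its MAC."""
    body = struct.pack(FMT, session_id, nonce, issued_at)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class ReplayGuard:
    def __init__(self, key: bytes, now=time.time):
        self._key = key
        self._now = now    # injectable clock so the window is testable offline
        self._seen = {}    # nonce -> time it leaves the window

    def verify(self, header: bytes) -> int:
        """Return the session_id of a valid, unreplayed token; raise ValueError otherwise."""
        # 1. Bounds check before any parsing: exactly one signed token, nothing else.
        if len(header) != BODY_LEN + TAG_LEN:
            raise ValueError("bad length")
        body, tag = header[:BODY_LEN], header[BODY_LEN:]
        # 2. Authenticate before deserializing, with a constant-time compare.
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("bad signature")
        session_id, nonce, issued_at = struct.unpack(FMT, body)
        # 3. Nonce window: reject stale tokens and nonces already seen inside the window.
        now = int(self._now())
        if abs(now - issued_at) > NONCE_WINDOW_SECS:
            raise ValueError("outside window")
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if nonce in self._seen:
            raise ValueError("replayed nonce")
        self._seen[nonce] = issued_at + NONCE_WINDOW_SECS
        return session_id

def check(guard: ReplayGuard, header: bytes) -> str:
    try:
        guard.verify(header)
        return "ok"
    except ValueError as exc:
        return str(exc)
```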

The "patched" variant emerged because:

The "patched" release (often distributed via forums, GitHub gists, or file sharing sites) has these restrictions neutered.

If you are searching for a cracked version of AlloyProxy15 that still works after the patch, be aware of the severe risks:

Recommendation: If budget is a concern, consider open-source alternatives like scrapy-rotating-proxies or mitmproxy with custom rotation scripts.