DmitriyChernov
commented
4 years ago Hello! can you show console log?
Open zym-wade opened 4 years ago
DmitriyChernov
commented
4 years ago Hello! can you show console log?
DmitriyChernov
commented
4 years ago and tell me the way that you are running fuzz please
zym-wade
commented
4 years ago ============
21) method: getClient on 21 iteration; with arg types: 0() started to test.
22) method: getClient on 22 iteration; with arg types: 0() started to test.
23) method: getClient on 23 iteration; with arg types: 0() started to test.
23) method: getClient on 23 iteration; with arg types: 0() started to test.
24) method: getClient on 24 iteration; with arg types: 0() started to test.
25) method: getClient on 25 iteration; with arg types: 0() started to test.
26) method: getClient on 26 iteration; with arg types: 0() started to test.
27) method: getClient on 27 iteration; with arg types: 0() started to test.
28) method: getClient on 28 iteration; with arg types: 0() started to test.
29) method: getClient on 29 iteration; with arg types: 0() started to test.
This is the log of running logger.py, because I am running under windows, another tcpRadamsa.py I have not run, I do n’t know if this has any effect?
DmitriyChernov
commented
4 years ago yes it have effect. tcpRadamsa generates mutated input so methods with args like void fun(String arg1) will not work.
zym-wade
commented
4 years ago and tell me the way that you are running fuzz please
I only ran the logger.py script, and after opening the APP, I directly selected the FUZZ button
DmitriyChernov
commented
4 years ago try to run all python scripts before fuzz
zym-wade
commented
4 years ago This may be because my development environment is windows, so the python script cannot run. I try to get it to run under the linux virtual machine. In addition, I would like to ask, if some service methods cause the system to restart, will the fuzz test be interrupted?
DmitriyChernov
commented
4 years ago This may be because my development environment is windows, so the python script cannot run. I try to get it to run under the linux virtual machine.
yeah try it on linux, there are shell script there to run all pyton servers. also you need radamsa: https://gitlab.com/akihe/radamsa for tcpRadamsa.py
In addition, I would like to ask, if some service methods cause the system to restart, will the fuzz test be interrupted?
app will crash before it. we can't say in which state app and system can be in that moment. thats why logger was moved from android system environment to other place. this is the way to save properties of every system call.
zym-wade
commented
4 years ago This may be because my development environment is windows, so the python script cannot run. I try to get it to run under the linux virtual machine.
yeah try it on linux, there are shell script there to run all pyton servers. also you need radamsa: https://gitlab.com/akihe/radamsa for tcpRadamsa.py
In addition, I would like to ask, if some service methods cause the system to restart, will the fuzz test be interrupted?
app will crash before it. we can't say in which state app and system can be in that moment. thats why logger was moved from android system environment to other place. this is the way to save properties of every system call.
I will try it in the linux environment first, thank you very much for your answers. If I encounter any other problems, I will contact you again,thank you!
zym-wade
commented
4 years ago Hello! I am running under linux now, but tcpRadamsa.py has not received any information from the client after running. The log is as follows. Do I need to modify the IP address (192.168.0.12)?
W/System.err: java.net.ConnectException: failed to connect to /192.168.0.12 (port 4445) from /:: (port 36910): connect failed: ECONNREFUSED (Connection refused)
at libcore.io.IoBridge.connect(IoBridge.java:138)
at java.net.PlainSocketImpl.socketConnect(PlainSocketImpl.java:129)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:356)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:356)
at java.net.Socket.connect(Socket.java:616)
at java.net.Socket.connect(Socket.java:565)
at java.net.Socket.
DmitriyChernov
commented
4 years ago yep, change it on ip where tcpRadamsa works. replace here: https://github.com/DmitriyChernov/androidFuzzer/blob/master/app/src/main/java/com/example/konyash/fuzzer/generator/TCP_Client.java#L19
zym-wade
commented
4 years ago yep, change it on ip where tcpRadamsa works. replace here: https://github.com/DmitriyChernov/androidFuzzer/blob/master/app/src/main/java/com/example/konyash/fuzzer/generator/TCP_Client.java#L19
Wow, it works perfectly now. I will study the source code and try to see if it can cause the system to crash. In addition, I would like to ask, which Android versions have you caused a denial of service before?
DmitriyChernov
commented
4 years ago zym-wade
commented
4 years ago hi, I did some tests and also got some understanding of the source code. The app crashes every time I test the IActivityManager. I do n’t know why? (The logs are as follows) In addition, during the test, there will be a lot of InvocationTargetException, but no other exceptions, I would like to ask if the method called will cause DOS, will Android shut down after the exception is caught?
E/EXCEPTION: android.app.Activity CANT INSTANTIATE THIS OBJ. NO WAY. I/argType:: class android.app.Activity: null I/DEBUG: Intent { } E/DEBUG: ==========
DmitriyChernov
commented
4 years ago hi, I did some tests and also got some understanding of the source code. The app crashes every time I test the IActivityManager. I do n’t know why? (The logs are as follows)
maybe method can't be invoked directly? try to skip this one (by method name) or call it manually.
I would like to ask if the method called will cause DOS, will Android shut down after the exception is caught?
if we caught an exception it means that you provided wrong input and android CAN handle it. its ok. look for situations when system crashed or some managers crashed.
zym-wade
commented
4 years ago My previous fuzz method is to use the transact (int code, parcel data, parcel reply, int flags) interface of binder communication. In your case, the invoke function is used for reflection. Will this be a big difference?
In addition, using context information to obtain the number of system services is different from the number obtained by "adb shell service list"
DmitriyChernov
commented
4 years ago My previous fuzz method is to use the transact (int code, parcel data, parcel reply, int flags) interface of binder communication. In your case, the invoke function is used for reflection. Will this be a big difference?
i think yes cause binder can provide services different from context services.
In addition, using context information to obtain the number of system services is different from the number obtained by "adb shell service list"
ya, try another way, button "read". it reads file in format: https://github.com/DmitriyChernov/androidFuzzer/blob/master/syscalls and invokes methods from here. check this class also: https://github.com/DmitriyChernov/androidFuzzer/blob/master/app/src/main/java/com/example/konyash/fuzzer/fuzzer/AIDLFuzzer.java#L188
zym-wade
commented
4 years ago I will try to button "read".. I would like to ask how your services file is generated, because each AOSP service is different, how do you extract aidl information?
DmitriyChernov
commented
4 years ago https://github.com/opersys/raidl i've used this project
zym-wade
commented
4 years ago I have try to button "read"。After running for some time, the app will automatically flash back. This may be a segfault caused by a broken TCP connection. The log is as follows. Have you ever had this problem?
E/AndroidRuntime: FATAL EXCEPTION: main Process: com.example.konyash.fuzzer, PID: 24848 java.lang.NullPointerException: Attempt to invoke virtual method 'void java.net.Socket.close()' on a null object reference at com.example.konyash.fuzzer.generator.TCP_Client.onPostExecute(TCP_Client.java:36) at com.example.konyash.fuzzer.generator.TCP_Client.onPostExecute(TCP_Client.java:17) at android.os.AsyncTask.finish(AsyncTask.java:695) at android.os.AsyncTask.-wrap1(Unknown Source:0) at android.os.AsyncTask$InternalHandler.handleMessage(AsyncTask.java:712) at android.os.Handler.dispatchMessage(Handler.java:105) at android.os.Looper.loop(Looper.java:164) at android.app.ActivityThread.main(ActivityThread.java:6541) at java.lang.reflect.Method.invoke(Native Method) at com.android.internal.os.Zygote$MethodAndArgsCaller.run(Zygote.java:240) at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:767) I/Process: Sending signal. PID: 24848 SIG: 9
E/TcpClient: io crash W/System.err: java.net.ConnectException: failed to connect to /192.168.126.128 (port 4445) from /:: (port 60119): connect failed: ECONNABORTED (Software caused connection abort) at libcore.io.IoBridge.connect(IoBridge.java:138) at java.net.PlainSocketImpl.socketConnect(PlainSocketImpl.java:129) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:356) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182) at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:356) at java.net.Socket.connect(Socket.java:616)
DmitriyChernov
commented
4 years ago no i dont faced with this. sorry
zym-wade
commented
4 years ago no i dont faced with this. sorry
Now I am stuck here and still debugging. In addition, I would like to ask, did you find some vulnerabilities in Android system services during your testing?
Hello, I am currently working on Android fuzz testing. I want to reproduce this project. The apk is already running, but it stopped running when testing the first service APP. How do I run this project correctly? Thank you!