airbus-seclab / android_emuroot

Android_Emuroot is a Python script that allows granting root privileges on the fly to shells running on Android virtual machines that use google-provided emulator images called Google API Playstore, to help reverse engineers to go deeper into their investigations.
GNU General Public License v2.0

GDB "find" crashes emulator #2

Open xdavidhu opened 4 years ago

xdavidhu commented 4 years ago

Hi, and thank you for the tool, looks really promising.

I've encountered an issue: when I start the script, it crashes the emulator when the GDB "find" command executes.

In the emulator console, I get this error message:

Warning: flatview_read_continue has iterated 128 times.
First addr: 0xc0000000. Last addr: 0xc00001fc.
First mr: 0x108eae210 ((none)). Last mr: 0x108eae210 ((none))

Things I've tried:

1. Different versions: I tried multiple Android versions (from the supported list) but no success.

2. Executing the find manually: When manually connecting to the remote GDB and executing find 0xc0000000, +0x40000000, "MAGICNAME", it crashes the same way.

3. Changing the start of the search: I tried changing 0xc0000000 to 0x0, and that ran successfully and did find one promising address which looks like a task_struct (it has 2 identical pointers at addr-8 and addr-4), but it points to a cred struct which is just full of 0x00, so it's probably not the real one.

Is there any way to fix this issue and get the script working? Is this an issue with the emulator/local config?

Thanks, David

agantet commented 4 years ago

Hi, annoyed that you cannot use the script yet... This bug does not tell us anything. Could you please give us more info (emulator config, android_emuroot options used, etc.) so that we are able to reproduce? By "emulator console", do you mean the output of "adb logcat"?

xdavidhu commented 4 years ago

By "emulator console" I mean the output of emulator -avd my_avd -qemu -s.

No matter what android_emuroot options I use, the crash always happens on this line. When the find GDB command gets executed, the whole emulator crashes.

Example: python3 android_emuroot.py -t 400 single --magic-name MAGICNAME

android_emuroot.py output:

2020-07-17 19:22:30 INFO: [+] Entering single function process name is MAGICNAME
2020-07-17 19:22:30 INFO: [+] Check if MAGICNAME is running
2020-07-17 19:22:30 WARNING: [+] OK. MAGICNAME is running
2020-07-17 19:22:30 INFO:  [+] Start the GDB controller and attach it to the remote target
2020-07-17 19:22:30 INFO:  [+] GDB additional timeout value is 400
2020-07-17 19:22:31 INFO:  [+] GDB server reached. Continue
2020-07-17 19:22:31 INFO:  [+] Get address aligned whose process name is: [MAGICNAME]
2020-07-17 19:22:31 INFO:  [+] This step can take a while (GDB timeout: 400sec). Please wait...
Traceback (most recent call last):
  File "android_emuroot.py", line 406, in <module>
    options.mode_function(options)
  File "android_emuroot.py", line 271, in single_mode
    magic = gdbsc.get_process_task_struct(options.magic_name)
  File "android_emuroot.py", line 221, in get_process_task_struct
    addresses = self.find(process)
  File "android_emuroot.py", line 176, in find
    if m.get('payload') != None and m.get('payload')[:-2].startswith('0x'):
TypeError: unhashable type: 'slice'

emulator output:

➜  ~ emulator -avd vmplay -qemu -s

Warning: flatview_read_continue has iterated 128 times.
First addr: 0xc0000000. Last addr: 0xc00001fc.
First mr: 0x10994b210 ((none)). Last mr: 0x10994b210 ((none))

My AVD config.ini:

AvdId = vmplay
PlayStore.enabled = true
abi.type = x86
avd.ini.displayname = vmplay
avd.ini.encoding = UTF-8
disk.dataPartition.size = 6442450944
fastboot.chosenSnapshotFile =
fastboot.forceChosenSnapshotBoot = no
fastboot.forceColdBoot = yes
fastboot.forceFastBoot = no
hw.accelerometer = yes
hw.arc = false
hw.audioInput = yes
hw.battery = yes
hw.camera.back = virtualscene
hw.camera.front = emulated
hw.cpu.arch = x86
hw.cpu.ncore = 4
hw.dPad = no
hw.device.hash2 = MD5:041eb4f348dec9fd18091e32004fae73
hw.device.manufacturer = Google
hw.device.name = Nexus 5
hw.gps = yes
hw.gpu.enabled = yes
hw.gpu.mode = auto
hw.initialOrientation = Portrait
hw.keyboard = yes
hw.lcd.density = 480
hw.lcd.height = 1920
hw.lcd.width = 1080
hw.mainKeys = no
hw.ramSize = 1536
hw.sdCard = yes
hw.sensors.orientation = yes
hw.sensors.proximity = yes
hw.trackBall = no
image.sysdir.1 = system-images/android-24/google_apis_playstore/x86/
runtime.network.latency = none
runtime.network.speed = full
sdcard.size = 512M
showDeviceFrame = yes
skin.dynamic = yes
skin.name = nexus_5
skin.path = /Users/xdavid/Library/Android/sdk/skins/nexus_5
tag.display = Google Play
tag.id = google_apis_playstore
vm.heapSize = 128

From your slides/demos, I saw that your emulator has 4 GB of memory. I thought maybe that causes the issue, but changing to hw.ramSize = 4000 also crashes the same way.

Thank you for your help!

agantet commented 4 years ago

Hi. Unfortunately, we were not able to reproduce your bug. According to the info you have given, it seems like it is not a bug related to emuroot. We hope you will find another gdb/machine configuration that will work for you.

NicolaiSoeborg commented 3 years ago

I get the same error. I think it is due to this change added in pygdbmi==0.9.0.0: "Stop buffering output" (and/or due to the bug being fixed here: https://github.com/cs01/pygdbmi/pull/49).

I solved it using: python3 -m pip install 'pygdbmi<0.9.0.0'
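The traceback above fails because `m.get('payload')[:-2]` slices whatever pygdbmi returned, and slicing a dict raises exactly `TypeError: unhashable type: 'slice'`. As an added illustration (not code from android_emuroot or pygdbmi), here is a parser for GDB `find` output that checks the payload type before touching it; it assumes pygdbmi-style records (dicts with `type` and `payload`) and that console payloads keep GDB's escaped newline as the two characters `\n`, and the sample records are constructed.

```python
import re
from typing import Any, Dict, Iterable, List

# One GDB "find" hit: a hex address, optionally followed by a symbol
# annotation such as "<init_task+1234>". Only the address is captured.
_HIT = re.compile(r"^(0x[0-9a-fA-F]+)")


def _payload_lines(payload: Any) -> List[str]:
    """Normalise a GDB/MI record payload to a list of non-empty text lines.

    Console records carry strings; result/notify records may carry a dict.
    Slicing a dict is what raised 'unhashable type: slice' in the issue,
    so anything that is not a string yields no lines instead of an error.
    """
    if not isinstance(payload, str):
        return []
    # Assumption: pygdbmi leaves GDB's escaped newline as the literal two
    # characters backslash-n, so turn those into real line breaks first.
    text = payload.replace("\\n", "\n")
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def find_addresses(records: Iterable[Dict[str, Any]]) -> List[int]:
    """Collect the hit addresses printed by GDB's find command from a
    sequence of pygdbmi-style response records."""
    hits: List[int] = []
    for rec in records:
        if rec.get("type") != "console":
            continue  # result/notify/log records never carry find hits
        for line in _payload_lines(rec.get("payload")):
            m = _HIT.match(line)
            if m:
                hits.append(int(m.group(1), 16))
    return hits


# Constructed sample: console output split per line (as newer pygdbmi
# delivers it) followed by a dict-valued result record of the kind that
# broke the original slice.
SAMPLE_RECORDS = [
    {"type": "console", "message": None, "payload": "0xc1a3f000 <init_task>\\n"},
    {"type": "console", "message": None, "payload": "0xc2f40e00\\n"},
    {"type": "console", "message": None, "payload": "2 patterns found.\\n"},
    {"type": "result", "message": "done", "payload": {}},
]

if __name__ == "__main__":
    for addr in find_addresses(SAMPLE_RECORDS):
        print(hex(addr))
```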

cs01 commented 3 years ago

> I get the same error. I think it is due to this change added in pygdbmi==0.9.0.0: "Stop buffering output" (and/or due to the bug being fixed here: cs01/pygdbmi#49).
>
> I solved it using: python3 -m pip install 'pygdbmi<0.9.0.0'

Hi I am the pygdbmi maintainer. I just released v0.10.0.1 with https://github.com/cs01/pygdbmi/pull/56. Hopefully it fixes the issue you were hitting. Sorry for the inconvenience.