search

c0de3 / androguard

Automatically exported from code.google.com/p/androguard
Apache License 2.0
0 stars 0 forks source link

androsign.py Segmentation Fault #173

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago 
I tryed to analyze an know malware apk.
1. Used the command:
./androsign.py -i apks/malware/com.android.installer.full.apk -b 
signatures/dbandroguard -c signatures/dbconfig

Expected to see something like:
com.android.installer.full.apk : ----> "SOMETHING"

Instead it gives me:
RageagainstTheCage ERROR
Exploid ERROR
com.android.installer.full.apk :Segmentation fault (core dumped)

What version of the product are you using? On what operating system?

Androguard 1.9

Linux 3.13.0-44-generic #73-Ubuntu SMP Tue Dec 16 00:22:43 UTC 2014 x86_64 
x86_64 x86_64 GNU/Linux

When running the command in python gdb and taking the trace with bt, it gives 
me:

#0  0x00007ffff52381d5 in entropy () from 
./elsim/elsim/elsign/libelsign/libelsign.so
#1  0x00007ffff52019e9 in entropy(_object*, _object*) () from 
./elsim/elsim/elsign/libelsign/libelsign.so
#2  0x000000000052c6d5 in PyEval_EvalFrameEx ()
#3  0x000000000052cf32 in PyEval_EvalFrameEx ()
#4  0x000000000052cf32 in PyEval_EvalFrameEx ()
#5  0x000000000052cf32 in PyEval_EvalFrameEx ()
#6  0x000000000052cf32 in PyEval_EvalFrameEx ()
#7  0x000000000052cf32 in PyEval_EvalFrameEx ()
#8  0x000000000052cf32 in PyEval_EvalFrameEx ()
#9  0x000000000052cf32 in PyEval_EvalFrameEx ()
#10 0x000000000055c594 in PyEval_EvalCodeEx ()
#11 0x00000000005b7392 in PyEval_EvalCode ()
#12 0x0000000000469663 in ?? ()
#13 0x00000000004699e3 in PyRun_FileExFlags ()
#14 0x0000000000469f1c in PyRun_SimpleFileExFlags ()
#15 0x000000000046ab81 in Py_Main ()
#16 0x00007ffff7817ec5 in __libc_start_main (main=0x46ac3f <main>, argc=8, 
argv=0x7fffffffde08, init=<optimized out>, fini=<optimized out>, 
rtld_fini=<optimized out>, stack_end=0x7fffffffddf8)
    at libc-start.c:287
#17 0x000000000057497e in _start ()

but I don't know how to solve this.

Original issue reported on code.google.com by oshiro.h...@gmail.com on 20 Jan 2015 at 3:18

GoogleCodeExporter commented 8 years ago 
Debugging the code I discovered that segfault comes from similatiry.c:301 
inside entropy(). When segfault occurred size_orig was too long compared. I 
don't now what entropy exactly does, but in other times that it was called 
size_orig was always equal to strlen(c_orig) so I force size_orig to be equal 
to c_orig inside entropy. Besides i could detect that this problem was caused 
by this instruction "PyArg_ParseTuple( args, "s#", &input, &input_size );" at 
elsign.cc:1262 what seems to parse the tuple wrong, resulting in a wrong input 
size. I don't now what is the real impact of my changes but, doing what I've 
described androsign could detect malwares that were in Androguard database.

Original comment by oshiro.h...@gmail.com on 18 Mar 2015 at 6:10

GoogleCodeExporter commented 8 years ago 
In my case, i found that the problem was in uninitialized local variables 
(which is my opinion is very bad taste) here:
PyObject *entropy(PyObject *self, PyObject* args)
{
    char *input; size_t input_size;
    // FIX: char *input = NULL; size_t input_size = 0;

    int ok = PyArg_ParseTuple( args, "s#", &input, &input_size );
    if(!ok) return PyInt_FromLong(-1);

    double value = entropy( input, input_size );

    return PyFloat_FromDouble( value );
}

So, initializing them to NULL and 0 fixed the problem, seems like 
PyArg_ParseTuple doesn't allocate memory if it got a non NULL pointer. Hope it 
helps you, it helped to me :)

Original comment by krasner....@gmail.com on 11 Aug 2015 at 6:22