dessertlab / fantastic_beasts

The Fantastic Beasts Framework is a collection of tools for fuzzing the Android OS.
GNU General Public License v3.0
63 stars 12 forks

Not ready to connect the local socket #2

Open liberatorqjw opened 5 years ago

liberatorqjw commented 5 years ago

I installed the app, but another error occurred, as follows: when I test the service on the Nexus 6p (7.1.2) device, I start the frida-server and run

./chizpurfle -service media.player

This is the error; it may be that stalker_server.so is not injected into the target process (media_server).

Welcome, I am a Chizpurfle!
8388608, 201326592, 7943488
Chizpurfle evolutionary fuzzer started
injecting server in process /system/bin/mediaserver with pid 5611
Not ready to connect the local socket (trial 1)
Not ready to connect the local socket (trial 2)
Not ready to connect the local socket (trial 3)
Not ready to connect the local socket (trial 4)
Not ready to connect the local socket (trial 5)
Not ready to connect the local socket (trial 6)
Not ready to connect the local socket (trial 7)
Not ready to connect the local socket (trial 8)
Not ready to connect the local socket (trial 9)
akiannillo commented 5 years ago

We should further investigate. I'll be grateful if you can help me in doing this.

1) What are the technical specifications of the smartphone you're using? Also the software specifications (Android API version, kernel number, ...).
2) Can you share a full list of commands you performed?

liberatorqjw commented 5 years ago

OK, I am trying to point out the key problems.

1. The device I used is a Nexus-6p; the Android API version is "7.1.2" and the kernel number is "3.10.73-g5547b00553a".
2. I use the maps file in the nexus-x5 folder, because the "media.player" is the same as the log in the maps. The commands are as follows:
   ./chizpurfle -service media.player
3. Can you share the scripts:
   python init_scripts/create_service_pid_map.py
   bash init_scripts/create_process_service_map.sh
4. I want to ask the kernel number and Android version of your Nexus-x5. Thanks.

akiannillo commented 5 years ago

Did you run the command as the root user (using sudo)?

liberatorqjw commented 5 years ago

Yes, I ran it as the root user. These days, I have been trying to understand the code.

akiannillo commented 5 years ago

@liberatorqjw you can try the new branch hotfix/gradle5.3.1. It uses the new version of Gradle, and I also added the init_scripts.

liberatorqjw commented 5 years ago

@akiannillo thanks for your reply. I tried the new branch hotfix/gradle5.3.1; it was very easy and there were no errors during the install process, but it still logs the same error:

angler:/data/local/tmp # ./chizpurfle -service media.player
angler:/data/local/tmp # cat ./chizpurfle.shell
Welcome, I am a Chizpurfle!
8388608, 201326592, 8187152
Chizpurfle evolutionary fuzzer started
injecting server in process mediaserver with pid 19798
injector loaded
Not ready to connect the local socket (trial 1)
Not ready to connect the local socket (trial 2)
Not ready to connect the local socket (trial 3)
Not ready to connect the local socket (trial 4)

angler:/data/local/tmp # ps -A | grep mediaserver
media        20048     1   43556   7416 binder_thread_read f2f9a3a4 S mediaserver

I reviewed the code, and I found that the injection may not have succeeded. As the above log shows, it injects into "mediaserver" with pid 19798, and when I run "ps -A" to see the pid, it is 20048. So it indicates that the "mediaserver" service restarted.

akiannillo commented 5 years ago

@liberatorqjw I merged the branches, so now you find it on the main branch. Can I ask you to check in the logcat if you have any selinux audit message?

liberatorqjw commented 5 years ago

@rnatella I checked in the logcat, but I did not find the selinux message. I also set selinux as follows:

angler:/data/local/tmp # setenforce 0
angler:/data/local/tmp # getenforce
Permissive

The same errors still appear in the logcat.

a1t3r570 commented 5 years ago

@akiannillo I only tested the function of opening the socket in libstalker-server.so. It seems that system_server cannot create the stalker_socket file, even if selinux has been closed.

01-08 01:44:06.271 977 6576 I NativeStalkerServer: enter
01-08 01:44:06.296 977 6576 D NativeStalkerServer: ulimit unlimited
01-08 01:44:06.296 977 6576 D NativeStalkerServer: socket open (204)
01-08 01:44:06.296 977 6576 I NativeStalkerServer: binding to local socket: /data/local/tmp/stalker_socket
01-08 01:44:06.296 977 6576 F NativeStalkerServer: can't bind the local socket: Permission denied

Are there any other steps missing (I guess system_server disables unix_socket)? I tried to inject into zygote64 and the result was successful. But I can't find the reason why permission is denied.

Looking forward to your reply.

akiannillo commented 5 years ago

@a1t3r570 have you checked in the logcat for audit messages? Probably selinux is not properly closed.

a1t3r570 commented 5 years ago

01-08 18:30:01.155  6207  6207 I frida-server: type=1400 audit(0.0:127): avc: denied { read } for name="exe" dev="proc" ino=79913 scontext=u:r:init:s0 tcontext=u:r:logd:s0 tclass=lnk_file permissive=1
01-08 18:30:01.405 10095 10095 I system_server: type=1400 audit(0.0:128): avc: denied { open } for path="/data/local/tmp/libstalker-server.so" dev="mmcblk0p45" ino=752199 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
01-08 18:30:01.415 10095 10095 I system_server: type=1400 audit(0.0:129): avc: denied { execute } for path="/data/local/tmp/libstalker-server.so" dev="mmcblk0p45" ino=752199 scontext=u:r:system_server:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1
01-08 18:30:01.419  7744 10095 E linker  : readlink('/proc/self/fd/189') failed: Permission denied [fd=189]
01-08 18:30:01.420  7744 10095 E linker  : warning: unable to get realpath for the library "/data/local/tmp/libstalker-server.so". Will use given name.
01-08 18:30:01.435  7744 10095 I NativeStalkerServer: enter
01-08 18:30:01.461  7744 10095 D NativeStalkerServer: ulimit unlimited
01-08 18:30:01.461  7744 10095 D NativeStalkerServer: socket open (189)
01-08 18:30:01.462  7744 10095 I NativeStalkerServer: binding to local socket: /data/local/tmp/stalker_socket
01-08 18:30:01.462  7744 10095 F NativeStalkerServer: can't bind the local socket: Permission denied

@akiannillo There are indeed some audit messages. I only executed setenforce 0; is this the reason? If so, how do I completely shut down selinux?

akiannillo commented 5 years ago

That's the point. To the best of our knowledge, there is no way to properly shut down SELinux in a non-debug image of Android OS. But there is a solution: the supolicy tool (link).

You should create an SELinux rule for every audit you find in the LogCat. Be careful: it's an iterative process. Solve all the audit logs you find, then re-execute and check for new audits.

The rule can be created by transforming an audit line like this:

avc: denied { <OPERATION> } for name="exe" dev="proc" ino=79913 scontext=u:r:<SOURCE>:s0 tcontext=u:r:<TARGET>:s0 tclass=<CLASS> permissive=1

into a command like this:

supolicy --live "allow <SOURCE>  <TARGET>:<CLASS> <OPERATION>"

For example, this

avc: denied { read } for name="exe" dev="proc" ino=79913 scontext=u:r:init:s0 tcontext=u:r:logd:s0 tclass=lnk_file permissive=1

becomes this

supolicy --live "allow init logd:lnk_file read"

a1t3r570 commented 5 years ago

@akiannillo I patched the corresponding selinux permissions, but the problem still existed. Finally, I solved the problem by changing the '/tmp' directory permission to 777, because the system_server user 'system' does not belong to the '/tmp' user group and does not have write permission.

Then there are new problems. When I try to execute "./chizpurfle -service XXX", the logcat shows that it does execute successfully, but after a while, system_server will crash or restart. I don't know if you encountered this problem when testing (I think it may be frida's own problem)? If so, can you tell me how you solved it? Or provide a service that tests successfully.

Thank you for your patience.

rnatella commented 5 years ago

@a1t3r570 We have also seen this problem on system_server. It is probably caused by the initial high overhead of Frida when it is loaded into a big process like the system_server. Maybe the watchdog mechanism in Android kills the system_server because it is slow to respond. I suggest disabling as many services as possible to reduce the workload of the system_server and make the crash less likely. Moreover, if you let Frida run for more time after the restart (it should be able to automatically attach again), eventually the instrumented code will be quick enough to avoid the timeout, and the tool will start to generate tests. Other smaller processes (such as the media server) do not exhibit the problem.

akiannillo commented 5 years ago

@a1t3r570 @liberatorqjw Any update on this?

a1t3r570 commented 5 years ago

@akiannillo No, thanks for your help.

triwater commented 5 years ago

@a1t3r570 Have you resolved this issue? @rnatella I have the same problem as you, and I have tried to run Frida many times, but it seems to be no use... And I want to know how to disable services in Android. Thank you all.