
exec returns EACCESS (android, closed)

csploit avatar csploit commented on August 16, 2024
exec returns EACCESS

from android.

Comments (76)

tux-mind avatar tux-mind commented on August 16, 2024

if you have this issue please download and install this apk

please report back your logcat after performing a scan on a target ( or tap "Start MSF RPCD" from the menu ).

thanks 😉


ada-af avatar ada-af commented on August 16, 2024

Doesn't work :(

Catlog:
https://www.dropbox.com/s/r5332dypavmrsss/dsploit.txt?dl=0


tux-mind avatar tux-mind commented on August 16, 2024

@mcilya yep, I just added some log statements to understand what is going wrong.

you can see them in the issue1 branch.

working on this.


tux-mind avatar tux-mind commented on August 16, 2024

ah, sorry, i need /data/data/it.evilsocket.dsploit/files/dSploitd.log


ada-af avatar ada-af commented on August 16, 2024

/data/data/it.evilsocket.dsploit/files/dSploitd.log
https://www.dropbox.com/s/nao6frtvr860l42/dSploitd.log?dl=0


tux-mind avatar tux-mind commented on August 16, 2024

@mcilya thanks for the log.

but you have to do some extra steps.
due to the same version ( 1.2.1 ) the core binaries have not been updated.

please do the following:

  1. open a terminal emulator or "adb shell" from a connected PC
  2. "su"
  3. rm /data/data/it.evilsocket.dsploit/files/tools/VERSION
  4. start the application and lead it to "cannot start commands"
  5. share dSploitd.log

or simply uninstall and re-install the app.

sorry for this inconvenience.


ada-af avatar ada-af commented on August 16, 2024

https://www.dropbox.com/s/vktjzsa2kvitrii/dSploitd1.log?dl=0 - log
i prefer to use the phone for all those operations cuz i have no computer now :)


tux-mind avatar tux-mind commented on August 16, 2024

As I bet.
Read-only filesystem...

Thanks for your time. I can finally fix this issue 😊

Working on this.


ada-af avatar ada-af commented on August 16, 2024

Ok, i'll wait for new version


tux-mind avatar tux-mind commented on August 16, 2024

i was wrong, Read-only filesystem does not affect execute permissions.

most probably it is a selinux issue.
can you try to change the selinux mode, test cSploit, and restore it ?
just to ensure that the issue is it.

there is an app to do it, so you can work without a PC 😉

thanks in advance 😊


ada-af avatar ada-af commented on August 16, 2024

Still doesn't work
SELinux - permissive:
https://www.dropbox.com/s/6r252xg5y0wh6h3/Screenshot_2014-11-05-20-14-20.png?dl=0
Catlog:
https://www.dropbox.com/s/mz3i8hybb79uflq/notwork.txt?dl=0
dSploitd.log wasn't created


tux-mind avatar tux-mind commented on August 16, 2024

it must be SELinux...
from the execve manual page:

       EACCES Search permission is denied on a component of the path prefix of filename or the name of a script interpreter.  (See also path_resolution(7).)

       EACCES The file or a script interpreter is not a regular file.

       EACCES Execute permission is denied for the file or a script or ELF interpreter.

       EACCES The filesystem is mounted noexec.

let's study the "/system/bin/rm" case:

  • path search permissions are granted, we can stat the file.
  • no script interpreter.
  • it is a regular file ( tested with stat() on your device ).
  • UNIX execute permissions are granted for the file ( tested with access() on your device ).
  • the interpreter ( "/system/bin/linker" ) must be executable and
  • /system isn't mounted with noexec ( or nothing on your system would work )

so, the only reason for EACCESS is SELinux.
maybe even with permissive mode. otherwise i cannot explain it to myself.

i'm going to download various android API arm system images to test cSploit on them using the emulator. if i cannot reproduce this bug on the emulator i will ask for your help again.
sorry for that.


ada-af avatar ada-af commented on August 16, 2024

Ok, no problems :)


ada-af avatar ada-af commented on August 16, 2024

Tried v. 1.2.2, still doesn't work
catlog: https://www.dropbox.com/s/y0sgp8aggrd5m60/2014-11-06-22-20-20.txt?dl=0
SELinux is permissive.


tux-mind avatar tux-mind commented on August 16, 2024

@mcilya yep, i know.
1.2.2 fixes #7 #9

i can work on this issue only when i'm home.
when i am at school i only have my single core Thinkpad T42 ( i built it from a T42 and a T40 taken from the tip ), and i cannot use qemu, it's too heavy for my T42.

i'll write you there when i release a fix to test.
thanks for your great interest in this project 😊


tux-mind avatar tux-mind commented on August 16, 2024

hang on, i'm working on it, but getting root on an AVD is not easy with selinux...


ada-af avatar ada-af commented on August 16, 2024

Good job! 😊


ada-af avatar ada-af commented on August 16, 2024

Need my help with testing?


tux-mind avatar tux-mind commented on August 16, 2024

sorry but i left this issue behind because i cannot find a device with the same problem to work on.

i asked a couple of friends to try the program, thus to find a device to work on, but unluckily no one has this issue.

i'll work on it as soon as i get an affected device.
the last resort is to use your device remotely, but you have to fully trust me.


tux-mind avatar tux-mind commented on August 16, 2024

@cmayer0087 why did you delete your post? was it wrong?

i'm looking forward to your answer, i really want to fix this issue, but currently i have no way of working on it.


sir0x1 avatar sir0x1 commented on August 16, 2024

Yes sorry, it was terribly wrong :)
Even on the command '\x03\x01\x02which\x00env\x00' i get an EACCESS.
I can execute this manually over adb shell, even without prior su.
Maybe the "Permission denied" is fired because the process is not allowed to replace itself.
I'm going to investigate this further.


sir0x1 avatar sir0x1 commented on August 16, 2024

i think you are right tux-mind, it seems to be an SELinux issue. On my device (Samsung Galaxy S5, Android 4.4.2) i can't deactivate SELinux with setenforce. Maybe @mcilya is able to test this. There should be some apps in the play-store which can switch the mode.
Starting the cSploit daemon in a different context breaks the communication via socket.

You can find some interesting information about su and selinux here:
http://su.chainfire.eu/#selinux-contexts-init-shell


ada-af avatar ada-af commented on August 16, 2024

@cmayer0087
SElinux mode changer https://play.google.com/store/apps/details?id=com.mrbimc.selinux
Developer says that it works on kitkat.
Is knox disabled/frozen?


sir0x1 avatar sir0x1 commented on August 16, 2024

Yes knox was disabled. But the stock kernel doesn't let me set SELinux to permissive mode.
It's likely that samsung disabled changing the SELinux mode.
Anyway disabling the security isn't the best solution for this issue, IMO


tux-mind avatar tux-mind commented on August 16, 2024

@cmayer0087 you're absolutely right, disabling SELinux is not a solution.

I/We have to find a solution to the problem.

my colleague told me that the stock android 5 image is available for my nexus 4,
i'm going to update my phone thus to be able to get in touch with your problem ❤️

but now i'm working on network-monitor, the part of cSploit that will monitor the network,
obviously tens/hundreds of times faster than dSploit with Java.

thanks for your help, i really need devs/testers now.


sir0x1 avatar sir0x1 commented on August 16, 2024

I was able to run cSploitd under the r:u:system_app:s0 context, so using exec or rather posix pipes by cSploitd should be permitted by SELinux. But the client can't communicate through the socket due to the different contexts. I will switch the connection between client and daemon to local tcp and try if that works.


tux-mind avatar tux-mind commented on August 16, 2024

@cmayer0087 that's a great news!

thanks for all your efforts 😊


sir0x1 avatar sir0x1 commented on August 16, 2024

No luck until now on trying different SELinux contexts.
But i think i have found the malefactor: https://github.com/gokulnatha/GT-I9500/blob/master/arch/arm/kernel/sys_arm.c#L175
fork can't be used if the binary is located under the /data directory.


tux-mind avatar tux-mind commented on August 16, 2024

@cmayer0087 i love you 😍 , would you join the developers team ?

i'm currently out of free time, i have 3 exams this week.
i have to study like a dragon 🐉 😆


sir0x1 avatar sir0x1 commented on August 16, 2024

I would love to contribute to this very interesting project.
As time permits you will get some pull requests from me 😉


sir0x1 avatar sir0x1 commented on August 16, 2024

Sorry for spamming 😔 i had to reorganise my branches so that only the needed commit for the related issue was included.


tux-mind avatar tux-mind commented on August 16, 2024

waiting for users' feedback to mark it as closed.


ada-af avatar ada-af commented on August 16, 2024

I can't test cuz of an unavailable test release ((


tux-mind avatar tux-mind commented on August 16, 2024

nightly build server is online

it will build it at 00:00 CET.

i'm considering using a webhook to build them as i push, but no free time ATM.


xaitax avatar xaitax commented on August 16, 2024

FYI: Failed to build just now:
/home/tools/csploit/cSploit/jni/Android.mk:50: /home/tools/csploit/cSploit/jni/c-ares/Android.mk: No such file or directory
make: *** No rule to make target `/home/tools/csploit/cSploit/jni/c-ares/Android.mk'. Stop.


tux-mind avatar tux-mind commented on August 16, 2024

@xaitax thanks for the report, pushed a fix just now.


ada-af avatar ada-af commented on August 16, 2024

doesn't work, tried the nightly build.
Catlogs: https://www.dropbox.com/s/ehu5csdhpd6ythu/2014-11-27-19-49-11.txt?dl=0
https://www.dropbox.com/s/lxk1tywrp0vjo3n/1111.txt?dl=0


xaitax avatar xaitax commented on August 16, 2024

Build worked fine now. New nightly NOW available.


tux-mind avatar tux-mind commented on August 16, 2024

@xaitax thanks 😊


xaitax avatar xaitax commented on August 16, 2024

On start I am stuck here now though. :)

catch (System.DaemonException e) {
    Logger.error(e.getMessage());
    fatal = "heart attack!";
}


tux-mind avatar tux-mind commented on August 16, 2024

sorry but the fix has been made by @cmayer0087 , i have no time to check it now.

i'll work on this tomorrow.

btw i suspect that 9d31368 changed the location of the core.
probably to a non-executable location.

also remember that with nightlies you have to reinstall the app ( i have to fix this too ).


sir0x1 avatar sir0x1 commented on August 16, 2024

If i remember correctly the message "heart attack" is displayed if the daemon is started, but the client cannot connect.
@xaitax Verify if the daemon runs (cSploitd) and if the file /dev/sockets/cSploit exists, please.

I noticed that the running daemon isn't restarted so you probably are running the old version. Try to kill the cSploitd process and restart cSploit or reboot your phone and start cSploit again.


sir0x1 avatar sir0x1 commented on August 16, 2024

Same discussion here: #33
@xaitax Would you please give us some feedback if this works for you ?


tux-mind avatar tux-mind commented on August 16, 2024

@cmayer0087 let's fix this issue on its appropriate branch .

I made the mistake of merging your pull request into the master one.
you can merge the sdcard branch into the issue1 one if you wish.

you found why this issue happens: root cannot execve programs under the /data directory.

great job 😎

what fixes do you suggest ?


sir0x1 avatar sir0x1 commented on August 16, 2024

I think the easiest way is to use mount -o bind /data/data/org.csploit.android/files /sdcard/cSploit and use /sdcard/cSploit as the working directory in cSploit. Creating a folder in /system seems more elegant to me if we don't have to remount the /system partition with write privileges to create a folder there.


tux-mind avatar tux-mind commented on August 16, 2024

@cmayer0087 the last solution is fine for me, we have root privileges, use them!

btw, AFAIK the android root ( / ) is a tmpfs, everything created under it will disappear on the next reboot.

my suggestion is the following:

  1. mkdir "/cSploit"
  2. mount -o bind /data/data/org.csploit.android/files /cSploit
  3. cd /cSploit && ./cSploitd

can you test if this idea can work on your samsung device?
as I see from your kernel sources the function d_path is used for the fork restriction check.
I don't know if d_path returns /data/data/org.csploit.android/files/cSploitd or /cSploit/cSploitd, you have to test and report the results here.

feel free to delete the issue1 branch and create another one with the same name.

thanks for your precious help.
You found the problem, probably I'd never have fixed this issue without your help 😘


tux-mind avatar tux-mind commented on August 16, 2024

btw, if you push a simple executable ( a helloworld for example ) to /data/local/tmp/ and cd /data/local/tmp/; ./helloworld as root, can you execute it ?


sir0x1 avatar sir0x1 commented on August 16, 2024

@tux-mind i will try this at the weekend. / is mounted as readonly so the commands we need should be

  1. mount -o remount,rw /
  2. mkdir /cSploit
  3. mount -o remount,ro /
  4. mount -o bind /data/data/org.cSploit.android/files /cSploit
    ...

Execution isn't the problem. Before i moved cSploit to /sdcard, cSploitd could be successfully started as root user. A Helloworld-executable could be started under /data/..., too. But every time cSploitd wants to use fork to create a child, fork is denied.


tux-mind avatar tux-mind commented on August 16, 2024

you're right 😅 we must remount rw.

according to your kernel sources also the exec* syscalls should be restricted for the root user.

doing a quick test on the su executable with strace i see that the su shell is only a client that connects to a daemon that runs commands for us. sadly supersu is closed source, maybe I can attach to the su daemon to see what syscalls are performed, but i bet that the supersu daemon is platform specific, it may differ from yours.

i bet that the supersu daemon does something nasty to run commands under /data.
if you can attach strace to the supersu daemon to see what trick it uses, we may learn a new way of executing restricted stuff.

thanks in advance for your time 😊


sir0x1 avatar sir0x1 commented on August 16, 2024

@tux-mind su is installed under /system/bin/sh so it is allowed to use exec* and fork.
The kernel checks the calling process, not the binary which should be executed.
I don't think supersu does some magic here, because it doesn't have to.


tux-mind avatar tux-mind commented on August 16, 2024

The kernel checks the calling process not the binary which should be executed.

@cmayer0087 thanks for the quick clarification, i missed the point!

i'll implement the fix in a few hours.


tux-mind avatar tux-mind commented on August 16, 2024

@cmayer0087 btw fork() works for multithreaded programs ( like the core ) because fork is clone ( which is not restricted by selinux ). only execve is restricted.

i'm writing a small C program to check if the bug is present on the running device.
then java will do the rest.


tux-mind avatar tux-mind commented on August 16, 2024

can someone test this pre-release apk ?

uninstalling or deleting app data is not required.

thank you in advance 😊


ada-af avatar ada-af commented on August 16, 2024

Still cannot start process, or is the problem only with my phone?
Catlog https://www.dropbox.com/s/cxdun06m7e7u5xn/2015-01-12-23-24-51.txt?dl=0

csploitd.log https://www.dropbox.com/s/nz0p1k2dm7mfp6p/cSploitd.log?dl=0


tux-mind avatar tux-mind commented on August 16, 2024

it didn't install new tools...
can you clear app data or uninstall and re-install ?

i changed the app version to 1.2.4-issue1+v1 thus to make it reinstall the binaries, but it didn't work...

thanks in advance @mcilya


ada-af avatar ada-af commented on August 16, 2024

It says cannot start process on startup
Log https://www.dropbox.com/s/silan6zugs53x21/2015-01-13-07-40-20.txt?dl=0

Csploitd.log https://www.dropbox.com/s/nz0p1k2dm7mfp6p/cSploitd.log?dl=0

Also can provide my phone for full adb debug


alexmanner avatar alexmanner commented on August 16, 2024

Hi Tux-mind. It is the same for me. CSploit will immediately crash after I have opened it. I have a Nexus 6 which runs 5.02.

Many thanks for your great work.


ada-af avatar ada-af commented on August 16, 2024

@alexmanner your phone is affected by #24


alexmanner avatar alexmanner commented on August 16, 2024

@mcilya Yes, you are right, thanks for this. :-)


ada-af avatar ada-af commented on August 16, 2024

@alexmanner no problems 😉


tux-mind avatar tux-mind commented on August 16, 2024

@mcilya can you post /data/data/org.csploit.android/files/start_daemon.log ?

the issue hasn't been fixed...


tux-mind avatar tux-mind commented on August 16, 2024

@cmayer0087 did you test the mount solution ?

mount -o remount,rw /
mkdir /cSploit
mount -o bind /data/data/org.csploit.android/files /cSploit
mount -o remount,ro /
cd /cSploit
./cSploitd

maybe the d_path kernel API still returns /data/data/org.csploit.android/files/cSploitd instead of /cSploit/cSploitd .

please help me debug this issue with your device, without an affected device in my hands it's very hard to fix.


ada-af avatar ada-af commented on August 16, 2024

@tux-mind start_daemon.log has a size of 0 bytes
screenshot of 0 bytes https://copy.com/9v1kfYusiOqbgBcN


tux-mind avatar tux-mind commented on August 16, 2024

ok, this means that issue 1 hasn't been found on your device by the known-issues program...

let me fix it...


ada-af avatar ada-af commented on August 16, 2024

Any ideas about it?


tux-mind avatar tux-mind commented on August 16, 2024

yeah, fork(2) is translated to clone(2) even if the program does not use threads because the bionic libc has pthreads (badly) built in.

i'm moving the check from fork(2) to execvp(3) .

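The diagnostic tux-mind describes here and earlier in the thread (walk the execve(2) EACCES reasons for /system/bin/rm, then probe exec directly rather than fork, since fork is really clone on bionic) can be written as a small checker. The program below is an added example, not cSploit's own `known-issues` code; the function names `probe_exec` and `explain_probe` are mine, and the default path /system/bin/rm is the case from the thread. It separates the ordinary causes of EACCES (lookup failure, not a regular file, execute bit missing) from the case the thread ends up at: a regular, executable file that the kernel still refuses to execve for this calling process, which on the affected devices came from a kernel policy rather than from the file itself.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of probing one path, split along the execve(2) EACCES reasons
 * discussed in the thread: lookup, file type, mode bits, and the exec itself. */
struct exec_probe {
    int stat_errno;   /* errno from stat(2), 0 when the path resolves */
    int is_regular;   /* 1 when the target is a regular file */
    int access_errno; /* errno from access(X_OK), 0 when the mode bits allow exec */
    int exec_errno;   /* errno the child saw from execvp(3), 0 when exec succeeded */
};

/* Fork, execvp() the path in the child, and ship the child's errno back
 * through a close-on-exec pipe: a successful exec closes the pipe, so the
 * parent reads EOF; a failed exec writes its errno before exiting. The
 * check is made at exec time, not at fork time, for the reason given above. */
int probe_exec(const char *path, struct exec_probe *out)
{
    struct stat st;
    int pipefd[2];
    int child_errno = 0;
    int status;
    ssize_t n;
    pid_t pid;

    memset(out, 0, sizeof *out);
    if (stat(path, &st) != 0)
        out->stat_errno = errno;
    else
        out->is_regular = S_ISREG(st.st_mode) ? 1 : 0;
    if (access(path, X_OK) != 0)
        out->access_errno = errno;

    if (pipe(pipefd) != 0)
        return -1;
    fcntl(pipefd[1], F_SETFD, FD_CLOEXEC);

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)path, NULL };
        int devnull = open("/dev/null", O_WRONLY);
        close(pipefd[0]);
        if (devnull >= 0) {          /* keep the probed program silent */
            dup2(devnull, STDOUT_FILENO);
            dup2(devnull, STDERR_FILENO);
        }
        execvp(path, argv);
        child_errno = errno;         /* only reached when exec failed */
        if (write(pipefd[1], &child_errno, sizeof child_errno) < 0)
            child_errno = 0;         /* nothing more the child can do */
        _exit(127);
    }
    close(pipefd[1]);
    n = read(pipefd[0], &child_errno, sizeof child_errno);
    close(pipefd[0]);
    waitpid(pid, &status, 0);
    out->exec_errno = (n == (ssize_t)sizeof child_errno) ? child_errno : 0;
    return 0;
}

/* Map a probe onto the EACCES cases quoted from the execve(2) manual page. */
const char *explain_probe(const struct exec_probe *p)
{
    if (p->stat_errno != 0)
        return "path lookup failed";
    if (!p->is_regular)
        return "not a regular file";
    if (p->access_errno != 0)
        return "execute bit not set";
    if (p->exec_errno == 0)
        return "exec ok";
    if (p->exec_errno == EACCES)
        return "execve denied despite a regular executable file: noexec mount, "
               "unusable ELF interpreter, or a policy restricting the calling process";
    return "exec failed for another reason";
}

int main(int argc, char **argv)
{
    struct exec_probe p;
    /* /system/bin/rm is the binary analysed in the thread; pass another path as argv[1] */
    const char *path = argc > 1 ? argv[1] : "/system/bin/rm";

    if (probe_exec(path, &p) != 0) {
        perror("probe_exec");
        return 1;
    }
    printf("%s: stat=%d regular=%d access=%d exec=%d (%s)\n", path,
           p.stat_errno, p.is_regular, p.access_errno, p.exec_errno,
           explain_probe(&p));
    return p.exec_errno == 0 ? 0 : 2;
}
```

Run as the same user and from the same working directory as the daemon would, because the restriction under discussion is keyed on the calling process and its binary location, not on the target file: a probe that reports stat ok, regular file, execute bit set, and still exec=EACCES is the signature of the /data restriction, whereas a directory such as `/` reproduces the "not a regular file" reason from the manual page and a missing path reproduces a plain lookup failure.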

tux-mind avatar tux-mind commented on August 16, 2024

@mcilya ready.

thanks for your patience 😉


ada-af avatar ada-af commented on August 16, 2024

@tux-mind i have email notifications 😉
i found old start_daemon.log on /sdcard https://copy.com/0fbIkeGS9Bjf4P2O
new /data/data/org.csploit.android/files/start_daemon.log after update says issue #1 found


tux-mind avatar tux-mind commented on August 16, 2024

@mcilya does it work now ?
the mount workaround should have been applied just before starting the daemon.


ada-af avatar ada-af commented on August 16, 2024

still cannot start process + it starts longer
cSploitd.log says on_cmd_start: execvp: Permission denied


tux-mind avatar tux-mind commented on August 16, 2024

still cannot start process + it starts longer

lol

TOTAL FAIL XD

i need @cmayer0087 , who has an affected device, to tell me which method to use to fix this issue.

he suggested the mount solution but didn't try it.
probably it does not work and we need to find another way.


ada-af avatar ada-af commented on August 16, 2024

i tried
mount -o remount,rw /
mkdir /cSploit
mount -o bind /data/data/org.csploit.android/files /cSploit
mount -o remount,ro /
cd /cSploit
./cSploitd
it doesn't work + can't rmdir /cSploit
can you say: how can i unbind /cSploit ?


Rogue86 avatar Rogue86 commented on August 16, 2024

So there is no way to make it work on 5.0.0 and above...


tux-mind avatar tux-mind commented on August 16, 2024

no @Rogue86 I have to finish the network-monitor, after that i will install lollipop on my Nexus 4.

once I have installed lollipop on my phone i will be able to make it work on 5.0 and above.

so please wait 😁

it will be great if @cmayer0087 can find out a solution for this problem.


ada-af avatar ada-af commented on August 16, 2024

tried 1.3.0, still cannot start process. if you want i can post the logcat 😉


tux-mind avatar tux-mind commented on August 16, 2024

@mcilya yep, i didn't fix this issue with the last version, your logcat is not necessary, thanks anyway for your availability 😊

this problem is still here. I have to put my paws on an affected device. I have a friend with a Galaxy S3 Zoom ( it has a HUGE camera on the back ).

I will ask him if I can play with it for a little.

