exec returns EACCESS #1

Closed
tux-mind opened this issue Nov 3, 2014 · 76 comments

tux-mind (Member) commented Nov 3, 2014

Cannot start programs on certain devices, where exec returns EACCESS.

@tux-mind tux-mind self-assigned this Nov 3, 2014
@tux-mind tux-mind added the bug label Nov 3, 2014
tux-mind (Member, Author) commented Nov 4, 2014

if you have this issue please download and install this apk

please report back your logcat after performing a scan on a target ( or tap "Start MSF RPCD" from the menu ).

thanks 😉

ada-af (Contributor) commented Nov 5, 2014

Doesn't work :(

Logcat:
https://www.dropbox.com/s/r5332dypavmrsss/dsploit.txt?dl=0

tux-mind (Member, Author) commented Nov 5, 2014

@mcilya yep, I just added some log statements to understand what is going wrong.

you can see them in the issue1 branch.

working on this.

tux-mind (Member, Author) commented Nov 5, 2014

ah, sorry, i need /data/data/it.evilsocket.dsploit/files/dSploitd.log

ada-af (Contributor) commented Nov 5, 2014

/data/data/it.evilsocket.dsploit/files/dSploitd.log
https://www.dropbox.com/s/nao6frtvr860l42/dSploitd.log?dl=0

tux-mind (Member, Author) commented Nov 5, 2014

@mcilya thanks for the log.

but you have to do some extra steps.
due to the same version ( 1.2.1 ) the core binaries have not been updated.

please do the following:

  1. open a terminal emulator or "adb shell" from a connected PC
  2. "su"
  3. rm /data/data/it.evilsocket.dsploit/files/tools/VERSION
  4. start the application and lead it to "cannot start commands"
  5. share dSploitd.log

or simply uninstall and re-install the app.

sorry for this inconvenience.

ada-af (Contributor) commented Nov 5, 2014

https://www.dropbox.com/s/vktjzsa2kvitrii/dSploitd1.log?dl=0 - log
I prefer to use the phone for all those operations because I have no computer now :)

tux-mind (Member, Author) commented Nov 5, 2014

As I bet.
Read-only filesystem...

Thanks for your time. I can finally fix this issue 😊

Working on this.

ada-af (Contributor) commented Nov 5, 2014

Ok, i'll wait for new version

tux-mind (Member, Author) commented Nov 5, 2014

I was wrong, a read-only filesystem does not affect execute permissions.

It must probably be a SELinux issue.
Can you try to change the SELinux mode, test cSploit, and restore it?
Just to make sure that the issue is that.

There is an app to do it, so you can work without a PC 😉

thanks in advance 😊

ada-af (Contributor) commented Nov 5, 2014

tux-mind (Member, Author) commented Nov 5, 2014

it must be SELinux...
from execve manual page:

       EACCES Search  permission  is  denied on a component of the path prefix of filename or the name of a script interpreter.  (See also path_resolution(7).)

       EACCES The file or a script interpreter is not a regular file.

       EACCES Execute permission is denied for the file or a script or ELF interpreter.

       EACCES The filesystem is mounted noexec.

let's study the "/system/bin/rm" case:

  • path search permission is granted, we can stat the file.
  • no script interpreter.
  • it is a regular file ( tested with stat() on your device ).
  • UNIX execute permissions are granted for the file ( tested with access() on your device ).
  • the interpreter ( "/system/bin/linker" ) must be executable and
  • /system isn't mounted with noexec ( or nothing on your system would work )

so, the only reason for EACCESS is SELinux.
maybe even with permissive mode. otherwise I cannot explain it to myself.

I'm going to download various Android API ARM system images to test cSploit on them using the emulator. if I cannot reproduce this bug on the emulator I will ask for your help again.
sorry for that.
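The four execve(2) causes quoted above can be checked mechanically before blaming the LSM. The program below is an added diagnostic example, not cSploit's or the project's own code; it assumes a Linux/Android host, and the DIAG_* names, check_exec_prereqs() and try_execve_errno() are its own. It walks every directory of the path prefix with access(X_OK), stat()s the target and requires a regular file, checks the DAC execute bit, reads PT_INTERP out of the ELF header and applies the same checks to the loader (the "/system/bin/linker" case), then forks and execve()s the file for real, shipping the child's errno back over a CLOEXEC pipe. The noexec mount check is left out, since it was already excluded above for /system. When every static check passes and execve still returns EACCES, the denial comes from the LSM: on an SELinux device in enforcing mode that is matched by an "avc: denied" line in logcat or dmesg (permissive mode logs the same line but does not actually deny).

```c
/* exec_diag.c: test one path against the execve(2) EACCES causes quoted above, then
 * really exec it. Added example, not cSploit code; assumes a Linux/Android host.
 * DIAG_*, check_exec_prereqs() and try_execve_errno() are this example's own names. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <link.h>   /* ElfW(): ELF header types of the host's own class */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

enum {
    DIAG_PREFIX      = 1 << 0, /* a directory in the path prefix is not searchable */
    DIAG_MISSING     = 1 << 1, /* stat() fails: nothing to exec */
    DIAG_NOT_REGULAR = 1 << 2, /* not a regular file (e.g. a directory) */
    DIAG_NO_EXEC     = 1 << 3, /* DAC execute permission denied for this uid */
    DIAG_INTERP      = 1 << 4, /* ELF interpreter (e.g. /system/bin/linker) not executable */
};

/* Every directory leading to `path` must grant search (x) permission. */
static int prefix_searchable(const char *path) {
    char buf[PATH_MAX];
    size_t len = strlen(path);
    if (len >= sizeof buf) return 0;
    memcpy(buf, path, len + 1);
    for (size_t i = 1; i < len; i++) {
        if (buf[i] != '/') continue;
        buf[i] = '\0';                          /* test each prefix: /a, /a/b, ... */
        if (access(buf, X_OK) != 0) return 0;
        buf[i] = '/';
    }
    return 1;
}

/* Copy the PT_INTERP path of a host-class ELF into `out`: 1 found, 0 none (static,
 * script, foreign class), -1 on read error. */
static int elf_interp(const char *path, char *out, size_t outlen) {
    ElfW(Ehdr) eh; ElfW(Phdr) ph; int found = 0;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    if (pread(fd, &eh, sizeof eh, 0) == (ssize_t)sizeof eh && !memcmp(eh.e_ident, ELFMAG, SELFMAG)
        && eh.e_ident[EI_CLASS] == (sizeof(void *) == 8 ? ELFCLASS64 : ELFCLASS32)) {
        for (unsigned i = 0; i < eh.e_phnum && !found; i++) {
            off_t off = (off_t)eh.e_phoff + (off_t)i * eh.e_phentsize;
            if (pread(fd, &ph, sizeof ph, off) != (ssize_t)sizeof ph) { found = -1; break; }
            if (ph.p_type == PT_INTERP && ph.p_filesz > 0 && ph.p_filesz < outlen
                && pread(fd, out, ph.p_filesz, ph.p_offset) == (ssize_t)ph.p_filesz) {
                out[ph.p_filesz] = '\0';
                found = 1;
            }
        }
    }
    close(fd);
    return found;
}

/* Static checks; returns a DIAG_* bitmask. 0 means DAC rules cannot explain an EACCES,
 * which on Android leaves the LSM: look for "avc: denied" in logcat/dmesg. */
int check_exec_prereqs(const char *path) {
    int flags = 0; struct stat st; char interp[PATH_MAX];
    if (!prefix_searchable(path)) flags |= DIAG_PREFIX;
    if (stat(path, &st) != 0) return flags | DIAG_MISSING;
    if (!S_ISREG(st.st_mode)) return flags | DIAG_NOT_REGULAR;
    if (access(path, X_OK) != 0) flags |= DIAG_NO_EXEC;
    if (elf_interp(path, interp, sizeof interp) == 1 &&
        (stat(interp, &st) != 0 || !S_ISREG(st.st_mode) || access(interp, X_OK) != 0))
        flags |= DIAG_INTERP;
    return flags;
}

/* Fork and execve(): 0 if the child exec'd (it is reaped), else the child's errno, sent back
 * over a CLOEXEC pipe that closes untouched when the exec goes through. */
int try_execve_errno(const char *path, char *const argv[]) {
    int p[2], e = 0;
    if (pipe2(p, O_CLOEXEC) != 0) return errno;
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        execve(path, argv, environ);
        e = errno;
        (void)!write(p[1], &e, sizeof e);
        _exit(127);
    }
    close(p[1]);
    ssize_t n = read(p[0], &e, sizeof e);
    close(p[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof e ? e : 0;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s /path/to/binary [args...]\n", argv[0]); return 2; }
    int flags = check_exec_prereqs(argv[1]), e = try_execve_errno(argv[1], argv + 1);
    printf("prereq flags 0x%x, execve: %s\n", flags, e ? strerror(e) : "ok");
    if (e == EACCES && !flags) puts("no DAC cause: this is an LSM denial, check logcat for avc: denied");
    return e ? 1 : 0;
}
```

Build with `cc -o exec_diag exec_diag.c` and run it on the affected device from the same uid and SELinux domain as the daemon (for example `./exec_diag /system/bin/rm --help`), because both the DAC checks and the SELinux decision depend on who the caller is, not only on the target file.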

ada-af (Contributor) commented Nov 5, 2014

Ok, no problems :)

ada-af (Contributor) commented Nov 6, 2014

Tried v. 1.2.2, still doesn't work.
Logcat: https://www.dropbox.com/s/y0sgp8aggrd5m60/2014-11-06-22-20-20.txt?dl=0
SELinux is permissive.

tux-mind (Member, Author) commented Nov 6, 2014

@mcilya yep, I know.
1.2.2 fixes #7 #9

I can work on this issue only when I'm home.
When I am at school I only have my single-core ThinkPad T42 ( I built it from a T42 and a T40 taken from the tip ); I cannot use qemu, it's too heavy for my T42.

I'll write you there when I release a fix to test.
Thanks for your great interest in this project 😊

tux-mind (Member, Author) commented Nov 7, 2014

Hang on, I'm working on it, but getting root on an AVD is not easy with SELinux...

ada-af (Contributor) commented Nov 8, 2014

Good job! 😊

ada-af (Contributor) commented Nov 13, 2014

Need my help with testing?

tux-mind (Member, Author) commented

Sorry, but I left this issue behind because I cannot find a device with the same problem to work on.

I asked a couple of friends to try the program, so as to find a device to work on, but unluckily no one has this issue.

I'll work on it as soon as I get an affected device.
The last resort is to use your device remotely, but you have to fully trust me.

tux-mind (Member, Author) commented

@cmayer0087 why did you delete your post? Was it wrong?

I'm looking forward to your answer, I really want to fix this issue, but currently I have no way of working on it.

sir0x1 (Contributor) commented Nov 17, 2014

Yes sorry, it was terribly wrong :)
Even on the command '\x03\x01\x02which\x00env\x00' i get an EACCESS.
I can execute this manually over adb shell, even without prior su.
Maybe the "Permission denied" is fired, because the process is not allowed to replace itself.
I'm going to investigate this further

sir0x1 (Contributor) commented Nov 18, 2014

I think you are right tux-mind, it seems to be an SELinux issue. On my device (Samsung Galaxy S5, Android 4.4.2) I can't deactivate SELinux with setenforce. Maybe @mcilya is able to test this. There should be some apps in the Play Store which can switch the mode.
Starting the cSploit daemon in a different context breaks the communication via the socket.

You can find some interesting information about su and SELinux here:
http://su.chainfire.eu/#selinux-contexts-init-shell

ada-af (Contributor) commented Nov 18, 2014

@cmayer0087
SELinux mode changer https://play.google.com/store/apps/details?id=com.mrbimc.selinux
The developer says that it works on KitKat.
Is Knox disabled/frozen?

sir0x1 (Contributor) commented Nov 18, 2014

Yes, Knox was disabled. But the stock kernel doesn't let me set SELinux to permissive mode.
It's likely that Samsung disabled changing the SELinux mode.
Anyway, disabling the security isn't the best solution for this issue, IMO.

tux-mind (Member, Author) commented

@cmayer0087 you're absolutely right, disabling SELinux is not a solution.

I/We have to find a solution to the problem.

My colleague told me that the stock Android 5 image is available for my Nexus 4;
I'm going to update my phone so as to be able to get in touch with your problem ❤️

But now I'm working on network-monitor, the part of cSploit that will monitor the network,
obviously tens/hundreds of times faster than dSploit with Java.

Thanks for your help, I really need devs/testers now.

sir0x1 (Contributor) commented Nov 19, 2014

I was able to run cSploitd under the u:r:system_app:s0 context, so using exec or rather POSIX pipes from cSploitd should be permitted by SELinux. But the client can't communicate through the socket due to the different contexts. I will switch the connection between client and daemon to local TCP and try whether that works.

tux-mind (Member, Author) commented

@cmayer0087 that's a great news!

thanks for all your efforts 😊

@tux-mind tux-mind reopened this Jan 15, 2015
Rogue86 commented Jan 15, 2015

So there is no way to make it work on 5.0.0 and above...

tux-mind (Member, Author) commented

No @Rogue86, I have to finish the network-monitor; after that I will install Lollipop on my Nexus 4.

Once I have installed Lollipop on my phone I will be able to make it work on 5.0 and above.

So please wait 😁

It will be great if @cmayer0087 can find a solution for this problem.

ada-af (Contributor) commented Jan 28, 2015

Tried 1.3.0, still cannot start processes; if you want I can post a logcat 😉

tux-mind (Member, Author) commented

@mcilya yep, I didn't fix this issue with the last version, your logcat is not necessary, thanks anyway for your availability 😊

This problem is still here. I have to put my paws on an affected device. I have a friend with a Galaxy S3 Zoom ( it has a HUGE camera on the back ).

I will ask him if I can play with it for a little.

This was referenced Feb 10, 2015
tux-mind added a commit that referenced this issue Feb 14, 2015
tux-mind pushed a commit that referenced this issue Sep 21, 2015
Updated with new upstream code
tux-mind pushed a commit that referenced this issue Sep 28, 2015
tux-mind pushed a commit that referenced this issue Oct 8, 2015
tux-mind pushed a commit that referenced this issue Mar 31, 2016
appatalks pushed a commit to appatalks/dsploit that referenced this issue Aug 13, 2023
…ich is probably an opened socket.

we will re-enable it if we'll support stderr too.
This issue was closed.
6 participants