MITM not working on Nexus 4/w CM 12.1 -- might be arpspoof silently crashing?

[fat-tire]

Nexus 4:
CyanogenMod 12.1

No MITM seems to work. Nothing bad in UI, just doesn't do anything.

With ga_'s assistance, i think I've narrowed it down to arpspoof crashing:

# strace arpspoof  -i wlan0 target_ip gw_ip                                      <
strace: Can't stat 'arpspoof': No such file or directory
trace ./arpspoof  -i wlan0 target_ip gw_ip                                    <
execve("./arpspoof", ["./arpspoof", "-i", "wlan0", "target_ip", "gw_ip"], [/* 23 vars */]) = 0
mprotect(0xb6f87000, 4096, PROT_READ)   = 0
set_tid_address(0xb6f88bf4)             = 21914
set_tls(0xb6f88e30, 0xb6f88e30, 0xb6f88e30, 0xb6f88c00, 0xb6f88bec) = 0
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6f77000
madvise(0xb6f77000, 8192, MADV_MERGEABLE) = 0
sigaltstack({ss_sp=0xb6f77000, ss_flags=0, ss_size=8192}, NULL) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb6f76000
madvise(0xb6f76000, 4096, MADV_MERGEABLE) = 0
mprotect(0xb6f76000, 4096, PROT_READ)   = 0
mprotect(0xb6f76000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0xb6f76000, 4096, PROT_READ)   = 0
mprotect(0xb6f76000, 4096, PROT_READ|PROT_WRITE) = 0
mprotect(0xb6f76000, 4096, PROT_READ)   = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x11} ---
+++ killed by SIGSEGV +++
Segmentation fault 

The crash looks like this from the command line:

1|root@mako:/data/data/org.csploit.android/files/tools/arpspoof # ./arpspoof   
dSploit ArpSpoofer.

1|root@mako:/data/data/org.csploit.android/files/tools/arpspoof # 

That is, there is no obvious crash when you don't strace. MITM not working has been a problem for about 2 weeks. FWIW I tried setenforce 0 and it made no difference.

I should also add that logcat looks normal as far as itables stuff goes, but if you ps arpspoof it doesn't ever seem to be running.

ft

[fat-tire]

Here's a logcat of starting/stopping the Session hijacker.. nothing appears out of the ordinary for me.. but maybe someone can find something.

Also--- while starting/stopping MITM services doesn't restart arpspoof, I did see this in the logs:

W/arpspoof(21914): type=1701 audit(0.0:7528): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=u:r:sudaemon:s0 reason="memory violation" sig=11

nothing in tombstones either..

Thinking more-- was there a change in 1.0.8 w/respect to PIE executables? A flag change or something?

[tux-mind]

JNI crash:

F/libc    ( 8777): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x84 in tid 8777 (arpspoof)
I/DEBUG   (  189): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (  189): Build fingerprint: 'google/occam/mako:5.1.1/LMY48T/2237560:user/release-keys'
I/DEBUG   (  189): Revision: '11'
I/DEBUG   (  189): ABI: 'arm'
I/DEBUG   (  189): pid: 8777, tid: 8777, name: arpspoof  >>> ./arpspoof <<<
I/DEBUG   (  189): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x84
W/NativeCrashListener(  596): Couldn't find ProcessRecord for pid 8777
W/debuggerd(  189): type=1400 audit(0.0:335): avc: denied { search } for name="tmp" dev="mmcblk0p23" ino=97730 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
W/debuggerd(  189): type=1400 audit(0.0:336): avc: denied { search } for name="tmp" dev="mmcblk0p23" ino=97730 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
W/debuggerd(  189): type=1400 audit(0.0:337): avc: denied { search } for name="tmp" dev="mmcblk0p23" ino=97730 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
W/debuggerd(  189): type=1400 audit(0.0:338): avc: denied { search } for name="tmp" dev="mmcblk0p23" ino=97730 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
W/debuggerd(  189): type=1400 audit(0.0:339): avc: denied { search } for name="tmp" dev="mmcblk0p23" ino=97730 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
W/debuggerd(  189): type=1400 audit(0.0:340): avc: denied { search } for name="tmp" dev="mmcblk0p23" ino=97730 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
W/debuggerd(  189): type=1400 audit(0.0:341): avc: denied { search } for name="tmp" dev="mmcblk0p23" ino=97730 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
W/debuggerd(  189): type=1400 audit(0.0:342): avc: denied { search } for name="tmp" dev="mmcblk0p23" ino=97730 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
W/debuggerd(  189): type=1400 audit(0.0:343): avc: denied { search } for name="tmp" dev="mmcblk0p23" ino=97730 scontext=u:r:debuggerd:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir
I/DEBUG   (  189):     r0 00000084  r1 b6ff9e90  r2 00000005  r3 0000000c
E/DEBUG   (  189): AM write failure (32 / Broken pipe)
I/DEBUG   (  189):     r4 bec7a76c  r5 00000011  r6 b6ff9e8c  r7 bec7a2c0
I/DEBUG   (  189):     r8 bec7a26c  r9 00000208  sl 00000011  fp b6ff9e8c
I/DEBUG   (  189):     ip 80000000  sp bec7a170  lr b6f90581  pc b6f6d9c0  cpsr a0070030
I/DEBUG   (  189): 
I/DEBUG   (  189): backtrace:
I/DEBUG   (  189):     #00 pc 000129c0  /system/lib/libc.so (__memcpy_base+59)
I/DEBUG   (  189):     #01 pc 0003557d  /system/lib/libc.so (__sfvwrite+174)
I/DEBUG   (  189):     #02 pc 0003673d  /system/lib/libc.so (__sprint+12)
I/DEBUG   (  189):     #03 pc 00037c89  /system/lib/libc.so (__vfprintf+5436)
I/DEBUG   (  189):     #04 pc 000431c3  /system/lib/libc.so (snprintf+86)
I/DEBUG   (  189):     #05 pc 0000507d  /data/local/tmp/arpspoof
I/DEBUG   (  189): 

[tux-mind]

ndk-stack output:

********** Crash dump: **********
Build fingerprint: 'google/occam/mako:5.1.1/LMY48T/2237560:user/release-keys'
pid: 8777, tid: 8777, name: arpspoof  >>> ./arpspoof <<<
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x84
Stack frame #00 pc 000129c0  /system/lib/libc.so (__memcpy_base+59)
Stack frame #01 pc 0003557d  /system/lib/libc.so (__sfvwrite+174)
Stack frame #02 pc 0003673d  /system/lib/libc.so (__sprint+12)
Stack frame #03 pc 00037c89  /system/lib/libc.so (__vfprintf+5436)
Stack frame #04 pc 000431c3  /system/lib/libc.so (snprintf+86)
Stack frame #05 pc 0000507d  /data/local/tmp/arpspoof: Routine libnet_name2addr4 at /home/max/Documenti/cSploit/android/cSploit/jni/libnet/libnet/src/libnet_resolve.c:129

[tux-mind]

bug found, working on it 😉

[fat-tire]

Great to hear it! Thanks.

[tux-mind]

sorry, I was busy.
can you share that line of the affected logcat that prints out the issued command ?

like arpspoof -i wlan0 -t 192.168.0.100 192.168.0.1.

thank you in advance 😊

[fat-tire]

Well-- strangely when I try it now, starting cSploit and various types of MITM...

$ adb logcat -C | grep -i arpspoof
D/cSploitClient( 5213): on_handler_list: id=5, have_stdin=0, have_stdout=1, name="arpspoof"

And that's it. I have no idea why it's not showing me a full line. Here is the context:

E/su      ( 5251): SU from: u0_a101
D/su      ( 5251): Checking whether app [uid:10101, pkgName: org.csploit.android] is allowed to be root
D/su      ( 5251): Privilege elevation allowed by appops
D/su      ( 5251): Allowing via appops.
D/su      ( 5251): 10101 /system/bin/app_process32 executing 0 /system/bin/sh using binary /system/bin/sh : sh
D/su      ( 5251): Waiting for pid 5252.
I/SuControllerImpl(  796): Got change
D/su      ( 5251): Finishing su operation for app [uid:10101, pkgName: org.csploit.android]
D/su      ( 5249): sending code
D/su      ( 5249): child exited
D/su      ( 5247): client exited 0
D/cSploitClient( 5213): on_handler_list: id=6, have_stdin=0, have_stdout=1, name="tcpdump"
D/cSploitClient( 5213): on_handler_list: id=1, have_stdin=1, have_stdout=1, name="raw"
D/cSploitClient( 5213): on_handler_list: id=2, have_stdin=0, have_stdout=1, name="nmap"
D/cSploitClient( 5213): on_handler_list: id=8, have_stdin=0, have_stdout=1, name="network-radar"
D/cSploitClient( 5213): on_handler_list: id=9, have_stdin=0, have_stdout=1, name="msfrpcd"
D/cSploitClient( 5213): on_handler_list: id=4, have_stdin=0, have_stdout=1, name="hydra"
D/cSploitClient( 5213): on_handler_list: id=7, have_stdin=0, have_stdout=1, name="fusemounts"
D/cSploitClient( 5213): on_handler_list: id=3, have_stdin=0, have_stdout=1, name="ettercap"
D/cSploitClient( 5213): on_handler_list: id=0, have_stdin=0, have_stdout=0, name="blind"
D/cSploitClient( 5213): on_handler_list: id=5, have_stdin=0, have_stdout=1, name="arpspoof"
I/SuControllerImpl(  796): Got change
I/CSPLOIT[services.NetworkRadar.onAutoScanChanged]( 5213): autoScan has been set to true
D/CSPLOIT[core.System.init]( 5213): initializing System...
E/CSPLOIT[net.Network.initNetworkInterface]( 5213): not valid ip: xxxx::xxxx:xxxx:xxxx:xxxx%wlan0/64
W/CSPLOIT[net.Network.initNetworkInterface]( 5213): interfaceAddress: 192.168.1.xx/24
D/CSPLOIT[tools.NMap.synScan]( 5213): synScan - -sS -P0 --privileged --send-ip --system-dns -vvv 192.168.1.xx
D/cSploitClient( 5213): parse_cmd: parsing "-sS -P0 --privileged --send-ip --system-dns -vvv 192.168.1.xx"
D/cSploitClient( 5213): parse_cmd: argument found: start=0, end=3
D/cSploitClient( 5213): parse_cmd: argument found: start=4, end=7
D/cSploitClient( 5213): parse_cmd: argument found: start=8, end=20
D/cSploitClient( 5213): parse_cmd: argument found: start=21, end=30
D/cSploitClient( 5213): parse_cmd: argument found: start=31, end=43
D/cSploitClient( 5213): parse_cmd: argument found: start=44, end=48
D/cSploitClient( 5213): parse_cmd: argument found: start=49, end=62
D/cSploitClient( 5213): parse_cmd: parsing "wlan0"
D/cSploitClient( 5213): parse_cmd: argument found: start=0, end=5
D/CSPLOIT[services.UpdateChecker.run]( 5213): Service started.
I/cSploitClient( 5213): start_command: child #1 started
D/CSPLOIT[core.ChildManager.async]( 5213): { handler='nmap', cmd='-sS -P0 --privileged --send-ip --system-dns -vvv 192.168.1.xx' } => 1
D/OpenGLRenderer( 5213): Use EGL_SWAP_BEHAVIOR_PRESERVED: true
I/cSploitClient( 5213): start_command: child #2 started
D/CSPLOIT[core.ChildManager.async]( 5213): { handler='network-radar', cmd='wlan0' } => 2
D/CSPLOIT[tools.NMap.synScan]( 5213): synScan - -sS -P0 --privileged --send-ip --system-dns -vvv 192.168.1.xx
D/cSploitClient( 5213): parse_cmd: parsing "-sS -P0 --privileged --send-ip --system-dns -vvv 192.168.1.xx"
D/cSploitClient( 5213): parse_cmd: argument found: start=0, end=3
D/cSploitClient( 5213): parse_cmd: argument found: start=4, end=7
D/cSploitClient( 5213): parse_cmd: argument found: start=8, end=20
D/cSploitClient( 5213): parse_cmd: argument found: start=21, end=30
D/cSploitClient( 5213): parse_cmd: argument found: start=31, end=43
D/cSploitClient( 5213): parse_cmd: argument found: start=44, end=48
D/cSploitClient( 5213): parse_cmd: argument found: start=49, end=62
I/cSploitClient( 5213): start_command: child #3 started
D/CSPLOIT[core.ChildManager.async]( 5213): { handler='nmap', cmd='-sS -P0 --privileged --send-ip --system-dns -vvv 192.168.1.xx' } => 3
D/CSPLOIT[net.RemoteReader.run]( 5213): RemoteReader[api.github.com] started
I/CSPLOIT[net.RemoteReader.run]( 5213): fetching 'https://api.github.com/repos/cSploit/android/releases'

Don't ask me why I masked out my local network IP. Anyway... there is no attempt that I can see to start arpspoof, and as you know, when I try to start it manually, it dies with that signal 11.

I never see it even try to start it in logcat.

[tux-mind]

yep, I need that attempt, the crash one.

D/CSPLOIT[core.ChildManager.async]( 5213): { handler='arpspoof', cmd='...' } => 3

I need to confirm that the gateway address is missing.

@gainan can you give it a look ?
I'm busy with school stuff in these days 😅

thanks you in advance guys 😊

[fat-tire]

This is all I have. There's no other line there... Nothing in tombstones either related to arpspoof.

D/cSploitClient(13636): on_handler_list: id=5, have_stdin=0, have_stdout=1, name="arpspoof"
I/CSPLOIT[services.NetworkRadar.onAutoScanChanged](13636): autoScan has been set to true
D/CSPLOIT[core.System.init](13636): initializing System...
E/CSPLOIT[net.Network.initNetworkInterface](13636): not valid ip: xxxx::xxxx:xxxx:xxxx:xxxx%wlan0/64
W/CSPLOIT[net.Network.initNetworkInterface](13636): interfaceAddress: 192.168.1.xx/24
~~

[gustavo-iniguez-goya]

in my case, without a default gw arpspoof doesn't crash, but it's not executed. I'll investigate it a bit further.

[gustavo-iniguez-goya]

The problem is here: https://github.com/cSploit/android/blob/develop/cSploit/src/main/java/org/csploit/android/plugins/mitm/SpoofSession.java#L92

correct me if I'm wrong, but if the device doesn't have a default gateway, we can't poison the network/target using arpspoof. So we have to decide what to do in this scenario. I see these possibilities:

• Use an ICMP redirection attack using ettercap (or other tool/coding it), in order to tell the victim/s that we're a better path for access internet.
• Use the ettercap gateway discover plugin in order to try to discover the network gw on app start up.
• Prompt the user with a dialog for enter a gateway.