porthack implemented

lint.xml

@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<lint>
+</lint>

native/Makefile

@@ -1,7 +1,7 @@
 CC = arm-linux-androideabi-gcc
 CFLAGS = -Wall -g
 LDFLAGS = -llog
-SRC = porthack.c
+SRC = p.c
 OBJ = $(SRC:.c=.o)
 EXE = p
  
@@ -17,7 +17,4 @@ clean:
 	rm -f *.o $(EXE)
 
 install:
-	adb push p /data/local
-
-run:
-	adb shell /data/local/p 21
+	adb push p /data/local

native/p.c

@@ -0,0 +1,139 @@
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <sys/un.h>
+#include <netinet/in.h>
+
+#include <errno.h>
+
+#include <android/log.h>
+
+#define  LOG_TAG "hostage: p"
+#define  LOGI(...) __android_log_print(ANDROID_LOG_INFO,LOG_TAG,__VA_ARGS__)
+#define  LOGW(...) __android_log_print(ANDROID_LOG_WARN,LOG_TAG,__VA_ARGS__)
+#define  LOGE(...) __android_log_print(ANDROID_LOG_ERROR,LOG_TAG,__VA_ARGS__)
+
+#define CONTROLLEN CMSG_LEN(sizeof(int))
+
+char *socket_path = "hostage";
+
+int ipc_sock() {
+	int fd;
+	struct sockaddr_un addr;
+
+	if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) {
+		LOGE("Unable to create local socket: %d", errno);
+		return -1;
+	}
+
+	memset(&addr, 0, sizeof(addr));
+	addr.sun_family = AF_UNIX;
+	strncpy(&addr.sun_path[1], socket_path, strlen(socket_path));
+
+	if (connect(fd, (struct sockaddr*) &addr,
+			sizeof(sa_family_t) + strlen(socket_path) + 1) == -1) {
+		LOGE("Unable to connect local socket: %d", errno);
+		return -1;
+	}
+
+	return fd;
+}
+
+int net_sock(int port) {
+	int fd;
+	struct sockaddr_in addr;
+
+	if ((fd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
+		LOGE("Unable to create net socket: %d", errno);
+		return -1;
+	}
+
+	memset(&addr, 0, sizeof(addr));
+	addr.sin_family = AF_INET;
+	addr.sin_addr.s_addr = INADDR_ANY;
+	addr.sin_port = htons(port);
+
+	if (bind(fd, (struct sockaddr *) &addr, sizeof(addr)) == -1) {
+		LOGE("Unable to bind net socket: %d", errno);
+		return -1;
+	}
+
+	if (listen(fd, 5) == -1) {
+		LOGE("Unable to listen net socket: %d", errno);
+		return -1;
+	}
+
+	return fd;
+}
+
+int send_fd(int fd, int fd_to_send) {
+	struct iovec iov[1];
+	struct cmsghdr *cmptr;
+	struct msghdr msg;
+	char buf[2] = "FD";
+
+	iov[0].iov_base = buf;
+	iov[0].iov_len = 2;
+
+	cmptr = malloc(CONTROLLEN);
+	cmptr->cmsg_level = SOL_SOCKET;
+	cmptr->cmsg_type = SCM_RIGHTS;
+	cmptr->cmsg_len = CONTROLLEN;
+
+	msg.msg_iov = iov;
+	msg.msg_iovlen = 1;
+	msg.msg_name = NULL;
+	msg.msg_namelen = 0;
+	msg.msg_control = cmptr;
+	msg.msg_controllen = CONTROLLEN;
+	*(int *) CMSG_DATA(cmptr) = fd_to_send;
+
+	if (sendmsg(fd, &msg, 0) == -1) {
+		LOGE("sendmsg failed: %d", errno);
+	}
+
+	return 0;
+}
+
+int main(int argc, char *argv[]) {
+	int port;
+	int ipc_fd, net_fd;
+
+	if (argc < 2) {
+		exit(EXIT_FAILURE);
+	}
+
+	if ((port = atoi(argv[1])) < 1 || (port = atoi(argv[1])) > 65535) {
+		exit(EXIT_FAILURE);
+	}
+
+	if ((ipc_fd = ipc_sock()) == -1) {
+		close(ipc_fd);
+		exit(EXIT_FAILURE);
+	}
+	LOGI("ipc_fd: %d", ipc_fd);
+
+	if ((net_fd = net_sock(port)) == -1) {
+		close(ipc_fd);
+		close(net_fd);
+		exit(EXIT_FAILURE);
+	}
+	LOGI("net_fd: %d", net_fd);
+
+	int status;
+	status = send_fd(ipc_fd, net_fd);
+	LOGI("send_fd: %d", status);
+
+	close(ipc_fd);
+	close(net_fd);
+
+	if (status == -1) {
+		return (EXIT_FAILURE);
+	}
+
+	return EXIT_SUCCESS;
+}

project.properties

@@ -11,4 +11,4 @@
 #proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt
 
 # Project target.
-target=android--17
+target=android-18

src/de/tudarmstadt/informatik/hostage/HoneyHandler.java

@@ -21,13 +21,11 @@ public class HoneyHandler implements Runnable {
 	private Socket client;
 	private Thread thread;
 
-	private HoneyService service;
 	private HoneyListener listener;
 	private Logger log;
 
 	public HoneyHandler(HoneyService service, HoneyListener listener,
 			Protocol protocol, Socket client) {
-		this.service = service;
 		this.listener = listener;
 		this.log = service.getLog();
 		this.protocol = protocol;

src/de/tudarmstadt/informatik/hostage/HoneyListener.java

@@ -4,6 +4,7 @@ import java.net.ServerSocket;
 import java.net.Socket;
 import java.util.ArrayList;
 
+import de.tudarmstadt.informatik.hostage.net.MyServerSocketFactory;
 import de.tudarmstadt.informatik.hostage.protocol.Protocol;
 
 public class HoneyListener implements Runnable {
@@ -43,7 +44,8 @@ public class HoneyListener implements Runnable {
 
 	public void start() {
 		try {
-			server = new ServerSocket(protocol.getPort());
+			server = new MyServerSocketFactory().createServerSocket(protocol
+					.getPort());
 			(this.thread = new Thread(this)).start();
 			running = true;
 			service.notifyUI();

src/de/tudarmstadt/informatik/hostage/net/MyServerSocketFactory.java

@@ -0,0 +1,74 @@
+package de.tudarmstadt.informatik.hostage.net;
+
+import java.io.FileDescriptor;
+import java.io.IOException;
+import java.lang.reflect.Field;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+import java.net.SocketImpl;
+
+import javax.net.ServerSocketFactory;
+
+import de.tudarmstadt.informatik.hostage.system.PrivilegedPort;
+
+public class MyServerSocketFactory extends ServerSocketFactory {
+
+	@Override
+	public ServerSocket createServerSocket(int port) throws IOException {
+		FileDescriptor fd = new PrivilegedPort(port).bindAndGetFD();
+
+		ServerSocket socket = new ServerSocket();
+		try {
+			SocketImpl impl = getImpl(socket);
+			injectFD(fd, impl);
+			injectImpl(impl, socket);
+			setBound(socket);
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+
+		return socket;
+	}
+
+	private SocketImpl getImpl(ServerSocket socket) throws Exception {
+		Field implField = socket.getClass().getDeclaredField("impl");
+		implField.setAccessible(true);
+		return (SocketImpl) implField.get(socket);
+	}
+
+	private void injectFD(FileDescriptor fd, SocketImpl impl) throws Exception {
+		Class<?> plainServerSocketImplClazz = impl.getClass();
+		Class<?> plainSocketImplClazz = plainServerSocketImplClazz
+				.getSuperclass();
+		Class<?> socketImplClazz = plainSocketImplClazz.getSuperclass();
+		Field fdField = socketImplClazz.getDeclaredField("fd");
+		fdField.setAccessible(true);
+		fdField.set(impl, fd);
+	}
+
+	private void injectImpl(SocketImpl impl, ServerSocket socket)
+			throws Exception {
+		Field implField = socket.getClass().getDeclaredField("impl");
+		implField.setAccessible(true);
+		implField.set(socket, impl);
+	}
+
+	private void setBound(ServerSocket socket) throws Exception {
+		Field boundField = socket.getClass().getDeclaredField("isBound");
+		boundField.setAccessible(true);
+		boundField.set(socket, true);
+	}
+
+	@Override
+	public ServerSocket createServerSocket(int port, int backlog)
+			throws IOException {
+		return createServerSocket(port);
+	}
+
+	@Override
+	public ServerSocket createServerSocket(int port, int backlog,
+			InetAddress iAddress) throws IOException {
+		return createServerSocket(port);
+	}
+
+}

src/de/tudarmstadt/informatik/hostage/protocol/transport/Protocol.java

@@ -0,0 +1,7 @@
+package de.tudarmstadt.informatik.hostage.protocol.transport;
+
+public interface Protocol<T> {
+
+	T processMessage(T message);
+
+}

src/de/tudarmstadt/informatik/hostage/protocol/transport/ProtocolImpl.java

@@ -0,0 +1,15 @@
+package de.tudarmstadt.informatik.hostage.protocol.transport;
+
+public class ProtocolImpl implements Protocol<String> {
+
+	public ProtocolImpl() {
+		// TODO Auto-generated constructor stub
+	}
+
+	@Override
+	public String processMessage(String message) {
+		// TODO Auto-generated method stub
+		return null;
+	}
+
+}

src/de/tudarmstadt/informatik/hostage/system/PrivilegedPort.java

@@ -0,0 +1,51 @@
+package de.tudarmstadt.informatik.hostage.system;
+
+import java.io.FileDescriptor;
+
+import android.net.LocalServerSocket;
+import android.net.LocalSocket;
+
+public class PrivilegedPort implements Runnable {
+
+	private final static String NAME = "hostage";
+
+	private int port;
+
+	public PrivilegedPort(int port) {
+		this.port = port;
+	}
+
+	@Override
+	public void run() {
+		Process p;
+		try {
+			String command = String.format("/data/local/p %d", port);
+			p = Runtime.getRuntime().exec(new String[] { "su", "-c", command });
+			p.waitFor();
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+	}
+
+	public FileDescriptor bindAndGetFD() {
+		FileDescriptor fd = null;
+		try {
+			new Thread(this).start();
+			LocalServerSocket lss = new LocalServerSocket(NAME);
+			LocalSocket ls = lss.accept();
+			while (ls.getInputStream().read() != -1)
+				;
+			FileDescriptor[] fdarr;
+			fdarr = ls.getAncillaryFileDescriptors();
+			if (fdarr != null) {
+				fd = fdarr[0];
+			}
+			ls.close();
+			lss.close();
+		} catch (Exception e) {
+			e.printStackTrace();
+		}
+		return fd;
+	}
+
+}