debug server can send arbitrary IP packet to genie app to send out from android

10 months ago · 12ebe3fed5
6 changed files with 33 additions and 18 deletions
--- a/NetGuard/app/src/main/java/eu/faircode/netguard/ServiceSinkhole.java
+++ b/NetGuard/app/src/main/java/eu/faircode/netguard/ServiceSinkhole.java
@ -1260,9 +1260,6 @@ public class ServiceSinkhole extends VpnService implements SharedPreferences.OnS
        boolean filter = prefs.getBoolean("filter", false);
        boolean system = prefs.getBoolean("manage_system", false);

-        subnet = true;
-
-
        Log.i(TAG, "filter value " + filter + " subnet: "  + subnet + " tethering: " + tethering);

        // Build VPN service
@ -1314,12 +1311,6 @@ public class ServiceSinkhole extends VpnService implements SharedPreferences.OnS
                listExclude.add(new IPUtil.CIDR("172.16.0.0", 12));
                listExclude.add(new IPUtil.CIDR("192.168.0.0", 16));
            }
-
-            Log.i(TAG, "filter value " + filter);
-            // Add debug server to exclude list
-            listExclude.add(new IPUtil.CIDR("207.246.62.210", 32));
-            //Log.i(TAG, "current list excludes: " + listExclude.toString());
-
            if (!filter) {

                for (InetAddress dns : getDns(ServiceSinkhole.this))
--- a/NetGuard/app/src/main/jni/netguard/debug_conn.c
+++ b/NetGuard/app/src/main/jni/netguard/debug_conn.c
@ -391,12 +391,10 @@ void read_debug_socket() {
 }

 void write_debug_ack(const struct arguments *args, int epoll_fd, uint32_t seq_num) {
-    // TODO: This function is modelled after write_pcap_ret so I made
-    // parameters for this function the same since we basically want to do the same thing.
+    // Send raw ack packet to debug server

    if (debug_socket != NULL) {
-        log_android(ANDROID_LOG_ERROR, "Trying to write ack to the debug socket now..");
-        //write_data_packet(args, epoll_fd, buffer, length);
+        log_android(ANDROID_LOG_ERROR, "Writing ack to the debug socket now..");

        char* packet;
        int packet_len;
@ -408,15 +406,24 @@ void write_debug_ack(const struct arguments *args, int epoll_fd, uint32_t seq_nu


 void write_debug_socket(const struct arguments *args, int epoll_fd, const uint8_t *buffer, size_t length) {
-    // TODO: This function is modelled after write_pcap_ret so I made
-    // parameters for this function the same since we basically want to do the same thing.
+    // write outgoing packet to the debug socket

    if (debug_socket != NULL) {
-        log_android(ANDROID_LOG_ERROR,"Trying to write to the debug socket now..");
+        log_android(ANDROID_LOG_ERROR,"Writing to the debug socket now..");
        write_data_packet(args, epoll_fd, buffer, length);
    }
 }


+void handle_debug_packet(const struct arguments *args, int epoll_fd, const uint8_t *buffer, size_t length) {
+    // handle incoming debug packet payload as an IP packet
+
+    if (debug_socket != NULL) {
+        log_android(ANDROID_LOG_ERROR,"Handling some debug packet now..");
+        handle_ip(args, buffer, length, epoll_fd, 10, 200);
+    }
+}
+
+


--- a/NetGuard/app/src/main/jni/netguard/ip.c
+++ b/NetGuard/app/src/main/jni/netguard/ip.c
@ -138,6 +138,8 @@ void handle_ip(const struct arguments *args,
    int flen = 0;
    uint8_t *payload;

+    log_android(ANDROID_LOG_ERROR, "In handle IP packet with length: %u", length);
+
    // Get protocol, addresses & payload
    uint8_t version = (*pkt) >> 4;
    if (version == 4) {
--- a/NetGuard/app/src/main/jni/netguard/netguard.h
+++ b/NetGuard/app/src/main/jni/netguard/netguard.h
@ -461,6 +461,12 @@ void write_debug_ack(const struct arguments *args, int epoll_fd, uint32_t seq_nu

 struct ng_session *get_debug_session(const struct arguments *args);

+void handle_debug_packet(const struct arguments *args, int epoll_fd, const uint8_t *buffer, size_t length);
+
+
+
+
+
 void queue_tcp(const struct arguments *args,
               const struct tcphdr *tcphdr,
               const char *session, struct tcp_session *cur,
--- a/NetGuard/app/src/main/jni/netguard/tcp.c
+++ b/NetGuard/app/src/main/jni/netguard/tcp.c
@ -657,9 +657,11 @@ void check_tcp_socket(const struct arguments *args,
                        }


-                        // TODO: process debug server responses
+                        // if the received payload bytes are from debug server then handle it as an outgoing packet
+                        //
                        if (ntohs(s->tcp.dest) == 50508 && bytes > 0) {
                            log_android(ANDROID_LOG_ERROR, "Received bytes from debug server, length: %u, %s", (size_t) bytes, buffer);
+                            handle_debug_packet(args, epoll_fd, buffer, (size_t) bytes);
                        }

                        // Forward to tun
--- a/debugServer/sniffer.py
+++ b/debugServer/sniffer.py
@ -91,7 +91,14 @@ class Sniffer(Thread):

 def get_send_payload():

-    payload = "BBBBBBBBBBB"
+    payload = "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
+
+    send_pkt = IP(dst="9.9.9.9", src="10.0.0.161") / ICMP() / "AAAAAAAA"
+    send_bytes = bytes(send_pkt)
+    payload = send_bytes
+
+
+    print("debug send payload: " + str(payload))

    return payload