debug server can send arbitrary IP packet to genie app to send out from android

2023-07-10 13:34:19 -06:00 · 2023-07-10 13:34:19 -06:00 · 12ebe3fed5
commit 12ebe3fed5
parent ca1ffcf34f
6 changed files with 33 additions and 18 deletions
--- a/NetGuard/app/src/main/java/eu/faircode/netguard/ServiceSinkhole.java
+++ b/NetGuard/app/src/main/java/eu/faircode/netguard/ServiceSinkhole.java
@ -1260,9 +1260,6 @@ public class ServiceSinkhole extends VpnService implements SharedPreferences.OnS
        boolean filter = prefs.getBoolean("filter", false);
        boolean system = prefs.getBoolean("manage_system", false);
        subnet = true;
        Log.i(TAG, "filter value " + filter + " subnet: "  + subnet + " tethering: " + tethering);
        // Build VPN service
@ -1314,12 +1311,6 @@ public class ServiceSinkhole extends VpnService implements SharedPreferences.OnS
                listExclude.add(new IPUtil.CIDR("172.16.0.0", 12));
                listExclude.add(new IPUtil.CIDR("192.168.0.0", 16));
            }
            Log.i(TAG, "filter value " + filter);
            // Add debug server to exclude list
            listExclude.add(new IPUtil.CIDR("207.246.62.210", 32));
            //Log.i(TAG, "current list excludes: " + listExclude.toString());
            if (!filter) {
                for (InetAddress dns : getDns(ServiceSinkhole.this))
--- a/NetGuard/app/src/main/jni/netguard/debug_conn.c
+++ b/NetGuard/app/src/main/jni/netguard/debug_conn.c
@ -391,12 +391,10 @@ void read_debug_socket() {
 }
 void write_debug_ack(const struct arguments *args, int epoll_fd, uint32_t seq_num) {
-    // TODO: This function is modelled after write_pcap_ret so I made
+    // Send raw ack packet to debug server
    // parameters for this function the same since we basically want to do the same thing.
    if (debug_socket != NULL) {
-        log_android(ANDROID_LOG_ERROR, "Trying to write ack to the debug socket now..");
+        log_android(ANDROID_LOG_ERROR, "Writing ack to the debug socket now..");
        //write_data_packet(args, epoll_fd, buffer, length);
        char* packet;
        int packet_len;
@ -408,15 +406,24 @@ void write_debug_ack(const struct arguments *args, int epoll_fd, uint32_t seq_nu
 void write_debug_socket(const struct arguments *args, int epoll_fd, const uint8_t *buffer, size_t length) {
-    // TODO: This function is modelled after write_pcap_ret so I made
+    // write outgoing packet to the debug socket
    // parameters for this function the same since we basically want to do the same thing.
    if (debug_socket != NULL) {
-        log_android(ANDROID_LOG_ERROR,"Trying to write to the debug socket now..");
+        log_android(ANDROID_LOG_ERROR,"Writing to the debug socket now..");
        write_data_packet(args, epoll_fd, buffer, length);
    }
 }
 void handle_debug_packet(const struct arguments *args, int epoll_fd, const uint8_t *buffer, size_t length) {
    // handle incoming debug packet payload as an IP packet
    if (debug_socket != NULL) {
        log_android(ANDROID_LOG_ERROR,"Handling some debug packet now..");
        handle_ip(args, buffer, length, epoll_fd, 10, 200);
    }
 }
--- a/NetGuard/app/src/main/jni/netguard/ip.c
+++ b/NetGuard/app/src/main/jni/netguard/ip.c
@ -138,6 +138,8 @@ void handle_ip(const struct arguments *args,
    int flen = 0;
    uint8_t *payload;
    log_android(ANDROID_LOG_ERROR, "In handle IP packet with length: %u", length);
    // Get protocol, addresses & payload
    uint8_t version = (*pkt) >> 4;
    if (version == 4) {
--- a/NetGuard/app/src/main/jni/netguard/netguard.h
+++ b/NetGuard/app/src/main/jni/netguard/netguard.h
@ -461,6 +461,12 @@ void write_debug_ack(const struct arguments *args, int epoll_fd, uint32_t seq_nu
 struct ng_session *get_debug_session(const struct arguments *args);
 void handle_debug_packet(const struct arguments *args, int epoll_fd, const uint8_t *buffer, size_t length);
 void queue_tcp(const struct arguments *args,
               const struct tcphdr *tcphdr,
               const char *session, struct tcp_session *cur,
--- a/NetGuard/app/src/main/jni/netguard/tcp.c
+++ b/NetGuard/app/src/main/jni/netguard/tcp.c
@ -657,9 +657,11 @@ void check_tcp_socket(const struct arguments *args,
                        }
-                        // TODO: process debug server responses
+                        // if the received payload bytes are from debug server then handle it as an outgoing packet
                        //
                        if (ntohs(s->tcp.dest) == 50508 && bytes > 0) {
                            log_android(ANDROID_LOG_ERROR, "Received bytes from debug server, length: %u, %s", (size_t) bytes, buffer);
                            handle_debug_packet(args, epoll_fd, buffer, (size_t) bytes);
                        }
                        // Forward to tun
--- a/debugServer/sniffer.py
+++ b/debugServer/sniffer.py
@ -91,7 +91,14 @@ class Sniffer(Thread):
 def get_send_payload():
-    payload = "BBBBBBBBBBB"
+    payload = "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
    send_pkt = IP(dst="9.9.9.9", src="10.0.0.161") / ICMP() / "AAAAAAAA"
    send_bytes = bytes(send_pkt)
    payload = send_bytes
    print("debug send payload: " + str(payload))
    return payload