I'm trying to bind to a remote service of the Drozer test app (sieve), but I keep crashing this app with a NullPointerException, and I don't understand why.

The basic idea is to send a PIN code to the sieve app and it will return a password.

The test app's code includes the following lines:

```java
public void handleMessage(Message param1Message) {
    switch (param1Message.what) {...
        case 2354:
            if (str.arg1 == 9234) {
                String str1 = bundle.getString("com.mwr.example.sieve.PIN");
                if (AuthService.this.verifyPin(str1)) {
                    Bundle bundle1 = new Bundle();
                    bundle1.putString("com.mwr.example.sieve.PASSWORD", AuthService.this.getKey());
                    ...
```

I'm trying to jump in there with my own app (using Kotlin):

```kotlin
val serviceIntent = Intent()
serviceIntent.setClassName("com.mwr.example.sieve", "com.mwr.example.sieve.AuthService")
bindService(serviceIntent, myConnection, Context.BIND_AUTO_CREATE)

if (!isBound) {
    Toast.makeText(this, "Please press again to bind", Toast.LENGTH_LONG).show()
    return
} else {
    Toast.makeText(this, "Service bound", Toast.LENGTH_LONG).show()
}

try {
    val msg = Message.obtain()
    val bundle = Bundle()
    bundle.putString("com.mwr.example.sieve.PIN", "1234")
    msg.what = 2354
    msg.arg1 = 9234
    msg.data = bundle
    myService?.send(msg)
} catch (e: Exception) {
    e.printStackTrace()
}
```

The sieve app crashes with the following message:

```
com.mwr.example.sieve E/AndroidRuntime: FATAL EXCEPTION: m_AuthService
    Process: com.mwr.example.sieve:remote, PID: 5752
    java.lang.NullPointerException: Attempt to invoke virtual method 'java.lang.String android.os.BaseBundle.getString(java.lang.String)' on a null object reference
        at com.mwr.example.sieve.AuthService$MessageHandler.handleMessage(AuthService.java:156)
        at android.os.Handler.dispatchMessage(Handler.java:102)
        at android.os.Looper.loop(Looper.java:154)
        at android.os.HandlerThread.run(HandlerThread.java:61)
```

This looks to me like it gets a null value instead of the expected value, but I don't understand what else it is expecting. By using the Drozer tool itself, I can access the data I'm interested in:

```
dz> run app.service.send com.mwr.example.sieve com.mwr.example.sieve.AuthService --msg 2354 9234 1 --extra string com.mwr.example.sieve.PIN 1234 --bundle-as-obj

        Got a reply from com.mwr.example.sieve/com.mwr.example.sieve.AuthService:
          what: 5
          arg1: 41
          arg2: 0
          Extras
            com.mwr.example.sieve.PASSWORD (String) : H4ck3d
```

1 Answer

The problem seems to be in:

com.mwr.example.sieve.AuthService$MessageHandler.handleMessage()

If this method is your "handleMessage(Message param1Message) {..}" then when you do

bundle.getString("com.mwr.example.sieve.PIN");

the "bundle" is NULL.

emandt
  • Thank you for your answer! Unfortunately, I can't modify the sieve app's code. But you're saying that my code looks correct? I don't understand why the bundle is not transmitted. Can it be an issue with synchronization? – User0815 Mar 22 '21 at 20:16
  • Try to use the "Message.obj" var in a similar way to how you use "Message.arg1". OBJ accepts ANY object, so even a Bundle if you create it and assign it to "obj". However, in "handleMessage()" you cut off the "bundle" declaration and/or assignment, so maybe the problem could be there... it's difficult to say with so many lacking parts. – emandt Mar 22 '21 at 21:01
  • The code is too long for this form, so I've pasted the service class here (extracted from the APK): https://pastebin.com/pD8ZwPxe My own app uses code from a tutorial, and that's really all:

    ```kotlin
    var myService: Messenger? = null
    var isBound: Boolean = false

    private val myConnection = object : ServiceConnection {
        override fun onServiceConnected(className: ComponentName, service: IBinder) {
            myService = Messenger(service)
            isBound = true
        }

        override fun onServiceDisconnected(className: ComponentName) {
            myService = null
            isBound = false
        }
    }
    ```

    – User0815 Mar 23 '21 at 17:25
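
The `Message.obj` suggestion from the comments, written out on the client side as an added example (not code from the original posts or from the sieve app). It assumes, based on the `--bundle-as-obj` flag and the `1` for arg2 in the Drozer command above, that the service reads the Bundle from `Message.obj` rather than `Message.data`; `buildPinRequest`, `replyMessenger` and the constant names are hypothetical.

```kotlin
import android.os.Bundle
import android.os.Handler
import android.os.Looper
import android.os.Message
import android.os.Messenger
import android.util.Log

// Values copied from the question and the Drozer command on this page.
private const val MSG_CHECK_PIN = 2354
private const val ARG1_CHECK_PIN = 9234
private const val ARG2_FROM_DROZER = 1
private const val KEY_PIN = "com.mwr.example.sieve.PIN"
private const val KEY_PASSWORD = "com.mwr.example.sieve.PASSWORD"

// Hypothetical helper: receives the service's reply on the main thread.
val replyMessenger = Messenger(object : Handler(Looper.getMainLooper()) {
    override fun handleMessage(reply: Message) {
        // Assumption: the reply may carry its Bundle in obj (as the request
        // does) or in data, so check both without forcing a non-null cast.
        val extras: Bundle? = (reply.obj as? Bundle) ?: reply.peekData()
        Log.d(
            "SieveClient",
            "what=${reply.what} arg1=${reply.arg1} " +
                "hasPassword=${extras?.containsKey(KEY_PASSWORD) == true}"
        )
    }
})

// Hypothetical helper: builds the request with the Bundle in obj.
fun buildPinRequest(pin: String): Message {
    val bundle = Bundle().apply { putString(KEY_PIN, pin) }
    return Message.obtain(null, MSG_CHECK_PIN, ARG1_CHECK_PIN, ARG2_FROM_DROZER).apply {
        // msg.data and msg.obj are separate fields. A handler that casts
        // msg.obj to Bundle sees null when only msg.data was set, which
        // matches the NullPointerException in the stack trace above.
        // Across processes obj must be a framework Parcelable; Bundle is one.
        obj = bundle
        // Without replyTo the service has no Messenger to answer on.
        replyTo = replyMessenger
    }
}
```

Because `bindService` completes asynchronously, call `myService?.send(buildPinRequest("1234"))` from `onServiceConnected` (or after it has run) rather than immediately after `bindService`.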