Skip to content

Commit

Permalink
Added simulator support and SSLPinning Bypass script
Browse files Browse the repository at this point in the history
  • Loading branch information
@dpnishant
dpnishant committed Jul 14, 2017
1 parent b3ebba0 commit 4c3db24
Show file tree
Hide file tree
Showing 3 changed files with 214 additions and 15 deletions.
11 changes: 10 additions & 1 deletion appmon.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ def init_opts():
parser.add_argument('--spawn', action='store', dest='spawn', default=0,
help='''Optional; Accepts 1=Spawn, 0=Attach; Needs "-p PLATFORM"''')
parser.add_argument('-p', action='store', dest='platform',
help='Platform Type; Accepts "ios", "android" or "macos"')
help='Platform Type; Accepts "ios", "iossim", "android" or "macos"')
parser.add_argument('-s', action='store', dest='script_path', default='',
help='''Path to agent script file;
Can be relative/absolute path for a file or directory;
Expand Down Expand Up @@ -279,6 +279,15 @@ def init_session():
print colored("HINT: Have you installed `frida` module from Cydia?", "blue")
print colored("HINT: Have used `ipa_installer` to inject the `FridaGadget` shared lbrary?", "blue")
sys.exit(1)
elif platform == 'iossim':
try:
device = frida.get_remote_device()
except Exception as e:
# print traceback.print_exc()
print colored("Troubleshooting Help", "blue")
print colored("HINT: Have you successfully integrated the FridaGadget dylib with the XCode Project?", "blue")
print colored("HINT: Do you see a message similar to \"[Frida INFO] Listening on 127.0.0.1 TCP port 27042\" on XCode console logs?", "blue")
sys.exit(1)
elif platform == 'macos':
device = frida.get_local_device()
else:
Expand Down
201 changes: 201 additions & 0 deletions intruder/scripts/iOS/SSLPinning.js
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,201 @@
/**
* Copyright (c) 2016 Nishant Das Patnaik.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
**/

'use strict';
var resolver = new ApiResolver('objc');
var NSURLCredential = ObjC.classes.NSURLCredential;

// Ref: https://developer.apple.com/documentation/security/1399173-sslsetsessionoption?preferredLanguage=occ
var SSLSetSessionOption = new NativeFunction(Module.findExportByName('Security', 'SSLSetSessionOption'), 'int', ['pointer', 'int', 'bool']);

// for iOS verion 10 and higher
// Ref: https://opensource.apple.com/source/coreTLS/coreTLS-121.1.1/coretls_cfhelpers/tls_helpers.c
var tls_helper_create_peer_trust = new NativeFunction(Module.findExportByName('libcoretls_cfhelpers.dylib', 'tls_helper_create_peer_trust'), 'int', ['void', 'bool', 'pointer']);

// Ref: https://developer.apple.com/documentation/security/1393063-sslcreatecontext
var SSLCreateContext = new NativeFunction(Module.findExportByName('Security', 'SSLCreateContext'), 'pointer', ['pointer', 'int', 'int']);


// for iOS version 9 and lower
// Ref: https://developer.apple.com/documentation/security/1400161-sslhandshake?language=objc#parameters
// Ref: https://developer.apple.com/documentation/security/secure_transport/1503828-secure_transport_result_codes/errsslserverauthcompleted?language=objc
var errSSLServerAuthCompleted = -9481;
var kSSLSessionOptionBreakOnServerAuth = 0;
var noErr = 0;
var errSecSuccess = 0;
var SSLHandshake = new NativeFunction(Module.findExportByName('Security', 'SSLHandshake'), 'int', ['pointer']);


// Ref: https://developer.apple.com/documentation/security/1394363-sectrustevaluate
var kSecTrustResultInvalid = 0;
var kSecTrustResultProceed = 1;
var kSecTrustResultDeny = 3;
var kSecTrustResultUnspecified = 4;
var kSecTrustResultRecoverableTrustFailure = 6;
var kSecTrustResultFatalTrustFailure = 6;
var kSecTrustResultOtherError = 7;
var SecTrustEvaluate = new NativeFunction(Module.findExportByName("Security", "SecTrustEvaluate"), 'int', ['pointer', 'pointer']);

// AFNetworking 3.0
// Ref: http://cocoadocs.org/docsets/AFNetworking/3.0.0/Classes/AFSecurityPolicy.html#//api/name/policyWithPinningMode:
try {
Interceptor.attach(ObjC.classes.AFSecurityPolicy['+ policyWithPinningMode:'].implementation, {
onEnter: function(args) {
var int_0 = new NativePointer('0x0');
if (args[2] != int_0) {
console.log('Executing SSL Pinning Bypass Technique #1');
args[2] = int_0;
}
}
});

} catch (e) {
console.log(e.stack);
}


// Ref: http://cocoadocs.org/docsets/AFNetworking/3.0.0/Classes/AFSecurityPolicy.html#//api/name/policyWithPinningMode:withPinnedCertificates:
try {
Interceptor.attach(ObjC.classes.AFSecurityPolicy['+ policyWithPinningMode:withPinnedCertificates:'].implementation, {
onEnter: function(args) {
var int_0 = new NativePointer('0x0');
if (args[2] != int_0) {
console.log('Executing SSL Pinning Bypass Technique #2');
args[2] = int_0;
}
}
});
} catch (e) {
console.log(e.stack);
}


// Ref: https://developer.apple.com/documentation/foundation/nsurlsessiondelegate/1409308-urlsession
try {
resolver.enumerateMatches('-[* URLSession:didReceiveChallenge:completionHandler:]', {
onMatch: function(match) {
console.log('[NSURLSession] Found URLSession:didReceiveChallenge:completionHandler:');
Interceptor.attach(match.address, {
onEnter: function(args) {

var receiver = new ObjC.Object(args[0]);
var selector = ObjC.selectorAsString(args[1]);
var session = new ObjC.Object(args[2]);
var challenge = new ObjC.Object(args[3]);

console.log('Executing SSL Pinning Bypass Technique #3');

var completion_handler = new ObjC.Block(args[4]);
var saved_completion_handler = completion_handler.implementation;

completion_handler.implementation = function() {

// Ref: https://developer.apple.com/documentation/foundation/nsurlcredential/1407330-credentialfortrust
var credential = NSURLCredential.credentialForTrust_(challenge.protectionSpace().serverTrust());

// Ref: https://developer.apple.com/documentation/foundation/nsurlauthenticationchallengesender/1411062-usecredential
challenge.sender().useCredential_forAuthenticationChallenge_(credential, challenge);
saved_completion_handler(0, credential);
}
}
});
},
onComplete: function() {}
});
} catch (e) {
console.log(e.stack);
}


// Ref: https://developer.apple.com/documentation/foundation/nsurlconnectiondelegate/1414078-connection?language=objc
try {
resolver.enumerateMatches('-[* connection:willSendRequestForAuthenticationChallenge:]', {
onMatch: function(match) {
console.log('Executing SSL Pinning Bypass Technique #4');
Interceptor.replace(match.address, new NativeCallback(function(a, b, connection, challenge) {
// console.log('swizzled');
}, 'void', ['pointer', 'pointer', 'pointer', 'pointer']));
},
onComplete: function() {}
});
} catch (e) {
console.log(e.stack);
}


// (as done in SSL-Killswitch2)
// Ref: https://github.com/nabla-c0d3/ssl-kill-switch2/blob/master/SSLKillSwitch/SSLKillSwitch.m
try {
Interceptor.replace(SecTrustEvaluate, new NativeCallback(function(trust, result) {
console.log('Executing SSL Pinning Bypass Technique #5');
var ret = SecTrustEvaluate(trust, result);
result = kSecTrustResultProceed;
return ret;
}, 'int', ['pointer', 'pointer']));
} catch (e) {
console.log(e.stack);
}


try {
Interceptor.replace(SSLSetSessionOption, new NativeCallback(function(context, option, value) {
console.log('Executing SSL Pinning Bypass Technique #6');
if (option === kSSLSessionOptionBreakOnServerAuth) {
return noErr;
}
return SSLSetSessionOption(context, option, value);
}, 'int', ['pointer', 'int', 'bool']));
} catch (e) {
console.log(e.stack);
}



try {
Interceptor.replace(SSLCreateContext, new NativeCallback(function(alloc, protocolSide, connectionType) {
console.log('Executing SSL Pinning Bypass Technique #7');
var sslContext = SSLCreateContext(alloc, protocolSide, connectionType);
SSLSetSessionOption(sslContext, kSSLSessionOptionBreakOnServerAuth, 1);
return sslContext;
}, 'pointer', ['pointer', 'int', 'int']));
} catch (e) {
console.log(e.stack);
}


try {
Interceptor.replace(SSLHandshake, new NativeCallback(function(context) {
console.log('Executing SSL Pinning Bypass Technique #8');
var result = SSLHandshake(context);
if (result === errSSLServerAuthCompleted) {
return SSLHandshake(context);
} else {
return result;
}
}, 'int', ['pointer']));
} catch (e) {
console.log(e.stack);
}


try {
Interceptor.replace(tls_helper_create_peer_trust, new NativeCallback(function(hdsk, server, SecTrustRef) {
console.log('Executing SSL Pinning Bypass Technique #9');
return errSecSuccess;
}, 'int', ['void', 'bool', 'pointer']));
} catch (e) {
console.log(e.stack);
}
17 changes: 3 additions & 14 deletions templates/monitor.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -308,17 +308,6 @@
});
*/
$('#tblResultView').DataTable({
"columns": [
null,
null,
null,
{
"width": "50%"
},
null,
null,
null
],
ajax: {
"url": "/api/fetch",
"data": function (d) {
Expand All @@ -331,10 +320,10 @@
"smart": true
},
bAutoWidth: false,
autoWidth: false,
colReorder: true,
keys: true,
"scrollY": true,
"scrollX": true,
scrollY: true,
scrollX: true,
dom: 'Bfrtip',
lengthMenu: [
[ 15, 30, 50, 100, -1 ],
Expand Down

0 comments on commit 4c3db24

Please sign in to comment.