This article will cover:

  1. Introduction to Frida and SSL pinning
  2. Requirements
  3. Setup and Installation
  4. Frida Server Setup
  5. Setup BurpSuite
  6. Pushing the proxy’s CA Certificate
  7. Script injection to bypass SSL pinning
  8. All stuff in a nutshell
  9. Troubleshooting



https://codeshare.frida.re/@pcipolloni/universal-android-ssl-pinning-bypass-with-frida/
Alternatively, save the code below as fridascript.js in the same folder as adb.

/*
Android SSL Re-pinning frida script v0.2 030417-pier
$ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
$ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause
https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/

UPDATE 20191605: Fixed undeclared var. Thanks to @oleavr and @ehsanpc9999 !
*/
setTimeout(function () {
    Java.perform(function () {
        console.log("");
        console.log("[.] Cert Pinning Bypass/Re-Pinning");

        var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
        var FileInputStream = Java.use("java.io.FileInputStream");
        var BufferedInputStream = Java.use("java.io.BufferedInputStream");
        var X509Certificate = Java.use("java.security.cert.X509Certificate");
        var KeyStore = Java.use("java.security.KeyStore");
        var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
        var SSLContext = Java.use("javax.net.ssl.SSLContext");

        // Load the proxy CA (DER encoded) that was pushed to the device with adb
        console.log("[+] Loading our CA...");
        var cf = CertificateFactory.getInstance("X.509");

        var fileInputStream;
        try {
            fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
        } catch (err) {
            // No certificate file on the device: report it and stop, rather than
            // passing an undefined stream to BufferedInputStream below
            console.log("[o] " + err);
            return;
        }

        var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
        var ca = cf.generateCertificate(bufferedInputStream);
        bufferedInputStream.close();
        var certInfo = Java.cast(ca, X509Certificate);
        console.log("[o] Our CA Info: " + certInfo.getSubjectDN());

        // Create a KeyStore containing only our CA
        console.log("[+] Creating a KeyStore for our CA...");
        var keyStoreType = KeyStore.getDefaultType();
        var keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // Create a TrustManager that trusts the CA in our KeyStore
        console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
        var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);
        console.log("[+] Our TrustManager is ready...");

        // Replace whatever TrustManager array the app hands to SSLContext.init()
        // with ours, so the proxy CA is trusted regardless of the app's own pinning
        console.log("[+] Hijacking SSLContext methods now...");
        console.log("[-] Waiting for the app to invoke SSLContext.init()...");
        SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function (a, b, c) {
            console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
            SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
            console.log("[+] SSLContext initialized with our custom TrustManager!");
        };
    });
}, 0);



wtdsoul

https://thehackernews.com/2019/11/whatsapp-hacking-vulnerability.html?fbclid=IwAR29_Ta1wgs0itQkPCIQgtxvuXAzXtsMohZD38kRe152DVJUYvWZnma8TKo

New WhatsApp Bug Could Have Let Hackers Secretly Install Spyware On Your Devices

New WhatsApp Flaw (CVE-2019-11931) Could Have Allowed Hackers to Install Spyware On Your Device Just by Sending an MP4 Media File

According to an advisory published by Facebook, which owns WhatsApp, the list of affected app versions is as follows:

  • Android versions before 2.19.274
  • iOS versions before 2.19.100
  • Enterprise Client versions before 2.25.3
  • Windows Phone versions before and including 2.18.368
  • Business for Android versions before 2.19.104
  • Business for iOS versions before 2.19.100

Android Camera Apps

CVE 2019. 11. 21. 15:41

https://securityaffairs.co/wordpress/94089/hacking/cve-2019-2234-android-camera-apps-flaws.html?fbclid=IwAR0tjThpkEnxEgEum9RVgqoz41egBSwBneoMb9BtnjhbH1LoKMEhPFcmPyI

CVE-2019-2234 flaws in Android Camera Apps exposed millions of users to surveillance

Experts found multiple flaws (CVE-2019-2234) in the Android camera apps provided by Google and Samsung that could allow attackers to spy on users. Cybersecurity experts from Checkmarx discovered multiple vulnerabilities in the Android camera apps provided

Below is the video PoC of the attack:

https://youtu.be/XJAMJOVoVyw

The researchers reported the flaws to Google in early July, and the company confirmed that a security patch addressing them was released in the same month. Samsung also confirmed that it had addressed the issue.

“This type of research activity is part of the Checkmarx Security Research Team’s ongoing efforts to drive the necessary changes in software security practices among vendors that manufacture consumer-based smartphones and IoT devices, while bringing more security awareness amid the consumers who purchase and use them. Protecting privacy of consumers must be a priority for all of us in today’s increasingly connected world”
