  • Universal SSL Pinning Bypass ( Android )
    Mobile/Frida 2020. 3. 8. 20:01
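    /**
     * Hook javax.net.ssl.SSLContext.init() so that every SSLContext the app
     * builds is initialised with a trust manager that accepts any chain.
     *
     * The replacement X509TrustManager has empty checkClientTrusted /
     * checkServerTrusted bodies and no accepted issuers, i.e. it performs no
     * certificate validation at all. This is an interception aid for testing
     * an app you are authorised to assess, on a lab device that already trusts
     * the proxy CA; it must never end up in a release build.
     *
     * Unlike the sibling hooks this function had no try/catch, so a failure
     * here (for example Java.registerClass rejecting a class name that is
     * already registered after a script reload) propagated out of the
     * Java.perform callback and none of the later hooks were installed. The
     * failure is now logged and the remaining hooks still run.
     *
     * NOTE(review): only the init(KeyManager[], TrustManager[], SecureRandom)
     * overload is hooked; contexts the app obtains without calling init()
     * itself (e.g. via SSLContext.getDefault()) may not pass through here -
     * confirm against the target if a connection still fails.
     *
     * No parameters, no return value; installs the hook as a side effect.
     */
    function SSLContext()
    {
        try {
            var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
            var SSLContextClass = Java.use('javax.net.ssl.SSLContext');

            // Trust manager that accepts every certificate chain.
            var TrustManager = Java.registerClass({
                name: 'com.sensepost.test.TrustManager',
                implements: [X509TrustManager],
                methods: {
                    checkClientTrusted: function (chain, authType) {
                    },
                    checkServerTrusted: function (chain, authType) {
                    },
                    getAcceptedIssuers: function () {
                        return [];
                    }
                }
            });

            // Whatever trust managers the app passes in are discarded and
            // replaced with the permissive one; the key managers and the
            // SecureRandom are forwarded unchanged.
            var TrustManagers = [TrustManager.$new()];
            var SSLContext_init = SSLContextClass.init.overload(
                '[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom'
            );
            SSLContext_init.implementation = function (keyManager, trustManager, secureRandom) {
                console.log('! Intercepted trustmanager request');
                SSLContext_init.call(this, keyManager, TrustManagers, secureRandom);
            };

            console.log('* Setup custom trust manager');
        } catch (err) {
            // Same shape as the other hooks: report the reason and carry on so
            // one failing hook does not abort the whole bypass.
            console.log('* Unable to hook into SSLContext.init: ' + err);
        }
    }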
        
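    /**
     * Neutralise okhttp3.CertificatePinner.check(String, List) by replacing
     * it with a no-op, so an OkHttp client with configured pins accepts the
     * proxy's certificate chain.
     *
     * Only this one overload is hooked. NOTE(review): other OkHttp versions
     * expose further entry points (a Certificate[] overload, and in 4.x the
     * Kotlin-mangled check$okhttp); if pinning survives this hook, confirm
     * which variant the target bundles.
     *
     * The class is absent in apps that do not ship OkHttp, so a resolution
     * failure is expected and non-fatal. It is now logged together with the
     * exception text instead of being swallowed, so a class-not-found can be
     * told apart from an overload mismatch.
     */
    function okhttp3()
    {
        try {
            var CertificatePinner = Java.use('okhttp3.CertificatePinner');
            CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function (str) {
                console.log('! Intercepted okhttp3: ' + str);
                return;
            };

            console.log('* Setup okhttp3 pinning');
        } catch(err) {
            console.log('* Unable to hook into okhttp3 pinner: ' + err);
        }
    }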
    
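    /**
     * Force TrustKit's verifier to accept every host: both
     * OkHostnameVerifier.verify overloads (SSLSession and X509Certificate)
     * are replaced with functions that log the host and return true.
     *
     * The local was previously named `Activity`, which had nothing to do
     * with what it holds; it is now named after the class it wraps.
     *
     * The class is only present in apps bundling TrustKit; resolution
     * failures are logged with the exception text instead of being
     * discarded, so a missing library can be distinguished from a changed
     * method signature.
     */
    function trustkit()
    {
        try {
            var OkHostnameVerifier = Java.use("com.datatheorem.android.trustkit.pinning.OkHostnameVerifier");
            OkHostnameVerifier.verify.overload('java.lang.String', 'javax.net.ssl.SSLSession').implementation = function (str) {
                console.log('! Intercepted trustkit{1}: ' + str);
                return true;
            };

            OkHostnameVerifier.verify.overload('java.lang.String', 'java.security.cert.X509Certificate').implementation = function (str) {
                console.log('! Intercepted trustkit{2}: ' + str);
                return true;
            };

            console.log('* Setup trustkit pinning');
        } catch(err) {
            console.log('* Unable to hook into trustkit pinner: ' + err);
        }
    }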
    
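    /**
     * Short-circuit Conscrypt's TrustManagerImpl.verifyChain, which by name
     * is the platform-level chain verification step. The replacement logs the
     * host and hands the untrusted chain straight back as the verified chain,
     * so every server certificate passes for every host - including pins the
     * app relies on the platform to enforce. Use only against a lab device.
     *
     * NOTE(review): the hook is assigned without .overload(), which Frida
     * only accepts while verifyChain has a single overload on the target
     * image; if it reports an ambiguity, pin the six-argument signature
     * (untrustedChain, trustAnchorChain, host, clientAuth, ocspData,
     * tlsSctData) explicitly.
     *
     * Errors are now logged with their message so a missing class can be
     * told apart from an overload ambiguity.
     */
    function TrustManagerImpl()
    {
        try {
            var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl');
            TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) {
                console.log('! Intercepted TrustManagerImp: ' + host);
                return untrustedChain;
            };

            console.log('* Setup TrustManagerImpl pinning');
        } catch (err) {
            console.log('* Unable to hook into TrustManagerImpl: ' + err);
        }
    }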
    
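    /**
     * Disable the Appcelerator/Titanium HTTPS module's pinning by turning
     * PinningTrustManager.checkServerTrusted into a no-op (it logs and
     * returns nothing, so no chain is ever rejected).
     *
     * Like verifyChain above, the hook is assigned without .overload() and
     * therefore relies on the method having a single overload in the
     * bundled module version.
     *
     * The class only exists in Titanium-built apps; a resolution failure is
     * logged with the exception text instead of being swallowed.
     */
    function Appcelerator()
    {
        try {
            var PinningTrustManager = Java.use('appcelerator.https.PinningTrustManager');
            PinningTrustManager.checkServerTrusted.implementation = function () {
                console.log('! Intercepted Appcelerator');
            };

            console.log('* Setup Appcelerator pinning');
        } catch (err) {
            console.log('* Unable to hook into Appcelerator pinning: ' + err);
        }
    }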
    
    // Entry point: once the Java VM is available, print which hooks will be
    // attempted and then install them in order. Each hook function reports
    // its own success or failure on the console, so a missing library shows
    // up as an "Unable to hook" line rather than stopping the script.
    Java.perform(function () {
        var banner = [
            "",
            "[*] Universal SSL Bypass",
            "[1] javax.net.ssl.SSLContext.init()",
            "[2] okhttp3.CertificatePinner.check()",
            "[3] com.datatheorem.android.trustkit.pinning.OkHostnameVerifier.verify()",
            "[4] com.android.org.conscrypt.TrustManagerImpl.verifyChain()",
            "[5] appcelerator.https.PinningTrustManager.checkServerTrusted()",
            ""
        ];
        banner.forEach(function (line) {
            console.log(line);
        });

        //TODO: TrustManagerImpl.checkTrustedRecursive()

        // Installation order is the same as the banner numbering.
        var installers = [SSLContext, okhttp3, trustkit, TrustManagerImpl, Appcelerator];
        installers.forEach(function (install) {
            install();
        });
    });

    출처  http://linforum.kr/bbs/board.php?bo_table=android&wr_id=757&sca=FRIDA

     

     

    Multiple SSL Pinning 스크립트

    여러 방법으로 SSL Pinning하는 Frida 스크립트 입니다.사용법은 frida -U -l pinning.js -f [APP_ID] -- no-pause로 하시면되요.Java.perform(function () { console.log('') console.log('===') console.log('* Injecting hooks into common…

    linforum.kr

    위 스크립트를 좀 더 보기 쉽게 정리하였다.

     

    SSL Pinning에 흔히 쓰이는 주요 메소드(SSLContext.init, okhttp3 CertificatePinner, TrustKit, Conscrypt TrustManagerImpl, Appcelerator)를 후킹하는 스크립트이며, 해당 스크립트로도 우회가 안 된다면 TrustManagerImpl.checkTrustedRecursive( )도 추가해서 사용해보길 바란다. 이 스크립트는 인증서 검증을 사실상 전부 비활성화하므로, 프록시 CA를 신뢰하도록 설정한 테스트 기기에서 점검 권한이 있는 앱에만 사용해야 한다.
