fix untar permission errors, update ssl pinning scripts, add intent t…

…race and update intent dumper
MobSF · Nov 14, 2024 · e3ce0cf · e3ce0cf
1 parent d932575
commit e3ce0cf
Show file tree

Hide file tree

Showing 10 changed files with 506 additions and 249 deletions.
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/android/default/ssl_pinning_bypass.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/android/default/ssl_pinning_bypass.js
@@ -241,15 +241,84 @@ Java.perform(function() {
     } catch (err) {
         send('[SSL Pinning Bypass] Cronet not found');
     }
-    /* Certificate Transparency Bypass
-       Ajin Abraham - opensecurity.in */
-    try{
+    /* Boye AbstractVerifier */
+    try {
+        Java.use("ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier").verify.implementation = function(host, ssl) {
+        send("[SSL Pinning Bypass] Bypassing Boye AbstractVerifier" + host);
+    };
+    } catch (err) {
+        send("[SSL Pinning Bypass] Boye AbstractVerifier not found");
+    }
+    /* Appmattus */
+    try {
+        /* Certificate Transparency Bypass Ajin Abraham - opensecurity.in */
         Java.use('com.babylon.certificatetransparency.CTInterceptorBuilder').includeHost.overload('java.lang.String').implementation = function(host) {
             send('[SSL Pinning Bypass] Bypassing Certificate Transparency check');
             return this.includeHost('nonexistent.domain');
         };
+    } catch (err) {
+        send('[SSL Pinning Bypass] babylon certificatetransparency.CTInterceptorBuilder not found');
+    }
+    try {
+        Java.use("com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor")["intercept"].implementation = function(a) {
+            send("[SSL Pinning Bypass] Appmattus Certificate Transparency");
+            return a.proceed(a.request());
+        };
+    } catch (err) {
+        send("[SSL Pinning Bypass] Appmattus CertificateTransparencyInterceptor not found");
+    }
+    try{
+        bypassOkHttp3CertificateTransparency();
     } catch (err) {
         send('[SSL Pinning Bypass] certificatetransparency.CTInterceptorBuilder not found');
     }
-
 }, 0);
+
+
+function bypassOkHttp3CertificateTransparency() {
+  // https://gist.github.com/m-rey/f2a235123908ca42395b6d3c5fe1128e
+  Java.perform(function () {
+    var CertificateTransparencyInterceptor = Java.use('com.appmattus.certificatetransparency.internal.verifier.CertificateTransparencyInterceptor');
+    var OkHttpClientBuilder = Java.use('okhttp3.OkHttpClient$Builder');
+
+    CertificateTransparencyInterceptor.intercept.implementation = function (chain) {
+        var request = chain.request();
+        var url = request.url();
+        var host = url.host();
+
+        // Dynamically access the VerificationResult classes
+        var VerificationResult = Java.use('com.appmattus.certificatetransparency.VerificationResult');
+        var VerificationResultSuccessInsecureConnection = Java.use('com.appmattus.certificatetransparency.VerificationResult$Success$InsecureConnection');
+        var VerificationResultFailureNoCertificates = Java.use('com.appmattus.certificatetransparency.VerificationResult$Failure$NoCertificates');
+
+        // Create instances of the desired VerificationResult classes
+        var success = VerificationResultSuccessInsecureConnection.$new(host);
+        var failureNoCertificates = VerificationResultFailureNoCertificates.$new();
+
+        // Bypass certificate transparency verification
+        var certs = chain.connection().handshake().peerCertificates();
+        if (certs.length === 0) {
+        send('[SSL Pinning Bypass] Certificate transparency bypassed.');
+        return failureNoCertificates;
+        }
+
+        try {
+        // Proceed with the original request
+        return chain.proceed(request);
+        } catch (e) {
+        // Catch SSLPeerUnverifiedException and return intercepted response
+        if (e.toString().includes('SSLPeerUnverifiedException')) {
+            send('[SSL Pinning Bypass] Certificate transparency failed.');
+            return failureNoCertificates;
+        }
+        throw e;
+        }
+    };
+
+    OkHttpClientBuilder.build.implementation = function () {
+        // Intercept the OkHttpClient creation
+        var client = this.build();
+        return client;
+    };
+});
+}
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/android/others/detect-ssl-pinning.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/android/others/detect-ssl-pinning.js
@@ -0,0 +1,20 @@
+try {
+    var UnverifiedCertError = Java.use('javax.net.ssl.SSLPeerUnverifiedException');
+    UnverifiedCertError.$init.implementation = function(str) {
+        send('Unexpected SSLPeerUnverifiedException occurred');
+        try {
+            var stackTrace = Java.use('java.lang.Thread').currentThread().getStackTrace();
+            var exceptionStackIndex = stackTrace.findIndex(stack => stack.getClassName() === "javax.net.ssl.SSLPeerUnverifiedException");
+            var callingFunctionStack = stackTrace[exceptionStackIndex + 1];
+            var className = callingFunctionStack.getClassName();
+            var methodName = callingFunctionStack.getMethodName();
+            var callingClass = Java.use(className);
+            var callingMethod = callingClass[methodName];
+            send('SSL exception caused: ' + className + '.' + methodName + '. Patch this method to bypass pinning.');
+            if (callingMethod.implementation) {
+                return;
+            }
+        } catch (e) {}
+        return this.$init(str);
+    };
+} catch (err) {}
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/android/others/dump-intent.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/android/others/dump-intent.js
@@ -1,21 +1,93 @@
-// https://gist.github.com/bet4it/b62ac2d5bd45b8cb699905fa498baf5e
 Java.perform(function () {
-    var act = Java.use("android.app.Activity");
-    act.getIntent.overload().implementation = function () {
-      var intent = this.getIntent()
-      var cp = intent.getComponent()
-      send("[Intent Dumper] Starting " + cp.getPackageName() + "/" + cp.getClassName())
-      var ext = intent.getExtras();
-      if (ext) {
-        var keys = ext.keySet()
-        var iterator = keys.iterator()
-        while (iterator.hasNext()) {
-          var k = iterator.next().toString()
-          var v = ext.get(k)
-          send("\t" + v.getClass().getName())
-          send("\t" + k + ' : ' + v.toString())
-        }
+  var Activity = Java.use("android.app.Activity");
+
+  Activity.getIntent.overload().implementation = function () {
+      var intent = this.getIntent();
+      var component = intent.getComponent();
+
+      send("[Intent Dumper] Captured Intent for Activity:");
+
+      // Component (target package and class)
+      if (component) {
+          send("  Component:");
+          send("    Package: " + component.getPackageName());
+          send("    Class: " + component.getClassName());
+      } else {
+          send("  Component: None");
       }
-    return intent;
-    };
- })
+
+      // Action
+      var action = intent.getAction();
+      send("  Action: " + (action ? action : "None"));
+
+      // Data URI
+      var dataUri = intent.getDataString();
+      send("  Data URI: " + (dataUri ? dataUri : "None"));
+
+      // Flags
+      var flags = intent.getFlags();
+      send("  Flags: " + flags);
+
+      // Dumping extras in the Intent
+      var extras = intent.getExtras();
+      if (extras) {
+          send("  Extras:");
+          var iterator = extras.keySet().iterator();
+          while (iterator.hasNext()) {
+              var key = iterator.next();
+              var value = extras.get(key);
+              if (value !== null) {
+                  send("    " + key + " (" + value.getClass().getName() + "): " + valueToString(value));
+              }
+          }
+      } else {
+          send("  Extras: None");
+      }
+
+      return intent;
+  };
+
+  // Helper function to convert intent extras to a readable string
+  function valueToString(value) {
+      var valueType = value.getClass().getName();
+
+      if (valueType === "android.os.Bundle") {
+          return bundleToString(Java.cast(value, Java.use("android.os.Bundle")));
+      } else if (valueType === "java.lang.String") {
+          return '"' + value + '"';
+      } else if (valueType === "java.lang.Integer" || valueType === "java.lang.Float" || valueType === "java.lang.Boolean") {
+          return value.toString();
+      } else if (valueType === "java.util.ArrayList") {
+          return arrayListToString(Java.cast(value, Java.use("java.util.ArrayList")));
+      } else {
+          send("Unsupported extra type for key. Type: " + valueType);
+          return value.toString();
+      }
+  }
+
+  // Function to handle nested Bundles
+  function bundleToString(bundle) {
+      var result = "{";
+      var iterator = bundle.keySet().iterator();
+      while (iterator.hasNext()) {
+          var key = iterator.next();
+          var value = bundle.get(key);
+          result += key + ": " + (value !== null ? valueToString(value) : "null") + ", ";
+      }
+      result = result.slice(0, -2); // Remove trailing comma and space
+      result += "}";
+      return result;
+  }
+
+  // Function to handle ArrayLists (if any)
+  function arrayListToString(arrayList) {
+      var result = "[";
+      for (var i = 0; i < arrayList.size(); i++) {
+          var item = arrayList.get(i);
+          result += valueToString(item) + ", ";
+      }
+      result = result.slice(0, -2); // Remove trailing comma and space
+      result += "]";
+      return result;
+  }
+});
diff --git a/mobsf/DynamicAnalyzer/tools/frida_scripts/android/others/ssl-pinning-bypass.js b/mobsf/DynamicAnalyzer/tools/frida_scripts/android/others/ssl-pinning-bypass.js
@@ -720,69 +720,70 @@ function dynamicPatching() {
             return null;
         }
     }
-    try {
-        var UnverifiedCertError = Java.use('javax.net.ssl.SSLPeerUnverifiedException');
-        UnverifiedCertError.$init.implementation = function(str) {
-            console.log('[!] Unexpected SSLPeerUnverifiedException occurred, trying to patch it dynamically...!');
-            try {
-                var stackTrace = Java.use('java.lang.Thread').currentThread().getStackTrace();
-                var exceptionStackIndex = stackTrace.findIndex(stack => stack.getClassName() === "javax.net.ssl.SSLPeerUnverifiedException");
-                var callingFunctionStack = stackTrace[exceptionStackIndex + 1];
-                var className = callingFunctionStack.getClassName();
-                var methodName = callingFunctionStack.getMethodName();
-                var callingClass = Java.use(className);
-                var callingMethod = callingClass[methodName];
-                console.log('[!] Attempting to bypass uncommon SSL Pinning method on: ' + className + '.' + methodName + '!');
-                if (callingMethod.implementation) {
-                    return;
-                }
-                var returnTypeName = callingMethod.returnType.type;
-                callingMethod.implementation = function() {
-                    rudimentaryFix(returnTypeName);
-                };
-            } catch (e) {
-                if (String(e).includes(".overload")) {
-                    var splittedList = String(e).split(".overload");
-                    for (let i = 2; i < splittedList.length; i++) {
-                        var extractedOverload = splittedList[i].trim().split("(")[1].slice(0, -1).replaceAll("'", "");
-                        if (extractedOverload.includes(",")) {
-                            var argList = extractedOverload.split(", ");
-                            console.log('[!] Attempting overload of ' + className + '.' + methodName + ' with arguments: ' + extractedOverload + '!');
-                            if (argList.length == 2) {
-                                callingMethod.overload(argList[0], argList[1]).implementation = function(a, b) {
-                                    rudimentaryFix(returnTypeName);
-                                }
-                            } else if (argNum == 3) {
-                                callingMethod.overload(argList[0], argList[1], argList[2]).implementation = function(a, b, c) {
-                                    rudimentaryFix(returnTypeName);
-                                }
-                            } else if (argNum == 4) {
-                                callingMethod.overload(argList[0], argList[1], argList[2], argList[3]).implementation = function(a, b, c, d) {
-                                    rudimentaryFix(returnTypeName);
-                                }
-                            } else if (argNum == 5) {
-                                callingMethod.overload(argList[0], argList[1], argList[2], argList[3], argList[4]).implementation = function(a, b, c, d, e) {
-                                    rudimentaryFix(returnTypeName);
-                                }
-                            } else if (argNum == 6) {
-                                callingMethod.overload(argList[0], argList[1], argList[2], argList[3], argList[4], argList[5]).implementation = function(a, b, c, d, e, f) {
-                                    rudimentaryFix(returnTypeName);
-                                }
-                            }
-                        } else {
-                            callingMethod.overload(extractedOverload).implementation = function(a) {
-                                rudimentaryFix(returnTypeName);
-                            }
-                        }
-                    }
-                } else {
-                    console.log('[-] Failed to dynamically patch SSLPeerUnverifiedException ' + e + '!');
-                }
-            }
-            return this.$init(str);
-        };
-    } catch (err) {}
+    // try {
+    //     var UnverifiedCertError = Java.use('javax.net.ssl.SSLPeerUnverifiedException');
+    //     UnverifiedCertError.$init.implementation = function(str) {
+    //         console.log('[!] Unexpected SSLPeerUnverifiedException occurred, trying to patch it dynamically...!');
+    //         try {
+    //             var stackTrace = Java.use('java.lang.Thread').currentThread().getStackTrace();
+    //             var exceptionStackIndex = stackTrace.findIndex(stack => stack.getClassName() === "javax.net.ssl.SSLPeerUnverifiedException");
+    //             var callingFunctionStack = stackTrace[exceptionStackIndex + 1];
+    //             var className = callingFunctionStack.getClassName();
+    //             var methodName = callingFunctionStack.getMethodName();
+    //             var callingClass = Java.use(className);
+    //             var callingMethod = callingClass[methodName];
+    //             console.log('[!] Attempting to bypass uncommon SSL Pinning method on: ' + className + '.' + methodName + '!');
+    //             if (callingMethod.implementation) {
+    //                 return;
+    //             }
+    //             var returnTypeName = callingMethod.returnType.type;
+    //             callingMethod.implementation = function() {
+    //                 rudimentaryFix(returnTypeName);
+    //             };
+    //         } catch (e) {
+    //             if (String(e).includes(".overload")) {
+    //                 var splittedList = String(e).split(".overload");
+    //                 for (let i = 2; i < splittedList.length; i++) {
+    //                     var extractedOverload = splittedList[i].trim().split("(")[1].slice(0, -1).replaceAll("'", "");
+    //                     if (extractedOverload.includes(",")) {
+    //                         var argList = extractedOverload.split(", ");
+    //                         console.log('[!] Attempting overload of ' + className + '.' + methodName + ' with arguments: ' + extractedOverload + '!');
+    //                         if (argList.length == 2) {
+    //                             callingMethod.overload(argList[0], argList[1]).implementation = function(a, b) {
+    //                                 rudimentaryFix(returnTypeName);
+    //                             }
+    //                         } else if (argNum == 3) {
+    //                             callingMethod.overload(argList[0], argList[1], argList[2]).implementation = function(a, b, c) {
+    //                                 rudimentaryFix(returnTypeName);
+    //                             }
+    //                         } else if (argNum == 4) {
+    //                             callingMethod.overload(argList[0], argList[1], argList[2], argList[3]).implementation = function(a, b, c, d) {
+    //                                 rudimentaryFix(returnTypeName);
+    //                             }
+    //                         } else if (argNum == 5) {
+    //                             callingMethod.overload(argList[0], argList[1], argList[2], argList[3], argList[4]).implementation = function(a, b, c, d, e) {
+    //                                 rudimentaryFix(returnTypeName);
+    //                             }
+    //                         } else if (argNum == 6) {
+    //                             callingMethod.overload(argList[0], argList[1], argList[2], argList[3], argList[4], argList[5]).implementation = function(a, b, c, d, e, f) {
+    //                                 rudimentaryFix(returnTypeName);
+    //                             }
+    //                         }
+    //                     } else {
+    //                         callingMethod.overload(extractedOverload).implementation = function(a) {
+    //                             rudimentaryFix(returnTypeName);
+    //                         }
+    //                     }
+    //                 }
+    //             } else {
+    //                 console.log('[-] Failed to dynamically patch SSLPeerUnverifiedException ' + e + '!');
+    //             }
+    //         }
+    //         return this.$init(str);
+    //     };
+    // } catch (err) {}
 }
+
 setTimeout(function() {
     Java.perform(function() {
         var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');