ios hacking bugbounty

Frequently used frida scripts and others..

hahwul

I've posted some frequently used Freda scripts. Honestly, I like cordshares, but sometimes I need them(raw script, link, etc...).

General Information

Docs

https://www.frida.re/docs/home/

Download

https://github.com/frida/frida/tags

Tool

https://github.com/nccgroup/house
https://github.com/federicodotta/Brida

Awesome

https://github.com/dweinstein/awesome-frida

Frida code share

https://codeshare.frida.re/browse

Android scripts & codeshare

Bypass root(codeshare)

frida --codeshare dzonerzy/fridantiroot -f

Bypass disabled Debug 

setTimeout(function() {
    Java.perform(function() {
        console.log("");
        console.log("[.] Debug check bypass");


        var Debug = Java.use('android.os.Debug');
        Debug.isDebuggerConnected.implementation = function() {
            //console.log('isDebuggerConnected Bypassed !');
            return false;
        }




    });
}, 0);

Bypass SSL Pinning

Java.perform(function() {
    var array_list = Java.use("java.util.ArrayList");
    var ApiClient = Java.use('com.android.org.conscrypt.TrustManagerImpl');
    ApiClient.checkTrustedRecursive.implementation = function(a1, a2, a3, a4, a5, a6) {
        // console.log('Bypassing SSL Pinning');
        var k = array_list.$new();
        return k;
    }
}, 0);

Bypass SSL Pinning(codeshare)

frida --codeshare pcipolloni/universal-android-ssl-pinning-bypass-with-frida -f

iOS

Bypass SSL Pinnging & Jail

var tls_helper_create_peer_trust; 
var version = ObjC.classes.UIDevice.currentDevice().systemVersion().toString(); 

if (version.startsWith("11.")) { // iOS 11
/* OSStatus nw_tls_create_peer_trust(tls_handshake_t hdsk, bool server, SecTrustRef *trustRef); */
tls_helper_create_peer_trust = new NativeFunction( 
Module.findExportByName(null, "nw_tls_create_peer_trust"), 
'int', ['pointer', 'bool', 'pointer'] 
); 
} else if (version.startsWith("10.")) { // iOS 10
/* OSStatus tls_helper_create_peer_trust(tls_handshake_t hdsk, bool server, SecTrustRef *trustRef); */
tls_helper_create_peer_trust = new NativeFunction( 
Module.findExportByName(null, "tls_helper_create_peer_trust"), 
'int', ['pointer', 'bool', 'pointer'] 
); 
} else { 
console.log("Unsupported OS version!"); 
} 

var errSecSuccess = 0; 

function bypassSSL() { 
Interceptor.replace(tls_helper_create_peer_trust, new NativeCallback(function(hdsk, server, trustRef) { 
return errSecSuccess; 
}, 'int', ['pointer', 'bool', 'pointer'])); 

console.log("SSL Pinning bypass active"); 

} 


function revertSSL() { 
Interceptor.revert(tls_helper_create_peer_trust); 
console.log("SSL Pinning bypass disabled"); 
} 



function bypassJail() { 
var hook = ObjC.classes.KPAppIntegrity["- isSafe"] 
Interceptor.attach(hook.implementation, {onLeave: function(retval){retval.replace(1)}}) 
console.log("Jailbreak bypass disabled"); 
} 


function revertJail() { 
Interceptor.revert(ObjC.classes.KPAppIntegrity["- isSafe"]); 
consoleΩ.log("Jailbreak bypass disabled"); 
}

iOS 10&11 Bypass SSL Pinning

NSProcessInfo *processInfo = [NSProcessInfo processInfo];
if ([processInfo respondsToSelector:@selector(isOperatingSystemAtLeastVersion:)] && [processInfo isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){11, 0, 0}])
{
// Support for iOS 11
void* handle = dlopen("/usr/lib/libnetwork.dylib", RTLD_NOW);
void *tls_helper_create_peer_trust = dlsym(handle, "nw_tls_create_peer_trust");
if (tls_helper_create_peer_trust)
{
MSHookFunction((void *) tls_helper_create_peer_trust, (void *) replaced_tls_helper_create_peer_trust, (void **) &original_tls_helper_create_peer_trust);
}
}


else if ([processInfo respondsToSelector:@selector(isOperatingSystemAtLeastVersion:)] && [processInfo isOperatingSystemAtLeastVersion:(NSOperatingSystemVersion){10, 0, 0}])
{
// Support for iOS 10
void *tls_helper_create_peer_trust = dlsym(RTLD_DEFAULT, "tls_helper_create_peer_trust");
MSHookFunction((void *) tls_helper_create_peer_trust, (void *) replaced_tls_helper_create_peer_trust, (void **) &original_tls_helper_create_peer_trust);
(https://www.hahwul.com/2018/10/ios-ssl-pinning-bypass-with-frida.html)

iOS 9 Bypass SSL Pinning

#pragma mark SecureTransport hooks - iOS 9 and below
// Explanation here: https://nabla-c0d3.github.io/blog/2013/08/20/ios-ssl-kill-switch-v0-dot-5-released/
static OSStatus (*original_SSLSetSessionOption)(SSLContextRef context,
SSLSessionOption option,
Boolean value);
static OSStatus replaced_SSLSetSessionOption(SSLContextRef context,
SSLSessionOption option,
Boolean value)
{
// Remove the ability to modify the value of the kSSLSessionOptionBreakOnServerAuth option
if (option == kSSLSessionOptionBreakOnServerAuth)
{
return noErr;
}
return original_SSLSetSessionOption(context, option, value);
}




static SSLContextRef (*original_SSLCreateContext)(CFAllocatorRef alloc,
SSLProtocolSide protocolSide,
SSLConnectionType connectionType);


static SSLContextRef replaced_SSLCreateContext(CFAllocatorRef alloc,
SSLProtocolSide protocolSide,
SSLConnectionType connectionType)
{
SSLContextRef sslContext = original_SSLCreateContext(alloc, protocolSide, connectionType);
// Immediately set the kSSLSessionOptionBreakOnServerAuth option in order to disable cert validation
original_SSLSetSessionOption(sslContext, kSSLSessionOptionBreakOnServerAuth, true);
return sslContext;
}


static OSStatus (*original_SSLHandshake)(SSLContextRef context);
static OSStatus replaced_SSLHandshake(SSLContextRef context)
{


OSStatus result = original_SSLHandshake(context);
// Hijack the flow when breaking on server authentication


if (result == errSSLServerAuthCompleted)
{
// Do not check the cert and call SSLHandshake() again
return original_SSLHandshake(context);
}
return result;
}




Security engineer, Developer and H4cker

Menu

Tags

Hacking Android Linux AWS Blogger Javascript Programming BurpSuite Design Docker Security Exploit Git Github Golang Metasploit BugBounty ZAProxy iOS Penetration Test PHP Ruby Windows Python Swift Jekyll Atom CSS Heroku VIM MacOS Crystal-Lang PostgreSQL SSL SQL Tools Cloud Diary Cullinan Phoenix