beau
/
relab
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity
RE env for inspecting APKs
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
10 MiB
Tree: 1884e6e63e
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1884e6e63e'
${ noResults }
relab/frida/frida_scripts/ssl_pinning.js

70 lines
2.8 KiB
Raw Normal View History

adding re env setup
2 years ago
  1. /*
  2. Android SSL Re-pinning frida script v0.2 030417-pier
  4. $ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
  5. $ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause
  7. https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/
  9. UPDATE 20191605: Fixed undeclared var. Thanks to @oleavr and @ehsanpc9999 !
  10. */
  12. setTimeout(function(){
  13. Java.perform(function (){
  14. console.log("");
  15. console.log("[.] Cert Pinning Bypass/Re-Pinning");
  17. var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
  18. var FileInputStream = Java.use("java.io.FileInputStream");
  19. var BufferedInputStream = Java.use("java.io.BufferedInputStream");
  20. var X509Certificate = Java.use("java.security.cert.X509Certificate");
  21. var KeyStore = Java.use("java.security.KeyStore");
  22. var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
  23. var SSLContext = Java.use("javax.net.ssl.SSLContext");
  25. // Load CAs from an InputStream
  26. console.log("[+] Loading our CA...")
  27. var cf = CertificateFactory.getInstance("X.509");
  29. try {
  30. var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
  31. }
  32. catch(err) {
  33. console.log("[o] " + err);
  34. }
  36. var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
  37. var ca = cf.generateCertificate(bufferedInputStream);
  38. bufferedInputStream.close();
  40. var certInfo = Java.cast(ca, X509Certificate);
  41. console.log("[o] Our CA Info: " + certInfo.getSubjectDN());
  43. // Create a KeyStore containing our trusted CAs
  44. console.log("[+] Creating a KeyStore for our CA...");
  45. var keyStoreType = KeyStore.getDefaultType();
  46. var keyStore = KeyStore.getInstance(keyStoreType);
  47. keyStore.load(null, null);
  48. keyStore.setCertificateEntry("ca", ca);
  50. // Create a TrustManager that trusts the CAs in our KeyStore
  51. console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
  52. var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
  53. var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
  54. tmf.init(keyStore);
  55. console.log("[+] Our TrustManager is ready...");
  57. console.log("[+] Hijacking SSLContext methods now...")
  58. console.log("[-] Waiting for the app to invoke SSLContext.init()...")
  60. SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) {
  61. console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
  62. SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
  63. console.log("[+] SSLContext initialized with our custom TrustManager!");
  64. }
  65. });
  66. },0);