/*
* iOS Frida TLS pinning bypass
*
* (c) 2017 INTEGRITY S.A.
* By: Herman Duarte <[email protected]>
*/
'use strict';
// SSLSessionOption value: with it enabled, SSLHandshake() pauses and returns
// errSSLServerAuthCompleted once the server certificate has been received, so the
// caller (rather than SecureTransport) is expected to evaluate the peer trust.
var kSSLSessionOptionBreakOnServerAuth = 0;
// OSStatus success codes handed back to callers by the replaced functions.
var errSecSuccess = 0;
var noErr = 0;
// OSStatus returned by SSLHandshake() at the server-authentication break point.
var errSSLServerAuthCompleted = -9841;
function disablePinning()
{
  // Entry point: install every hook this script knows about, in the order the
  // original author chose (coretls helper first, then the SecureTransport API).
  console.log('Disabling Pinning');
  var installers = [internalDisablePinningIOS10, internalDisablePinningIOS9];
  for (var i = 0; i < installers.length; i++)
  {
    installers[i]();
  }
  console.log('... done');
}
function enablePinning()
{
  // Undo every Interceptor.replace() installed by disablePinning(): each export is
  // looked up again and, when present, Interceptor.revert() restores its original code.
  // Exports that cannot be resolved are skipped silently, exactly as before.
  var revertExport = function (moduleName, symbolName)
  {
    var exportPtr = Module.findExportByName(moduleName, symbolName);
    if (exportPtr == null)
    {
      return;
    }
    console.log(symbolName + ' PTR: ' + exportPtr);
    Interceptor.revert(exportPtr);
    console.log(symbolName + ' restored');
  };
  revertExport('libcoretls_cfhelpers.dylib', 'tls_helper_create_peer_trust');
  revertExport('Security', 'SSLSetSessionOption');
  revertExport('Security', 'SSLCreateContext');
  revertExport('Security', 'SSLHandshake');
}
function internalDisablePinningIOS10()
{
  // Frida hooks for iOS 10
  // OSStatus tls_helper_create_peer_trust(tls_handshake_t hdsk, bool server, SecTrustRef *trustRef);
  var tls_helper_create_peer_trust = Module.findExportByName('libcoretls_cfhelpers.dylib', 'tls_helper_create_peer_trust');
  if (tls_helper_create_peer_trust != null)
  {
    console.log('Found tls_helper_create_peer_trust');
    // Replacement returns errSecSuccess unconditionally and never calls the original,
    // so the trustRef out-parameter is not written by this callback.
    // NOTE(review): the callback's return type is declared 'pointer' although the
    // prototype above is OSStatus (int) — confirm this is intentional.
    Interceptor.replace(tls_helper_create_peer_trust, new NativeCallback(function (hdsk, server, trustRef)
    {
      return errSecSuccess;
    }, 'pointer', ['pointer', 'int', 'pointer']));
  }
}
function internalDisablePinningIOS9()
{
  // Frida hooks for iOS 9 and below (SecureTransport API in the Security framework)
  // https://developer.apple.com/reference/security/1399173-sslsetsessionoption?language=objc
  // OSStatus SSLSetSessionOption(SSLContextRef context, SSLSessionOption option, Boolean value)
  var SSLSetSessionOptionPtr = Module.findExportByName('Security', 'SSLSetSessionOption');
  // NativeFunction handle used by the hooks below to call into the original implementation.
  // NOTE(review): it is constructed before the null check that follows, so a missing export
  // would fail on this line instead of being skipped — confirm against the Frida runtime in use.
  // NOTE(review): return type is declared 'pointer' although the prototype above is OSStatus — confirm.
  var SSLSetSessionOption = new NativeFunction(SSLSetSessionOptionPtr, 'pointer', ['pointer', 'int', 'int']);
  if (SSLSetSessionOptionPtr != null)
  {
    console.log('Found SSLSetSessionOption');
    // Replacement: a request to set kSSLSessionOptionBreakOnServerAuth is acknowledged with
    // noErr without calling through (presumably so the application cannot change the value
    // forced in the SSLCreateContext hook below); every other option is forwarded unchanged.
    Interceptor.replace(SSLSetSessionOptionPtr, new NativeCallback(function (context, option, value)
    {
      console.log('Inside SSLSetSessionOption');
      if (option == kSSLSessionOptionBreakOnServerAuth)
      {
        console.log('option == kSSLSessionOptionBreakOnServerAuth');
        return noErr;
      }
      return SSLSetSessionOption(context, option, value);
    }, 'pointer', ['pointer', 'int', 'int']));
  }
  // https://developer.apple.com/reference/security/1393063-sslcreatecontext?language=objc
  // SSLContextRef SSLCreateContext(CFAllocatorRef alloc, SSLProtocolSide protocolSide, SSLConnectionType connectionType)
  var SSLCreateContextPtr = Module.findExportByName('Security', 'SSLCreateContext');
  // Same ordering caveat as SSLSetSessionOption above: built before the null check.
  var SSLCreateContext = new NativeFunction(SSLCreateContextPtr, 'pointer', ['pointer', 'int', 'int']);
  if (SSLCreateContextPtr != null)
  {
    console.log('Found SSLCreateContext');
    // Replacement: create the context through the original, then enable
    // break-on-server-auth on it before handing it back to the caller.
    Interceptor.replace(SSLCreateContextPtr, new NativeCallback(function (alloc, protocolSide, connectionType)
    {
      console.log('Inside SSLCreateContext');
      var sslContext = SSLCreateContext(alloc, protocolSide, connectionType);
      // Immediately set the kSSLSessionOptionBreakOnServerAuth option in order to disable cert validation
      SSLSetSessionOption(sslContext, kSSLSessionOptionBreakOnServerAuth, 1);
      return sslContext;
    }, 'pointer', ['pointer', 'int', 'int']));
  }
  // https://developer.apple.com/reference/security/1400161-sslhandshake?language=objc
  // OSStatus SSLHandshake(SSLContextRef context)
  var SSLHandshakePtr = Module.findExportByName('Security', 'SSLHandshake');
  // Same ordering caveat: built before the null check.
  var SSLHandshake = new NativeFunction(SSLHandshakePtr, 'int', ['pointer']);
  if (SSLHandshakePtr != null)
  {
    console.log('Found SSLHandshake');
    // Replacement: run the original handshake; if it pauses with errSSLServerAuthCompleted
    // (the point at which the caller would normally evaluate the peer trust), resume it
    // immediately and return the outcome of that second call instead.
    Interceptor.replace(SSLHandshakePtr, new NativeCallback(function (context)
    {
      console.log('Inside SSLHandshake');
      var result = SSLHandshake(context);
      // Hijack the flow when breaking on server authentication
      if (result == errSSLServerAuthCompleted)
      {
        console.log('result == errSSLServerAuthCompleted');
        // Do not check the cert and call SSLHandshake() again
        return SSLHandshake(context);
      }
      return result;
    }, 'int', ['pointer']));
  }
}