Created
November 25, 2019 14:49
-
-
Save esabook/a84416b2729f0b4e047abfb0a316487f to your computer and use it in GitHub Desktop.
Mirror frida-android-repinning.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
/* | |
Android SSL Re-pinning frida script v0.2 030417-pier | |
$ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt | |
$ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause | |
https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/ | |
*/ | |
setTimeout(function(){ | |
Java.perform(function (){ | |
console.log(""); | |
console.log("[.] Cert Pinning Bypass/Re-Pinning"); | |
var CertificateFactory = Java.use("java.security.cert.CertificateFactory"); | |
var FileInputStream = Java.use("java.io.FileInputStream"); | |
var BufferedInputStream = Java.use("java.io.BufferedInputStream"); | |
var X509Certificate = Java.use("java.security.cert.X509Certificate"); | |
var KeyStore = Java.use("java.security.KeyStore"); | |
var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory"); | |
var SSLContext = Java.use("javax.net.ssl.SSLContext"); | |
// Load CAs from an InputStream | |
console.log("[+] Loading our CA...") | |
cf = CertificateFactory.getInstance("X.509"); | |
try { | |
var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt"); | |
} | |
catch(err) { | |
console.log("[o] " + err); | |
} | |
var bufferedInputStream = BufferedInputStream.$new(fileInputStream); | |
var ca = cf.generateCertificate(bufferedInputStream); | |
bufferedInputStream.close(); | |
var certInfo = Java.cast(ca, X509Certificate); | |
console.log("[o] Our CA Info: " + certInfo.getSubjectDN()); | |
// Create a KeyStore containing our trusted CAs | |
console.log("[+] Creating a KeyStore for our CA..."); | |
var keyStoreType = KeyStore.getDefaultType(); | |
var keyStore = KeyStore.getInstance(keyStoreType); | |
keyStore.load(null, null); | |
keyStore.setCertificateEntry("ca", ca); | |
// Create a TrustManager that trusts the CAs in our KeyStore | |
console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore..."); | |
var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); | |
var tmf = TrustManagerFactory.getInstance(tmfAlgorithm); | |
tmf.init(keyStore); | |
console.log("[+] Our TrustManager is ready..."); | |
console.log("[+] Hijacking SSLContext methods now...") | |
console.log("[-] Waiting for the app to invoke SSLContext.init()...") | |
SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) { | |
console.log("[o] App invoked javax.net.ssl.SSLContext.init..."); | |
SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c); | |
console.log("[+] SSLContext initialized with our custom TrustManager!"); | |
} | |
}); | |
},0); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment