Abhineet Jayaraj interference-security

Source: https://blog.ropnop.com/configuring-burp-suite-with-android-nougat/

openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
mv cacert.pem <hash>.0  
adb push <hash>.0 /sdcard/Download/  
adb shell
  su  
  mount -o rw,remount /system  
 mv /sdcard/Download/.0 /system/etc/security/cacerts/

#Source: https://serializethoughts.wordpress.com/2018/07/23/frida-magisk-and-selinux/

Error when MagiskHide is running and we try to run Frida:

avc: denied { sigchld } for scontext=u:r:zygote:s0 tcontext=u:r:magisk:s0 tclass=process permissive=0

Solution 1: Run the below commands from ADB

magiskpolicy --live "allow zygote magisk process *"
magiskpolicy --live "allow system_server magisk process *"
magiskpolicy --live "allow radio magisk process *"

Source: https://www.linkedin.com/pulse/android-emulator-tips-security-testers-divya-mudgal/

List created Android AVDs:

emulator -list-avds

Start an AVD (without Play Store) with writable "/system":

emulator -avd Pixel_3_XL_API_26 -writable-system

Start ADB daemon as root:

Nmap output open ports separated by comma:

Nmap open ports:

Linux: grep -i ".*/tcp.*open.*" filename.nmap | cut -d "/" -f1 | sort -u -n | tr "\n" "," | sed 's/,$//'

Windows: grep -i ".*/tcp.*open.*" filename.nmap | cut -d "/" -f1 | sort2 -u -n | tr -s "\r\n" "," | sed "s/,$//"

Powershell: Select-String -Path .\filename.nmap -Pattern ".*/tcp.*open.*" | Select-Object -ExpandProperty Line | %{$_.Split('/')[0]} | Sort-Object -Unique | %{$_.replace("`r","a")}

iDevice:~ root#ldid -e `which bash` > ent.xml

iDevice:~ root# cat ent.xml

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>platform-application</key>
        <true/>
 com.apple.private.security.no-container

mount -o rw,remount /vendor

copy /sdcard/Download/frida-server /vendor/bin/

chmod 700 /vendor/bin/frida-server

setprop ctl.start fridaserver

Source: https://web.archive.org/web/20210626015800/https://defparam.medium.com/ios-app-testing-through-burp-on-corellium-fe59ed849516

wget https://github.com/JohnCoates/flexdecrypt/releases/download/1.1/flexdecrypt.deb
dpkg -i flexdecrypt.deb
rm flexdecrypt.deb
wget https://gist.githubusercontent.com/defparam/71d67ee738341559c35c684d659d40ac/raw/30c7612262f1faf7871ba8e32fbe29c0f3ef9e27/flexdump -P /usr/local/bin
chmod +x /usr/local/bin/flexdump
flexdump --help

openssl x509 -inform DER -in cacert.der -out cacert.pem
openssl x509 -inform PEM -subject_hash_old -in cacert.pem | head -1
mv cacert.pem <hash>.0  
adb push <hash>.0 /sdcard/Download/
adb shell
su
mkdir -m 700 /sdcard/cert/
cp /system/etc/security/cacerts/* /sdcard/cert/
mount -t tmpfs tmpfs /system/etc/security/cacerts

	# Install curl using Cydia before using the next command
	# /bin/bash -c "$(curl -fsSL https://gist.githubusercontent.com/interference-security/68faea1f4a445a7814cc2518a7d1c416/raw/c715dbc30397762239b3bf2d76c60859a5c83625/frida-server-ios-all-interfaces.sh)"
	launchctl unload -w /Library/LaunchDaemons/re.frida.server.plist
	cat >/Library/LaunchDaemons/re.frida.server.plist <<EOL
	<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
	<plist version="1.0">
	<dict>
	<key>Label</key>
	<string>re.frida.server</string>

	//Source: https://medium.com/@dPhoeniixx/arbitrary-code-execution-on-facebook-for-android-through-download-feature-fb6826e33e0f
	#include <jni.h>
	#include <string>
	#include <stdlib.h>
	JNIEXPORT jint JNI_OnLoad(JavaVM* vm, void* reserved)
	{
	system("id > /sdcard/PoC");
	return JNI_VERSION_1_6;
	}