nhanchaukp

Universal Android SSL Pinning Bypass with Frida

Jan 6th, 2023 (edited)
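/*
   Android SSL Re-pinning frida script v0.2 030417-pier

   $ adb push burpca-cert-der.crt /data/local/tmp/cert-der.crt
   $ frida -U -f it.app.mobile -l frida-android-repinning.js --no-pause

   https://techblog.mediaservice.net/2017/07/universal-android-ssl-pinning-bypass-with-frida/

   UPDATE 20191605: Fixed undeclared var. Thanks to @oleavr and @ehsanpc9999 !

   How it works: the DER-encoded CA at CA_CERT_PATH is loaded into a fresh
   KeyStore, a TrustManagerFactory is initialised from that KeyStore, and
   javax.net.ssl.SSLContext.init(KeyManager[], TrustManager[], SecureRandom)
   is hooked so that the TrustManager[] argument supplied by the app is
   replaced with ours. The KeyManager[] and SecureRandom arguments are passed
   through unchanged.
*/

// On-device location of the DER-encoded CA to trust (see the adb push line above).
const CA_CERT_PATH = "/data/local/tmp/cert-der.crt";

/**
 * Reads the CA at CA_CERT_PATH and builds a TrustManagerFactory whose
 * TrustManagers trust that CA. Must be called from inside Java.perform().
 *
 * @returns {Object|null} the initialised javax.net.ssl.TrustManagerFactory
 *   wrapper, or null when the CA file cannot be opened (the error is logged).
 */
function buildTrustManagerFactory() {
  const CertificateFactory = Java.use("java.security.cert.CertificateFactory");
  const FileInputStream = Java.use("java.io.FileInputStream");
  const BufferedInputStream = Java.use("java.io.BufferedInputStream");
  const X509Certificate = Java.use("java.security.cert.X509Certificate");
  const KeyStore = Java.use("java.security.KeyStore");
  const TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");

  // Load CAs from an InputStream
  console.log("[+] Loading our CA...");
  const cf = CertificateFactory.getInstance("X.509");

  let fileInputStream;
  try {
    fileInputStream = FileInputStream.$new(CA_CERT_PATH);
  } catch (err) {
    // The previous version logged here and carried on, which then failed
    // less clearly at BufferedInputStream.$new(undefined). Abort instead so
    // the app keeps its own TrustManagers and the reason is visible.
    console.log("[o] " + err);
    console.log("[!] Could not open " + CA_CERT_PATH + "; SSLContext.init will not be hooked");
    return null;
  }

  const bufferedInputStream = BufferedInputStream.$new(fileInputStream);
  let ca;
  try {
    ca = cf.generateCertificate(bufferedInputStream);
  } finally {
    // Release the file handle even if the certificate fails to parse.
    bufferedInputStream.close();
  }

  const certInfo = Java.cast(ca, X509Certificate);
  console.log("[o] Our CA Info: " + certInfo.getSubjectDN());

  // Create a KeyStore containing our trusted CAs
  console.log("[+] Creating a KeyStore for our CA...");
  const keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
  keyStore.load(null, null);
  keyStore.setCertificateEntry("ca", ca);

  // Create a TrustManager that trusts the CAs in our KeyStore
  console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
  const tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
  tmf.init(keyStore);
  console.log("[+] Our TrustManager is ready...");
  return tmf;
}

/**
 * Hooks SSLContext.init(KeyManager[], TrustManager[], SecureRandom) so that
 * every call receives tmf's TrustManagers in place of the app-supplied ones.
 * Must be called from inside Java.perform().
 *
 * @param {Object} tmf initialised javax.net.ssl.TrustManagerFactory wrapper
 */
function hookSslContextInit(tmf) {
  const SSLContext = Java.use("javax.net.ssl.SSLContext");
  // Resolve the overload once; the same wrapper is used to install the hook
  // and to call through to the original implementation.
  const sslContextInit = SSLContext.init.overload(
    "[Ljavax.net.ssl.KeyManager;",
    "[Ljavax.net.ssl.TrustManager;",
    "java.security.SecureRandom"
  );

  console.log("[+] Hijacking SSLContext methods now...");
  console.log("[-] Waiting for the app to invoke SSLContext.init()...");

  // A function expression (not an arrow) so `this` is the SSLContext instance.
  sslContextInit.implementation = function (keyManagers, trustManagers, secureRandom) {
    console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
    // Only the TrustManager[] argument is swapped; key managers and RNG pass through.
    sslContextInit.call(this, keyManagers, tmf.getTrustManagers(), secureRandom);
    console.log("[+] SSLContext initialized with our custom TrustManager!");
  };
}

// Deferred to the next tick so the Java VM is attached before Java.perform().
setTimeout(function () {
  Java.perform(function () {
    console.log("");
    console.log("[.] Cert Pinning Bypass/Re-Pinning");

    const tmf = buildTrustManagerFactory();
    if (tmf === null) {
      return;
    }
    hookSslContextInit(tmf);
  });
}, 0);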