addCerFeature

Xibotao · Jan 14, 2021 · e641afb · e641afb
1 parent cda0d13
commit e641afb
Show file tree

Hide file tree

Showing 7 changed files with 113 additions and 6 deletions.
diff --git a/Sample.PNG → pic/Sample.PNG b/Sample.PNG → pic/Sample.PNG
diff --git a/pic/bypass.png b/pic/bypass.png
diff --git a/pic/clientcer.png b/pic/clientcer.png
diff --git a/pic/locator.png b/pic/locator.png
diff --git a/pic/sslunpinningcer.png b/pic/sslunpinningcer.png
diff --git a/r0capture.py b/r0capture.py
@@ -218,9 +218,11 @@ def on_message(message, data):
             pprint.pprint(message)
             os.kill(os.getpid(), signal.SIGTERM)
             return
-        if len(data) == 0:
+        if len(data) == 1:
+            print(message["payload"]["function"])
+            print(message["payload"]["stack"])
             return
-        p = message["payload"]
+        p = message["payload"]        
         if verbose:
             src_addr = socket.inet_ntop(socket.AF_INET,
                                         struct.pack(">I", p["src_addr"]))
@@ -234,13 +236,16 @@ def on_message(message, data):
                 dst_addr,
                 p["dst_port"]))
             hexdump.hexdump(data)
-            print()
+            print(p["stack"])
         if pcap:
             log_pcap(pcap_file, p["ssl_session_id"], p["function"], p["src_addr"],
                      p["src_port"], p["dst_addr"], p["dst_port"], data)
 
     if isUsb:
-        device = frida.get_usb_device()
+        try:
+            device = frida.get_usb_device()
+        except:
+            device = frida.get_remote_device()
         # session = device.attach(process)
     else:
         device = frida.get_local_device()

diff --git a/script.js b/script.js
@@ -19,11 +19,12 @@ var getpeername = null;
 var getsockname = null;
 var ntohs = null;
 var ntohl = null;
+var SSLstackwrite = null;
+var SSLstackread = null;
 
 var libname = "*libssl*";
 
 
-
 function return_zero(args) {
   return 0;
 }
@@ -164,6 +165,7 @@ Interceptor.attach(addresses["SSL_read"],
       var message = getPortsAndAddresses(SSL_get_fd(args[0]), true);
       message["ssl_session_id"] = getSslSessionId(args[0]);
       message["function"] = "SSL_read";
+      message["stack"] = SSLstackread;
       this.message = message;
       this.buf = args[1];
     },
@@ -182,14 +184,98 @@ Interceptor.attach(addresses["SSL_write"],
       var message = getPortsAndAddresses(SSL_get_fd(args[0]), false);
       message["ssl_session_id"] = getSslSessionId(args[0]);
       message["function"] = "SSL_write";
+      message["stack"] = SSLstackwrite;
       send(message, Memory.readByteArray(args[1], parseInt(args[2])));
     },
     onLeave: function (retval) {
     }
   });
 
 if (Java.available) {
+  function uuid(len, radix) {
+    var chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'.split('');
+    var uuid = [], i;
+    radix = radix || chars.length;
+
+    if (len) {
+      // Compact form
+      for (i = 0; i < len; i++) uuid[i] = chars[0 | Math.random() * radix];
+    } else {
+      // rfc4122, version 4 form
+      var r;
+
+      // rfc4122 requires these characters
+      uuid[8] = uuid[13] = uuid[18] = uuid[23] = '-';
+      uuid[14] = '4';
+
+      // Fill in random data. At i==19 set the high bits of clock sequence as
+      // per rfc4122, sec. 4.1.5
+      for (i = 0; i < 36; i++) {
+        if (!uuid[i]) {
+          r = 0 | Math.random() * 16;
+          uuid[i] = chars[(i == 19) ? (r & 0x3) | 0x8 : r];
+        }
+      }
+    }
+
+    return uuid.join('');
+  }
+
+  function storeP12(pri, p7, p12Path, p12Password) {
+    var X509Certificate = Java.use("java.security.cert.X509Certificate")
+    var p7X509 = Java.cast(p7, X509Certificate);
+    var chain = Java.array("java.security.cert.X509Certificate", [p7X509])
+    var ks = Java.use("java.security.KeyStore").getInstance("PKCS12", "BC");
+    ks.load(null, null);
+    ks.setKeyEntry("client", pri, Java.use('java.lang.String').$new(p12Password).toCharArray(), chain);
+    try {
+      var out = Java.use("java.io.FileOutputStream").$new(p12Path);
+      ks.store(out, Java.use('java.lang.String').$new(p12Password).toCharArray())
+    } catch (exp) {
+      console.log(exp)
+    }
+  }
   Java.perform(function () {
+
+    //在服务器校验客户端的情形下，帮助dump客户端证书，并保存为p12的格式，证书密码为r0ysue
+    Java.use("java.security.KeyStore$PrivateKeyEntry").getPrivateKey.implementation = function () {
+      var result = this.getPrivateKey()
+      var packageName = Java.use("android.app.ActivityThread").currentApplication().getApplicationContext().getPackageName();
+      storeP12(this.getPrivateKey(), this.getCertificate(), '/sdcard/Download/' + packageName + uuid(10, 16) + '.p12', 'r0ysue');
+      var message = {};
+      message["function"] = "dumpClinetCertificate=>" + '/sdcard/Download/' + packageName + uuid(10, 16) + '.p12'+'   pwd: r0ysue';
+      message["stack"] = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new());
+      var data = Memory.alloc(1);
+      send(message, Memory.readByteArray(data, 1))
+      return result;
+    }
+    Java.use("java.security.KeyStore$PrivateKeyEntry").getCertificateChain.implementation = function () {
+      var result = this.getCertificateChain()
+      var packageName = Java.use("android.app.ActivityThread").currentApplication().getApplicationContext().getPackageName();
+      storeP12(this.getPrivateKey(), this.getCertificate(), '/sdcard/Download/' + packageName + uuid(10, 16) + '.p12', 'r0ysue');
+      var message = {};
+      message["function"] = "dumpClinetCertificate=>" + '/sdcard/Download/' + packageName + uuid(10, 16) + '.p12'+'   pwd: r0ysue';
+      message["stack"] = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new());
+      var data = Memory.alloc(1);
+      send(message, Memory.readByteArray(data, 1))
+      return result;
+    }
+
+    //SSLpinning helper 帮助定位证书绑定的关键代码
+    Java.use("java.io.File").$init.overload('java.io.File', 'java.lang.String').implementation = function (file, cert) {
+      var result = this.$init(file, cert)
+      var stack = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new());
+      if (file.getPath().indexOf("cacert") >= 0 && stack.indexOf("X509TrustManagerExtensions.checkServerTrusted") >= 0) {
+        var message = {};
+        message["function"] = "SSLpinning position locator => " + file.getPath() + " " + cert;
+        message["stack"] = stack;
+        var data = Memory.alloc(1);
+        send(message, Memory.readByteArray(data, 1))
+      }
+      return result;
+    }
+
+
     Java.use("java.net.SocketOutputStream").socketWrite0.overload('java.io.FileDescriptor', '[B', 'int', 'int').implementation = function (fd, bytearry, offset, byteCount) {
       var result = this.socketWrite0(fd, bytearry, offset, byteCount);
       var message = {};
@@ -199,6 +285,7 @@ if (Java.available) {
       message["src_port"] = parseInt(this.socket.value.getLocalPort().toString());
       message["dst_addr"] = ntohl(ipToNumber((this.socket.value.getRemoteSocketAddress().toString().split(":")[0]).split("/").pop()));
       message["dst_port"] = parseInt(this.socket.value.getRemoteSocketAddress().toString().split(":").pop());
+      message["stack"] = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()).toString();
       var ptr = Memory.alloc(byteCount);
       for (var i = 0; i < byteCount; ++i)
         Memory.writeS8(ptr.add(i), bytearry[offset + i]);
@@ -214,6 +301,7 @@ if (Java.available) {
       message["src_port"] = parseInt(this.socket.value.getRemoteSocketAddress().toString().split(":").pop());
       message["dst_addr"] = ntohl(ipToNumber((this.socket.value.getLocalAddress().toString().split(":")[0]).split("/").pop()));
       message["dst_port"] = parseInt(this.socket.value.getLocalPort());
+      message["stack"] = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()).toString();      
       if (result > 0) {
         var ptr = Memory.alloc(result);
         for (var i = 0; i < result; ++i)
@@ -222,5 +310,19 @@ if (Java.available) {
       }
       return result;
     }
-  })
+
+    Java.use("com.android.org.conscrypt.ConscryptFileDescriptorSocket$SSLOutputStream").write.overload('[B', 'int', 'int').implementation = function (bytearry, int1, int2) {
+      var result = this.write(bytearry, int1, int2);
+      SSLstackwrite = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()).toString();
+      return result;
+    }
+
+    Java.use("com.android.org.conscrypt.ConscryptFileDescriptorSocket$SSLInputStream").read.overload('[B', 'int', 'int').implementation = function (bytearry, int1, int2) {
+      var result = this.read(bytearry, int1, int2);
+      SSLstackread = Java.use("android.util.Log").getStackTraceString(Java.use("java.lang.Throwable").$new()).toString();
+      return result;
+    }
+  }
+
+  )
 }