{% hint style="success" %} Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

For this section the Objection tool will be used.
Start by getting an objection session, running something like:

objection -d --gadget "iGoat-Swift" explore
objection -d --gadget "OWASP.iGoat-Swift" explore

You can also run frida-ps -Uia to check the processes running on the phone.

Basic enumeration of the app

Local application paths

  • env: Find the paths where the application is stored inside the device
env

Name               Path
-----------------  -----------------------------------------------------------------------------------------------
BundlePath         /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F546068/iGoat-Swift.app
CachesDirectory    /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library/Caches
DocumentDirectory  /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Documents
LibraryDirectory   /var/mobile/Containers/Data/Application/A079DF84-726C-4AEA-A194-805B97B3684A/Library

List bundles, frameworks and libraries

  • ios bundles list_bundles: List the application's bundles
ios bundles list_bundles
Executable    Bundle                Version    Path
------------  --------------------  ---------  -------------------------------------------
iGoat-Swift   OWASP.iGoat-Swift     1.0        ...8-476E-BBE3-B9300F546068/iGoat-Swift.app
AGXMetalA9    com.apple.AGXMetalA9  172.18.4   ...tem/Library/Extensions/AGXMetalA9.bundle
  • ios bundles list_frameworks: List the external frameworks used by the application
ios bundles list_frameworks
Executable                      Bundle                                        Version     Path
------------------------------  --------------------------------------------  ----------  -------------------------------------------
ReactCommon                     org.cocoapods.ReactCommon                     0.61.5      ...tle.app/Frameworks/ReactCommon.framework
FBReactNativeSpec               org.cocoapods.FBReactNativeSpec               0.61.5      ...p/Frameworks/FBReactNativeSpec.framework
RCTAnimation                    org.cocoapods.RCTAnimation                    0.61.5      ...le.app/Frameworks/RCTAnimation.framework
jsinspector                     org.cocoapods.jsinspector                     0.61.5      ...tle.app/Frameworks/jsinspector.framework
DoubleConversion                org.cocoapods.DoubleConversion                1.1.6       ...pp/Frameworks/DoubleConversion.framework
react_native_config             org.cocoapods.react-native-config             0.12.0      ...Frameworks/react_native_config.framework
react_native_netinfo            org.cocoapods.react-native-netinfo            4.4.0       ...rameworks/react_native_netinfo.framework
PureLayout                      org.cocoapods.PureLayout                      3.1.5       ...ttle.app/Frameworks/PureLayout.framework
GoogleUtilities                 org.cocoapods.GoogleUtilities                 6.6.0       ...app/Frameworks/GoogleUtilities.framework
RCTNetwork                      org.cocoapods.RCTNetwork                      0.61.5      ...ttle.app/Frameworks/RCTNetwork.framework
RCTActionSheet                  org.cocoapods.RCTActionSheet                  0.61.5      ....app/Frameworks/RCTActionSheet.framework
react_native_image_editor       org.cocoapods.react-native-image-editor       2.1.0       ...orks/react_native_image_editor.framework
CoreModules                     org.cocoapods.CoreModules                     0.61.5      ...tle.app/Frameworks/CoreModules.framework
RCTVibration                    org.cocoapods.RCTVibration                    0.61.5      ...le.app/Frameworks/RCTVibration.framework
RNGestureHandler                org.cocoapods.RNGestureHandler                1.6.1       ...pp/Frameworks/RNGestureHandler.framework
RNCClipboard                    org.cocoapods.RNCClipboard                    1.5.1       ...le.app/Frameworks/RNCClipboard.framework
react_native_image_picker       org.cocoapods.react-native-image-picker       2.3.4       ...orks/react_native_image_picker.framework
[..]
  • memory list modules: List the modules loaded in memory
memory list modules
Name                                 Base         Size                 Path
-----------------------------------  -----------  -------------------  ------------------------------------------------------------------------------
iGoat-Swift                          0x104ffc000  2326528 (2.2 MiB)    /private/var/containers/Bundle/Application/179A6E8B-E7A8-476E-BBE3-B9300F54...
SubstrateBootstrap.dylib             0x105354000  16384 (16.0 KiB)     /usr/lib/substrate/SubstrateBootstrap.dylib
SystemConfiguration                  0x1aa842000  495616 (484.0 KiB)   /System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguratio...
libc++.1.dylib                       0x1bdcfd000  368640 (360.0 KiB)   /usr/lib/libc++.1.dylib
libz.1.dylib                         0x1efd3c000  73728 (72.0 KiB)     /usr/lib/libz.1.dylib
libsqlite3.dylib                     0x1c267f000  1585152 (1.5 MiB)    /usr/lib/libsqlite3.dylib
Foundation                           0x1ab550000  2732032 (2.6 MiB)    /System/Library/Frameworks/Foundation.framework/Foundation
libobjc.A.dylib                      0x1bdc64000  233472 (228.0 KiB)   /usr/lib/libobjc.A.dylib
[...]
  • memory list exports <module_name>: Exports of a loaded module
memory list exports iGoat-Swift
Type      Name                                                                                                                                    Address
--------  --------------------------------------------------------------------------------------------------------------------------------------  -----------
variable  _mh_execute_header                                                                                                                      0x104ffc000
function  _mdictof                                                                                                                                0x10516cb88
function  _ZN9couchbase6differ10BaseDifferD2Ev                                                                                                    0x10516486c
function  _ZN9couchbase6differ10BaseDifferD1Ev                                                                                                    0x1051648f4
function  _ZN9couchbase6differ10BaseDifferD0Ev                                                                                                    0x1051648f8
function  _ZN9couchbase6differ10BaseDiffer5setupEmm                                                                                               0x10516490c
function  _ZN9couchbase6differ10BaseDiffer11allocStripeEmm                                                                                        0x105164a20
function  _ZN9couchbase6differ10BaseDiffer7computeEmmj                                                                                            0x105164ad8
function  _ZN9couchbase6differ10BaseDiffer7changesEv                                                                                              0x105164de4
function  _ZN9couchbase6differ10BaseDiffer9addChangeENS0_6ChangeE                                                                                 0x105164fa8
function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS0_6ChangeE                                                   0x1051651d8
function  _ZN9couchbase6differlsERNSt3__113basic_ostreamIcNS1_11char_traitsIcEEEERKNS1_6vectorINS0_6ChangeENS1_9allocatorIS8_EEEE                 0x105165280
variable  _ZTSN9couchbase6differ10BaseDifferE                                                                                                     0x1051d94f0
variable  _ZTVN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0a0
variable  _ZTIN9couchbase6differ10BaseDifferE                                                                                                     0x10523c0f8
[..]

List the classes of an app

  • ios hooking list classes: List the application's classes
ios hooking list classes

AAAbsintheContext
AAAbsintheSigner
AAAbsintheSignerContextCache
AAAcceptedTermsController
AAAccount
AAAccountManagementUIResponse
AAAccountManager
AAAddEmailUIRequest
AAAppleIDSettingsRequest
AAAppleTVRequest
AAAttestationSigner
[...]
  • ios hooking search classes <search_term>: Search for a class containing a string. You can search for a unique term related to the app's main bundle name to find the app's main classes, as in this example:
ios hooking search classes iGoat
iGoat_Swift.CoreDataHelper
iGoat_Swift.RCreditInfo
iGoat_Swift.SideContainmentSegue
iGoat_Swift.CenterContainmentSegue
iGoat_Swift.KeyStorageServerSideVC
iGoat_Swift.HintVC
iGoat_Swift.BinaryCookiesExerciseVC
iGoat_Swift.ExerciseDemoVC
iGoat_Swift.PlistStorageExerciseViewController
iGoat_Swift.CouchBaseExerciseVC
iGoat_Swift.MemoryManagementVC
[...]

List class methods

  • ios hooking list class_methods: List the methods of a specific class
ios hooking list class_methods iGoat_Swift.RCreditInfo
- cvv
- setCvv:
- setName:
- .cxx_destruct
- name
- cardNumber
- init
- initWithValue:
- setCardNumber:
  • ios hooking search methods <search_term>: Search for a method containing a string
ios hooking search methods cvv
[AMSFinanceVerifyPurchaseResponse + _dialogRequestForCVVFromPayload:verifyType:]
[AMSFinanceVerifyPurchaseResponse - _handleCVVDialogResult:shouldReattempt:]
[AMSFinanceVerifyPurchaseResponse - _runCVVRequestForCode:error:]
[iGoat_Swift.RCreditInfo - cvv]
[iGoat_Swift.RCreditInfo - setCvv:]
[iGoat_Swift.RealmExerciseVC - creditCVVTextField]
[iGoat_Swift.RealmExerciseVC - setCreditCVVTextField:]
[iGoat_Swift.DeviceLogsExerciseVC - cvvTextField]
[iGoat_Swift.DeviceLogsExerciseVC - setCvvTextField:]
[iGoat_Swift.CloudMisconfigurationExerciseVC - cvvTxtField]
[iGoat_Swift.CloudMisconfigurationExerciseVC - setCvvTxtField:]

Basic Hooking

Now that you have enumerated the classes and modules used by the application, you may have found some interesting class and method names.

Hooking all the methods of a class

  • ios hooking watch class <class_name>: Hook all the methods of a class, dumping all the initial parameters and return values
ios hooking watch class iGoat_Swift.PlistStorageExerciseViewController

Hooking a single method

  • ios hooking watch method "-[<class_name> <method_name>]" --dump-args --dump-return --dump-backtrace: Hook a specific method of a class, dumping the method's parameters, backtraces and return values every time it is called
ios hooking watch method "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" --dump-args --dump-backtrace --dump-return

Change a boolean return value

  • ios hooking set return_value "-[<class_name> <method_name>]" false: This will make the selected method return the indicated boolean
ios hooking set return_value "-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]" false
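The two commands above are objection wrappers around a Frida script. The following is an added example (not objection's own code nor from the original page) of the equivalent Frida script: it hooks the selector, dumps the arguments and return value, and optionally overwrites a BOOL result; the `hook.js` file name and the `describe`/`forceReturn` options are assumptions, and the class and selector are the ones used on this page.

```javascript
// Added example (not generated by objection): the Frida script behind
// `ios hooking watch method ... --dump-args --dump-return` and
// `ios hooking set return_value ... false`. Load with: frida -U -n iGoat-Swift -l hook.js
// Accepts "-[Class sel:]" (watch method spec) and "[Class - sel:]"
// (a line from `ios hooking search methods`).
function parseSelector(s) {
  let m = /^([+-])\[(\S+)\s+([^\]]+)\]$/.exec(s.trim());
  if (!m) {
    m = /^\[(\S+)\s+([+-])\s+([^\]]+)\]$/.exec(s.trim());
    if (!m) throw new Error('unrecognised method spec: ' + s);
    m = [m[0], m[2], m[1], m[3]]; // reorder to kind, class, selector
  }
  const [, kind, cls, sel] = m;
  return { kind, cls, sel, spec: `${kind}[${cls} ${sel}]` };
}
// An Objective-C selector takes one explicit argument per ':'.
function argCount(sel) {
  return (sel.match(/:/g) || []).length;
}
// Frida-only: render an id-typed argument. Not for primitive (int/BOOL)
// parameters: pass a custom `describe` for those.
function describeObjC(p) {
  return p.isNull() ? 'nil' : new ObjC.Object(p).toString();
}
// Interceptor handler. opts.forceReturn undefined = dump only;
// true/false = overwrite the BOOL result, as `set return_value` does.
function makeHandler(specOrLine, opts = {}) {
  const { sel, spec } = parseSelector(specOrLine);
  const n = argCount(sel);
  const describe = opts.describe || describeObjC;
  return {
    onEnter(args) {
      // ObjC ABI: args[0] = self, args[1] = _cmd, args[2..] = parameters
      this.dumped = [];
      for (let i = 0; i < n; i++) this.dumped.push(describe(args[2 + i]));
      console.log(`[watch] ${spec} args=${JSON.stringify(this.dumped)}`);
    },
    onLeave(retval) {
      console.log(`[watch] ${spec} returned ${retval}`);
      if (opts.forceReturn !== undefined) retval.replace(opts.forceReturn ? 1 : 0);
    },
  };
}
// Frida entry point; skipped when loaded outside Frida (e.g. in Node).
if (typeof ObjC !== 'undefined' && ObjC.available) {
  const spec = '-[iGoat_Swift.BinaryCookiesExerciseVC verifyItemPressed]';
  const { kind, cls, sel } = parseSelector(spec);
  const method = ObjC.classes[cls][`${kind} ${sel}`];
  Interceptor.attach(method.implementation, makeHandler(spec, { forceReturn: false }));
}
```

The parsing helpers contain no Frida calls, so the same file can be exercised in Node before loading it on the device.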

Generate a hooking template

  • ios hooking generate simple <class_name>:
ios hooking generate simple iGoat_Swift.RCreditInfo

var target = ObjC.classes.iGoat_Swift.RCreditInfo;

Interceptor.attach(target['+ sharedSchema'].implementation, {
    onEnter: function (args) {
        console.log('Entering + sharedSchema!');
    },
    onLeave: function (retval) {
        console.log('Leaving + sharedSchema');
    },
});


Interceptor.attach(target['+ className'].implementation, {
    onEnter: function (args) {
        console.log('Entering + className!');
    },
    onLeave: function (retval) {
        console.log('Leaving + className');
    },
});


Interceptor.attach(target['- cvv'].implementation, {
    onEnter: function (args) {
        console.log('Entering - cvv!');
    },
    onLeave: function (retval) {
        console.log('Leaving - cvv');
    },
});


Interceptor.attach(target['- setCvv:'].implementation, {
    onEnter: function (args) {
        console.log('Entering - setCvv:!');
    },
    onLeave: function (retval) {
        console.log('Leaving - setCvv:');
    },
});
