/*
 * Universal SSL Pinning Bypass
 * Works on both Android and iOS
 * Bypasses most common SSL pinning implementations
 *
 * Frida instrumentation script: it overrides TLS trust and hostname checks
 * inside a running mobile app process. It depends on the Frida globals
 * Java, ObjC, Interceptor and Module, so it is not a standalone Node.js or
 * browser script.
 *
 * Android section (guarded by Java.available): hooks
 * okhttp3.CertificatePinner.check, HttpsURLConnection.setDefaultHostnameVerifier
 * and com.android.volley.toolbox.HurlStack.createConnection, and registers a
 * permissive X509TrustManager class.
 * iOS section (guarded by ObjC.available): looks up a method on
 * NSURLSessionConfiguration and attaches to the SecTrustEvaluate and
 * tls_helper_create_peer_trust exports.
 *
 * Every hook sits in its own try/catch, so a missing class or export only
 * skips that hook. All hooks run inside the app process, which is why
 * certificate pinning has to be treated as a client-side control that an
 * instrumented device can switch off.
 */
// Startup marker; printed before any environment check has run.
console.log("[*] Universal SSL Pinning Bypass loaded");
// Android SSL Pinning Bypass
// Runs only when Frida reports a Java runtime (Java.available). The hooks are
// installed inside the Java.perform callback, each in its own try/catch so a
// failure in one does not stop the ones after it.
// The log strings and the registered class name 'dev.asd.test.TrustManager'
// are fixed constants of this script, so their presence in a process or its
// output indicates that this script (or a copy) was loaded.
if (Java.available) {
console.log("[*] Android environment detected");
Java.perform(function() {
// OkHTTP3 Certificate Pinner bypass
// Replaces CertificatePinner.check(String, List) with a body that logs the
// hostname and returns without comparing anything. Only this overload is
// replaced.
try {
var CertificatePinner = Java.use("okhttp3.CertificatePinner");
CertificatePinner.check.overload('java.lang.String', 'java.util.List').implementation = function(hostname, peerCertificates) {
console.log("[*] OkHTTP3 Certificate Pinner bypassed for: " + hostname);
return;
};
console.log("[+] OkHTTP3 Certificate Pinner hooked");
} catch (e) {
// The exception is discarded: any failure is reported as "not found".
console.log("[-] OkHTTP3 Certificate Pinner not found");
}
// HttpsURLConnection bypass
// Intercepts HttpsURLConnection.setDefaultHostnameVerifier: the verifier the
// app passes in is ignored and an AllowAllHostnameVerifier instance is
// forwarded instead. This affects hostname verification for calls made after
// the hook is installed; nothing is changed until the app calls the method.
try {
var HttpsURLConnection = Java.use("javax.net.ssl.HttpsURLConnection");
HttpsURLConnection.setDefaultHostnameVerifier.implementation = function(hostnameVerifier) {
console.log("[*] HttpsURLConnection setDefaultHostnameVerifier bypass");
// NOTE(review): this class lookup happens when the app calls the method,
// not at install time, so an error here is not covered by the try/catch below.
var TrustAllHostnameVerifier = Java.use("org.apache.http.conn.ssl.AllowAllHostnameVerifier");
// Calling the hooked method from inside its replacement reaches the
// original implementation (Frida convention).
return this.setDefaultHostnameVerifier(TrustAllHostnameVerifier.$new());
};
console.log("[+] HttpsURLConnection hooked");
} catch (e) {
// The exception is discarded: any failure is reported as "not found".
console.log("[-] HttpsURLConnection not found");
}
// X509TrustManager bypass
// Registers a new Java class implementing X509TrustManager whose check
// methods have empty bodies (they never throw) and whose getAcceptedIssuers
// returns an empty array. One instance is passed to a freshly created
// SSLContext.
try {
var X509TrustManager = Java.use("javax.net.ssl.X509TrustManager");
var SSLContext = Java.use("javax.net.ssl.SSLContext");
var TrustManager = Java.registerClass({
name: 'dev.asd.test.TrustManager',
implements: [X509TrustManager],
methods: {
checkClientTrusted: function(chain, authType) {},
checkServerTrusted: function(chain, authType) {
console.log("[*] X509TrustManager checkServerTrusted bypassed");
},
getAcceptedIssuers: function() {
return [];
}
}
});
var trustManager = TrustManager.$new();
// Requests the context by the protocol name "SSL".
var sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, [trustManager], null);
// NOTE(review): sslContext is held in this local variable only; this block
// does not hand it to any other object, so the message below describes the
// context having been initialised, nothing more.
console.log("[+] X509TrustManager bypass installed");
} catch (e) {
console.log("[-] X509TrustManager bypass failed: " + e);
}
// Volley bypass
// Wraps HurlStack.createConnection: the original method builds the
// connection, and when its string form contains "HttpsURLConnection" the
// connection's hostname verifier is set to whatever
// HttpsURLConnection.getDefaultHostnameVerifier() returns at that moment.
// The effect therefore depends on the process-wide default verifier.
try {
var HurlStack = Java.use("com.android.volley.toolbox.HurlStack");
HurlStack.createConnection.implementation = function(url) {
var connection = this.createConnection(url);
if (connection.toString().includes("HttpsURLConnection")) {
console.log("[*] Volley HTTPS connection bypassed");
connection.setHostnameVerifier(Java.use("javax.net.ssl.HttpsURLConnection").getDefaultHostnameVerifier());
}
return connection;
};
console.log("[+] Volley bypass hooked");
} catch (e) {
// The exception is discarded: any failure is reported as "not found".
console.log("[-] Volley not found");
}
});
}
// iOS SSL Pinning Bypass
// Runs only when Frida reports an Objective-C runtime (ObjC.available).
// Three independent hooks, each in its own try/catch. Where a lookup returns
// a falsy value the hook is skipped without any log line, because the if
// statements have no else branch.
if (ObjC.available) {
console.log("[*] iOS environment detected");
// NSURLSessionConfiguration bypass
// Looks up an instance method by selector string on NSURLSessionConfiguration
// and, if found, attaches to its implementation.
// NOTE(review): confirm that this selector exists on this class; if the
// lookup is undefined the whole block is a silent no-op.
try {
var NSURLSessionConfiguration = ObjC.classes.NSURLSessionConfiguration;
var oldMethod = NSURLSessionConfiguration['- URLSessionDidReceiveChallenge:completionHandler:'];
if (oldMethod) {
Interceptor.attach(oldMethod.implementation, {
onEnter: function(args) {
console.log("[*] NSURLSession challenge bypassed");
// Treats args[3] as an Objective-C block and invokes it immediately with
// (1, null); the hooked method itself still runs afterwards.
var completionHandler = new ObjC.Block(args[3]);
completionHandler(1, null); // original author's label: NSURLSessionAuthChallengeUseCredential; NOTE(review): verify the value 1 against the NSURLSessionAuthChallengeDisposition enum
}
});
console.log("[+] NSURLSessionConfiguration hooked");
}
} catch (e) {
console.log("[-] NSURLSessionConfiguration bypass failed: " + e);
}
// SecTrustEvaluate bypass
// Attaches to the SecTrustEvaluate export of the Security module and
// overwrites its return value with 0 on every call. Only the return value is
// rewritten.
try {
var SecTrustEvaluate = Module.findExportByName("Security", "SecTrustEvaluate");
if (SecTrustEvaluate) {
Interceptor.attach(SecTrustEvaluate, {
onLeave: function(retval) {
console.log("[*] SecTrustEvaluate result modified");
retval.replace(0); // errSecSuccess
}
});
console.log("[+] SecTrustEvaluate hooked");
}
} catch (e) {
console.log("[-] SecTrustEvaluate bypass failed: " + e);
}
// tls_helper_create_peer_trust bypass
// Attaches to the tls_helper_create_peer_trust export of libnetwork.dylib and
// overwrites its return value with 0 on every call.
try {
var tls_helper_create_peer_trust = Module.findExportByName("libnetwork.dylib", "tls_helper_create_peer_trust");
if (tls_helper_create_peer_trust) {
Interceptor.attach(tls_helper_create_peer_trust, {
onLeave: function(retval) {
console.log("[*] tls_helper_create_peer_trust bypassed");
retval.replace(0);
}
});
console.log("[+] tls_helper_create_peer_trust hooked");
}
} catch (e) {
// The exception is discarded: any failure is reported as "not found".
console.log("[-] tls_helper_create_peer_trust not found");
}
}
// Printed unconditionally at the end of the script: it does not depend on any
// hook having been installed, so read the per-hook "[+]" / "[-]" lines to see
// what was actually attached.
console.log("[*] Universal SSL Pinning Bypass setup complete!");