The Hookshot: Runtime Exploitation
3 likes1,449 views
The document discusses dynamic binary instrumentation (DBI) and the use of the Frida toolkit for runtime exploitation without the need for rooting or jailbreaking devices. It highlights methods to bypass security measures such as root detection and SSL pinning, along with case studies and countermeasures for mobile banking applications. Additionally, it provides references and automation scripts for injecting libraries into apps for security analysis.
The Hookshot: Runtime Exploitation
- 2. @zeq3ul • Just a guy who is passionate in (offensive)security ~ 10 years+ • Dota2 SEA MMR ~ 3k+ • Rainbow Six Siege LVL ~ 100+ “Keep farming (Self-study) and Challenge the Roshan (Get certificate)” tanprathan pprathan prathan
- 3. TL;DR • Motivation • Dynamic binary instrumentation • FRIDA • DBI without rooting / jailbreaking • Unleash the power of Frida • Case study for runtime exploitation • Countermeasure • References
- 4. Motivation • Root / Jailbreak Detection • SSL Pinning Implementation • End-to-end encryption on top of TLS • Cellular network (4G) restriction
- 5. Dynamic binary instrumentation • A method of analyzing the behavior of a binary application at runtime through the injection of instrumentation code. • DBI can : • Access process memory • Overwrite functions while the application is running • Call functions from imported classes • Find object instances on the heap and use them • Hook, trace and intercept functions etc.
- 6. FRIDA • Dynamic code instrumentation toolkit allowing you to hook into applications while running, inject your own JavaScript while getting complete access to the memory and functions. • With Frida, we got the power to : • Bypass Root / Jailbreak Detection • Bypass SSL Pinning • Modify the encrypted traffic over TLS • Pwn the application without using proxy • Bypass local authentication • Subvert business logic • Increase game gems without purchasing
- 8. Tip!! How to root/jailbreak device • Android • https://www.xda-developers.com/root/ • iOS • https://canijailbreak.com Jailbreak Type Processor iOS Version Duration Untethered jailbreak 32 bit 7.0.0-7.1.2 September 18, 2013 - September 16, 2014 8.0-8.4 September 17, 2014 - August 12, 2015 64 bit 9.0-9.1 September 16 2015 - December 7, 2015 Semi untethered jailbreak 32 bit 8.4.1 August 13, 2015 - September 15, 2015 9.1-9.3.5 October 21, 2015 - September 12, 2016 64 bit 9.2-9.3.3 December 8, 2015 - August 3, 2016 Unstable (Don’t work on i7) 64 bit 10.0 - 10.2 September 13, 2016- January 22, 2017
- 9. FRIDA Bypass local authentication on Android https://vimeo.com/235930373
- 10. FRIDA Bypass Jailbreak Detection on iOS https://vimeo.com/236043814
- 11. DBI without rooting / jailbreaking
- 12. Library Injection • Re-route application control during library initialization • Be able to conduct Runtime analysis without rooting or jailbreaking the device • Bypass Root/Jailbreak detection
- 13. Library Injection on Android app
- 14. Library Injection on Android app
- 15. Library Injection on Android app Dissemble the app using apktool Insert the Frida native library ("frida-gadget") into the APK’s /lib folder Inject a System.loadLibrary ("frida-gadget") call into the bytecode of the app (Main application activity) Add the Internet permission to the manifest, so that Frida gadget can open a socket Repackage the app, Resign the updated APK using your own keys and zipalign
- 16. Library Injection on Android app • An automated script for unpacking, patching (Insert the frida library into binary), re-packaging, re-signing and deploying apps on non-rooted device. • https://github.com/dpnishant/appmon/ tree/master/apk_builder
- 17. Dynamic Library (DYLIB) Injection on iOS app Mach-O File Structure
- 18. Dynamic Library (DYLIB) Injection on iOS app
- 19. Dynamic Library (DYLIB) Injection on iOS app
- 20. Dynamic Library (DYLIB) Injection on iOS app Create a developer profile, provision profile and Certificate Insert the Frida library (FridaGadget.dylib) to the application container, Insert the load command on the load commands section of the binary Increment the load command counter on the header section, Increase the size binary number on the header section Re-package the application by replacing the provision profile, re-sign both the main executable and FridaGadget.dylib with the certificate listed in the profile Deploy all set of application container and run the application on device as debug mode
- 21. Dynamic Library (DYLIB) Injection on iOS app • An automated script for unpacking, patching (Insert the load command into binary), re-signing and deploying apps on non-jailbroken device. https://github.com/tanprathan/Fridpa
- 22. Unleash the power of Frida https://codeshare.frida.re
- 23. Unleash the power of Frida • Objection uses Frida to inject objects into an applications runtime and executes them within that applications security context to perform various tasks. https://github.com/sensepost/objection • An automated framework for monitoring and tampering system API calls of native MacOS, iOS and Android apps. https://github.com/dpnishant/appmon
- 24. Unleash the power of Frida Using FRIDA without Jailbreaking https://vimeo.com/236055614
- 25. • Mobile banking application (Android, iOS) that: • Conducted source code review from commercial tools • Be able to detect Root/Jailbreak • Implemented SSL Pinning • Implemented end-to-end encryption Case study for runtime exploitation
- 26. • Mobile banking application (Android, iOS) that: • Conducted source code review from commercial tools • Be able to detect Root/Jailbreak • Implemented SSL Pinning • Implemented end-to-end encryption Case study for runtime exploitation tsprotector TrustKiller
- 27. Case study for runtime exploitation • Decrypted the app and performed reverse engineering • Analyzed the app classes and methods • Found some interesting class name and method • Created script to intercept the class and method • Customized script to manipulate the argument • Bypassed the business logic on the app coz they didn’t validate at server-side NOOB SPOTTED !!
- 28. Case study for runtime exploitation
- 29. Countermeasures Defense in depth and Fix root causes MSTG and MASVS
- 30. References • http://www.ninoishere.com/frida-learn-by-example/ • https://www.slideshare.net/andreaskurtz/pentesting-i-os-apps-deepsec-2012-andreas-kurtz-15423426 • https://www.notsosecure.com/pentesting-android-apps-using-frida/ • http://blog.attify.com/2017/05/06/bypass-jailbreak-detection-frida-ios-applications/ • https://github.com/interference-security/frida-scripts/blob/master/iOS/frida_python_script.py • https://koz.io/using-frida-on-android-without-root/ • https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/october/ios-instrumentation-without-jailbreak/ • https://www.vantagepoint.sg/blog/85-patching-and-re-signing-ios-apps