added Spar PoC, added objection and frida guide

2023-09-01 20:04:03 +02:00
commit 7739693d63
17 changed files with 1966 additions and 0 deletions
--- a/Spar/frida/README.md
+++ b/Spar/frida/README.md
@@ -0,0 +1,54 @@
+# Start emulator and install burp cert
+Original guide see [here](https://medium.com/mii-cybersec/how-to-connect-burp-suite-to-an-android-emulator-9da19b0ad2c3)
+```sh
+emulator -netdelay none -netspeed full -avd Pixel_2_XL_API_27_2 -qt-hide-window -grpc-use-token -idle-grpc-timeout 300 -http-proxy http://192.168.0.171:8081 -debug-proxy -writable-system
+adb root
+sleep 2
+adb remount
+adb push Downloads/sparapp/9a5ba575.0 /storage/emulated/0/
+adb shell "mv /storage/emulated/0/9a5ba575.0 /system/etc/security/cacerts"
+adb shell "chmod 644 /system/etc/security/cacerts/9a5ba575.0"
+adb shell "chown root:root /system/etc/security/cacerts/9a5ba575.0"
+adb shell "ls -lah /system/etc/security/cacerts/9a5ba575.0"
+```
+
+# Hacking jar
+Good starting point [OWASP](https://github.com/OWASP/owasp-mastg/blob/master/Document/0x08a-Testing-Tools.md#objection)
+
+## install frida server
+```sh
+curl -L -o /tmp/frida-server.xz https://github.com/frida/frida/releases/download/16.1.3/frida-server-16.1.3-android-x86.xz
+unxz /tmp/frida-server.xz
+adb root && sleep 2
+adb push /tmp/frida-server /data/local/tmp/
+adb shell "chmod 755 /data/local/tmp/frida-server"
+adb shell "/data/local/tmp/frida-server &"
+```
+
+## Patch and install an apk
+```sh
+python -m venv1 venv                                # creates virtual environment
+. ./venv1/bin/activate                              # changes into the virtual environment
+pip install objection
+objection patchapk --source SPAR_1.0.1_Apkpure.apk  # patches apk so that is injectable
+adb root && sleep 2
+adb install
+adb install SPAR_1.0.1_Apkpure.objection.apk
+```
+
+## Connected to patched apk
+```sh
+# while in virtual environment
+frida-ps -Ua                                        # lists available to attach objection to
+objection -d -g `at.spar.app` explore               # starts app with objection attached
+```
+
+## Useful commands when in objection shell
+```sh
+android sslpinning disable                          # try disable certificate pinning
+android hooking ...                                 # various commands for class/method listing, call hooking, etc
+import <scriptname on computer>                     # executes a frida injection javascript
+import Fin/Spar/frida/hook_login.js
+import Fin/Spar/frida/hook_apicalls.js
+...
+```
--- a/Spar/frida/hook_apicalls.js
+++ b/Spar/frida/hook_apicalls.js
@@ -0,0 +1,18 @@
+Java.perform(() => {
+  Java.use('okhttp3.Request').$init.overload('okhttp3.Request$Builder').implementation = function(builder) {
+    this.$init(builder);
+    let out = "-----------------------------------\n";
+    out += this.toString() + "\n\n";
+    out += this.method() + " " + this.url().toString() + "\n" + this.headers().toString();
+    if (this.body()) {
+      const buffer = Java.use('okio.Buffer').$new();
+      this.body().writeTo(buffer);
+      out += buffer.toString();
+    }
+    out += "\n-----------------------------------";
+    console.log(out);
+
+    //var jAndroidLog = Java.use("android.util.Log"), jException = Java.use("java.lang.Exception");
+    //console.log( jAndroidLog.getStackTraceString( jException.$new() ) );
+  };
+});
--- a/Spar/frida/hook_login.js
+++ b/Spar/frida/hook_login.js
@@ -0,0 +1,52 @@
+Java.perform(() => {
+  const readField = function(className, field, instance) {
+    const f = Java.use(className).class.getDeclaredField(field);
+    f.setAccessible(true);
+    return f.get(instance);
+  }
+
+  Java.use('com.gigya.android.sdk.network.adapter.HttpNetworkProvider$GigyaNetworkAsyncTask').doInBackground
+      .overload('[Lcom.gigya.android.sdk.api.GigyaApiHttpRequest;')
+      .implementation = function(requests) {
+    const res = this.doInBackground(requests);
+
+    let out = "";
+    [...requests].forEach((request, i) => {
+      Java.perform(() => {
+        out += "-----------------------------------\n";
+        out += request.getHttpMethod() + " " + request.getUrl().toString() + "\n"
+            + request.getHeaders()?.toString() + "\n"
+            + request.getEncodedParams() + "\n" ;
+        out += ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n";
+        const resp = Array.isArray(res) ? [...res][i] : res;
+        out += "code: " + resp.getCode() + "; "
+            + "result: " + readField("com.gigya.android.sdk.network.adapter.HttpNetworkProvider$AsyncResult", "result", resp) + "\n";
+        out += "-----------------------------------";
+      });
+    })
+    console.log(out);
+
+    return res;
+  };
+
+  Java.use('com.gigya.android.sdk.session.SessionInfo').$init
+      .overload('java.lang.String', 'java.lang.String', 'long')
+      .implementation = function(sessionSecret, sessionToken, expirationTime) {
+    console.log("new SessionInfo(sessionSecret: " + sessionSecret
+        + ", sessionToken: " + sessionToken
+        + ", expirationTime: " + expirationTime);
+
+    return this.$init(sessionSecret, sessionToken, expirationTime);
+  };
+
+  Java.use('com.gigya.android.sdk.utils.SigUtils').getSignature
+      .implementation = function(str, str2, str3, map) {
+    console.log("SigUtils.getSignature("
+        + "\nstr: " + str
+        + "\n, str2: " + str2
+        + "\n, str3: " + str3
+        + "\n, map: " + map);
+
+    return this.getSignature(str, str2, str3, map);
+  };
+});