-
-
Save Mad-robot/628b5482f1b66f212befeb8cba9409ff to your computer and use it in GitHub Desktop.
Frida "Universal" SSL Unpinner
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Java.perform(function () { | |
console.log('\n[.] Cert Pinning Bypass'); | |
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager'); | |
var SSLContext = Java.use('javax.net.ssl.SSLContext'); | |
console.log('[+] Creating a TrustyTrustManager that trusts everything...'); | |
// Create a TrustManager that trusts everything | |
var TrustyTrustManager = Java.registerClass({ | |
name: 'com.example.TrustyTrustManager', | |
implements: [X509TrustManager], | |
methods: { | |
checkClientTrusted: function (chain, authType) {}, | |
checkServerTrusted: function (chain, authType) {}, | |
getAcceptedIssuers: function () { | |
return []; | |
} | |
} | |
}); | |
console.log('[+] Our TrustyTrustManagers is ready, ...'); | |
console.log('[+] Hijacking SSLContext methods now...'); | |
console.log('[-] Waiting for the app to invoke SSLContext.init()...'); | |
SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').implementation = function (a, b, c) { | |
console.log('[o] App invoked SSLContext.init()...'); | |
SSLContext.init.overload('[Ljavax.net.ssl.KeyManager;', '[Ljavax.net.ssl.TrustManager;', 'java.security.SecureRandom').call(this, a, [TrustyTrustManager.$new()], c); | |
console.log('[+] SSLContext initialized with our custom TrustManager!'); | |
}; | |
// TrustManagerImpl | |
var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl'); | |
try { | |
TrustManagerImpl.verifyChain.implementation = function (untrustedChain, trustAnchorChain, host, clientAuth, ocspData, tlsSctData) { | |
console.log('[+] Intercepted TrustManagerImpl for host: ' + host); | |
return untrustedChain; | |
} | |
console.log('[+] Setup TrustManagerImpl pinning'); | |
} catch (err) { | |
console.log('[!] Unable to hook into TrustManagerImpl') | |
} | |
var TrustManagerImpl = Java.use('com.android.org.conscrypt.TrustManagerImpl'); | |
var Arrays = Java.use('java.util.Arrays'); | |
TrustManagerImpl.checkTrusted.overload('[Ljava.security.cert.X509Certificate;', 'java.lang.String', 'java.lang.String', 'boolean').implementation = function(chain, type, host, b) { | |
console.log('Ignoring trust check for host: ' + host); | |
return Arrays.asList(chain); | |
}; | |
}); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment