Advertisement
saleks28

Untitled

Sep 13th, 2020
314
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. setTimeout(function(){
  2.     Java.perform(function (){
  3.      console.log("");
  4.      console.log("[.] Cert Pinning Bypass/Re-Pinning");
  5. var CertificateFactory = Java.use("java.security.cert.CertificateFactory");
  6.      var FileInputStream = Java.use("java.io.FileInputStream");
  7.      var BufferedInputStream = Java.use("java.io.BufferedInputStream");
  8.      var X509Certificate = Java.use("java.security.cert.X509Certificate");
  9.      var KeyStore = Java.use("java.security.KeyStore");
  10.      var TrustManagerFactory = Java.use("javax.net.ssl.TrustManagerFactory");
  11.      var SSLContext = Java.use("javax.net.ssl.SSLContext");
  12. // Load CAs from an InputStream
  13.      console.log("[+] Loading our CA...")
  14.      var cf = CertificateFactory.getInstance("X.509");
  15.      
  16.      try {
  17.       var fileInputStream = FileInputStream.$new("/data/local/tmp/cert-der.crt");
  18.      }
  19.      catch(err) {
  20.       console.log("[o] " + err);
  21.      }
  22.      
  23.      var bufferedInputStream = BufferedInputStream.$new(fileInputStream);
  24.      var ca = cf.generateCertificate(bufferedInputStream);
  25.      bufferedInputStream.close();
  26.      var certInfo = Java.cast(ca, X509Certificate);
  27.      console.log("[o] Our CA Info: " + certInfo.getSubjectDN());
  28.      console.log("[+] Creating a KeyStore for our CA...");
  29.      var keyStoreType = KeyStore.getDefaultType();
  30.      var keyStore = KeyStore.getInstance(keyStoreType);
  31.      keyStore.load(null, null);
  32.      keyStore.setCertificateEntry("ca", ca);
  33.      console.log("[+] Creating a TrustManager that trusts the CA in our KeyStore...");
  34.      var tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
  35.      var tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
  36.      tmf.init(keyStore);
  37.      console.log("[+] Our TrustManager is ready...");
  38.      console.log("[+] Hijacking SSLContext methods now...")
  39.      console.log("[-] Waiting for the app to invoke SSLContext.init()...")
  40.      SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").implementation = function(a,b,c) {
  41.      console.log("[o] App invoked javax.net.ssl.SSLContext.init...");
  42.      SSLContext.init.overload("[Ljavax.net.ssl.KeyManager;", "[Ljavax.net.ssl.TrustManager;", "java.security.SecureRandom").call(this, a, tmf.getTrustManagers(), c);
  43.      console.log("[+] SSLContext initialized with our custom TrustManager!");
  44.      }
  45.     });
  46. },0);
  47.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement