Add support for macOS Mojave #52
Comments
|
Might be the same problem as ios 11.3.1 |
|
I tried the iOS 12 version of SSL Kill Switch on Mojave, but it looks like fishhook is unable to hook any functions. I am pretty sure the patch/tweak itself will work (as iOS 12 and Mojave should have a very similar network stack), but we need a new hooking implementation to replace fishhook. |
nabla-c0d3
changed the title
|
I was able to hook functions in 10.14 using https://github.com/steven-michaud/HookCase/ Here's the diff of the hook example I used: diff --git a/HookLibraryTemplate/Makefile b/HookLibraryTemplate/Makefile
index b22c760..615a1f2 100644
--- a/HookLibraryTemplate/Makefile
+++ b/HookLibraryTemplate/Makefile
@@ -23,13 +23,13 @@
CC=/usr/bin/clang++
hook.dylib : hook.o
- $(CC) -arch i386 -arch x86_64 -o hook.dylib hook.o \
- -lobjc -framework Cocoa -framework Carbon \
+ $(CC) -arch x86_64 -o hook.dylib hook.o \
+ -lobjc -framework Cocoa\
-Wl,-F/System/Library/PrivateFrameworks -framework CoreSymbolication \
-dynamiclib
hook.o : hook.mm
- $(CC) -arch i386 -arch x86_64 -o hook.o \
+ $(CC) -arch x86_64 -o hook.o \
-Wno-deprecated-declarations -c hook.mm
clean :
diff --git a/HookLibraryTemplate/hook.mm b/HookLibraryTemplate/hook.mm
index f455fc9..61beee3 100644
--- a/HookLibraryTemplate/hook.mm
+++ b/HookLibraryTemplate/hook.mm
@@ -50,7 +50,6 @@
#include <stdarg.h>
#include <time.h>
#import <Cocoa/Cocoa.h>
-#import <Carbon/Carbon.h>
#import <objc/Object.h>
extern "C" {
#include <mach-o/getsect.h>
@@ -888,11 +887,42 @@ - (id)Example_doSomethingWith:(id)whatever
"_" #function, \
"" }
+enum ssl_verify_result_t {
+ ssl_verify_ok = 0,
+ ssl_verify_invalid,
+ ssl_verify_retry,
+};
+
+/* extern "C" void (*SSL_CTX_set_custom_verify)(void *ctx, int mode, int (*callback)(void *ssl, uint8_t *out_alert)); */
+
+static int custom_verify_callback_that_does_not_validate(void *ssl, uint8_t *out_alert)
+{
+ // Yes this certificate is 100% valid...
+ return ssl_verify_ok;
+}
+
+static void (*SSL_CTX_set_custom_verify_caller)(void *ctx, int mode, int (*callback)(void *ssl, uint8_t *out_alert));
+static void Hooked_SSL_CTX_set_custom_verify(void *ctx, int mode, int (*callback)(void *ssl, uint8_t *out_alert))
+{
+ printf("Entering replaced_SSL_CTX_set_custom_verify()\n");
+ SSL_CTX_set_custom_verify_caller(ctx, 0, custom_verify_callback_that_does_not_validate);
+ return;
+}
+
+static char (*SSL_get_psk_identity_caller)(void *ssl);
+char *Hooked_SSL_get_psk_identity(void *ssl)
+{
+ printf("SSL_get_psk_identity\n");
+ return "notarealPSKidentity";
+}
+
__attribute__((used)) static const hook_desc user_hooks[]
__attribute__((section("__DATA, __hook"))) =
{
INTERPOSE_FUNCTION(NSPushAutoreleasePool),
PATCH_FUNCTION(__CFInitialize, /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation),
+ PATCH_FUNCTION(SSL_CTX_set_custom_verify, /usr/lib/libboringssl.dylib),
+ PATCH_FUNCTION(SSL_get_psk_identity, /usr/lib/libboringssl.dylib),
};
// What follows are declarations of the CoreSymbolication APIs that we use toAfter loading the HookCase kext, I can insert my dylib hook into any executable: However, I keep getting this error: Any idea what could be happening? |
|
That's really cool - I hadn't heard of HookCase. -9810 is for an "internal error" (https://gist.github.com/ubergoob/04a981caa92d766a7f37f59848b6bc07) so I am not sure. It's possible that the patch as it is actually doesn't work on macOS. |
|
I only tried with App Store and Tweetbot, so it might also be related to
how those apps implement pinning.
I’ll try to port the iOS sample pinning app to macOS and try to bypass that.
If I succeed, would it be ok if I submit a PR with the hook dylib
implementation plus instructions to install HookCase?
…On Mon, 3 Jun 2019 at 05:43, Alban Diquet ***@***.***> wrote:
That's really cool - I hadn't heard of HookCase.
-9810 is for an "internal error" (
https://gist.github.com/ubergoob/04a981caa92d766a7f37f59848b6bc07) so I
am not sure. It's possible that the patch as it is actually doesn't work on
macOS.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#52?email_source=notifications&email_token=AAHXSZWKWGSIBLNRPKLUB4LPYSHNLA5CNFSM4FYF7IE2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWYHEHQ#issuecomment-498102814>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAHXSZVMW6HKZL467PJC2LTPYSHNLANCNFSM4FYF7IEQ>
.
|
Yes for sure! Thanks |
|
I was able to get the kill switch somewhat working in 10.14 using HookCase. The functions that need to be patched are all in /usr/lib/libboringssl.dylib. So far, I've patched This seems to work with applications that just use the NSURLSession Delegate methods to test the certificate. The delegate methods never get called. However, the patches may be too simplistic - the code we're replacing updates the SSLContext that's being passed around. Processes that perform more sophisticated validation eventually fail or crash. For example, akd (AuthKitDaemon) will eventually fail with the "peer trust" errors. Has anyone tried patching at a higher level (like CFNetwork)? Only Apple's networking uses their forked BoringSSL library, so applications the use different network libraries (e.g. curl) will require an alternate bypass method anyway. |
|
H i there, I just came across this thread. Any updates with the HookCase PR? |
|
@MarkVillacampa I tried your diff on Catalina, seems not working. I would like to dig into it. Any updates? |
|
actually, I found a super important thing: |
|
Hey guys! Are there any updates on the situation? I really want to see how the api calls look for the App Store. I've tried the diff by @MarkVillacampa on Catalina, and App Store doesn't work. @lupojpoodle can you please share the full patched |
|
Hello again, everyone! I have some great news! I stumbled upon a Frida script that allowed me to bypass the ssl certificate pinning in App Store on macOS Catalina! Huge thank you to @kendfinger for the impressive work! You can access the script here -> https://gist.github.com/kendfinger/37f941de24c5dfe46f3b8e93d94ce909 I had Catalina running on Virtualbox, with SIP disabled, and mitmproxy installed & configured. All I had to do in order to disable the certificate pinning was:
That's it! And I was able to see all of the requests coming from the App Store! |
|
The original gist is down, so I'll paste it here so it doesn't get lost forever: var SecTrustEvaluate_handle =
Module.findExportByName('Security', 'SecTrustEvaluate');
var SecTrustEvaluateWithError_handle =
Module.findExportByName('Security', 'SecTrustEvaluateWithError');
var SSL_CTX_set_custom_verify_handle =
Module.findExportByName('libboringssl.dylib', 'SSL_CTX_set_custom_verify');
var SSL_get_psk_identity_handle =
Module.findExportByName('libboringssl.dylib', 'SSL_get_psk_identity');
var boringssl_context_set_verify_mode_handle = Module.findExportByName(
'libboringssl.dylib', 'boringssl_context_set_verify_mode');
if (SecTrustEvaluateWithError_handle) {
var SecTrustEvaluateWithError = new NativeFunction(
SecTrustEvaluateWithError_handle, 'int', ['pointer', 'pointer']);
Interceptor.replace(
SecTrustEvaluateWithError_handle,
new NativeCallback(function(trust, error) {
console.log('[*] Called SecTrustEvaluateWithError()');
SecTrustEvaluateWithError(trust, NULL);
Memory.writeU8(error, 0);
return 1;
}, 'int', ['pointer', 'pointer']));
console.log('[+] SecTrustEvaluateWithError() hook installed.');
}
if (SecTrustEvaluate_handle) {
var SecTrustEvaluate = new NativeFunction(
SecTrustEvaluate_handle, 'int', ['pointer', 'pointer']);
Interceptor.replace(
SecTrustEvaluate_handle, new NativeCallback(function(trust, result) {
console.log('[*] Called SecTrustEvaluate()');
SecTrustEvaluate(trust, result);
Memory.writeU8(result, 1);
return 0;
}, 'int', ['pointer', 'pointer']));
console.log('[+] SecTrustEvaluate() hook installed.');
}
if (SSL_CTX_set_custom_verify_handle) {
var SSL_CTX_set_custom_verify = new NativeFunction(
SSL_CTX_set_custom_verify_handle, 'void', ['pointer', 'int', 'pointer']);
var replaced_callback = new NativeCallback(function(ssl, out) {
console.log('[*] Called custom SSL verifier')
return 0;
}, 'int', ['pointer', 'pointer']);
Interceptor.replace(
SSL_CTX_set_custom_verify_handle,
new NativeCallback(function(ctx, mode, callback) {
console.log('[*] Called SSL_CTX_set_custom_verify()');
SSL_CTX_set_custom_verify(ctx, 0, replaced_callback);
}, 'int', ['pointer', 'int', 'pointer']));
console.log('[+] SSL_CTX_set_custom_verify() hook installed.')
}
if (SSL_get_psk_identity_handle) {
Interceptor.replace(
SSL_get_psk_identity_handle, new NativeCallback(function(ssl) {
console.log('[*] Called SSL_get_psk_identity_handle()');
return 'notarealPSKidentity';
}, 'pointer', ['pointer']));
console.log('[+] SSL_get_psk_identity() hook installed.')
}
if (boringssl_context_set_verify_mode_handle) {
var boringssl_context_set_verify_mode = new NativeFunction(
boringssl_context_set_verify_mode_handle, 'int', ['pointer', 'pointer']);
Interceptor.replace(
boringssl_context_set_verify_mode_handle,
new NativeCallback(function(a, b) {
console.log('[*] Called boringssl_context_set_verify_mode()');
return 0;
}, 'int', ['pointer', 'pointer']));
console.log('[+] boringssl_context_set_verify_mode() hook installed.')
} |
and others
I follow the README OS X usage, and everything seems right, but it still does't work...
Is it not support macOS Mojave?
The text was updated successfully, but these errors were encountered: