Defcon safemode RedTeamVillage woot!
B3nac committed Aug 7, 2020
1 parent 7c2d38a commit c1b8173
Showing 8 changed files with 245 additions and 23 deletions.
Expand Up @@ -8,11 +8,8 @@ import android.widget.TextView
import android.widget.Toast
import androidx.appcompat.app.AppCompatActivity
import androidx.appcompat.widget.Toolbar
import b3nac.injuredandroid.RCEActivity
import com.google.android.gms.tasks.Task
import com.google.android.material.floatingactionbutton.FloatingActionButton
import com.google.android.material.snackbar.Snackbar
import com.google.firebase.auth.AuthResult
import com.google.firebase.auth.FirebaseAuth
import com.google.firebase.database.DataSnapshot
import com.google.firebase.database.DatabaseError
Expand All @@ -23,7 +20,7 @@ import java.io.*
class RCEActivity : AppCompatActivity() {
var database = FirebaseDatabase.getInstance().reference
var childRef = database.child("/rce")
private var mAuth: FirebaseAuth? = null

var click = 0
override fun onCreate(savedInstanceState: Bundle?) {
super.onCreate(savedInstanceState)
Expand All @@ -38,11 +35,11 @@ class RCEActivity : AppCompatActivity() {
Snackbar.make(view!!, "Find the binary!", Snackbar.LENGTH_LONG)
.setAction("Action", null).show()
//Figure out how to login anonymously on click
click = click + 1
click++
} else if (click == 1) {
Snackbar.make(view!!, "Permissions matter.", Snackbar.LENGTH_LONG)
.setAction("Action", null).show()
click = click + 1
click++
} else if (click == 2) {
Snackbar.make(view!!, "Combine output.", Snackbar.LENGTH_LONG)
.setAction("Action", null).show()
Expand Down Expand Up @@ -74,16 +71,15 @@ class RCEActivity : AppCompatActivity() {
Log.e(TAG, "onCancelled", databaseError.toException())
}
})

val process = Runtime.getRuntime().exec(filesDir.parent + "/files/" + intentParam + " " + binaryParam)
val bufferedReader = BufferedReader(
InputStreamReader(process.inputStream))
val log = StringBuilder()
var line: String
while (bufferedReader.readLine().also { line = it } != null) {
log.append("""
$line
""".trimIndent())
bufferedReader.forEachLine {
log.append(it)
}
process.waitFor()
val tv = findViewById<TextView>(R.id.RCEView)
tv.text = log.toString()
} catch (e: IOException) {
Expand All @@ -101,7 +97,7 @@ class RCEActivity : AppCompatActivity() {
Log.e("tag", "Failed to get asset file list.", e)
}
if (files != null) for (filename in files) {
if (filename != "webkit" && filename != "images") {
if (filename != "webkit" && filename != "images" && filename != "flutter_assets") {
var `in`: InputStream? = null
var out: OutputStream? = null
try {
Expand Down Expand Up @@ -146,16 +142,8 @@ class RCEActivity : AppCompatActivity() {
}

private fun anon() {
mAuth = FirebaseAuth.getInstance()
mAuth!!.signInAnonymously()
.addOnCompleteListener(this) { task: Task<AuthResult?> ->
if (task.isSuccessful) {
val user = mAuth!!.currentUser
} else {
Toast.makeText(this@RCEActivity, "Authentication failed.",
Toast.LENGTH_SHORT).show()
}
}
val mAuth: FirebaseAuth = FirebaseAuth.getInstance()
mAuth.signInAnonymously()
}

companion object {
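Review bot: `bufferedReader.forEachLine { log.append(it) }` in the RCEView hunk appends every line with no separator, so any multi-line output of the process is shown in the TextView as one fused line; `log.append(it).append('\n')` keeps the lines apart. The reader is also never closed and only `process.inputStream` is drained, so `bufferedReader.use { r -> r.forEachLine { log.append(it).append('\n') } }` is the safer shape, and `process.errorStream` deserves the same treatment because a process that writes enough to stderr can stall before `process.waitFor()` returns. In the last hunk, `anon()` now calls `mAuth.signInAnonymously()` and discards the returned Task, so a failed sign-in is no longer surfaced anywhere; at minimum attach `.addOnFailureListener { Log.e(TAG, "Anonymous sign-in failed", it) }` (TAG is already used in the `onCancelled` hunk). The enclosing `try` block of the RCEView hunk starts before the hunk.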
1 change: 1 addition & 0 deletions InjuredAndroid/gradle.properties
Expand Up @@ -12,6 +12,7 @@
org.gradle.jvmargs=-Xmx1536m
android.useAndroidX=true
android.enableJetifier=true
android.injected.testOnly = false
# When configured, Gradle will run in incubating parallel mode.
# This option should only be used with decoupled projects. More details, visit
# http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects
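Review bot: `android.injected.testOnly = false` is added with no comment saying why, and it is the only entry in this file written with spaces around `=` while the neighbouring lines use `key=value`. The `android.injected.*` keys are normally supplied by the IDE at build time; as far as I can tell, forcing this one to false in gradle.properties stops IDE builds from marking the APK as test-only, which changes how the built APK can be installed, so the intent should be stated next to it. A one-line comment such as `# Overrides the IDE-injected testOnly flag so IDE-built debug APKs stay installable outside the IDE` plus `android.injected.testOnly=false` in the file's own style would make the change reviewable.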
Expand Up @@ -17,5 +17,7 @@ public static void registerWith(@NonNull FlutterEngine flutterEngine) {
ShimPluginRegistry shimPluginRegistry = new ShimPluginRegistry(flutterEngine);
com.flutter_webview_plugin.FlutterWebviewPlugin.registerWith(shimPluginRegistry.registrarFor("com.flutter_webview_plugin.FlutterWebviewPlugin"));
flutterEngine.getPlugins().add(new io.flutter.plugins.sharedpreferences.SharedPreferencesPlugin());
flutterEngine.getPlugins().add(new com.macif.plugin.sslpinningplugin.SslPinningPlugin());
flutterEngine.getPlugins().add(new name.avioli.unilinks.UniLinksPlugin());
}
}
Expand Up @@ -16,11 +16,25 @@
@import shared_preferences;
#endif

#if __has_include(<ssl_pinning_plugin/SslPinningPlugin.h>)
#import <ssl_pinning_plugin/SslPinningPlugin.h>
#else
@import ssl_pinning_plugin;
#endif

#if __has_include(<uni_links/UniLinksPlugin.h>)
#import <uni_links/UniLinksPlugin.h>
#else
@import uni_links;
#endif

@implementation GeneratedPluginRegistrant

+ (void)registerWithRegistry:(NSObject<FlutterPluginRegistry>*)registry {
[FlutterWebviewPlugin registerWithRegistrar:[registry registrarForPlugin:@"FlutterWebviewPlugin"]];
[FLTSharedPreferencesPlugin registerWithRegistrar:[registry registrarForPlugin:@"FLTSharedPreferencesPlugin"]];
[SslPinningPlugin registerWithRegistrar:[registry registrarForPlugin:@"SslPinningPlugin"]];
[UniLinksPlugin registerWithRegistrar:[registry registrarForPlugin:@"UniLinksPlugin"]];
}

@end
Expand Up @@ -21,4 +21,6 @@ Depends on all your plugins, and provides a function to register them.
s.dependency 'Flutter'
s.dependency 'flutter_webview_plugin'
s.dependency 'shared_preferences'
s.dependency 'ssl_pinning_plugin'
s.dependency 'uni_links'
end
30 changes: 29 additions & 1 deletion flutter_module/lib/main.dart
@@ -1,5 +1,5 @@
import 'package:flutter/material.dart';
import 'package:flutterxssmodule/run_javascript.dart';
import 'package:flutterxssmodule/plugin_ssl_bypass.dart';
import 'login-xss.dart';
import 'auth-bypass.dart';

Expand Down Expand Up @@ -126,6 +126,34 @@ class MyCustomFormState extends State<MyCustomForm> {
child: Text('Flutter Auth Bypass'),
),
),
Padding(
padding: EdgeInsets.only(
left: 25.0, right: 25.0, top: 25.0),
child: new Row(
mainAxisSize: MainAxisSize.max,
children: <Widget>[
new Column(
mainAxisAlignment: MainAxisAlignment.start,
mainAxisSize: MainAxisSize.min,
),
],
)),
Padding(
padding: EdgeInsets.only(
left: 25.0, right: 25.0, top: 2.0),
child: RaisedButton(
onPressed: () {
Scaffold.of(context)
.showSnackBar(SnackBar(content: Text('Processing Data')));
Navigator.push(
context,
MaterialPageRoute(
builder: (context) => FlutterSSLBypass(),
));
},
child: Text('Flutter SSL Bypass'),
),
),
],
),
));
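Review bot: The first added `Padding` wraps a `Row` whose only child is an empty `Column`, so it contributes nothing visible except 25 logical pixels of top padding; if it is meant as a spacer, `SizedBox(height: 25.0)` says so directly, and if it was copied from the existing buttons' layout above (outside this hunk) the same simplification applies there. The new `RaisedButton` shows a 'Processing Data' snackbar and immediately pushes `FlutterSSLBypass` as a full-screen route, so the snackbar is most likely covered before the user sees it; either drop it or show the message on the destination page. The `new` keyword is used on `Row` and `Column` but not on the surrounding `Padding`/`RaisedButton`, which is worth unifying. The enclosing `build` widget tree starts before and ends after the hunk.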
185 changes: 185 additions & 0 deletions flutter_module/lib/plugin_ssl_bypass.dart
@@ -0,0 +1,185 @@
import 'package:flutter/material.dart';
import 'package:flutter/services.dart';
import 'package:ssl_pinning_plugin/ssl_pinning_plugin.dart';

void main() => runApp(new FlutterSSLBypass());

const PrimaryColor = const Color(0xFF008577);

class FlutterSSLBypass extends StatefulWidget {
@override
_MyAppState createState() => new _MyAppState();
}

class _PiningSslData {
String serverURL = '';
Map<String, String> headerHttp = new Map();
String allowedSHAFingerprint = '';
int timeout = 0;
SHA sha;
}

class _MyAppState extends State<FlutterSSLBypass> {
final GlobalKey<FormState> _formKey = new GlobalKey<FormState>();
_PiningSslData _data = new _PiningSslData();
BuildContext scaffoldContext;

@override
initState() {
super.initState();
}

// Platform messages are asynchronous, so we initialize in an async method.
check(String url, String fingerprint, SHA sha, Map<String, String> headerHttp, int timeout) async {

List<String> allowedShA1FingerprintList = new List();
allowedShA1FingerprintList.add(fingerprint);

try {
// Platform messages may fail, so we use a try/catch PlatformException.
String checkMsg = await SslPinningPlugin.check(serverURL: url,
headerHttp: headerHttp,
sha: sha,
allowedSHAFingerprints: allowedShA1FingerprintList,
timeout: timeout);

// If the widget was removed from the tree while the asynchronous platform
// message was in flight, we want to discard the reply rather than calling
// setState to update our non-existent appearance.
if (!mounted)
return;

Scaffold.of(scaffoldContext).showSnackBar(
new SnackBar(
content: new Text(checkMsg),
duration: Duration(seconds: 1),
backgroundColor: Colors.green,
),

);
}catch (e){
Scaffold.of(scaffoldContext).showSnackBar(
new SnackBar(
content: new Text(e.toString()),
duration: Duration(seconds: 1),
backgroundColor: Colors.red,
),

);
}

}

void submit() {
// First validate form.
if (_formKey.currentState.validate()) {
_formKey.currentState.save(); // Save our form now.

this.check(_data.serverURL, _data.allowedSHAFingerprint, _data.sha, _data.headerHttp, _data.timeout);
}
}

@override
Widget build(BuildContext context) {
this.scaffoldContext = context;
return new MaterialApp(
debugShowCheckedModeBanner: false,
theme: ThemeData(
primaryColor: PrimaryColor,
),
home: new Scaffold(
appBar: new AppBar(
title: new Text('Ssl Pinning Plugin'),
),
body:
new Builder(builder: (BuildContext context) {
this.scaffoldContext = context;
return Container(
padding: EdgeInsets.all(20.0),
child: Form(
key: this._formKey,
child: new ListView(
children: <Widget>[
TextFormField(
keyboardType: TextInputType.url,
decoration: InputDecoration(
hintText: 'https://b3nac.com',
labelText: 'URL'
),
validator: (value) {
if (value.isEmpty) {
return 'Please enter some url';
}
return null;
},
onSaved: (String value) {
this._data.serverURL = value;
}
),
DropdownButton(
items: [DropdownMenuItem(child: Text(SHA.SHA1.toString()), value: SHA.SHA1,), DropdownMenuItem(child: Text(SHA.SHA256.toString()), value: SHA.SHA256,)],
value: _data.sha,
isExpanded: true,
onChanged: (SHA val){
setState(() {
this._data.sha = val;
});
},
),
TextFormField(
keyboardType: TextInputType.text,
decoration: InputDecoration(
hintText: 'OO OO OO OO OO OO OO OO OO OO',
labelText: 'Fingerprint'
),
validator: (value) {
if (value.isEmpty) {
return 'Please enter some fingerprint';
}
return null;
},
onSaved: (String value) {
this._data.allowedSHAFingerprint = value;
}
),
TextFormField(
keyboardType: TextInputType.number,
initialValue: '60',
decoration: InputDecoration(
hintText: '60',
labelText: 'Timeout'
),
validator: (value) {
if (value.isEmpty) {
return 'Please enter some timeout';
}
return null;
},
onSaved: (String value) {
this._data.timeout = int.parse(value);
}
),
Container(
child: RaisedButton(
child: Text(
'Check',
style: TextStyle(
color: Colors.white
),
),
onPressed: () => submit(),
color: PrimaryColor,
),
margin: EdgeInsets.only(
top: 20.0
),
)
],
),
)
);
})
),
);
}
}
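Review bot: The Timeout field's `onSaved` calls `int.parse(value)` but its validator only rejects an empty string, so non-numeric input — which `keyboardType: TextInputType.number` does not prevent on every platform — throws a `FormatException` from inside `_formKey.currentState.save()`; adding `if (int.tryParse(value) == null) return 'Timeout must be a whole number';` to that validator closes the gap. In `check`, the `if (!mounted) return;` guard protects only the success path: the `catch` branch calls `Scaffold.of(scaffoldContext).showSnackBar` after the `await` without it, so a failure that arrives after the page has been popped may touch a disposed context — hoist the guard above the try/catch or repeat it in the catch. `_data.sha` has no initial value and the dropdown is not validated, so `Check` can be submitted with `sha == null`; what the plugin does with that is not visible here, so either default it to one of the two `SHA` values offered or reject the submit until one is chosen.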
2 changes: 2 additions & 0 deletions flutter_module/pubspec.yaml
Expand Up @@ -26,6 +26,8 @@ dependencies:

flutter_webview_plugin: 0.3.0+2
shared_preferences: ^0.5.7+3
ssl_pinning_plugin: ^1.3.0
uni_links: ^0.4.0
# The following adds the Cupertino Icons font to your application.
# Use with the CupertinoIcons class for iOS style icons.
cupertino_icons: ^0.1.3
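Review bot: The two new dependencies use caret ranges (`^1.3.0`, `^0.4.0`) while the existing `flutter_webview_plugin: 0.3.0+2` is pinned exactly, and the eight files in this commit include no `pubspec.lock`, so the plugin versions that were actually built and tested are not recorded. If `flutter_module` is an application and its lock file is tracked, regenerate and commit it with this change; otherwise either pin the new plugins the way `flutter_webview_plugin` is pinned or move all three to caret ranges, and note which convention the module follows.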
