From c1b8173d3a4d2c956a6a09a8abee842fd734ea48 Mon Sep 17 00:00:00 2001
From: B3nac
Date: Thu, 6 Aug 2020 21:41:00 -0700
Subject: [PATCH] Defcon safemode RedTeamVillage woot!
---
 .../java/b3nac/injuredandroid/RCEActivity.kt | 32 +--
 InjuredAndroid/gradle.properties | 1 +
 .../plugins/GeneratedPluginRegistrant.java | 2 +
 .../Classes/GeneratedPluginRegistrant.m | 14 ++
 .../FlutterPluginRegistrant.podspec | 2 +
 flutter_module/lib/main.dart | 30 ++-
 flutter_module/lib/plugin_ssl_bypass.dart | 185 ++++++++++++++++++
 flutter_module/pubspec.yaml | 2 +
 8 files changed, 245 insertions(+), 23 deletions(-)
 create mode 100644 flutter_module/lib/plugin_ssl_bypass.dart
diff --git a/InjuredAndroid/app/src/main/java/b3nac/injuredandroid/RCEActivity.kt b/InjuredAndroid/app/src/main/java/b3nac/injuredandroid/RCEActivity.kt
index b1bac3a..2e38ce8 100644
--- a/InjuredAndroid/app/src/main/java/b3nac/injuredandroid/RCEActivity.kt
+++ b/InjuredAndroid/app/src/main/java/b3nac/injuredandroid/RCEActivity.kt
@@ -8,11 +8,8 @@ import android.widget.TextView
 import android.widget.Toast
 import androidx.appcompat.app.AppCompatActivity
 import androidx.appcompat.widget.Toolbar
-import b3nac.injuredandroid.RCEActivity
-import com.google.android.gms.tasks.Task
 import com.google.android.material.floatingactionbutton.FloatingActionButton
 import com.google.android.material.snackbar.Snackbar
-import com.google.firebase.auth.AuthResult
 import com.google.firebase.auth.FirebaseAuth
 import com.google.firebase.database.DataSnapshot
 import com.google.firebase.database.DatabaseError
@@ -23,7 +20,7 @@ import java.io.*

 class RCEActivity : AppCompatActivity() {
 var database = FirebaseDatabase.getInstance().reference
 var childRef = database.child("/rce")
- private var mAuth: FirebaseAuth? = null
+ var click = 0
 override fun onCreate(savedInstanceState: Bundle?) {
 super.onCreate(savedInstanceState) 
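Review bot: `var click = 0` in the `@@ -23,7` hunk is a public mutable property on the Activity, while the only readers visible in this patch are the click handler branches in the `@@ -38,11` hunk; `private var click = 0` keeps that counter internal unless something outside the file actually reads it. Dropping the `mAuth` field is fine, but `import android.widget.Toast` survives the import clean-up in the `@@ -8,11` hunk even though the one `Toast.makeText` shown in this patch is removed in the `@@ -146,16` hunk, so if nothing else in the file still uses it, it is now a dead import.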
@@ -38,11 +35,11 @@ class RCEActivity : AppCompatActivity() {
 Snackbar.make(view!!, "Find the binary!", Snackbar.LENGTH_LONG)
 .setAction("Action", null).show()
 //Figure out how to login anonymously on click
- click = click + 1
+ click++
 } else if (click == 1) {
 Snackbar.make(view!!, "Permissions matter.", Snackbar.LENGTH_LONG)
 .setAction("Action", null).show()
- click = click + 1
+ click++
 } else if (click == 2) {
 Snackbar.make(view!!, "Combine output.", Snackbar.LENGTH_LONG)
 .setAction("Action", null).show()
@@ -74,16 +71,15 @@ class RCEActivity : AppCompatActivity() {
 Log.e(TAG, "onCancelled", databaseError.toException()) } }) + val process = Runtime.getRuntime().exec(filesDir.parent + "/files/" + intentParam + " " + binaryParam) val bufferedReader = BufferedReader( InputStreamReader(process.inputStream)) val log = StringBuilder() - var line: String - while (bufferedReader.readLine().also { line = it } != null) { - log.append(""" - $line - """.trimIndent()) + bufferedReader.forEachLine { + log.append(it) } + process.waitFor() val tv = findViewById(R.id.RCEView) tv.text = log.toString() } catch (e: IOException) {
@@ -101,7 +97,7 @@ class RCEActivity : AppCompatActivity() {
 Log.e("tag", "Failed to get asset file list.", e)
 }
 if (files != null) for (filename in files) {
- if (filename != "webkit" && filename != "images") {
+ if (filename != "webkit" && filename != "images" && filename != "flutter_assets") {
 var `in`: InputStream? = null
 var out: OutputStream? = null
 try {
@@ -146,16 +142,8 @@ class RCEActivity : AppCompatActivity() {
 } private fun anon() { - mAuth = FirebaseAuth.getInstance() - mAuth!!.signInAnonymously() - .addOnCompleteListener(this) { task: Task -> - if (task.isSuccessful) { - val user = mAuth!!.currentUser - } else { - Toast.makeText(this@RCEActivity, "Authentication failed.", - Toast.LENGTH_SHORT).show() - } - } + val mAuth: FirebaseAuth = FirebaseAuth.getInstance() + mAuth.signInAnonymously() } companion object { 
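Review bot: The added `Runtime.getRuntime().exec(filesDir.parent + "/files/" + intentParam + " " + binaryParam)` in the `@@ -74,16` hunk hands one string to the runtime, which tokenises it on whitespace, so both intent-supplied values reach the command line as-is: `intentParam` picks the path under what is simply `filesDir` spelled out by hand, and `binaryParam` can expand into any number of extra arguments. If that is deliberate for this activity, a comment saying so would stop someone "fixing" it later; otherwise resolve the binary under `filesDir`, reject anything whose canonical parent is not `filesDir`, and pass the argument as an array through `ProcessBuilder`, as sketched below. The same block drains only stdout before `process.waitFor()`, so a child that writes a lot to stderr can stall on a full pipe — `redirectErrorStream(true)` folds it into the stream already being read — and `forEachLine { log.append(it) }` joins lines with no separator (the removed `trimIndent()` version did the same). The `exec`/`waitFor` pair appears to run on the calling thread, presumably the UI thread given the `findViewById` right after; the enclosing handler starts before and ends after the hunk.
```kotlin
// … unchanged: childRef ValueEventListener …
val binary = File(filesDir, intentParam).canonicalFile
if (binary.parentFile != filesDir.canonicalFile) {
    // Lands in the existing catch (e: IOException) below instead of running an unexpected path.
    throw IOException("binary must be a direct child of filesDir: ${binary.path}")
}
val process = ProcessBuilder(binary.path, binaryParam)
    .redirectErrorStream(true) // merge stderr so the single reader below drains both pipes
    .start()
val log = StringBuilder()
process.inputStream.bufferedReader().forEachLine { log.append(it).append('\n') }
process.waitFor()
// … unchanged: findViewById(R.id.RCEView) / tv.text …
```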
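Review bot: `mAuth.signInAnonymously()` in the `@@ -146,16` hunk now discards the returned Task, so a failed anonymous sign-in is neither logged nor surfaced, whereas the removed listener at least toasted it; attaching `.addOnFailureListener { Log.e(TAG, "Anonymous sign-in failed", it) }` keeps a trace without the unused `currentUser` lookup (`TAG` is already used by the `Log.e` in the `@@ -74,16` hunk). The explicit `FirebaseAuth` type on the local is redundant and the local itself can go: `FirebaseAuth.getInstance().signInAnonymously().addOnFailureListener { Log.e(TAG, "Anonymous sign-in failed", it) }`. The body of `anon()` sits fully inside the hunk; `companion object` below continues outside it.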
diff --git a/InjuredAndroid/gradle.properties b/InjuredAndroid/gradle.properties
index d100ac4..009053b 100644
--- a/InjuredAndroid/gradle.properties
+++ b/InjuredAndroid/gradle.properties
@@ -12,6 +12,7 @@ org.gradle.jvmargs=-Xmx1536m android.useAndroidX=true android.enableJetifier=true +android.injected.testOnly = false # When configured, Gradle will run in incubating parallel mode. # This option should only be used with decoupled projects. More details, visit # http://www.gradle.org/docs/current/userguide/multi_project_builds.html#sec:decoupled_projects
diff --git a/flutter_module/.android/Flutter/src/main/java/io/flutter/plugins/GeneratedPluginRegistrant.java b/flutter_module/.android/Flutter/src/main/java/io/flutter/plugins/GeneratedPluginRegistrant.java
index 0536162..f3dfa7b 100644
--- a/flutter_module/.android/Flutter/src/main/java/io/flutter/plugins/GeneratedPluginRegistrant.java
+++ b/flutter_module/.android/Flutter/src/main/java/io/flutter/plugins/GeneratedPluginRegistrant.java
@@ -17,5 +17,7 @@ public static void registerWith(@NonNull FlutterEngine flutterEngine) {
 ShimPluginRegistry shimPluginRegistry = new ShimPluginRegistry(flutterEngine); com.flutter_webview_plugin.FlutterWebviewPlugin.registerWith(shimPluginRegistry.registrarFor("com.flutter_webview_plugin.FlutterWebviewPlugin")); flutterEngine.getPlugins().add(new io.flutter.plugins.sharedpreferences.SharedPreferencesPlugin()); + flutterEngine.getPlugins().add(new com.macif.plugin.sslpinningplugin.SslPinningPlugin()); + flutterEngine.getPlugins().add(new name.avioli.unilinks.UniLinksPlugin()); } }
diff --git a/flutter_module/.ios/Flutter/FlutterPluginRegistrant/Classes/GeneratedPluginRegistrant.m b/flutter_module/.ios/Flutter/FlutterPluginRegistrant/Classes/GeneratedPluginRegistrant.m
index 82af7fd..f31a19c 100644
--- a/flutter_module/.ios/Flutter/FlutterPluginRegistrant/Classes/GeneratedPluginRegistrant.m 
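Review bot: The added `android.injected.testOnly = false` is the only key in this file written with spaces around `=` and carries no explanation of why it is here; the Properties format tolerates the spaces, but `android.injected.testOnly=false` matches the neighbouring lines. Because `android.injected.*` values are normally supplied by the IDE itself for the builds it deploys, it is worth confirming that this file-level setting actually takes effect in that path, and recording the intent above it: `# Keep IDE-deployed debug builds installable without adb's -t (test-only) flag`.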
+++ b/flutter_module/.ios/Flutter/FlutterPluginRegistrant/Classes/GeneratedPluginRegistrant.m
@@ -16,11 +16,25 @@ @import shared_preferences; #endif +#if __has_include() +#import +#else +@import ssl_pinning_plugin; +#endif + +#if __has_include() +#import +#else +@import uni_links; +#endif + @implementation GeneratedPluginRegistrant + (void)registerWithRegistry:(NSObject*)registry { [FlutterWebviewPlugin registerWithRegistrar:[registry registrarForPlugin:@"FlutterWebviewPlugin"]]; [FLTSharedPreferencesPlugin registerWithRegistrar:[registry registrarForPlugin:@"FLTSharedPreferencesPlugin"]]; + [SslPinningPlugin registerWithRegistrar:[registry registrarForPlugin:@"SslPinningPlugin"]]; + [UniLinksPlugin registerWithRegistrar:[registry registrarForPlugin:@"UniLinksPlugin"]]; } @end
diff --git a/flutter_module/.ios/Flutter/FlutterPluginRegistrant/FlutterPluginRegistrant.podspec b/flutter_module/.ios/Flutter/FlutterPluginRegistrant/FlutterPluginRegistrant.podspec
index 3e28d80..bea387b 100644
--- a/flutter_module/.ios/Flutter/FlutterPluginRegistrant/FlutterPluginRegistrant.podspec
+++ b/flutter_module/.ios/Flutter/FlutterPluginRegistrant/FlutterPluginRegistrant.podspec
@@ -21,4 +21,6 @@ Depends on all your plugins, and provides a function to register them.
 s.dependency 'Flutter' s.dependency 'flutter_webview_plugin' s.dependency 'shared_preferences' + s.dependency 'ssl_pinning_plugin' + s.dependency 'uni_links' end
diff --git a/flutter_module/lib/main.dart b/flutter_module/lib/main.dart
index ecfb791..6202917 100644
--- a/flutter_module/lib/main.dart
+++ b/flutter_module/lib/main.dart
@@ -1,5 +1,5 @@
 import 'package:flutter/material.dart'; -import 'package:flutterxssmodule/run_javascript.dart'; +import 'package:flutterxssmodule/plugin_ssl_bypass.dart'; import 'login-xss.dart'; import 'auth-bypass.dart'; 
@@ -126,6 +126,34 @@ class MyCustomFormState extends State {
 child: Text('Flutter Auth Bypass'),
 ),
 ),
+ Padding(
+ padding: EdgeInsets.only(
+ left: 25.0, right: 25.0, top: 25.0),
+ child: new Row(
+ mainAxisSize: MainAxisSize.max,
+ children: [
+ new Column(
+ mainAxisAlignment: MainAxisAlignment.start,
+ mainAxisSize: MainAxisSize.min,
+ ),
+ ],
+ )),
+ Padding(
+ padding: EdgeInsets.only(
+ left: 25.0, right: 25.0, top: 2.0),
+ child: RaisedButton(
+ onPressed: () {
+ Scaffold.of(context)
+ .showSnackBar(SnackBar(content: Text('Processing Data')));
+ Navigator.push(
+ context,
+ MaterialPageRoute(
+ builder: (context) => FlutterSSLBypass(),
+ ));
+ },
+ child: Text('Flutter SSL Bypass'),
+ ),
+ ),
 ],
 ),
 ));
diff --git a/flutter_module/lib/plugin_ssl_bypass.dart b/flutter_module/lib/plugin_ssl_bypass.dart
new file mode 100644
index 0000000..b0b3408
--- /dev/null
+++ b/flutter_module/lib/plugin_ssl_bypass.dart 
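Review bot: The first added `Padding` wraps a `Row` whose only child is a `Column` with no children, so it contributes nothing but 25px of top padding; if a spacer is the intent, `SizedBox(height: 25.0)` says so in one line, and if it was meant to carry a heading the children are missing. The button's `Scaffold.of(context).showSnackBar(...)` fires on the page that `Navigator.push` covers immediately afterwards, so 'Processing Data' is barely visible; dropping it, or reporting progress on the destination page, would be clearer. The enclosing `build` starts and ends outside the hunk.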
@@ -0,0 +1,185 @@
+import 'package:flutter/material.dart';
+import 'package:flutter/services.dart';
+import 'package:ssl_pinning_plugin/ssl_pinning_plugin.dart';
+
+void main() => runApp(new FlutterSSLBypass());
+
+const PrimaryColor = const Color(0xFF008577);
+
+class FlutterSSLBypass extends StatefulWidget {
+ @override
+ _MyAppState createState() => new _MyAppState();
+}
+
+class _PiningSslData {
+ String serverURL = '';
+ Map headerHttp = new Map();
+ String allowedSHAFingerprint = '';
+ int timeout = 0;
+ SHA sha;
+}
+
+class _MyAppState extends State {
+ final GlobalKey _formKey = new GlobalKey();
+ _PiningSslData _data = new _PiningSslData();
+ BuildContext scaffoldContext;
+
+ @override
+ initState() {
+ super.initState();
+ }
+
+ // Platform messages are asynchronous, so we initialize in an async method.
+ check(String url, String fingerprint, SHA sha, Map headerHttp, int timeout) async {
+
+ List allowedShA1FingerprintList = new List();
+ allowedShA1FingerprintList.add(fingerprint);
+
+ try {
+ // Platform messages may fail, so we use a try/catch PlatformException.
+ String checkMsg = await SslPinningPlugin.check(serverURL: url,
+ headerHttp: headerHttp,
+ sha: sha,
+ allowedSHAFingerprints: allowedShA1FingerprintList,
+ timeout: timeout);
+
+ // If the widget was removed from the tree while the asynchronous platform
+ // message was in flight, we want to discard the reply rather than calling
+ // setState to update our non-existent appearance.
+ if (!mounted)
+ return;
+
+ Scaffold.of(scaffoldContext).showSnackBar(
+ new SnackBar(
+ content: new Text(checkMsg),
+ duration: Duration(seconds: 1),
+ backgroundColor: Colors.green,
+ ),
+
+ );
+ }catch (e){
+ Scaffold.of(scaffoldContext).showSnackBar(
+ new SnackBar(
+ content: new Text(e.toString()),
+ duration: Duration(seconds: 1),
+ backgroundColor: Colors.red,
+ ),
+
+ );
+ }
+
+ }
+
+ void submit() {
+ // First validate form. 
+ if (_formKey.currentState.validate()) {
+ _formKey.currentState.save(); // Save our form now.
+
+ this.check(_data.serverURL, _data.allowedSHAFingerprint, _data.sha, _data.headerHttp, _data.timeout);
+ }
+ }
+
+ @override
+ Widget build(BuildContext context) {
+ this.scaffoldContext = context;
+ return new MaterialApp(
+ debugShowCheckedModeBanner: false,
+ theme: ThemeData(
+ primaryColor: PrimaryColor,
+ ),
+ home: new Scaffold(
+ appBar: new AppBar(
+ title: new Text('Ssl Pinning Plugin'),
+ ),
+ body:
+ new Builder(builder: (BuildContext context) {
+ this.scaffoldContext = context;
+ return Container(
+ padding: EdgeInsets.all(20.0),
+ child: Form(
+ key: this._formKey,
+ child: new ListView(
+ children: [
+ TextFormField(
+ keyboardType: TextInputType.url,
+ decoration: InputDecoration(
+ hintText: 'https://b3nac.com',
+ labelText: 'URL'
+ ),
+ validator: (value) {
+ if (value.isEmpty) {
+ return 'Please enter some url';
+ }
+ return null;
+ },
+ onSaved: (String value) {
+ this._data.serverURL = value;
+ }
+ ),
+ DropdownButton(
+ items: [DropdownMenuItem(child: Text(SHA.SHA1.toString()), value: SHA.SHA1,), DropdownMenuItem(child: Text(SHA.SHA256.toString()), value: SHA.SHA256,)],
+ value: _data.sha,
+ isExpanded: true,
+ onChanged: (SHA val){
+ setState(() {
+ this._data.sha = val;
+ });
+ },
+ ),
+ TextFormField(
+ keyboardType: TextInputType.text,
+ decoration: InputDecoration(
+ hintText: 'OO OO OO OO OO OO OO OO OO OO',
+ labelText: 'Fingerprint'
+ ),
+ validator: (value) {
+ if (value.isEmpty) {
+ return 'Please enter some fingerprint';
+ }
+ return null;
+ },
+ onSaved: (String value) {
+ this._data.allowedSHAFingerprint = value;
+ }
+ ),
+ TextFormField(
+ keyboardType: TextInputType.number,
+ initialValue: '60',
+ decoration: InputDecoration(
+ hintText: '60',
+ labelText: 'Timeout'
+ ),
+ validator: (value) {
+ if (value.isEmpty) {
+ return 'Please enter some timeout';
+ }
+ return null;
+ },
+ onSaved: (String value) {
+ this._data.timeout = 
int.parse(value);
+ }
+ ),
+ Container(
+ child: RaisedButton(
+ child: Text(
+ 'Check',
+ style: TextStyle(
+ color: Colors.white
+ ),
+ ),
+ onPressed: () => submit(),
+ color: PrimaryColor,
+ ),
+ margin: EdgeInsets.only(
+ top: 20.0
+ ),
+ )
+ ],
+ ),
+ )
+ );
+ })
+ ),
+ );
+ }
+}
\ No newline at end of file
diff --git a/flutter_module/pubspec.yaml b/flutter_module/pubspec.yaml
index 4c68324..fa0d4f6 100644
--- a/flutter_module/pubspec.yaml
+++ b/flutter_module/pubspec.yaml
@@ -26,6 +26,8 @@ dependencies: flutter_webview_plugin: 0.3.0+2 shared_preferences: ^0.5.7+3 + ssl_pinning_plugin: ^1.3.0 + uni_links: ^0.4.0 # The following adds the Cupertino Icons font to your application. # Use with the CupertinoIcons class for iOS style icons. cupertino_icons: ^0.1.3
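Review bot: The Timeout field's `onSaved` calls `int.parse(value)` while its validator only rejects an empty string, so any non-numeric entry (the number keyboard is a hint, not a constraint) throws a `FormatException` out of `_formKey.currentState.save()` in `submit()`; validate with `if (int.tryParse(value) == null) return 'Timeout must be a whole number';` or save with `int.tryParse(value) ?? 0`. Nothing validates `_data.sha`, which starts null, so leaving the dropdown untouched sends `sha: null` to `SslPinningPlugin.check`; give it a default such as `SHA sha = SHA.SHA256;` or check it in `submit()`. In `check()` the comment promises a `PlatformException` handler but `catch (e)` swallows everything and then touches `Scaffold.of(scaffoldContext)` without the `mounted` guard the success path has; `on PlatformException catch (e)` plus the same `if (!mounted) return;` keeps both paths consistent. `build()` returns a whole `MaterialApp`, yet main.dart pushes `FlutterSSLBypass` as a route inside the existing app, so this nests a second app with its own Navigator and theme — returning the `Scaffold` directly would suffice, and the title 'Ssl Pinning Plugin' could then match the 'Flutter SSL Bypass' button that opens it.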
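Review bot: `uni_links: ^0.4.0` is added here and registered in both generated plugin registrants, but no Dart file in this patch imports it; if no code uses it yet, the dependency and the registrant entries can wait until it does, which keeps the native plugin surface (and the app's link-handling exposure) limited to what is actually exercised. Both new entries use caret ranges like `shared_preferences`, so the style is consistent; pinning as with `flutter_webview_plugin: 0.3.0+2` would be the choice if reproducible plugin builds are the intent.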