
[原创]frida 配置iOS系统WiFi和代理

2022-11-10 15:11
34652

#iOS #frida #WiFi #proxy #系统相关

前言

最近研究一个App时顺便研究了下如何给iOS系统WiFi挂代理,并将相关功能整理成函数,方便调试时使用。

代码实现

1.切换飞行模式

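/**
 * Set the device's airplane mode through RadiosPreferences.
 *
 * Despite the name, this does not flip the current state: it applies
 * whatever `mode` is passed to -setAirplaneMode:.
 *
 * @param {boolean|number} mode Value handed to -setAirplaneMode:.
 */
function toggleAirplaneMode(mode) {
    var prefs = ObjC.classes.RadiosPreferences.alloc().init();
    try {
        prefs.setAirplaneMode_(mode);
        // The setter is followed by -synchronize, as in the original call sequence.
        prefs.synchronize();
    } finally {
        // The instance came from alloc/init, so balance it even when a call above throws.
        prefs.release();
    }
}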

2.开关 WiFi

/**
 * Power the WiFi radio on or off through the shared WFClient.
 *
 * The name says "toggle", but the state is set to `mode`, not flipped.
 *
 * @param {boolean|number} mode Value handed to -setPowered:.
 */
function toggleWifiMode(mode) {
    // sharedInstance is not allocated here, so no release is paired with it.
    ObjC.classes.WFClient.sharedInstance().setPowered_(mode);
}

3.读取 WiFi 密码

/**
 * Collect every known-network profile from WFKnownNetworkStore into plain objects.
 *
 * The returned entries carry credential fields (`password`, `previousPassword`,
 * `fetchedPassword`, `username`) exactly as the profile reports them, so the result
 * is secret material: keep it out of console output, saved logs and shared files.
 *
 * Fields built with `+ ''` are coerced to JS strings, so a null result becomes the
 * string 'null'; the other fields are returned as whatever the bridge yields.
 *
 * @returns {Array<Object>} One object per known network, in allObjects() order.
 */
function readWifiPasswords() {
    var store = ObjC.classes.WFKnownNetworkStore.sharedInstance();
    var profiles = store.knownNetworks().allObjects();
    var total = profiles.count();

    // Same coercion the original spelled as `x + ''`.
    var text = function (v) { return v + ''; };

    var out = [];
    var idx = 0;
    while (idx < total) {
        var profile = profiles.objectAtIndex_(idx);
        var entry = {
            HS20AccountName: profile.HS20AccountName(),
            HS20Badge: profile.HS20Badge(),
            isHS20Network: profile.isHS20Network(),
            isHS20NetworkProvisioned: profile.isHS20NetworkProvisioned(),
            TLSIdentity: text(profile.TLSIdentity()),
            addedDate: text(profile.addedDate()),
            adhoc: profile.isAdhoc(),
            autoJoinEnabled: profile.isAutoJoinEnabled(),
            autoLoginEnabled: profile.isAutoLoginEnabled(),
            bssid: text(profile.bssid()),
            canExposeIMSI: profile.canExposeIMSI(),
            captive: profile.isCaptive(),
            carPlay: profile.isCarPlay(),
            carPlayType: profile.carPlayType(),
            carPlayUUID: profile.carPlayUUID(),
            carrierBased: profile.isCarrierBased(),
            certificateChain: profile.certificateChain(),
            enterpriseProfile: profile.enterpriseProfile(),
            fetchedPassword: profile.fetchedPassword(),
            hidden: profile.isHidden(),
            lastAutoJoinDate: text(profile.lastAutoJoinDate()),
            managed: profile.isManaged(),
            originatorBundleIdentifier: profile.originatorBundleIdentifier(),
            password: text(profile.password()),
            policyUUID: profile.policyUUID(),
            previousPassword: profile.previousPassword(),
            requiresPassword: profile.requiresPassword(),
            // valueOf() is this file's helper, not Object.prototype.valueOf.
            scanAttributes: valueOf(profile.scanAttributes()),
            securityMode: text(profile.securityMode()),
            ssid: text(profile.ssid()),
            username: text(profile.username())
        };
        out.push(entry);
        idx += 1;
    }
    return out;
}

4.获取当前 WiFi SSID

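/**
 * Return the SSID of the network reported by currentNetwork().
 *
 * @returns {*} Whatever -ssid yields for the current network, or null when
 *     currentNetwork() reports no network.
 */
function currentWifiSSID() {
    var net = currentNetwork();
    // Without this guard a missing network surfaces as a TypeError on `.ssid()`.
    if (net === null || net === undefined) {
        return null;
    }
    return net.ssid();
}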

5.获取当前 WiFi Network 实例

/**
 * Fetch the network object that the shared WFClient's interface currently reports.
 *
 * @returns {*} Result of currentNetwork() on WFClient.sharedInstance().interface().
 */
function currentNetwork() {
    var client = ObjC.classes.WFClient.sharedInstance();
    var iface = client.interface();
    return iface.currentNetwork();
}

6.读取当前 WiFi 的配置实例

/**
 * Read the stored settings for one WiFi network via WFGetSettingsOperation.
 *
 * The call order (initWithSSID: -> start -> settings) follows the method trace the
 * author recorded; in that trace -start and -settings ran under different thread ids.
 * NOTE(review): -settings is read immediately after -start with no wait; if the
 * operation completes asynchronously the result may be incomplete — confirm.
 *
 * @param {*} _ssid SSID passed to -initWithSSID:.
 * @returns {*} Value of -settings (the author observed an __NSArrayM).
 */
function readWifiSettings(_ssid) {
    var op = ObjC.classes.WFGetSettingsOperation.alloc().initWithSSID_(_ssid);
    op.start();

    // Diagnostic output only; both values are logged as returned.
    console.log('WIFI-SSID', op.ssid());
    console.log('keychainQueue', op.keychainQueue());

    return op.settings();
}

7.写入 WiFi 配置实例到系统

/**
 * Save a settings collection for one WiFi network via WFSaveSettingsOperation,
 * then log what readWifiSettings() reports for the same SSID.
 *
 * The call order (initWithSSID:settings: -> setCurrentNetwork: -> start) follows the
 * method trace the author recorded.
 * NOTE(review): the operation is always flagged with setCurrentNetwork: YES even
 * though `_ssid` is caller-supplied — confirm callers only pass the joined network.
 * NOTE(review): the read-back runs right after -start; it may print the previous
 * settings if the save finishes later — confirm.
 *
 * @param {*} _ssid SSID passed to -initWithSSID:settings:.
 * @param {*} settings Settings collection to store.
 */
function writeWifiSettings(_ssid, settings) {
    var saveOp = ObjC.classes.WFSaveSettingsOperation.alloc().initWithSSID_settings_(_ssid, settings);
    saveOp.setCurrentNetwork_(1); // YES (0x1)
    saveOp.start();

    var stored = readWifiSettings(_ssid);
    console.log('new-settings', stored);
}

8.打印 WiFi 配置

/**
 * Log one line per entry of a settings collection: native handle, class name
 * and the string form produced by this file's valueOf() helper.
 *
 * @param {*} settings Collection exposing count() and objectAtIndex_().
 */
function printWifiSettings(settings) {
    var total = settings.count();
    var idx = 0;
    while (idx < total) {
        var item = settings.objectAtIndex_(idx);
        console.log(item.handle, item.$className, valueOf(item));
        idx += 1;
    }
}

9.设置系统 WiFi 代理

/**
 * Build an authenticated HTTP/HTTPS proxy entry and save it for one WiFi network.
 *
 * Starts from WFSettingsProxy's default proxy configuration, overrides the HTTP and
 * HTTPS host/port with `server`/`port`, marks the proxy as authenticated with
 * `username`, attaches `password` via -setPassword:, and hands a one-element
 * settings array to writeWifiSettings().
 *
 * The password travels through this script in clear, so avoid saving a real
 * credential into a script file that is shared or committed.
 * NOTE(review): username is always written and HTTPProxyAuthenticated is always 1,
 * so an unauthenticated proxy is not expressible as written.
 * NOTE(review): the alloc/init objects created here are never released, unlike
 * toggleAirplaneMode, which releases its instance — check ownership before changing.
 *
 * @param {*} _ssid SSID of the network whose settings are written.
 * @param {string} server Proxy host, used for both HTTPProxy and HTTPSProxy.
 * @param {number} port Proxy port, used for both HTTPPort and HTTPSPort.
 * @param {string} username Value stored under HTTPProxyUsername.
 * @param {string} password Value passed to -setPassword:.
 */
function setWifiProxy(_ssid, server, port, username, password) {
    const { NSString, NSNumber } = ObjC.classes

    const ProxyClass = ObjC.classes.WFSettingsProxy;
    var defaults = ProxyClass.alloc().initWithDictionary_(ProxyClass.defaultProxyConfiguration());
    var dict = ObjC.classes.NSMutableDictionary.alloc().initWithDictionary_(defaults.items());

    // The value is built by the caller expression first, then the key, then the store.
    var put = function (value, keyName) {
        dict.setObject_forKey_(value, NSString.stringWithString_(keyName));
    };

    put(NSNumber.numberWithInt_(1), 'HTTPEnable');
    put(NSNumber.numberWithInt_(port), 'HTTPPort');
    put(NSString.stringWithString_(server), 'HTTPProxy');
    put(NSNumber.numberWithInt_(1), 'HTTPProxyAuthenticated');
    put(NSString.stringWithString_(username), 'HTTPProxyUsername');
    put(NSNumber.numberWithInt_(1), 'HTTPSEnable');
    put(NSNumber.numberWithInt_(port), 'HTTPSPort');
    put(NSString.stringWithString_(server), 'HTTPSProxy');

    var proxyEntry = ProxyClass.alloc().initWithDictionary_(dict);
    proxyEntry.setPassword_(password);

    var settingsList = ObjC.classes.NSMutableArray.alloc().init();
    settingsList.addObject_(proxyEntry);

    writeWifiSettings(_ssid, settingsList);
}

10.其它函数

///////////////
//  辅助函数  //
///////////////
 
/**
 * Best-effort class name of the Objective-C object at `raw`.
 *
 * NOTE(review): try/catch only covers JS exceptions; whether an invalid address is
 * rejected cleanly by the bridge is not shown here — confirm before passing
 * arbitrary values.
 *
 * @param {*} raw Value handed to ptr() to obtain the object's address.
 * @returns {*} $className of the wrapped object, or '' if wrapping throws.
 */
function typeOf(raw) {
    var name = '';
    try {
        name = new ObjC.Object(ptr(raw)).$className;
    } catch (_err) {
        // Any exception raised while wrapping collapses to the empty string.
        name = '';
    }
    return name;
}
 
/**
 * Best-effort string form of the Objective-C object at `raw`.
 *
 * NOTE(review): try/catch only covers JS exceptions; whether an invalid address is
 * rejected cleanly by the bridge is not shown here — confirm before passing
 * arbitrary values.
 *
 * @param {*} raw Value handed to ptr() to obtain the object's address.
 * @returns {string} The wrapped object coerced to a string, or '' if that throws.
 */
function valueOf(raw) {
    var rendered = '';
    try {
        var wrapped = new ObjC.Object(ptr(raw));
        rendered = wrapped + '';
    } catch (_err) {
        // Any exception raised while wrapping or stringifying collapses to ''.
        rendered = '';
    }
    return rendered;
}

测试

需要注意的是,可以使用 frida 注入到 SpringBoard 进程内运行上述函数,并且要确保私有框架 WiFiKit.framework 已经装入(私有框架中的类和方法可能随 iOS 版本变化),以下是测试代码:

// Load the WiFiKit library (the article requires it to be loaded in the process
// before the functions above are used).
Module.load('/System/Library/PrivateFrameworks/WiFiKit.framework/WiFiKit');
// WiFi network name (SSID)
var ssid = 'tplink-123';
// Arguments: ssid, proxy server, proxy port, proxy username, proxy password.
// The three string literals are the author's placeholders (proxy IP, proxy account,
// password); supply real values at run time rather than saving a real credential
// into the script file.
setWifiProxy(ssid, "代理ip",8080,"代理账号","密码");

frida 命令

# -U: use the USB-connected device; -n: attach to the process named SpringBoard;
# -l: load the given script file into it.
frida -U -n SpringBoard -l ./wifi.js

全文完



最后于 2022-11-11 23:47 被chinasf编辑 ,原因: