[Original] Configuring iOS system WiFi and proxy with frida
2022-11-10 15:11 34652
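#iOS #frida #WiFi #proxy #system-related
Preface
While researching an app recently, I also looked into how to attach a proxy to the iOS system WiFi, and organized the related functionality into functions for convenient use when debugging.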
Code implementation
1. Toggle airplane mode
```javascript
function toggleAirplaneMode(mode) {
    var p = ObjC.classes.RadiosPreferences.alloc().init();
    p.setAirplaneMode_(mode);
    p.synchronize();
    p.release();
}
```
2. Turn WiFi on or off
```javascript
function toggleWifiMode(mode) {
    var wfc = ObjC.classes.WFClient.sharedInstance();
    wfc.setPowered_(mode);
}
```
3. Read WiFi passwords
```javascript
function readWifiPasswords() {
    var knownNet = ObjC.classes.WFKnownNetworkStore.sharedInstance();
    var nets = knownNet.knownNetworks();
    var objs = nets.allObjects();
    var count = objs.count();
    var result = [];
    for (var n = 0; n < count; n++) {
        var networkProfile = objs.objectAtIndex_(n);
        result.push({
            HS20AccountName: networkProfile.HS20AccountName(),
            HS20Badge: networkProfile.HS20Badge(),
            isHS20Network: networkProfile.isHS20Network(),
            isHS20NetworkProvisioned: networkProfile.isHS20NetworkProvisioned(),
            TLSIdentity: networkProfile.TLSIdentity() + '',
            addedDate: networkProfile.addedDate() + '',
            adhoc: networkProfile.isAdhoc(),
            autoJoinEnabled: networkProfile.isAutoJoinEnabled(),
            autoLoginEnabled: networkProfile.isAutoLoginEnabled(),
            bssid: networkProfile.bssid() + '',
            canExposeIMSI: networkProfile.canExposeIMSI(),
            captive: networkProfile.isCaptive(),
            carPlay: networkProfile.isCarPlay(),
            carPlayType: networkProfile.carPlayType(),
            carPlayUUID: networkProfile.carPlayUUID(),
            carrierBased: networkProfile.isCarrierBased(),
            certificateChain: networkProfile.certificateChain(),
            enterpriseProfile: networkProfile.enterpriseProfile(),
            fetchedPassword: networkProfile.fetchedPassword(),
            hidden: networkProfile.isHidden(),
            lastAutoJoinDate: networkProfile.lastAutoJoinDate() + '',
            managed: networkProfile.isManaged(),
            originatorBundleIdentifier: networkProfile.originatorBundleIdentifier(),
            password: networkProfile.password() + '',
            policyUUID: networkProfile.policyUUID(),
            previousPassword: networkProfile.previousPassword(),
            requiresPassword: networkProfile.requiresPassword(),
            scanAttributes: valueOf(networkProfile.scanAttributes()),
            securityMode: networkProfile.securityMode() + '',
            ssid: networkProfile.ssid() + '',
            username: networkProfile.username() + ''
        });
    }
    return result;
}
```
4. Get the current WiFi SSID
```javascript
function currentWifiSSID() {
    return currentNetwork().ssid();
}
```
5. Get the current WiFi Network instance
```javascript
function currentNetwork() {
    return ObjC.classes.WFClient.sharedInstance().interface().currentNetwork();
}
```
6. Read the settings instance of the current WiFi
```javascript
function readWifiSettings(_ssid) {
    // Read the configuration
    var WFGetSettingsOperation = ObjC.classes.WFGetSettingsOperation.alloc();
    // 10684 ms  -[WFGetSettingsOperation initWithSSID:xxxWiFiSSID]
    var wfGetSet = WFGetSettingsOperation.initWithSSID_(_ssid);
    //           /* TID 0x23c2f */
    // 10732 ms  -[WFGetSettingsOperation start]
    wfGetSet.start();
    // 10737 ms     | -[WFGetSettingsOperation ssid]
    // 10740 ms     | -[WFGetSettingsOperation keychainQueue]
    //           /* TID 0x303 */
    // 10759 ms  -[WFGetSettingsOperation settings]
    // 10759 ms  -[WFGetSettingsOperation dealloc]
    // 10759 ms     | -[WFGetSettingsOperation .cxx_destruct]
    console.log('WIFI-SSID', wfGetSet.ssid());
    console.log('keychainQueue', wfGetSet.keychainQueue());
    var settings = wfGetSet.settings();
    return settings; // __NSArrayM
}
```
7. Write a WiFi settings instance to the system
```javascript
function writeWifiSettings(_ssid, settings) {
    // Write the configuration
    var WFSaveSettingsOperation = ObjC.classes.WFSaveSettingsOperation.alloc();
    //           /* TID 0x303 */
    //  6803 ms  -[WFSaveSettingsOperation initWithSSID:0x2822acdc0 settings:0x282c15dd0]
    var wfs = WFSaveSettingsOperation.initWithSSID_settings_(_ssid, settings);
    //  6806 ms  -[WFSaveSettingsOperation setCurrentNetwork:0x1]
    wfs.setCurrentNetwork_(1); // YES(0x1)
    //           /* TID 0x1307 */
    //  6807 ms  -[WFSaveSettingsOperation start]
    wfs.start();
    console.log('new-settings', readWifiSettings(_ssid));
}
```
8. Print WiFi settings
```javascript
function printWifiSettings(settings) {
    var count = settings.count();
    for (var n = 0; n < count; n++) {
        var o = settings.objectAtIndex_(n);
        console.log(o.handle, o.$className, valueOf(o));
    }
}
```
9. Set the system WiFi proxy
```javascript
function setWifiProxy(_ssid, server, port, username, password) {
    const { NSString, NSNumber } = ObjC.classes;
    // Start from the framework's default proxy configuration
    var ps = ObjC.classes.WFSettingsProxy.alloc().initWithDictionary_(ObjC.classes.WFSettingsProxy.defaultProxyConfiguration());
    var items = ObjC.classes.NSMutableDictionary.alloc().initWithDictionary_(ps.items());
    items.setObject_forKey_(NSNumber.numberWithInt_(1), NSString.stringWithString_('HTTPEnable'));
    items.setObject_forKey_(NSNumber.numberWithInt_(port), NSString.stringWithString_('HTTPPort'));
    items.setObject_forKey_(NSString.stringWithString_(server), NSString.stringWithString_('HTTPProxy'));
    items.setObject_forKey_(NSNumber.numberWithInt_(1), NSString.stringWithString_('HTTPProxyAuthenticated'));
    items.setObject_forKey_(NSString.stringWithString_(username), NSString.stringWithString_('HTTPProxyUsername'));
    items.setObject_forKey_(NSNumber.numberWithInt_(1), NSString.stringWithString_('HTTPSEnable'));
    items.setObject_forKey_(NSNumber.numberWithInt_(port), NSString.stringWithString_('HTTPSPort'));
    items.setObject_forKey_(NSString.stringWithString_(server), NSString.stringWithString_('HTTPSProxy'));

    var wifiProxySet = ObjC.classes.WFSettingsProxy.alloc().initWithDictionary_(items);
    wifiProxySet.setPassword_(password);

    // The save operation takes an array of settings objects
    var settings = ObjC.classes.NSMutableArray.alloc().init();
    settings.addObject_(wifiProxySet);

    writeWifiSettings(_ssid, settings);
}
```
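setWifiProxy above passes server and port through unchecked and always writes the HTTPProxyAuthenticated and HTTPProxyUsername keys. The following added example (not part of the original post) validates the parameters in plain JavaScript before any Objective-C call and sets the authentication keys only when a username is supplied; buildProxyItems and applyProxyItems are hypothetical helper names, and the dictionary keys are the ones setWifiProxy uses.

```javascript
// Added example: build the proxy dictionary as a plain object first, so that
// bad input is rejected before anything is written to the system settings.
function buildProxyItems(server, port, username) {
    // Accept a bare hostname or IPv4 address only; this rejects values such
    // as "http://host" or "host:8080" that do not belong in the HTTPProxy key.
    if (typeof server !== 'string' ||
        !/^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/.test(server)) {
        throw new Error('proxy server must be a bare hostname or IPv4 address');
    }
    if (!Number.isInteger(port) || port < 1 || port > 65535) {
        throw new Error('proxy port must be an integer in 1..65535');
    }
    var items = {
        HTTPEnable: 1, HTTPPort: port, HTTPProxy: server,
        HTTPSEnable: 1, HTTPSPort: port, HTTPSProxy: server
    };
    // Mark the proxy as authenticated only when a username is really given.
    if (typeof username === 'string' && username.length > 0) {
        items.HTTPProxyAuthenticated = 1;
        items.HTTPProxyUsername = username;
    }
    return items;
}

// Copy the validated values into an NSMutableDictionary (frida runtime only),
// using the same NSNumber / NSString calls as setWifiProxy.
function applyProxyItems(dict, items) {
    const { NSString, NSNumber } = ObjC.classes;
    Object.keys(items).forEach(function (key) {
        var v = items[key];
        var value = typeof v === 'number'
            ? NSNumber.numberWithInt_(v)
            : NSString.stringWithString_(v);
        dict.setObject_forKey_(value, NSString.stringWithString_(key));
    });
    return dict;
}
```

Inside setWifiProxy, the block of setObject_forKey_ calls could then be replaced by applyProxyItems(items, buildProxyItems(server, port, username)).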
10. Other functions
```javascript
/////////////////
// Helper functions
/////////////////
// Return the Objective-C class name of the object at the given pointer, or '' on failure
function typeOf(raw) {
    try {
        var o = new ObjC.Object(ptr(raw));
        return o.$className;
    } catch {
        return '';
    }
}

// Return the string description of the object at the given pointer, or '' on failure
function valueOf(raw) {
    try {
        var o = new ObjC.Object(ptr(raw));
        return o + '';
    } catch {
        return '';
    }
}
```
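Testing
Note that you can use frida to inject into the SpringBoard process, and you must make sure WiFiKit.framework is already loaded. The test code is as follows:
```javascript
// Load the WiFiKit library
Module.load('/System/Library/PrivateFrameworks/WiFiKit.framework/WiFiKit');
// WiFi network name
var ssid = 'tplink-123';
// "代理ip", "代理账号" and "密码" are placeholders for the proxy IP, proxy account and password
setWifiProxy(ssid, "代理ip", 8080, "代理账号", "密码");
```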
frida command
```
frida -U -n SpringBoard -l ./wifi.js
```
End of article
Last edited 2022-11-11 23:47 by chinasf