def run(self):
result = {
"title": "Application Communicates Over Unencrypted Channels",
"details": "",
"severity": "Medium",
"report": False
}
ignore = [url.strip() for url in self.ignore.split(";")]
Log.info("Getting application's strings")
strs = strings(self.binary)
Log.info("Analysing strings")
report_matches = []
matches = re.finditer(self._regex, strs)
for item in matches:
match = item.group()
if any(iurl in match for iurl in ignore) or match == "http://":
continue
report_matches += [match]
if report_matches:
result.update({
"report":
True,
"details":
"The following strings were found:\n* {}".format("\n* ".join(
sorted(set(report_matches))))
})
return {"{}_result".format(self.name()): result}
def run(self):
result = {
"title": "Application Does Not Implement SSL Pinning",
"details": "",
"severity": "Medium",
"report": False
}
Log.info("Getting application's strings")
strs = strings(self.binary)
Log.info("Analysing strings and class dump")
matches = re.findall(self._regex, strs)
evidence = pretty_grep(self._regex, self.class_dump)
if matches:
result.update({
"report":
True,
"details":
"The following strings were found:\n* {}".format("\n* ".join(
sorted(set(matches))))
})
if evidence:
result.update({
"report":
True,
"details":
"{}\nThe following was found in the class dump:\n\
{}".format(result["details"], pretty_grep_to_str(evidence, self.class_dump))
})
return {"{}_result".format(self.name()): result}
def run(self):
result = {
"title": "Application Uses Weak Crypto Functions",
"details": "",
"severity": "High",
"report": True
}
Log.info("Getting application's strings")
strs = strings(self.binary)
symb_module = SymbolsModule()
symb_module.binary = self.binary
symbols_result, symbols = symb_module.run(), None
for key in symbols_result:
if key.endswith("_symbols"):
symbols = symbols_result[key]
if not symbols:
return {"print": "Couldn't get symbols from binary."}
Log.info("Analysing Symbols")
matches = re.findall(self._regex, symbols)
if matches:
result.update({
"report":
True,
"details":
"The following evidences were found:\n* {}".format("\n* ".join(
sorted(set(matches))))
})
Log.info("Analysing strings")
matches = re.findall(self._regex, strs)
if matches:
result.update({
"report":
True,
"details":
"{}\n* {}".format(result["details"],
"\n* ".join(sorted(set(matches))))
})
return {"{}_result".format(self.name()): result}
def run(self):
result = {
"title": "Application Does Not Detect Debuggers",
"details": "",
"severity": "Medium",
"report": False
}
Log.info("Getting binary strings")
strs = strings(self.binary)
Log.info("Analysing Strings")
if not re.search(self._regex, strs):
result.update({
"report":
True,
"details":
"No evidence of the application trying to detect \
debuggers being attached."
})
return {"{}_result".format(self.name()): result}
def run(self):
result = {
"title": "Application Communicates Over Insecure Channels",
"details": "",
"severity": "Medium",
"report": False
}
Log.info("Getting application's strings")
strs = strings(self.binary)
Log.info("Analysing strings and class dump")
if not re.search(self._regex, strs) and \
not pretty_grep(self._regex, self.class_dump):
result.update({
"report": True,
"details": "No evidence of secure channels being used."
})
return {
"{}_result".format(self.name()): result
}
def run(self):
result = {
"title": "Application Does Not Detect Debuggers",
"details": "",
"severity": "Medium",
"report": False
}
Log.info("Getting binary strings")
strs = strings(self.binary)
Log.info("Analysing Strings")
if not re.search(self._regex, strs):
result.update({
"report": True,
"details": "No evidence of the application trying to detect \
debuggers being attached."
})
Log.info("Starting the application and identifying the process ID")
openned, attempts = self.device.start(self.identifier), 0
while "device locked" in openned[1] and attempts < 3:
Log.error("Device is locked - cannot open the application")
Log.info("Please unlock the device - waiting 10 seconds")
sleep(10)
openned, attempts = self.device.start(self.identifier), attempts + 1
pid = self.device.pid(self.identifier)
if pid:
Log.info("Starting GDB on the remote device")
gdb = GDB(self.device)
Log.info("Attaching GDB to the application")
gdb_result, attempt = gdb.execute("attach {}".format(pid)), 0
# try to get stdout, might take time to flush
while not gdb_result and attempt < 3:
sleep(5)
gdb_result, attempt = gdb.read(), attempt + 1
if gdb_result and "unable to attach" in gdb_result.lower():
result.update({
"title": "Application Detected Debugger Attached",
"report": True,
"details": "Scrounger was unable to attach a debugger to \
the application."
})
elif gdb_result:
result.update({
"report": True,
"details": "{}\n\nScrounger was able to attach a debugger \
to the application:\n\n{}".format(result["details"], gdb_result)
}
)
gdb.exit()
else:
Log.error("The application is not running")
return {
"{}_result".format(self.name()): result
}
def run(self):
result = {
"title": "Application Does Not Implement SSL Pinning",
"details": "",
"severity": "Medium",
"report": False
}
Log.info("Getting application's strings")
strs = strings(self.binary)
Log.info("Analysing strings and class dump")
matches = re.findall(self._regex, strs)
evidence = pretty_grep(self._regex, self.class_dump)
if matches:
result.update({
"report":
True,
"details":
"The following strings were found:\n* {}".format("\n* ".join(
sorted(set(matches))))
})
if evidence:
result.update({
"report":
True,
"details":
"{}\nThe following was found in the class dump:\n\
{}".format(result["details"], pretty_grep_to_str(evidence, self.class_dump))
})
if self.device and self.identifier and \
self.proxy_host != None and self.proxy_port != None:
Log.info("Testing SSL Pinning using a proxy")
Log.info(
"Make sure your device trusts the CA in: {}/ca.crt".format(
_CERT_PATH))
Log.info("Waiting for {} seconds to allow time to setup the \
proxy on the remote device".format(self.wait_time))
sleep(int(self.wait_time))
Log.info("Killing the application")
self.device.stop(self.identifier)
Log.info("Starting the SSL proxy")
proxy_server = create_server(self.proxy_host, self.proxy_port,
_CERT_PATH)
Log.info("Starting the Application")
self.device.start(self.identifier)
Log.info("Waiting for the Application to start and make requests")
sleep(10)
pinned = list(
set(proxy_server.server.connected) -
set(proxy_server.server.requested))
if not proxy_server.server.connected:
Log.error("No connections made by the application")
if pinned:
result.update({
"report":
True,
"details":
"{}\n\nThe application started a connection but \
made no requests to the following domains:\n* {}".format(
result["details"], "\n* ".join(pinned))
})
proxy_server.stop()
return {"{}_result".format(self.name()): result}
