idb 1.3.1

data/lib/lib/app_binary.rb

@@ -0,0 +1,57 @@
+require_relative 'otool_wrapper'
+require_relative 'app'
+
+module Idb
+  class AppBinary
+
+    def initialize app_binary
+      @otool = OtoolWrapper.new app_binary
+    end
+
+    def get_shared_libraries
+      @otool.shared_libraries
+    end
+
+    def setDecryptedPath path
+      @decrypted_path = path
+    end
+
+    def is_pie?
+      @otool.pie
+    end
+
+
+    def is_stack_protected?
+      @otool.canaries
+    end
+
+    def uses_arc?
+      @otool.arc
+    end
+
+    def is_encrypted?
+      encrypted = false
+      if @otool.load_commands.nil?
+        return "Error"
+      end
+      @otool.load_commands.each {|key, val|
+        if val['cmd'].strip.start_with?('LC_ENCRYPTION_INFO') and val['cryptid'].strip == 1.to_s
+          encrypted =  true
+        end
+      }
+      return encrypted
+    end
+
+    def get_cryptid
+      if @otool.load_commands.nil?
+        return "Error"
+      end
+      @otool.load_commands.each {|key, val|
+        if val['cmd'] == 'LC_ENCRYPTION_INFO'
+          return val['cryptid']
+        end
+      }
+      return nil
+    end
+  end
+end

data/lib/lib/ca_interface.rb

@@ -0,0 +1,151 @@
+require 'openssl'
+require 'digest/sha1'
+require 'sqlite3'
+require "webrick"
+
+
+
+module Idb
+  class CAInterface
+
+    # performs uninstall based on sha1 hash provided in certfile
+    def remove_cert cert
+      der = cert.to_der
+
+      query = %Q|DELETE FROM "tsettings" WHERE sha1 = #{blobify(sha1_from_der der)};|
+      begin
+        db = SQLite3::Database.new(@db_path)
+        db.execute(query)
+        db.close
+      rescue Exception => e
+        raise "[*] Error writing to SQLite database at #{@db_path}: #{e.message}"
+        return
+      end
+      puts "[*] Operation complete"
+    end
+
+    def server_cert cert_file
+      FileUtils.mkpath "#{$tmp_path}/CAs"
+      cert_file_cache = "#{$tmp_path}/CAs/CA.pem"
+
+      FileUtils.copy cert_file, cert_file_cache
+      #copy cert file to tmp
+      @server_thread = Thread.new {
+        @server = WEBrick::HTTPServer.new(:Port => $settings['idb_utility_port'])
+        @server.mount "/", WEBrick::HTTPServlet::FileHandler, "#{$tmp_path}/CAs/"
+        @server.start
+      }
+
+      sleep 0.5
+      $device.open_url "http://localhost:#{$settings['idb_utility_port']}/CA.pem"
+
+    end
+
+    def stop_cert_server
+      @server.stop unless @server.nil?
+      @server_thread.terminate unless @server_thread.nil?
+    end
+
+
+    def add_cert cert_file
+      cert_file = File.expand_path(cert_file)
+      if not File.exist? cert_file
+        raise "File #{cert_file} does not exist."
+      end
+
+      cert = parse_certificate cert_file
+
+      # create plist file
+      #TODO might want to use the plist library instead
+      tset   = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n<plist version=\"1.0\">\n<array/>\n</plist>\n"
+      data   = cert[:cert].to_der
+
+      puts "[*] Inserting certificate into trust store..."
+
+      query = %Q|INSERT INTO "tsettings" VALUES(#{blobify(cert[:fprint])},#{blobify(cert[:subject])},#{blobify(tset)},#{blobify(data)});|
+      begin
+        db = SQLite3::Database.new(@db_path)
+        db.execute(query)
+        db.close
+      rescue Exception => e
+        if e.message.include? "column sha1 is not unique"
+          raise "The same certificate is installed already."
+        else
+          raise "Error writing to SQLite database at #{@db_path}: #{e.message}"
+        end
+        return
+      end
+    end
+
+    def get_certs
+      query = %Q|SELECT * FROM "tsettings";|
+      begin
+        db = SQLite3::Database.new(@db_path)
+        result = db.execute(query)
+        db.close
+      rescue Exception => e
+        raise "Error reading from SQLite database at #{@db_path}: #{e.message}"
+      end
+      result.map { |x|
+        OpenSSL::X509::Certificate.new(x[3])
+      }
+    end
+
+
+    def sha1_from_der der
+      Digest::SHA1.digest(der)
+    end
+
+    private
+
+    def string_to_hex(s)
+      s.unpack('H*')[0]
+    end
+
+    def blobify(bin)
+      "X'#{string_to_hex bin}'"
+    end
+
+    def parse_certificate cert_file
+      puts "[*] Reading and converting certificate..."
+      # Open and convert certificate
+      cert   = OpenSSL::X509::Certificate.new(File.read(cert_file))
+      fprint = sha1_from_der cert.to_der
+      subj   = cert.subject.to_der
+      puts subj.inspect
+      # Thanks Andy Schmitz
+      #toSkip = (subj[1].ord & 0x80) == 0 ? 2 : ((subj[2].ord & 0x7f) + 2)
+      toSkip = 3
+      subj   = subj[toSkip..-1]
+  #    subj = subj.gsub("PortSwigger","PORTSWIGGER")
+      #subj = "1\v0\t\x06\x03U\x04\x06\x13\x02US1\v0\t\x06\x03U\x04\b\x13\x02IL1\x100\x0E\x06\x03U\x04\a\x13\aCHICAGO1\x1A0\x18\x06\x03U\x04\n\x13\x11MATASANO SECURITY1\e0\x19\x06\x03U\x04\v\x13\x12PENTESTING MADNESS1\x1F0\x1D\x06\x03U\x04\x03\x13\x16CA.DANIEL.MATASANO.COM"
+      puts subj.inspect
+
+      #subj = "1\x140\x12\x06\x03U\x04\x06\x13\vPORTSWIGGER1\x140\x12\x06\x03U\x04\b\x13\vPORTSWIGGER1\x140\x12\x06\x03U\x04\a\x13\vPORTSWIGGER1\x140\x12\x06\x03U\x04\n\x13\vPORTSWIGGER1\x170\x15\x06\x03U\x04\v\x13\x0EPORTSWIGGER CA1\x170\x15\x06\x03U\x04\x03\x13\x0EPORTSWIGGER CA"
+
+      return {:cert => cert, :fprint => fprint, :subject => subj}
+    end
+
+
+    def validate? cert_file
+      if not File.exist? cert_file
+        puts "File #{cert_file} does not exist."
+        return false
+      end
+
+      if not File.file? cert_file
+        puts "#{cert_file} is not a file."
+        return false
+      end
+
+      return true
+    end
+  end
+
+  class CAServlet < WEBrick::HTTPServlet::AbstractServlet
+      def do_GET (request, response)
+
+      end
+
+  end
+end

data/lib/lib/console_launcher.rb

@@ -0,0 +1,24 @@
+module Idb
+  class ConsoleLauncher
+
+    def initialize
+      # if os x
+      #'/Applications/iTerm.app'
+  #   '/Applications/Utilities/Terminal.app/ '
+      #if linux
+      # terminator, gnome-terminal, Konsole(?), xterm
+      @term = "terminator"
+    end
+
+
+    def run cmd
+      command = "#{@term} -x sh -c '#{cmd}'"
+      puts command
+      Process.spawn command
+
+    end
+
+
+
+  end
+end

data/lib/lib/device.rb

@@ -0,0 +1,438 @@
+# encoding: utf-8
+
+require_relative 'abstract_device'
+require_relative 'ssh_port_forwarder'
+require_relative 'device_ca_interface'
+require_relative 'usb_muxd_wrapper'
+
+module Idb
+  class Device < AbstractDevice
+    attr_accessor :usb_ssh_port, :mode, :tool_port
+
+    def initialize username, password, hostname, port
+      @apps_dir = '/private/var/mobile/Applications'
+      @username = username
+      @password = password
+      @hostname = hostname
+      @port = port
+
+      @app = nil
+
+      @device_app_paths = Hash.new
+      @device_app_paths[:cycript] = [ "/usr/bin/cycript" ]
+      @device_app_paths[:rsync] = [ "/usr/bin/rsync" ]
+      @device_app_paths[:open] = ["/usr/bin/open"]
+      @device_app_paths[:openurl] = ["/usr/bin/uiopen", "/usr/bin/openurl",  "/usr/bin/openURL"]
+      @device_app_paths[:aptget] = ["/usr/bin/apt-get",  "/usr/bin/aptitude"]
+      @device_app_paths[:keychaindump] = [ "/var/root/keychain_dump"]
+      @device_app_paths[:pcviewer] = ["/var/root/protectionclassviewer"]
+      @device_app_paths[:pbwatcher] = ["/var/root/pbwatcher"]
+      @device_app_paths[:dumpdecrypted_armv7] = ["/var/root/dumpdecrypted_armv7.dylib"]
+      @device_app_paths[:dumpdecrypted_armv6] = ["/var/root/dumpdecrypted_armv6.dylib"]
+      @device_app_paths[:clutch] = ["/usr/bin/Clutch"]
+
+      if $settings['device_connection_mode'] == "ssh"
+        $log.debug "Connecting via SSH"
+        @mode = 'ssh'
+        @ops = SSHOperations.new username, password, hostname, port
+      else
+        $log.debug "Connecting via USB"
+        @mode = 'usb'
+        @usbmuxd = USBMuxdWrapper.new
+        proxy_port = @usbmuxd.find_available_port
+        $log.debug "Using port #{proxy_port} for SSH forwarding"
+
+        @usbmuxd.proxy proxy_port, $settings['ssh_port']
+        sleep 1
+
+
+
+
+        @ops = SSHOperations.new username, password, 'localhost', proxy_port
+
+        @usb_ssh_port = $settings['manual_ssh_port']
+        $log.debug "opening port #{proxy_port} for manual ssh connection"
+        @usbmuxd.proxy @usb_ssh_port, $settings['ssh_port']
+
+        @tool_port = @usbmuxd.find_available_port
+        $log.debug "opening tool port #{@tool_port} for internal ssh connection"
+        @usbmuxd.proxy @tool_port, $settings['ssh_port']
+
+      end
+
+      start_port_forwarding
+    end
+
+    def ssh
+      @ops.ssh
+    end
+
+
+    def disconnect
+      @ops.disconnect
+    end
+
+    def device?
+      true
+    end
+
+    def arch
+      "armv7"
+    end
+
+    def start_port_forwarding
+      @port_forward_pid = Process.spawn("#{RbConfig.ruby} lib/helper/ssh_port_forwarder.rb"  )
+    end
+
+    def restart_port_forwarding
+      $log.info "Restarting SSH port forwarding"
+      Process.kill("INT", @port_forward_pid)
+      start_port_forwarding
+    end
+
+    def protection_class file
+      @ops.execute "#{pcviewer_path} '#{file}'"
+    end
+
+    def simulator?
+      false
+    end
+
+    def app_launch app
+      @ops.launch_app(open_path, app.bundle_id)
+    end
+
+
+    def dump_keychain
+      device_store_path = "/var/root/genp.plist"
+      local_dir = "#{$tmp_path}/device/"
+      local_path = "#{local_dir}/genp.plist"
+      FileUtils.mkdir_p local_dir unless Dir.exist? local_dir
+
+      $log.info "Dumping keychain..."
+      @ops.execute "#{keychain_dump_path}"
+      $log.info "Downloading dumped keychain..."
+      @ops.download device_store_path, local_path
+    end
+
+
+
+
+    def is_installed? tool
+      $log.info "Checking if #{tool} is installed..."
+      if path_for(tool).nil?
+        $log.warn "#{tool} not found."
+        false
+      else
+        $log.info "#{tool} found at #{path_for(tool)}."
+        true
+      end
+    end
+
+    def path_for tool
+      @device_app_paths[tool].each { |x|
+        if @ops.file_exists? x
+          return x
+        end
+      }
+      return nil
+    end
+
+
+    def install_dumpdecrypted
+      upload_dumpdecrypted
+    end
+
+    def install_dumpdecrypted_old
+      unless File.exist? "utils/dumpdecrypted/dumpdecrypted.dylib"
+        puts "[**] Warning: dumpdecrypted not compiled."
+        puts "[**] Due to licensing issue we cannot ship the compiled library with this tool."
+        puts "[**] Attempting compilation (requires a valid iOS SDK installation)..."
+        compile_dumpdecrypted
+
+        if File.exist? "utils/dumpdecrypted/dumpdecrypted.dylib"
+          puts "[**] Compilation successful."
+          upload_dumpdecryted
+        else
+          puts "[**] Error: Compilation failed."
+          puts "[**] Change into the utils/dumpdecrypted directory, adjust the makefile, and compile."
+        end
+      else
+        upload_dumpdecryted
+      end
+    end
+
+
+    def compile_dumpdecrypted
+      base_dir = '/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer'
+      unless Dir.exist? base_dir
+        puts "[**] Error, iOS Platform tools not found at #{base_dir}"
+        return
+      end
+
+
+      bin_dir = "#{base_dir}/usr/bin"
+      sdk_dir = Dir.glob("#{base_dir}/SDKs/iPhoneOS*.sdk/").first
+      puts "[*] Found SDK dir: #{sdk_dir}"
+
+      library_name = "dumpdecrypted.dylib"
+      gcc = "#{bin_dir}/gcc"
+
+      unless File.exist? gcc
+        puts "[**] Error: gcc not found at #{gcc}"
+        puts "[**] Ensure that the Command Line Utilities are installed in XCode 4."
+        puts "[**] XCode 5 does not ship with llvm-gcc anymore."
+        return
+      end
+
+
+
+      params = ["-arch armv7", # adjust if necessary
+                "-wimplicit",
+                "-isysroot #{sdk_dir}",
+                "-F#{sdk_dir}System/Library/Frameworks",
+                "-F#{sdk_dir}System/Library/PrivateFrameworks",
+                "-dynamiclib",
+                "-o #{library_name}"].join(' ')
+
+      compile_cmd = "#{gcc} #{params} dumpdecrypted.c"
+      puts "Running #{compile_cmd}"
+
+      Dir.chdir("utils/dumpdecrypted") do
+        `#{compile_cmd}`
+      end
+    end
+
+
+    def upload_dumpdecrypted
+      $log.info "Uploading dumpdecrypted library..."
+      @ops.upload("utils/dumpdecrypted/dumpdecrypted_armv6.dylib","/var/root/dumpdecrypted_armv6.dylib")
+      @ops.upload("utils/dumpdecrypted/dumpdecrypted_armv7.dylib","/var/root/dumpdecrypted_armv7.dylib")
+      $log.info "'dumpdecrypted' installed successfully."
+    end
+
+    def install_keychain_dump
+      if File.exist? "utils/keychain_dump/keychain_dump"
+        upload_keychain_dump
+      else
+        $log.error "keychain_dump not found at 'utils/keychain_dump/keychain_dump'."
+        false
+      end
+    end
+    def install_pcviewer
+      if File.exist? "utils/pcviewer/protectionclassviewer"
+        upload_pcviewer
+      else
+        $log.error "protectionclassviewer not found at 'utils/pcviewer/protectionclassviewer'."
+        false
+      end
+    end
+
+
+    def install_pbwatcher
+      if File.exist? "utils/pbwatcher/pbwatcher"
+        upload_pbwatcher
+      else
+        $log.error "pbwatcher not found at 'utils/pbwatcher/pbwatcher'."
+        false
+      end
+    end
+
+    def upload_pcviewer
+      begin
+        $log.info "Uploading pcviewer..."
+        @ops.upload "utils/pcviewer/protectionclassviewer", "/var/root/protectionclassviewer"
+        @ops.chmod "/var/root/protectionclassviewer", 0744
+        $log.info "'pcviewer' installed successfully."
+  #      true
+  #    rescue
+        $log.error "Exception encountered when uploading pcviewer"
+  #      false
+      end
+    end
+
+    def upload_keychain_dump
+      begin
+        $log.info "Uploading keychain_dump..."
+        @ops.upload "utils/keychain_dump/keychain_dump", "/var/root/keychain_dump"
+        @ops.chmod "/var/root/keychain_dump", 0744
+        $log.info "'keychain_dump' installed successfully."
+  #      true
+  #    rescue
+        $log.error "Exception encountered when uploading keychain_dump"
+  #      false
+      end
+    end
+    def upload_pbwatcher
+      begin
+        $log.info "Uploading pbwatcher..."
+        @ops.upload "utils/pbwatcher/pbwatcher", "/var/root/pbwatcher"
+        @ops.chmod "/var/root/pbwatcher", 0744
+        $log.info "'pbwatcher' installed successfully."
+  #      true
+  #    rescue
+        $log.error "Exception encountered when uploading pbwatcher"
+  #      false
+      end
+    end
+
+    def setup_clutch_sources
+      @ops.execute("echo “deb http://cydia.iphonecake.com ./“ > /etc/apt/sources.list.d/idb_clutch.list")
+    end
+
+    def install_from_cydia package
+      if apt_get_installed?
+        $log.info "Updating package repo..."
+        @ops.execute("#{apt_get_path} -y update")
+        $log.info "Installing #{package}..."
+        @ops.execute("#{apt_get_path} -y install #{package}")
+        return true
+      else
+        $log.error "apt-get or aptitude not found on the device"
+        return false
+      end
+    end
+
+    def install_open
+      install_from_cydia "com.conradkramer.open"
+    end
+
+    def install_clutch
+      install_from_cydia "com.iphonecake.clutch"
+    end
+
+    def install_rsync
+      install_from_cydia "rsync"
+    end
+
+    def install_cycript
+      install_from_cydia "cycript"
+    end
+
+    def close
+      $log.info "Terminating port forwarding helper..."
+      Process.kill("INT", @port_forward_pid)
+      $log.info "Stopping any SSH via USB forwarding"
+      @usbmuxd.stop_all
+    end
+
+    def open_url url
+      $log.info "Executing: #{openurl_path} #{url}"
+      @ops.execute "#{openurl_path} #{url}"
+    end
+
+    def ca_interface
+      DeviceCAInterface.new self
+    end
+
+    def kill_by_name process_name
+      @ops.execute "killall -9 #{process_name}"
+    end
+
+    def DEVICE_ID
+      $log.error "Not implemented"
+      nil
+    end
+
+    def configured?
+      if $settings['devices'].nil?
+        false
+      elsif $settings['devices'][device_id].nil?
+        false
+      else
+        true
+      end
+    end
+
+
+
+    def cycript_installed?
+      is_installed? :cycript
+    end
+
+    def keychain_dump_installed?
+      is_installed? :keychaindump
+    end
+
+    def pcviewer_installed?
+      is_installed? :pcviewer
+    end
+
+    def pbwatcher_installed?
+      is_installed? :pbwatcher
+    end
+
+    def dumpdecrypted_installed?
+      is_installed? :dumpdecrypted_armv6 and is_installed? :dumpdecrypted_armv7
+    end
+
+
+    def rsync_installed?
+      is_installed? :rsync
+    end
+
+    def open_installed?
+      is_installed? :open
+    end
+
+    def openurl_installed?
+      is_installed? :openurl
+    end
+
+    def apt_get_installed?
+      is_installed? :aptget
+    end
+
+    def clutch_installed?
+      is_installed? :clutch
+    end
+
+    def keychain_dump_path
+      path_for :keychaindump
+    end
+
+
+
+    def pcviewer_path
+      path_for  :pcviewer
+    end
+
+
+    def pbwatcher_path
+      path_for :pbwatcher
+    end
+
+
+    def dumpdecrypted_path
+      path_for :dumpdecrypted_armv7
+    end
+
+    def rsync_path
+      path_for :rsync
+    end
+
+
+    def open_path
+      path_for :open
+    end
+
+
+    def openurl_path
+      path_for :openurl
+    end
+
+
+    def apt_get_path
+      path_for :aptget
+    end
+
+    def clutch_path
+      path_for :clutch
+    end
+
+    def cycript_path
+      path_for :cycript
+    end
+
+  end
+end