Fuzzing iOS URL schemes with furlzz

Introduction

Today we will cover the tool I have created, furlzz, which is an iOS URL scheme fuzzer. We will go over how to set it up and actually start fuzzing. This will be done on the Bear app 2.0.10, which had a simple bug that caused the application to crash.

Tracing URLs using frida-trace

The first step is to determine how the application actually opens URLs; we can do that with frida-trace. We need some legitimate URL that will be opened inside the application, and once we load that URL we will look at the frida-trace output to determine which method is used.

Run frida-trace -U Bear -m "*[* *openURL*]".

We can see that the URLs are opened using scene:openURLContexts, which in furlzz corresponds to the scene_context method (-m flag). We can also see that the name of the delegate class is Bear.SFDefaultSceneDelegate (-d flag).

We need to determine one more thing before we can start fuzzing: the name of the scene class. We can do that by editing the handler file that Frida has created for that specific method.

Type the following to edit the file.

$ vim __handlers__/Bear.SFDefaultSceneDelegate/scene_openURLContexts_.js

Once the file is opened, we will convert args[2] to an ObjC.Object, print its description() and convert it to a string by calling toString(); that will be enough to see all the information we need.
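As an added example (not the author's handler file or furlzz code), this is what the edited frida-trace handler can look like: it prints the scene's class name, as described above, and goes one step further by also listing each URL in the openURLContexts set. It assumes the frida-trace 16 handler layout (defineHandler) and that args[2] and args[3] are the scene and the NSSet of UIOpenURLContext that scene:openURLContexts: receives (args[0] is self, args[1] the selector).

```javascript
// Replacement body for __handlers__/Bear.SFDefaultSceneDelegate/scene_openURLContexts_.js
// (assumed frida-trace 16 layout). ObjC is the global that Frida provides inside the app.
// For -[delegate scene:openURLContexts:]: args[0] self, args[1] selector,
// args[2] the UIScene, args[3] the NSSet<UIOpenURLContext>.

// Pure helper: takes already-wrapped ObjC objects and returns the lines to log.
// Kept separate from onEnter so it can be exercised outside Frida with stand-ins.
function describeOpenURLContexts(scene, contexts) {
  const lines = [`scene class: ${scene.$className}`];   // e.g. SFDefaultScene
  const all = contexts.allObjects();                   // NSSet -> NSArray
  const n = all.count();
  for (let i = 0; i < n; i++) {
    const ctx = all.objectAtIndex_(i);                 // UIOpenURLContext
    lines.push(`url[${i}]: ${ctx.URL().absoluteString().toString()}`);
  }
  return lines;
}

const handler = {
  onEnter(log, args, state) {
    log('-[Bear.SFDefaultSceneDelegate scene:openURLContexts:]');
    const scene = new ObjC.Object(args[2]);
    const contexts = new ObjC.Object(args[3]);
    for (const line of describeOpenURLContexts(scene, contexts)) log(line);
  },
  onLeave(log, retval, state) {
  },
};

// frida-trace 16 generates this file wrapped in defineHandler(...); the guard
// only lets the file load outside frida-trace as well.
if (typeof defineHandler === 'function') {
  defineHandler(handler);
}
```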

If we now open the URL, we will see that the name of the scene class is SFDefaultScene.

Fuzzing

Bear supports a couple of URL schemes; we can see the whole list of them here. The one we will use is bear://x-callback-url/search?term=nemo&tag=movies. We will ignore the tag and just focus on the term parameter.

The only step left is to create the directory for our inputs and put some seed inputs in it.

$ mkdir bear_input
$ echo -n 'furlzz' > bear_input/1
$ echo -n 'fuzzing' > bear_input/2

To recap, we need to pass the following to furlzz:

  • application => Bear
  • base URL => bear://x-callback-url/search?term=FUZZ
  • delegate => Bear.SFDefaultSceneDelegate
  • scene => SFDefaultScene
  • method => scene_context
  • function to post-process => url
  • input dir => bear_input

The full command is ./furlzz fuzz -a Bear -b "bear://x-callback-url/search?term=FUZZ" -f url -i bear_input/ -t1 -m scene_context -d Bear.SFDefaultSceneDelegate -s SFDefaultScene

We can now examine the URL that caused the crash; additionally, when the crash occurs a session file is written so you can easily replay the crash.

To replay the crash, we just call furlzz crash with the session and crash file.

This bug got fixed in version 2.0.11.

Originally published by NSEcho: Fuzzing iOS URL schemes with furlzz

Copyright notice: posted by admin on 20 September 2023 at 00:40.
Please credit when reposting: Fuzzing iOS URL schemes with furlzz | CTF导航