I was hoping that invoking other modules directly with a SET APP would bypass the list_apps function. However, it did not. It would still crash the NeedleAgent as it still invokes list_apps.
e.g.
[needle] > set APP com.xyz
APP => com.xyz
[needle] > use shared_libraries
[needle][shared_libraries] > run
[*] Checking connection with device...
[+] Already connected to: 192.168.4.187
[D] Creating temp folder: /var/root/needle/
[D] [REMOTE CMD] Remote Command: if [ -d /var/root/needle/ ]; then echo "yes"; else echo "no" ; fi
[+] Target app: com.xyz
[*] Retrieving app's metadata...
[D] [AGENT] Executing command: list_apps
Very likely to be related to #142 and #242
Expected behaviour
list_apps should be invoked correctly and return a list of apps.
Actual behaviour
NeedleAgent in the foreground closes when the following modules are run: "metadata", "shared_libraries", or anything that invokes the list_apps function.
Steps to reproduce
Run Needle on the workstation. Set the options as follows:
[needle] > show options
Name                      Current Value         Required  Description
------------------------  --------------------  --------  -----------
AGENT_PORT                4444                  yes       Port on which the Needle Agent is listening
APP                                             no        Bundle ID of the target application (e.g., com.example.app). Leave empty to launch wizard
DEBUG                     True                  yes       Enable debugging output
HIDE_SYSTEM_APPS          False                 yes       If set to True, only 3rd party apps will be shown
IP                        192.168.4.187         yes       IP address of the testing device (set to localhost to use USB)
OUTPUT_FOLDER             /root/.needle/output  yes       Full path of the output folder, where to store the output of the modules
PASSWORD                  ********              yes       SSH Password of the testing device
PORT                      22                    yes       Port of the SSH agent on the testing device (needs to be != 22 to use USB)
PUB_KEY_AUTH              True                  yes       Use public key auth to authenticate to the device. Key must be present in the ssh-agent if a passphrase is used
SAVE_HISTORY              True                  yes       Persists command history across sessions
SKIP_OUTPUT_FOLDER_CHECK  False                 no        Skip the check that ensures the output folder does not already contain other files. It will automatically overwrite any file
USERNAME                  root                  yes       SSH Username of the testing device
VERBOSE                   True                  yes       Enable verbose output
use METADATA
run
(Refer to debug and system logs below)
needle error logs
Ensure verbose and debug mode are enabled:
[needle][metadata] > run
[D] Setup local output folder: /root/.needle/output
[?] Attention! The folder chosen to store local output is not empty: /root/.needle/output
[?] Do you want to back it up first?
[?] Y: the content will be archived in a different location, then the folder will be emptied
[?] N: no action will be taken (destination files might be overwritten in case of filename clash)
[y/n]: n
[D] Setting up issues database...
[D] [DB] QUERY: CREATE TABLE IF NOT EXISTS issues (app TEXT, module TEXT, name TEXT, content TEXT, confidence TEXT, outfile TEXT)
[*] Checking connection with device...
[V] Connection not present, creating a new instance
[V] [AGENT] Connecting to agent (192.168.4.187:4444)...
[+] [AGENT] Successfully connected to agent (192.168.4.187:4444)...
[D] [AGENT] Executing command: os_version
[V] [SSH] Connecting (192.168.4.187:22)...
[+] [SSH] Connected (192.168.4.187:22)
[D] Creating temp folder: /var/root/needle/
[D] [REMOTE CMD] Remote Command: if [ -d /var/root/needle/ ]; then echo "yes"; else echo "no" ; fi
[D] [AGENT] Executing command: os_versionpi
[*] Target app not selected. Launching wizard...
[D] [AGENT] Executing command: list_apps
System logs from iTools:
Jul 18 11:13:13 device-ios NeedleAgent[13801] <Notice>: MS:Notice: Injecting: mwr.needle.agent [NeedleAgent] (1290.11)
Jul 18 11:13:13 device-ios NeedleAgent[13801] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/SSLKillSwitch2.dylib
Jul 18 11:13:13 device-ios NeedleAgent[13801] <Warning>: === SSL Kill Switch 2: Preference set to 1.
Jul 18 11:13:13 device-ios NeedleAgent[13801] <Warning>: === SSL Kill Switch 2: Subtrate hook enabled.
Jul 18 11:13:13 device-ios NeedleAgent[13801] <Error>: MS:Error: binary does not support this cpu type
Jul 18 11:13:13 device-ios NeedleAgent[13801] <Error>: MS:Error: failure to check iap.dylib
Jul 18 11:13:59 device-ios NeedleAgent[13801] <Warning>: Handle Command: OS_VERSION, (
)
Jul 18 11:13:59 device-ios NeedleAgent[13801] <Warning>: RES: 9
Jul 18 11:13:59 device-ios wifid[2505] <Error>: WiFi:[553576439.938159]: Enable WoW requested by "UserEventAgent"
Jul 18 11:14:02 device-ios NeedleAgent[13801] <Warning>: Handle Command: OS_VERSION, (
)
Jul 18 11:14:02 device-ios NeedleAgent[13801] <Warning>: RES: 9
Jul 18 11:14:02 device-ios NeedleAgent[13801] <Warning>: Handle Command: LIST_APPS, (
)
Jul 18 11:14:02 device-ios NeedleAgent[13801] <Error>: *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '*** -[__NSPlaceholderDictionary initWithObjects:forKeys:count:]: attempt to insert nil object from objects[1]'
*** First throw call stack:
(0x1820bedb0 0x181723f80 0x181fa777c 0x181fa7614 0x10009e888 0x10009ed8c 0x10009f0e8 0x10009efdc 0x10009de10 0x100116bd4 0x181b094bc 0x181b0947c 0x181b154c0 0x181b0cf80 0x181b17390 0x181b170b0 0x181d21470 0x181d21020)
Jul 18 11:14:02 device-ios SpringBoard[2476] <Warning>: HW kbd: Failed to set (null) as keyboard focus
Jul 18 11:14:02 device-ios wifid[2505] <Error>: WiFi:[553576442.519770]: Disable WoW requested by "UserEventAgent"
Jul 18 11:14:02 device-ios com.apple.xpc.launchd[1] (UIKitApplication:mwr.needle.agent[0x9709][13801]) <Notice>: Service exited due to signal: Abort trap: 6
Jul 18 11:14:02 device-ios ReportCrash[13807] <Notice>: MS:Notice: Injecting: com.apple.CrashReporter [ReportCrash] (1290.11)
Jul 18 11:14:02 device-ios ReportCrash[13807] <Notice>: MS:Notice: Loading: /Library/MobileSubstrate/DynamicLibraries/RocketBootstrap.dylib
Jul 18 11:14:02 device-ios ReportCrash[13807] <Error>: MS:Error: binary does not support this cpu type
Jul 18 11:14:02 device-ios ReportCrash[13807] <Error>: MS:Error: failure to check iap.dylib
Jul 18 11:14:02 device-ios diagnosticd[2447] <Error>: unable to find offset 0x81b2f98c in shared cache for arch 'arm64'
Jul 18 11:14:02 device-ios ReportCrash[13807] <Notice>: platform_thread_get_unique_id matched 955862
Jul 18 11:14:02 device-ios ReportCrash[13807] <Notice>: Formulating report for corpse[13801] NeedleAgent
Jul 18 11:14:02 device-ios ReportCrash[13807] <Warning>: Saved type '109(109_NeedleAgent)' report (13 of max 25) at /var/mobile/Library/Logs/CrashReporter/NeedleAgent-2018-07-18-111402.ips
Jul 18 11:14:02 device-ios SpringBoard[2476] <Warning>: Application 'UIKitApplication:mwr.needle.agent[0x9709]' crashed.
Jul 18 11:14:02 device-ios UserEventAgent[2589] <Warning>: 14588038879318: id=mwr.needle.agent pid=13801, state=0
Jul 18 11:14:02 device-ios NeedleAgent[13810] <Notice>: MS:Notice: Injecting: mwr.needle.agent [NeedleAgent] (1290.11)
Jul 18 11:14:02 device-ios NeedleAgent[13810] <Notice>: MS:Notice: Loading:
Environment
Needle Version
Framework (on your machine): 1.3.2
Agent (on your device): 1.0.5
Workstation Operating System
Kali, Linux kali 4.12.0-kali2-686 #1 SMP Debian 4.12.12-2kali1 (2017-09-13) i686 GNU/Linux
Issue
Modules invoking list_apps are not usable.
Python Version
2.7.13
Python Packages (pip freeze)
Device iOS Version
9.3.3
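Added illustration, not part of this issue and not NeedleAgent's source (the per-app field names are assumed): the exception in the system log, `-[__NSPlaceholderDictionary initWithObjects:forKeys:count:]: attempt to insert nil object from objects[1]`, is what Foundation raises when any value handed to an NSDictionary initialiser is nil, so a single app record with one missing field is enough to abort the whole LIST_APPS response and take the agent down with it. Mapping absent values to NSNull keeps the record valid and still serialises to JSON.

```objc
#import <Foundation/Foundation.h>

// Added example, not NeedleAgent source. Foundation dictionaries cannot
// hold nil: dictionaryWithObjects:forKeys: raises NSInvalidArgumentException
// ("attempt to insert nil object from objects[N]") for any nil value, which
// is the abort recorded in the system log above. Map absent values to
// NSNull before building the per-app record.
static id OrNull(id value) {
    return value ?: [NSNull null];
}

// Field names are assumed for illustration; the real agent uses its own.
static NSDictionary *SafeAppEntry(NSString *bundleID, NSString *name, NSString *dataPath) {
    NSArray *keys   = @[@"bundle_id", @"name", @"data_container"];
    NSArray *values = @[OrNull(bundleID), OrNull(name), OrNull(dataPath)];
    return [NSDictionary dictionaryWithObjects:values forKeys:keys];
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Constructed sample input: the second app lacks a name and a data
        // container, the shape of record that the unguarded form cannot store.
        NSArray *apps = @[
            SafeAppEntry(@"com.example.one", @"One", @"/var/mobile/Containers/Data/Application/EXAMPLE-1"),
            SafeAppEntry(@"com.example.two", nil, nil)
        ];
        NSError *err = nil;
        NSData *json = [NSJSONSerialization dataWithJSONObject:apps
                                                       options:NSJSONWritingPrettyPrinted
                                                         error:&err];
        if (!json) {
            // Not reached here: NSNull serialises as JSON null.
            NSLog(@"serialisation failed: %@", err);
            return 1;
        }
        NSLog(@"%@", [[NSString alloc] initWithData:json encoding:NSUTF8StringEncoding]);
    }
    return 0;
}
```

Build with `clang -fobjc-arc -framework Foundation example.m`; replacing the OrNull calls with the raw values reproduces the exception from the log on the second record.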