-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathotool_analyze.py
More file actions
227 lines (194 loc) · 10 KB
/
otool_analyze.py
File metadata and controls
227 lines (194 loc) · 10 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
#!/usr/bin/env python3
import os.path
import subprocess
import importlib
import sys
import shlex
TOOL_NAME = "Otool Analyze"
FONT = "big"
def install_libraries(lib_name):
"""Install additional libraries."""
print(f"Installing missing package: {lib_name}...")
try:
subprocess.run(
[sys.executable, "-m", "pip", "install", lib_name],
check=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
)
print(f"Successfully installed {lib_name}.")
return importlib.import_module(lib_name)
except subprocess.CalledProcessError as e:
print(f"Error installing {lib_name}:")
print(f" {e.stderr.decode()}")
sys.exit(1)
except ImportError:
print(f"Error importing {lib_name} after installation.")
sys.exit(1)
def print_banner(text, font):
"""Display the banner."""
try:
import pyfiglet
except ImportError:
pyfiglet = install_libraries("pyfiglet")
try:
from blessed import Terminal
except ImportError:
install_libraries("blessed")
from blessed import Terminal # Now the import should succeed
print("All dependencies are now imported successfully.")
term = Terminal()
current_width = term.width
margin = 4
art_text = pyfiglet.figlet_format(text, font=font, width=current_width - margin)
print(term.cyan(art_text))
print("\n" * 2)
def check_args():
# Check for correct number of arguments
if len(sys.argv) != 2:
print("Error: Incorrect syntax.")
print(f"Usage: python {os.path.basename(sys.argv[0])} <input_file_path>")
sys.exit(1)
# Check if provided file is a valid IPA file
ipa_file = sys.argv[1]
ipa_file_check = subprocess.getoutput("file " + ipa_file)
if "Zip" not in ipa_file_check:
print("\033[91m {}\033[00m".format("Incorrect file format. Please provide a valid IPA file for analysis."))
sys.exit(1)
return ipa_file
def path_retrieval(ipa_file):
# Retrieve Mach-O binary file path
ipa_file_name = ipa_file.split('.')[0]
zip_file = ipa_file_name + '.zip'
subprocess.run(['cp', ipa_file, zip_file], check=True)
subprocess.run(['unzip', zip_file], check=True)
ipa_folder = 'Payload'
app_bundle = subprocess.getoutput('ls ' + ipa_folder)
app_bundle_name = app_bundle.split('.')[0]
file_path = f'{ipa_folder}/{app_bundle}/{app_bundle_name}'
app_binary_path = os.path.realpath(file_path)
return app_binary_path
def filecheck(app_binary_path):
# Check if provided file can be analyzed
file_check = subprocess.check_output(['file', app_binary_path], text=True)
if "Mach-O" in file_check:
print("\033[95m {}\033[00m".format("\nAnalyzing our target iOS application binary.\n"))
else:
print("\033[91m {}\033[00m".format("Provided app binary is not suitable for analysis."))
sys.exit()
def check1(app_binary_path):
# Check 1: Does the iOS app binary have ASLR (Address Space Layout Randomization) enabled?
aslr_check = subprocess.getoutput("otool -hv " + shlex.quote(app_binary_path) + " | grep PIE")
if "PIE" in aslr_check:
print('[+] ASLR enabled:', "\033[92m {}\033[00m".format('Yes'), sep=' ')
else:
print('[+] ASLR enabled:', "\033[91m {}\033[00m".format('No'), sep=' ')
print('\n')
def check2(app_binary_path):
# Check 2: Does the iOS app binary have stack smashing protection enabled?
canary_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep stack_chk")
if "stack_chk_guard" and "stack_chk_fail" in canary_check:
print('[+] Stack canaries enabled:', "\033[92m {}\033[00m".format('Yes'), sep=' ')
else:
print('[+] Stack canaries enabled:', "\033[91m {}\033[00m".format('No'), sep=' ')
print('\n')
def check3(app_binary_path):
# Check 3: Does the iOS app binary have ARC (Automatic Reference Counting) enabled?
arc_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep objc_release")
if "objc_release" in arc_check:
print('[+] ARC enabled:', "\033[92m {}\033[00m".format('Yes'), sep=' ')
else:
print('[+] ARC enabled:', "\033[91m {}\033[00m".format('No'), sep=' ')
print('\n')
def check4(app_binary_path):
# Check 4: Is the iOS app binary encrypted?
crypt_check = subprocess.getoutput("otool -arch all -Vl " + shlex.quote(app_binary_path) + " | grep -A5 LC_ENCRYPT")
if "cryptid 1" in crypt_check:
print('[+] Binary Encrypted:', "\033[92m {}\033[00m".format('Yes'), sep=' ')
else:
print('[+] Binary Encrypted:', "\033[91m {}\033[00m".format('No'), sep=' ')
print('\n')
def check5(app_binary_path):
# Check 5: Does the iOS app binary have weak hashing algorithms enabled?
MD5_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_CC_MD5'")
SHA1_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_CC_SHA1'")
if "_CC_MD5" in MD5_check or "_CC_SHA1" in SHA1_check:
print('[+] Weak Hashing Algorithms present:', "\033[92m {}\033[00m".format('Yes'), sep=' ')
hashes = {MD5_check: 'MD5', SHA1_check: 'SHA1'}
alg = []
for check in hashes:
if check:
alg.append(hashes[check])
print('\n')
print(' [-] Algorithms: ', "\033[92m {}\033[00m".format(', '.join(alg)))
else:
print('[+] Weak Hashing Algorithms present:', "\033[91m {}\033[00m".format('No'), sep=' ')
print('\n')
def check6(app_binary_path):
# Check 6: Does the iOS app binary use insecure random number generator?
random_func_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_random'")
srand_func_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_srand'")
rand_func_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_rand'")
if "_random" in random_func_check or "_srand" in srand_func_check or "_rand" in rand_func_check:
print('[+] Insecure Random Number Generator functions present:', "\033[92m {}\033[00m".format('Yes'), sep=' ')
rand_gen = {random_func_check: '_random', srand_func_check: '_srand', rand_func_check: '_rand'}
insec_rand = []
for check in rand_gen:
if check:
insec_rand.append(rand_gen[check])
print('\n')
print(' [-] Functions: ', "\033[92m {}\033[00m".format(', '.join(insec_rand)))
else:
print('[+] Insecure Random Number Generator functions present:', "\033[91m {}\033[00m".format('No'), sep=' ')
print('\n')
def check7(app_binary_path):
# Check 7: Does the iOS app binary use insecure malloc function?
malloc_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_malloc'")
if "_malloc" in malloc_check:
print('[+] Insecure Malloc Function present:', "\033[92m {}\033[00m".format('Yes'), sep=' ')
else:
print('[+] Insecure Malloc Function present:', "\033[91m {}\033[00m".format('No'), sep=' ')
print('\n')
def check8(app_binary_path):
# Check 8: Does the iOS app binary use deprecated APIs?
gets_func_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_gets'")
memcpy_func_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_memcpy'")
strncpy_func_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_strncpy'", )
strlen_func_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_strlen'")
vsnprintf_func_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_vsnprintf'")
sscanf_func_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_sscanf'")
strtok_func_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_strtok'")
alloca_func_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_alloca'")
sprintf_func_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_sprintf'")
printf_func_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_printf'")
vsprintf_func_check = subprocess.getoutput("otool -Iv " + shlex.quote(app_binary_path) + " | grep -w '_vsprintf'")
if "_gets" in gets_func_check or "_memcpy" in memcpy_func_check or "_strncpy" in strncpy_func_check or "_strlen" in strlen_func_check or "_vsnprintf" in vsnprintf_func_check or "_sscanf" in sscanf_func_check or "_strtok" in strtok_func_check or "_alloca" in alloca_func_check or "_sprintf" in sprintf_func_check or "_printf" in printf_func_check or "_vsprintf" in vsprintf_func_check:
print('[+] Insecure and Vulnerable Functions present:', "\033[92m {}\033[00m".format('Yes'), sep=' ')
funcs = {gets_func_check: '_gets', memcpy_func_check: '_memcpy', strncpy_func_check: '_strncpy',
strlen_func_check: '_strlen', vsnprintf_func_check: '_vsnprintf', sscanf_func_check: '_sscanf',
strtok_func_check: '_strtok', alloca_func_check: '_alloca', sprintf_func_check: '_sprintf',
printf_func_check: '_printf', vsprintf_func_check: '_vsprintf'}
vuln_funcs = []
for check in funcs:
if check:
vuln_funcs.append(funcs[check])
print('\n')
print(' [-] Functions: ', "\033[92m {}\033[00m".format(', '.join(vuln_funcs)))
else:
print('[+] Insecure and Vulnerable Functions present:', "\033[91m {}\033[00m".format('No'), sep=' ')
print('\n')
def main():
print_banner(TOOL_NAME, FONT)
ipa = check_args()
binary_path = path_retrieval(ipa)
filecheck(binary_path)
check1(binary_path)
check2(binary_path)
check3(binary_path)
check4(binary_path)
check5(binary_path)
check6(binary_path)
check7(binary_path)
check8(binary_path)
if __name__ == main():
main()