objection
objection copied to clipboard
Published
20 hours ago •
sensepost
sensepost
[bug] Explore crashing apps when launching using bundle ID on iOS
- Please, fill in all of the sections in this template.
- Please read each section carefully. Each has a description of what information will help.
- Windows support is limited. There is a good chance that a pull request would help!
- The more information you give, the better.
- Remove this section when you are done.
Describe the bug A clear and concise description of what the bug is.
To Reproduce Steps to reproduce the behavior:
- Run
objection -N -h 192.168.1.110 -g com.atebits.Tweetie2 explore
Expected behavior Objection should inject into the process properly.
Actual behavior It throws an exception and the app crashes.
Evidence / Logs / Screenshots
❯ objection --debug -N -h 192.168.1.110 -g com.atebits.Tweetie2 explore
[debug] Agent path is: /home/nyuszika7h/.local/pipx/venvs/objection/lib/python3.9/site-packages/objection/agent.js
[debug] Injecting agent...
Using networked device @`192.168.1.110:27042`
[debug] Attempting to attach to process: `com.atebits.Tweetie2`
[debug] Unable to find process: `com.atebits.Tweetie2`, attempting spawn
[debug] PID `1344` spawned, attaching...
Traceback (most recent call last):
File "/home/nyuszika7h/.local/bin/objection", line 8, in <module>
sys.exit(cli())
File "/home/nyuszika7h/.local/pipx/venvs/objection/lib/python3.9/site-packages/click/core.py", line 829, in __call__
return self.main(*args, **kwargs)
File "/home/nyuszika7h/.local/pipx/venvs/objection/lib/python3.9/site-packages/click/core.py", line 782, in main
rv = self.invoke(ctx)
File "/home/nyuszika7h/.local/pipx/venvs/objection/lib/python3.9/site-packages/click/core.py", line 1259, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/home/nyuszika7h/.local/pipx/venvs/objection/lib/python3.9/site-packages/click/core.py", line 1066, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/nyuszika7h/.local/pipx/venvs/objection/lib/python3.9/site-packages/click/core.py", line 610, in invoke
return callback(*args, **kwargs)
File "/home/nyuszika7h/.local/pipx/venvs/objection/lib/python3.9/site-packages/objection/console/cli.py", line 114, in explore
agent.inject()
File "/home/nyuszika7h/.local/pipx/venvs/objection/lib/python3.9/site-packages/objection/utils/agent.py", line 202, in inject
session = self.get_session()
File "/home/nyuszika7h/.local/pipx/venvs/objection/lib/python3.9/site-packages/objection/utils/agent.py", line 169, in get_session
self.session = self.device.attach(self.spawned_pid)
File "/home/nyuszika7h/.local/pipx/venvs/objection/lib/python3.9/site-packages/frida/core.py", line 26, in wrapper
return f(*args, **kwargs)
File "/home/nyuszika7h/.local/pipx/venvs/objection/lib/python3.9/site-packages/frida/core.py", line 156, in attach
return Session(self._impl.attach(self._pid_of(target), *args, **kwargs))
frida.ProcessNotRespondingError: unexpected early end-of-stream
Environment (please complete the following information):
- Device: iPhone X
- OS: iOS 14.3
- Jailbreak: unc0ver 6.1.1
- Frida Version: 14.2.13
- Objection Version: 1.10.1
Application Happens with any app.
Some more logs:
Mar 19 14:52:55 iPhone runningboardd(com.apple.runningboard.connection)[960] <Notice>: [daemon<re.frida.server>:957] handle lookup could not find a matching process
Mar 19 14:52:55 iPhone frida-server(com.apple.runningboard.shim)[957] <Notice>: BKSApplicationStateMonitor updated with invalid process
Mar 19 14:52:55 iPhone runningboardd(com.apple.runningboard.connection)[960] <Notice>: [daemon<re.frida.server>:957] handle lookup could not find a matching process
Mar 19 14:52:55 iPhone frida-server(com.apple.runningboard.shim)[957] <Notice>: BKSApplicationStateMonitor updated with invalid process
Mar 19 14:52:55 iPhone frida-server(com.apple.FrontBoard.Common)[957] <Notice>: [FBSSystemService][0x308b] Sending request to open "com.atebits.Tweetie2"
Mar 19 14:52:55 iPhone SpringBoard(com.apple.FrontBoard.Common)[1240] <Notice>: [FBSystemService][0x308b] Received request to open "com.atebits.Tweetie2" from frida-server:957.
Mar 19 14:52:55 iPhone SpringBoard(com.apple.FrontBoard.Common)[1240] <Notice>: [FBSystemService][0x308b] Trusting entitled client frida-server:957.
Mar 19 14:52:55 iPhone SpringBoard(com.apple.FrontBoard.workspace.Common)[1240] <Notice>: Received trusted open application request for "com.atebits.Tweetie2" from <FBProcess: 0x106d1c780; daemon<re.frida.server>:957(vAA3)>.
Mar 19 14:52:55 iPhone SpringBoard(com.apple.SpringBoard.Common)[1240] <Notice>: Executing request: <SBMainWorkspaceTransitionRequest: 0x2838f3840; eventLabel: OpenApplication(sceneID:com.atebits.Tweetie2-default)ForRequester(frida-server.957); display: Main; source: FBSystemService>
<SBMainWorkspaceTransitionRequest: 0x2838f3840; eventLabel: OpenApplication(sceneID:com.atebits.Tweetie2-default)ForRequester(frida-server.957); display: Main; source: FBSystemService> {
Mar 19 14:52:56 iPhone frida-server(com.apple.FrontBoard.Common)[957] <Notice>: [FBSSystemService][0x308b] Request successful: <BSProcessHandle: 0x10641c470; Twitter:1372; valid: YES>
Mar 19 14:52:56 iPhone kernel_task[0] <Notice>: AMFI: '/private/var/mobile/Containers/Data/Application/FA60F7E2-12EF-45E0-A318-463A0405714E/tmp/frida-L0QT00.dylib' has no CMS blob?
Mar 19 14:52:56 iPhone kernel_task[0] <Notice>: AMFI: '/private/var/mobile/Containers/Data/Application/FA60F7E2-12EF-45E0-A318-463A0405714E/tmp/frida-L0QT00.dylib': Unrecoverable CT signature issue, bailing out.
Mar 19 14:52:56 iPhone frida-server(com.apple.runningboard.general)[957] <Notice>: Caching handle <private>, with ipc id 69d3d730000055c, and pid 1372
Mar 19 14:52:56 iPhone SpringBoard(com.apple.FrontBoard.Process)[1240] <Notice>: [application<com.atebits.Tweetie2>:1372] SpringBoard requested termination ("killed from Frida")
Mar 19 14:52:56 iPhone SpringBoard(com.apple.FrontBoard.Process)[1240] <Notice>: [application<com.atebits.Tweetie2>:1372] Received termination request: <FBSProcessTerminationRequest: 0x281f48140; label: "killed from Frida"; exceptionCode: "User Initiated Quit (0xDEADFA11)"; performGracefully: YES; reportType: (none); explanation: "killed from Frida">
Mar 19 14:52:56 iPhone frida-server(com.apple.runningboard.general)[957] <Notice>: Caching handle <private>, with ipc id 69d3d730000055c, and pid 1372
Mar 19 14:52:56 iPhone frida-server(com.apple.runningboard.general)[957] <Notice>: Caching handle <private>, with ipc id 69d3d730000055c, and pid 1372
Mar 19 14:52:56 iPhone frida-server(com.apple.runningboard.general)[957] <Notice>: Caching handle <private>, with ipc id 69d3d730000055c, and pid 1372
Mar 19 14:52:56 iPhone frida-server(com.apple.runningboard.general)[957] <Notice>: Caching handle <private>, with ipc id 69d3d730000055c, and pid 1372
Mar 19 14:52:57 iPhone frida-server(com.apple.runningboard.general)[957] <Notice>: Caching handle <private>, with ipc id 69d3d730000055c, and pid 1372
Mar 19 14:52:57 iPhone frida-server(com.apple.runningboard.general)[957] <Notice>: Caching handle <private>, with ipc id 69d3d730000055c, and pid 1372
Mar 19 14:52:57 iPhone frida-server(com.apple.runningboard.general)[957] <Notice>: Caching handle <private>, with ipc id 69d3d730000055c, and pid 1372
Mar 19 14:52:57 iPhone frida-server(com.apple.runningboard.general)[957] <Notice>: Caching handle <private>, with ipc id 69d3d730000055c, and pid 1372
Mar 19 14:52:57 iPhone runningboardd(com.apple.runningboard.connection)[960] <Notice>: [daemon<re.frida.server>:957] handle lookup could not find a matching process
Mar 19 14:52:57 iPhone frida-server(com.apple.runningboard.shim)[957] <Notice>: BKSApplicationStateMonitor updated with invalid process
Never mind, works fine if I use the process name from frida-ps -H 192.168.1.110, which is Twitter. But with bundle ID it tries to launch the app but fails.
+1 I am facing the same issue with using bundle ID.
This worked for me.
First get the PID of the running application:
frida-ps -Ua
Then use the PID:
objection --gadget <PID> explore
