From 631354c13192c71732643301a9efc76477a7af8b Mon Sep 17 00:00:00 2001
From: Nex
Date: Tue, 16 Aug 2022 15:40:28 +0200
Subject: [PATCH] Properly checking any potential domains in Manifest.db records (fixes: #293)
---
 mvt/common/url.py | 24 ++++++++----------------
 mvt/ios/cli.py | 1 -
 mvt/ios/modules/backup/manifest.py | 13 +++++++++++--
 mvt/ios/modules/mixed/safari_history.py | 11 +++++++++--
 4 files changed, 28 insertions(+), 21 deletions(-)
diff --git a/mvt/common/url.py b/mvt/common/url.py
index 6494683..abb8a91 100644
--- a/mvt/common/url.py
+++ b/mvt/common/url.py
@@ -264,7 +264,7 @@ class URL:
 self.top_level = self.get_top_level()
 self.is_shortened = False
- def get_domain(self) -> None:
+ def get_domain(self) -> str:
 """Get the domain from a URL.
 :param url: URL to parse
@@ -273,15 +273,11 @@ class URL:
 :rtype: str
 """
- # TODO: Properly handle exception.
- try:
- return get_tld(self.url,
- as_object=True,
- fix_protocol=True).parsed_url.netloc.lower().lstrip("www.")
- except Exception:
- return None
+ return get_tld(self.url,
+ as_object=True,
+ fix_protocol=True).parsed_url.netloc.lower().lstrip("www.")
- def get_top_level(self) -> None:
+ def get_top_level(self) -> str:
 """Get only the top-level domain from a URL.
 :param url: URL to parse
@@ -290,13 +286,9 @@ class URL:
 :rtype: str
 """
- # TODO: Properly handle exception.
- try:
- return get_tld(self.url,
- as_object=True,
- fix_protocol=True).fld.lower()
- except Exception:
- return None
+ return get_tld(self.url,
+ as_object=True,
+ fix_protocol=True).fld.lower()
 def check_if_shortened(self) -> bool:
 """Check if the URL is among list of shortener services.
diff --git a/mvt/ios/cli.py b/mvt/ios/cli.py
index 7c3f916..90283f8 100644
--- a/mvt/ios/cli.py
+++ b/mvt/ios/cli.py
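Review bot: In the second hunk the re-added `return get_tld(...).parsed_url.netloc.lower().lstrip("www.")` strips any leading run of the characters `w` and `.`, not the prefix `www.`, so a host such as `wwe.example.com` comes back as `e.example.com` and every host that starts with `w` is truncated before it is compared against indicators; use `.removeprefix("www.")` (Python 3.9+) or an explicit `startswith("www.")` check. Removing the `try`/`except` in `get_domain` and `get_top_level` also changes the contract: `URL(...)` now lets whatever `get_tld` raises escape from `__init__` on anything it cannot parse, so every caller has to catch, and both docstrings should say so with a `:raises:` entry and drop the `:param url:` line, since the methods read `self.url` and take no argument. The first hunk's lines appear to sit inside `__init__`, and `check_if_shortened` in the third hunk continues outside it.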
@@ -151,7 +151,6 @@ def extract_key(password, key_file, backup_path):
 @click.argument("BACKUP_PATH", type=click.Path(exists=True))
 @click.pass_context
 def check_backup(ctx, iocs, output, fast, list_modules, module, backup_path):
- print(backup_path)
 cmd = CmdIOSCheckBackup(target_path=backup_path, results_path=output,
 ioc_files=iocs, module_name=module, fast_mode=fast)
diff --git a/mvt/ios/modules/backup/manifest.py b/mvt/ios/modules/backup/manifest.py
index b295c93..0c3488c 100644
--- a/mvt/ios/modules/backup/manifest.py
+++ b/mvt/ios/modules/backup/manifest.py
@@ -13,6 +13,7 @@ from typing import Optional
 from mvt.common.module import DatabaseNotFoundError
 from mvt.common.utils import convert_datetime_to_iso, convert_unix_to_iso
+from mvt.common.url import URL
 from ..base import IOSExtraction
@@ -99,10 +100,18 @@ class Manifest(IOSExtraction):
 continue
 rel_path = result["relative_path"].lower()
- for ioc in self.indicators.get_iocs("domains"):
- if ioc["value"].lower() in rel_path:
+ parts = rel_path.split("_")
+ for part in parts:
+ try:
+ part_parsed = URL(part)
+ except:
+ continue
+ ioc = self.indicators.check_domain(part)
+ if ioc:
 self.log.warning("Found mention of domain \"%s\" in a backup file with "
 "path: %s", ioc["value"], rel_path)
+ result["matched_indicator"] = ioc
 self.detected.append(result)
 def run(self) -> None:
diff --git a/mvt/ios/modules/mixed/safari_history.py b/mvt/ios/modules/mixed/safari_history.py
index 463e24b..4261953 100644
--- a/mvt/ios/modules/mixed/safari_history.py
+++ b/mvt/ios/modules/mixed/safari_history.py
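Review bot: The bare `except:` around `part_parsed = URL(part)` in the manifest.py hunk catches `BaseException`, so a `KeyboardInterrupt` or `SystemExit` during a scan of a large backup is silently turned into `continue`, and `part_parsed` is never read, so the guard is only a parse filter; narrow it to `except Exception:` and drop the assignment (`URL(part)` on its own). `self.detected.append(result)` also sits inside the `for part in parts` loop with no `break`, so a path whose several `_`-separated fragments all match is appended once per fragment with `result["matched_indicator"]` overwritten each time; a `break` after the append keeps one detection per record. Whether `self.indicators.check_domain(part)` expects a raw fragment or a parsed domain is not visible here; if it expects a domain, the parsed value (`URL(part).domain`) is the one to pass. Splitting on `_` alone deserves a comment such as `# NOTE(review): only "_"-separated fragments are candidate domains; confirm this covers the Manifest.db paths seen in practice`, since fragments joined by `/` or `-` never become candidates. The enclosing method starts before the hunk.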
@@ -60,14 +60,21 @@ class SafariHistory(IOSExtraction):
 if not result["redirect_destination"]:
 continue
- origin_domain = URL(result["url"]).domain
+ try:
+ origin_domain = URL(result["url"]).domain
+ except:
+ origin_domain = ""
 # We loop again through visits in order to find redirect record.
 for redirect in self.results:
 if redirect["visit_id"] != result["redirect_destination"]:
 continue
- redirect_domain = URL(redirect["url"]).domain
+ try:
+ redirect_domain = URL(redirect["url"]).domain
+ except:
+ redirect_domain = ""
+
 # If the redirect destination is the same domain as the origin,
 # it's most likely an HTTPS upgrade.
 if origin_domain == redirect_domain:
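Review bot: Both new `except:` clauses are bare and therefore also swallow `KeyboardInterrupt` and `SystemExit`; `except Exception:` is the right width here, since the url.py hunks now let whatever `get_tld` raises propagate out of `URL(...)`. Falling back to `""` on both sides also makes two unparseable URLs compare equal at `if origin_domain == redirect_domain:`, so such a redirect pair is classified exactly like an HTTPS upgrade, which looks unintended for history records that may be crafted to evade parsing; skip the pair when either side is empty, e.g. `if not origin_domain or not redirect_domain: continue` placed before the comparison, or `continue` directly in the origin's `except` branch. The body of the `if` after the comparison lies outside the hunk, so whether the equal case is skipped or flagged cannot be confirmed from here.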