
How to get the remote/peer IP address from an SSL/ssl_st structure in C?


The things I have previously tried are getting the socket fd from SSL_get_wfd and then passing it to getpeername. I also looked at the BIO object/functions but without any luck. I attempted to look at the OpenSSL implementation in /usr/include/openssl, but then again with no luck.

Does anyone know how to get the remote IP address (and port) to which an openSSL socket is connected?

Some context:

socket fd: 64 // the file descriptor doesn't look incorrect (to me)
after getaddress, socklen: 28 // the length of the plausible address also looks correct
sockaddr ptr: 0x7b0b0fcac0, val: 0x0 // the pointer is empty despite being allocated :(

edit: the documentation I based my work on: https://docs.huihoo.com/doxygen/openssl/1.0.1c/structssl__st.html


Solution

  • Frida has nice features related to Sockets.

    var address = Socket.peerAddress(fd);
    // Assert address not null
    console.log(fd, address.ip + ':' + address.port);
    

    View socket activity:

    Process
      .getModuleByName({ linux: 'libc.so', darwin: 'libSystem.B.dylib', windows: 'ws2_32.dll' }[Process.platform])
      .enumerateExports().filter(ex => ex.type === 'function' && ['connect', 'recv', 'send', 'read', 'write'].some(prefix => ex.name.indexOf(prefix) === 0))
      .forEach(ex => {
        Interceptor.attach(ex.address, {
          onEnter: function (args) {
            var fd = args[0].toInt32();
            if (Socket.type(fd) !== 'tcp')
              return;
            var address = Socket.peerAddress(fd);
            if (address === null)
              return;
            console.log(fd, ex.name, address.ip + ':' + address.port);
          }
        })
      })
    

    Output example

    $ frida -Uf com.example.app -l script.js --no-pause
    [Android Model-X::com.example.app]-> 
    117 write 5.0.2.1:5242
    117 read 5.0.2.1:5242
    135 write 5.0.2.1:4244
    135 read 5.0.2.1:4244
    135 read 5.0.2.1:4244
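
For the C side of the question, an added example (not code from the question or the answer): resolving the peer of a connected descriptor, such as the one returned by SSL_get_wfd, with getpeername into a caller-owned sockaddr_storage. The socklen of 28 reported in the question matches sizeof(struct sockaddr_in6) on Linux, so the example handles IPv6 and IPv4-mapped peers; the function names format_sockaddr and peer_from_fd are hypothetical.

```c
/* Added example: resolve the peer of a connected socket fd (e.g. the value
 * returned by SSL_get_wfd) into printable ip + port. No OpenSSL needed here. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Format an AF_INET / AF_INET6 sockaddr. Returns 0 on success, -1 otherwise. */
int format_sockaddr(const struct sockaddr *sa, socklen_t len,
                    char *ip, size_t iplen, uint16_t *port)
{
    if (sa->sa_family == AF_INET && len >= sizeof(struct sockaddr_in)) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)sa;
        *port = ntohs(in4->sin_port);
        return inet_ntop(AF_INET, &in4->sin_addr, ip, iplen) ? 0 : -1;
    }
    if (sa->sa_family == AF_INET6 && len >= sizeof(struct sockaddr_in6)) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)sa;
        *port = ntohs(in6->sin6_port);
        /* Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d; unwrap them. */
        if (IN6_IS_ADDR_V4MAPPED(&in6->sin6_addr))
            return inet_ntop(AF_INET, &in6->sin6_addr.s6_addr[12], ip, iplen) ? 0 : -1;
        return inet_ntop(AF_INET6, &in6->sin6_addr, ip, iplen) ? 0 : -1;
    }
    return -1; /* AF_UNIX, unknown family, or truncated address */
}

/* Look up the peer of fd. The buffer is a caller-owned sockaddr_storage and
 * len is initialised to its size before the call, as getpeername requires. */
int peer_from_fd(int fd, char *ip, size_t iplen, uint16_t *port)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);

    memset(&ss, 0, sizeof(ss));
    if (getpeername(fd, (struct sockaddr *)&ss, &len) != 0)
        return -1; /* errno: EBADF, ENOTSOCK, ENOTCONN, ... */
    return format_sockaddr((const struct sockaddr *)&ss, len, ip, iplen, port);
}
```

Pass a buffer of at least INET6_ADDRSTRLEN bytes for ip; a return of -1 from peer_from_fd leaves the reason in errno when getpeername itself failed.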