iPhone Rootkit? There's an App for that! - Reverse Engineering Mac ...

More documents

Recommendations

Info

“All for naught”?Got it working. Super happy! Then it turned out to be a totalwaste of time. Or was it?• Comex released the source about a week after I’d finished testing myfirst PoCSee: http://github.com/comex/star• No use crying over spilled code. Now we just fork and patch thegithub projectSee: http://github.com/emonti/star• But I’d still had more fun the other way. My custom “star” reversingtools for historic sakeSee: http://github.com/emonti/star_reversing_toolsCopyright Trustwave 2010
My “Big Fat Rootkit”… so farCustom-written and patched 3 rd party code for backdoors and kit• I call it “Fat” because it weighs in too large to be considerd “stealthy”• Userland rockin’ it like it’s 1990• Why not: Apple did most of the hard work hiding the underlying system for us• Includes lots of the jailbreak base, but no cydia or other obvious signs of entry• MobileSubstrate and other components turn out to be very handy (more later)• UDP knockd called “bindwatch” fakes its name on argv[0]• Knockd Spawns a bind shell called, wait for it …. “bindshell” also fakes argv[0]• Patched “veency” to stay under the hood• Nice opensource iPhone VNC server by saurik• Runs via a DYLIB in MobileSubstrate• Mostly just removed the GUI config plist from System Preferences• Coded a trivial CLI tool to strap and start veency via darwin notifications without the GUI• Developing some targeted backdoors for “interesting” App Store application classes• More on this later…Copyright Trustwave 2010
Page 5 and 6: iPhone/iOS Security Overview
Page 7 and 8: Architecture OverviewApplications P
Page 9 and 10: Application SecurityCode signing•
Page 11 and 12: Jailbreaking Overview
Page 13 and 14: Jailbreakme.com A Thing to Behold
Page 15 and 16: What it looks likeVisit h'p://jailb
Page 17 and 18: Weaponizing
Page 19: Patch PlanReversing the installui.d
Page 23 and 24: Set-upA vanilla un-jailbroken iPhon
Page 25 and 26: Hardware: Mic and AudioAudio record
Page 27 and 28: Dumping Process DataSeveral interes
Page 29 and 30: Targeting iOS ApplicationsiOS isn
Page 31 and 32: Demo App Backdoor
Page 33 and 34: Binary Reversing Prep (continued…
Page 35 and 36: No More SecretsHint: find the LC
Page 37 and 38: Mach Binary Encryption (continued
Page 39 and 40: What’s your point?For starters…
Page 41 and 42: Objective-C Method HookingIt’s ca
Page 43 and 44: Objective-C Method Hook ExampleLets
Page 45 and 46: Injecting Our LibraryConventionally
Page 47 and 48: ConclusionsLots of security researc
Page 49 and 50: Reversing Redux: The Binary “star
Page 51 and 52: … continued: eggMalformed Times-
Page 53 and 54: class-dump on installui.dylib (aka

iPhone Rootkit? There's an App for that! - Reverse Engineering Mac ...

Create successful ePaper yourself

Delete template?

Save as template?