|
| 1 | +--- |
| 2 | +title: iOS Modern Malware Persistence |
| 3 | +categories: [Post-Exploitation] |
| 4 | +tags: [seashell, persistence, ios, malware] |
| 5 | +pin: true |
| 6 | +author: enty8080 |
| 7 | +--- |
| 8 | + |
| 9 | +{% include embed/video.html src='https://raw.githubusercontent.com/EntySec/SeaShell/main/seashell/data/preview/hook.mp4' %}{: .w-50 .left} |
| 10 | + |
| 11 | +Since the development of [SeaShell](https://github.com/entysec/seashell) iOS post-exploitation framework started, I was thinking about persistence techniques that can be |
| 12 | +applicable to a non-jailbroken (or jailbroken but rootless) iOS systems. So, after few days of brainstorming I came with few ideas that can be used and that I have already implemented in SeaShell. |
| 13 | + |
| 14 | +## Persistence |
| 15 | + |
| 16 | +> Persistence technique explained below can be used in real malware so be careful |
| 17 | +{: .prompt-warning } |
| 18 | + |
| 19 | +Typically, we use `launchctl` to achieve persistence on iOS/macOS. However, on non-jailbroken iOS devices (and even on jailbroken ones nowadays, as they are rootless), the root directory (`/`) is not writable, which means that we cannot write to `/Library/LaunchAgents` or `/Library/LaunchDaemons`. Consequently, we are unable to install a `.plist` file that would launch the payload. |
| 20 | + |
| 21 | +Recognizing the need for a persistence installation method, I came up with an idea: What if we inject the payload into existing user applications? Initially, I considered inserting a dynamic library (`.dylib`) into the bundle executable of an application, but this would require re-signing the binary. Then, I had another idea: we can replace the bundle executable with a custom binary that will first execute the payload and then call the original executable. |
| 22 | + |
| 23 | +{: .w-50 .right} |
| 24 | +Essentially, our custom executable will use the `posix_spawn()` function to execute the payload and then use `execve()` to invoke the original executable. Since `execve()` replaces the current process image with a new one, this is the optimal approach to launch the application. Below, you can find a diagram illustrating this process using the `Calculator.app` as an example. |
| 25 | + |
| 26 | +To perform hooking we need: |
| 27 | + |
| 28 | +1. Patch `Info.plist` and add `CFBundleBase64Hash` containing base64 representation of `<host>:<port>` to connect back to. |
| 29 | +2. Move `Calculator` to `Calculator.hooked`. (`CFBundleExecutable` for other applications) |
| 30 | +3. Upload custom executable that will perform the loading and call it `Calculator` (`CFBundleExecutable` for other applications). |
| 31 | +4. Upload `mussel` payload that will call Pwny and perform connection. |
| 32 | +5. Perform `chmod` operations on both custom executable and `mussel`, otherwise `posix_spawn()` will die with `error 13` which is `Permission denied`. |
0 commit comments