A first step into other people's apps

Transcript

1. Evil Things with apps that might not be yours NSLondon

   @Daniel1of1

2. setup [[UIApplication sharedApplication] beginEvilsWithArray:EvilsArray]]

3. Jailbreak your device

4. http://evasion7.com/ OK for 7.0.X *maybe not the one you use

   every day

5. · Install openSSH from cydia · (optional) install cydia Substrate

6. extract debug server from xcode

7. cd /tmp

8. hdiutil attach /Applications/Xcode.app/Contents/... Developer/Platforms/iPhoneOS.platform/... DeviceSupport/7.0/DeveloperDiskImage.dmg

9. cp /Volumes/DeveloperDiskImage/usr/ bin/debugserver .

10. re sign it

11. vim

12. entitlements.plist <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0">

    <dict> <key>com.apple.springboard.debugapplications</key> <true/> <key>get-task-allow</key> <true/> <key>task_for_pid-allow</key> <true/> <key>run-unsigned-code</key> <true/> </dict> </plist>

13. codesign -s - --entitlements entitlements.plist -f debugserver

14. Copy the debug server to the device

15. scp ./debugserver root@[ip_of_ios_device]:/usr/bin/ *the password is 'alpine'

16. Setup summary 1. Jailbreak device 2. Install openSSH on the

    device 3. extract debugserver from xcode 4. sign debugserver to allow it to attach to any process 5. copy over debugserver to device

17. Setup summary 1. Jailbreak device 2. Install openSSH on the

    device 3. extract debugserver from xcode 4. sign debugserver to allow it to attach to any process 5. copy over debugserver to device 6. ??? 7. ??? 8. PROFIT

18. The fun stuff

19. ssh root@[ip_of_ios_device]

20. Daniel-Haights-iPod:~ root#

21. ps -ax | grep .app 26 ?? 9:45.26 /System/Library/CoreServices/SpringBoard.app/SpringBoard 40

    ?? 0:45.37 /System/Library/PrivateFrameworks/IDSCore.framework/identityservicesd.app/identityservicesd 41 ?? 0:36.34 /System/Library/PrivateFrameworks/IMCore.framework/imagent.app/imagent 219 ?? 0:00.53 /System/Library/PrivateFrameworks/CloudServices.framework/Support/EscrowSecurityAlert.app/EscrowSecurityAlert 248 ?? 0:11.39 /Applications/MobileMail.app/MobileMail 405 ?? 0:57.57 /Applications/MobileSMS.app/MobileSMS 1267 ?? 0:15.45 /Applications/AppStore.app/AppStore 1277 ?? 4:53.17 com.apple.imdpersistence.IMDPersistenceAgent 1354 ?? 0:00.19 /System/Library/PrivateFrameworks/CommunicationsFilter.framework/CMFSyncAgent.app/CMFSyncAgent 1496 ?? 0:05.21 com.apple.StreamingUnzipService 1535 ?? 0:02.09 /var/mobile/Applications/ECFB614C-F996-47A9-A32F-96303DA0C49C/UppTalk.app/UppTalk 1542 ?? 0:00.10 /usr/libexec/afcd --xpc --service-name com.apple.crashreportcopymobile -d /private/var/mobile/Library/Logs/CrashReporter 1575 ?? 0:07.00 /Applications/Preferences.app/Preferences 1582 ?? 0:00.54 com.apple.facebook.xpc 1600 ?? 0:20.77 /var/mobile/Applications/C31CF7B6-9B92-4158-9DAD-F1F1897D0B61/Citymapper.app/Citymapper 1605 ?? 0:22.20 /var/mobile/Applications/C019C106-5764-4385-8E48-19DB12A50490/Tweetbot.app/Tweetbot 1632 ?? 0:08.88 /var/mobile/Applications/5F09A19A-469B-4F31-8DB2-9DCE92530940/Paper.app/Paper

22. 1632 ?? 0:08.88 /var/mobile/Applications/ 5F09A19A-469B-4F31-8DB2-9DCE92530940/ Paper.app/Paper

23. debugserver host:port --attach=<pid> debugserver host:port --attach=<process_name>

24. debugserver *:1234 -a "paper"

25. debugserver-300.2 for armv7. Attaching to process paper... Spawning general listening

    thread. Spawning kqueue listening thread. Listening to port 1234 for a connection from *...

26. lldb (lldb)platform select remote-ios (lldb)process connect connect://[ip_of_ios_device]:1234

27. None
28. None

29. po [[UIApplication sharedApplication] delegate]

30. (lldb) po [[UIApplication sharedApplication] delegate] <GFGAppDelegate: 0x14547f40>

31. (lldb) po [[[UIApplication sharedApplication] delegate] window] <UIWindow: 0x146d15a0; frame =

    (0 0; 320 568); autoresize = W+H; gestureRecognizers = <NSArray: 0x146d1bf0>; layer = <UIWindowLayer: 0x146d1680>>
32. None

33. dlopen dlopen -- load and link a dynamic library or

    bundle

34. scp -r /Applications/Reveal.app/Contents/SharedSupport/... iOS-Libraries/Reveal.framework root@localhost:... /System/Library/Frameworks

35. scp /Applications/Reveal.app/Contents/... SharedSupport/iOS-Libraries/libReveal.dylib root@[ip_of_ios_device]:/path/to/ (lldb)expr (void*)dlopen("/path/to/libReveal.dylib", 0x4)

36. scp /Applications/Reveal.app/Contents/SharedSupport/... iOS-Libraries/libReveal.dylib root@[ip_of_ios_device]:/Library/... MobileSubstrate/DynamicLibraries/

37. None

38. Lets make something and put it in someone else's app!

39. None

40. Xcode Can't Handle My dylib

41. clang -dynamiclib -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.1.sdk/ -arch armv7 -framework Foundation NSObject+introspect.m -o

    awesome.dylib

42. export SYSROOT=/Applications/Xcode.app/Contents/... Developer/Platforms/iPhoneOS.platform/... Developer/SDKs/iPhoneOS7.1.sdk/

43. clang -dynamiclib -isysroot ${SYSROOT} -arch armv7 -framework Foundation NSObject+introspect.m -o

    awesome.dylib

44. scp ./awesome.dylib root@[ip_of_ios_device]:... /Library/MobileSubstrate/DynamicLibraries

45. (lldb) po [[[[[UIApplication sharedApplication] delegate] window] rootViewController] propertiesDict]

46. None

47. { findContainer = "<UIView: 0x16ed9ca0; frame = (40 248; 241

    90); autoresize = RM+BM; layer = <CALayer: 0x16ed9d00>>"; findContainerFrame = "NSRect: {{0, 0}, {0, 0}}"; findTadeawaysBttn = "<CSDPlainColorButton: 0x16ed5250; baseClass = UIButton; frame = (1 50; 240 40); opaque = NO; autoresize = RM+TM+BM; layer = <CALayer: 0x16ed0660>>"; joinBttn = "<UIButton: 0x16ed6480; frame = (40 438; 118 30); clipsToBounds = YES; opaque = NO; autoresize = RM+TM+BM; layer = <CALayer: 0x16ed4660>>"; locationBttn = "<UIButton: 0x16dfa250; frame = (218 12; 16 16); opaque = NO; autoresize = RM+TM+BM; layer = <CALayer: 0x16dfa3f0>>"; postCodeTextField = "<UITextField: 0x16ec6050; frame = (20 0; 190 40); text = ''; clipsToBounds = YES; opaque = NO; autoresize = RM+TM+BM; gestureRecognizers = <NSArray: 0x16ed8ae0>; layer = <CALayer: 0x16ed20d0>>"; postCodeTextFieldBG = "<UIView: 0x16ed9d30; frame = (0 0; 241 40); clipsToBounds = YES; alpha = 0.25; autoresize = RM+TM+BM; layer = <CALayer: 0x16ed9d90>>"; signInBttn = "<CSDPlainColorButton: 0x16eb0200; baseClass = UIButton; frame = (163 438; 118 30); opaque = NO; autoresize = RM+TM+BM; layer = <CALayer: 0x16ec5ec0>>"; }

48. (lldb) expr (void) [[[[[[UIApplication sharedApplication] delegate] window]... rootViewController] findTadeawaysBttn] setTitle:@"Maybe

    Just Eat" forState:0] (lldb) c
49. None

50. Qestions?