tree_fly 发表于 2018-7-19 01:43:16

iOS 11.3 系统如何使用bfinject脱壳

目前bfinject的项目源码仅支持Dylib注入的系统为iOS 11.0 - 11.1.2, 但是现在手头有一台最新越狱的iOS 11.3,那么怎样使用bfinject来脱壳呢?
安装bfinject源码地址:https://github.com/BishopFox/bfinjectElectra越狱用户:下载bfinject的tar压缩包,https://github.com/BishopFox/bfinject/raw/master/bfinject.tar安装后运行 bash bfinject会报错:[!] Unknown jailbreak. Aborting.
分析Unknown jailbrek报错原因
查看源码:#
# Detect LiberiOS vs Electra
#
if [ -f /bootstrap/inject_criticald ]; then
    # This is Electra
    echo "[+] Electra detected."
    cp jtool.liberios /bootstrap/usr/local/bin/
    chmod +x /bootstrap/usr/local/bin/jtool.liberios
    JTOOL=/bootstrap/usr/local/bin/jtool.liberios
    cp bfinject4realz /bootstrap/usr/local/bin/
    INJECTOR=/bootstrap/usr/local/bin/bfinject4realz
elif [ -f /jb/usr/local/bin/jtool ]; then
    # This is LiberiOS
    echo "[+] Liberios detected"
    JTOOL=jtool
    INJECTOR=`pwd`/bfinject4realz
else
    echo "[!] Unknown jailbreak. Aborting."
    exit 1
fi

目前最新的Electra越狱后系统里找不到文件路径:/bootstrap/inject_criticald,搜索一下inject_criticald确实存在该文件。原来如此,bootstrap目录名更改为electra了,
tree-flys-iPhone-7:~ root# ls /electra/
amfid_payload.dylibhelloworldinject_criticaldjailbreakdjailbreakd_clientlibjailbreak.dylibpspawn_payload.dylib
FIX 1考虑到向低版本iOS兼容性,尽量减少修改源代码创建软连接ln -s /electra /bootstrap
手动创建代码中的文件夹mkdir /bootstrap/usr
mkdir /bootstrap/usr/local
mkdir /bootstrap/usr/local/bin
完毕后,执行命令 bash bfinject -P AVPlayer.app -L testtree-flys-iPhone-7:~/bfinject root# bash bfinject -P AVPlayer.app -L test
[+] Electra detected.
bfinject: md5: command not found
bfinject: md5: command not found
[+] Injecting into '/var/containers/Bundle/Application/B36F534E-DF04-4BBF-987B-EED3E4B3A6AC/AVPlayer.app/AVPlayer'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID DR9UPY28XM and platform entitlements...
jtool /bootstrap/usr/local/bin/ signing error. barfing.
分析 md5: command not found原因报错的代码行:    # Use random filenames to avoid cached binaries causing "Killed: 9" messages.
    RAND=`dd if=/dev/random bs=1 count=16 2>/dev/null | md5`
    RANDOM_NAME="${INJECTOR%/*}/`dd if=/dev/random bs=1 count=16 2>/dev/null | md5`"
看上去md5文件缺失,这个比较好解决
tree-flys-iPhone-7:~/bfinject root# md5
bash: md5: command not found
方法比较多,编译一个md5即可;或者采纳openssl,如openssl md5,或者使用GNU工具命令如md5sum,注意处理下前缀或后缀。tree-flys-iPhone-7:~/bfinject root# echo 'chinapyg.com' | md5sum
a24c26e8ba09235dab371b04e5b58936-
tree-flys-iPhone-7:~/bfinject root# echo 'chinapyg.com' | md5sum | sed 's/ .*//'
a24c26e8ba09235dab371b04e5b58936
tree-flys-iPhone-7:~/bfinject root# echo 'chinapyg.com' | openssl md5
(stdin)= a24c26e8ba09235dab371b04e5b58936
tree-flys-iPhone-7:~/bfinject root# echo 'chinapyg.com' | openssl md5 | sed 's/.* //'
a24c26e8ba09235dab371b04e5b58936



FIX 2
尝试使用md5sum替代md5,修正下代码:#RAND=`dd if=/dev/random bs=1 count=16 2>/dev/null | md5`
RAND=`dd if=/dev/random bs=1 count=16 2>/dev/null | md5sum | sed 's/ .*//'`
#RANDOM_NAME="${INJECTOR%/*}/`dd if=/dev/random bs=1 count=16 2>/dev/null | md5`"
RANDOM_NAME="${INJECTOR%/*}/`dd if=/dev/random bs=1 count=16 2>/dev/null | md5sum | sed 's/ .*//'`"

# Debug info
echo "*** RAND = $RAND"
echo "*** RANDOM_NAME = $RANDOM_NAME"
测试注入功能
tree-flys-iPhone-7:~/bfinject root# bash bfinject -P AVPlayer.app -L test
[+] Electra detected.
*** RAND = 1c9cf2572f0064d69005b0e4bd2ae5a2
*** RANDOM_NAME = /bootstrap/usr/local/bin/91432177bcba40fb1d026bcf83203e13
[+] Injecting into '/var/containers/Bundle/Application/B36F534E-DF04-4BBF-987B-EED3E4B3A6AC/AVPlayer.app/AVPlayer'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID DR9UPY28XM and platform entitlements...
Calling task_for_pid() for PID 2627.
Calling thread_create() on PID 2627
Looking for ROP gadget... found at 0x1849b7118
Fake stack frame at 0x108998000
Calling _pthread_set_self() at 0x184c8471c...
Returned from '_pthread_set_self'
Calling dlopen() at 0x1849b6e7c...
Returned from 'dlopen'
Success! Library was loaded at 0x1c0167bc0
[+] So long and thanks for all the fish.
http://itreefly-image.oss-cn-hongkong.aliyuncs.com/Blog-itreefly.com/2018/11531931963_.pic.jpg再测试脱壳功能,一切OK👌

wgz001 发表于 2018-7-19 06:49:18

飞树博士带我们iOS起航

small-q 发表于 2018-7-19 09:37:12

感谢飞树,好文章

MAYL8822 发表于 2018-7-19 09:51:43

666 ios脱壳来一波

phm335 发表于 2018-7-19 14:27:28

12的有希望了

Anakin 发表于 2018-7-19 23:26:54

学习下谢谢楼主分享支持点赞

xiong7799 发表于 2018-7-21 06:53:22

感谢飞树,好文章

Rayor 发表于 2018-7-28 11:36:10

膜拜,好文章

masm 发表于 2018-9-2 10:46:49

本帖最后由 masm 于 2018-9-2 10:48 编辑

楼主见过我这种情况吗? ios 11.2.1

tree_fly 发表于 2018-9-2 17:43:28

masm 发表于 2018-9-2 10:46
楼主见过我这种情况吗? ios 11.2.1

这里的场景是脱App Store里下载的APP的壳。检查下签名信息看看。
页: [1] 2
查看完整版本: iOS 11.3 系统如何使用bfinject脱壳