目前 bfinject 的项目源码仅支持 Dylib 注入的系统为 iOS 11.0 - 11.1.2, 但是现在手头有一台最新越狱的 iOS 11.3,那么怎样使用 bfinject 来脱壳呢?
源码地址:https://github.com/BishopFox/bfinject
Electra 越狱用户:
下载 bfinject 的 tar 压缩包,https://github.com/BishopFox/bfinject/raw/master/bfinject.tar
安装后运行
bash bfinject
会报错:
[!] Unknown jailbreak. Aborting.
查看源码:
#
# Detect LiberiOS vs Electra
#
if[ -f /bootstrap/inject_criticald ];then
# This is Electra
echo"[+] Electra detected."
cp jtool.liberios /bootstrap/usr/local/bin/
chmod +x /bootstrap/usr/local/bin/jtool.liberios
JTOOL=/bootstrap/usr/local/bin/jtool.liberios
cp bfinject4realz /bootstrap/usr/local/bin/
INJECTOR=/bootstrap/usr/local/bin/bfinject4realz
elif[ -f /jb/usr/local/bin/jtool ];then
# This is LiberiOS
echo"[+] Liberios detected"
JTOOL=jtool
INJECTOR=`pwd`/bfinject4realz
else
echo"[!] Unknown jailbreak. Aborting."
exit1
fi
目前最新的 Electra 越狱后系统里找不到文件路径:/bootstrap/inject_criticald,搜索一下inject_reiticald确实存在该文件。
原来如此,bootstrap 目录名更改为 electra 了,
tree-flys-iPhone-7:~ root# ls /electra/
amfid_payload.dylib helloworld inject_criticald jailbreakd jailbreakd_client libjailbreak.dylib pspawn_payload.dylib
考虑到向低版本 iOS 兼容性,尽量减少修改源代码
创建软连接
ln -s /electra /bootstrap
手动创建代码中的文件夹
mkdir /bootstrap/usr
mkdir /bootstrap/usr/local
mkdir /bootstrap/usr/local/bin
完毕后,执行命令 bash bfinject -P AVPlayer.app -L test
tree-flys-iPhone-7:~/bfinject root# bash bfinject -P AVPlayer.app -L test
[+] Electra detected.
bfinject: md5:commandnot found
bfinject: md5:commandnot found
[+] Injecting into'/var/containers/Bundle/Application/B36F534E-DF04-4BBF-987B-EED3E4B3A6AC/AVPlayer.app/AVPlayer'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID DR9UPY28XM and platform entitlements...
jtool /bootstrap/usr/local/bin/ signing error. barfing.
报错的代码行:
# Use random filenames to avoid cached binaries causing "Killed: 9" messages.
RAND=`ddif=/dev/random bs=1 count=16 2>/dev/null | md5`
RANDOM_NAME="${INJECTOR%/*}/`dd if=/dev/random bs=1 count=16 2>/dev/null | md5`"
看上去 md5 文件缺失,这个比较好解决
tree-flys-iPhone-7:~/bfinject root# md5
bash: md5:commandnot found
方法比较多,编译一个 md5 即可;或者采纳 openssl,如openssl md5, 或者使用 GNU 工具命令如md5sum, 注意处理下前缀或后缀。
tree-flys-iPhone-7:~/bfinject root# echo 'itreefly.com' | md5sum
a24c26e8ba09235dab371b04e5b58936 -
tree-flys-iPhone-7:~/bfinject root# echo 'itreefly.com' | md5sum | sed 's/ .*//'
a24c26e8ba09235dab371b04e5b58936
tree-flys-iPhone-7:~/bfinject root# echo 'itreefly.com' | openssl md5
(stdin)= a24c26e8ba09235dab371b04e5b58936
tree-flys-iPhone-7:~/bfinject root# echo 'itreefly.com' | openssl md5 | sed 's/.* //'
a24c26e8ba09235dab371b04e5b58936
尝试使用md5sum替代md5, 修正下代码:
#RAND=`dd if=/dev/random bs=1 count=16 2>/dev/null | md5`
RAND=`ddif=/dev/random bs=1 count=16 2>/dev/null | md5sum | sed's/ .*//'`
#RANDOM_NAME="${INJECTOR%/*}/`dd if=/dev/random bs=1 count=16 2>/dev/null | md5`"
RANDOM_NAME="${INJECTOR%/*}/`dd if=/dev/random bs=1 count=16 2>/dev/null | md5sum | sed 's/ .*//'`"
# Debug info
echo"*** RAND =$RAND"
echo"*** RANDOM_NAME =$RANDOM_NAME"
tree-flys-iPhone-7:~/bfinject root# bash bfinject -P AVPlayer.app -L test
[+] Electra detected.
*** RAND = 1c9cf2572f0064d69005b0e4bd2ae5a2
*** RANDOM_NAME = /bootstrap/usr/local/bin/91432177bcba40fb1d026bcf83203e13
[+] Injecting into'/var/containers/Bundle/Application/B36F534E-DF04-4BBF-987B-EED3E4B3A6AC/AVPlayer.app/AVPlayer'
[+] Getting Team ID from target application...
[+] Thinning dylib into non-fat arm64 image
[+] Signing injectable .dylib with Team ID DR9UPY28XM and platform entitlements...
[bfinject4realz] Calling task_for_pid()forPID 2627.
[bfinject4realz] Calling thread_create() on PID 2627
[bfinject4realz] LookingforROP gadget... found at 0x1849b7118
[bfinject4realz] Fake stack frame at 0x108998000
[bfinject4realz] Calling _pthread_set_self() at 0x184c8471c...
[bfinject4realz] Returned from'_pthread_set_self'
[bfinject4realz] Calling dlopen() at 0x1849b6e7c...
[bfinject4realz] Returned from'dlopen'
[bfinject4realz] Success! Library was loaded at 0x1c0167bc0
[+] So long and thanksforall the fish.
再测试脱壳功能,一切 OK👌
网友评论