iOSbd - Install a Persistent Backdoor on Jailbroken iOS Devices

Dyme · 06-29-2015, 11:39 PM

Started this project over a year ago... and finally got around to making the video today.

Brief Overview:
iOSbd is a simple yet practical tool that will allow you to place a persistent backdoor inside of any cydia package desired. iOSbd relies on metasploit for it's payload, and LaunchDaemons for it's persistence.

Video (Skip to 8:44 for live demo):

Github repo: https://github.com/Prochainezo/iOSbd

Reiko · 06-30-2015, 12:29 AM

hehe.. I had something like this a long time ago that would just run an IRC bot through launchd. Nice job.

Dyme · 06-30-2015, 12:48 AM

(06-30-2015, 12:29 AM)Reiko Wrote: hehe.. I had something like this a long time ago that would just run an IRC bot through launchd. Nice job.

huehuehue I may have a version that does exactly that. It's a bit clunky and taped together, so I decided that this would be the 'official' release as it's lighter, cleaner, and more straight forward. Thanks for the approval it means a lot from you sensei.

m0dals0ul · 06-30-2015, 03:20 AM

And this is the reason why I removed my jailbreak packages~
Backdoors are scurrrrrry.

op4nnw3314 · 09-21-2015, 11:45 AM

great post m8.. ive found this quite interesting to read

spjallþráð · 10-04-2015, 06:21 PM

On jailbroken iDevices with Cydia, if you can compile your bit of malware as a dynamically linked/shared library (dylib) for iOS (doable, there are toolchains out there for it, and xCode will do it), you can simply use the bundled cynject dynamically linked/shared library injection tool (how Cydia injects Springboard), to inject your library into an arbitrary process for extra stealth. Just have the __init function in the library call launch a new thread with the backdoor code in it. Obviously, you add this to launchd for post-reboot persistence. Or, you could just recompile a backdoored Springboard library...

Dyme · 10-07-2015, 04:21 AM

(10-04-2015, 06:21 PM)spjallþráð Wrote: On jailbroken iDevices with Cydia, if you can compile your bit of malware as a dynamically linked/shared library (dylib) for iOS (doable, there are toolchains out there for it, and xCode will do it), you can simply use the bundled cynject dynamically linked/shared library injection tool (how Cydia injects Springboard), to inject your library into an arbitrary process for extra stealth. Just have the __init function in the library call launch a new thread with the backdoor code in it. Obviously, you add this to launchd for post-reboot persistence. Or, you could just recompile a backdoored Springboard library...

Thanks for this information; that's a very good idea that I will implement for sure when I have time. I'm working on a much more functional and stealthy version now anyway, so this will help.

Skryptec · 10-07-2015, 01:54 PM

Nice done mate! Smile

11:24 hauahuaah

Penis · 10-08-2015, 05:58 PM

Nice work, much better than my ghetto setup I used to use, launchd for persistence I always wish I found something better but don't know enough about iOS exploitation or internals to figure it out, oh well.

1supercooldude · 05-13-2016, 02:27 AM

it gives me an error when i try to run it on line 54