iOS Dropbear SSH
Latest commit 35ee1f8 Jan 5, 2017

README.md

iOS Dropbear SSH

This is a modified version of Matt Johnston's dropbear ssh daemon to be used on iOS in combination with exploits such as Ian Beer's mach_portal.

Installation

The following description assumes that you followed the instructions to build and run mach_portal.

  • Download and unpack jtool
  • Run xcodebuild -showsdks to determine the iOS SDK version
  • Adjust the JTOOL and SDK variables within build.sh (and ARCH if needed)
  • Run build.sh

Usage

As mach_portal spawns a listening shell on TCP port 4141, the easiest way to launch dropbear is to package it with mach_portal and launch it via netcat. Assuming you have installed iosbinpack, the steps are:

  • Copy dropbear, dropbearkey, dbclient, and dropbearconvert to usr/local/bin within iosbinpack
  • Generate authorized_keys file and store it under etc/dropbear within iosbinpack
  • Recompile mach_portal

Use the -S option of dropbear to pass a chroot-like system environment, i.e. the iosbinpack directory, which is used as a root directory for /bin/sh on all logins.

The following is an example run:

❯ nc 10.0.20.44 4141
id
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),20(staff),29(certusers),80(admin)
# let's start dropbear ssh
dropbear -S /var/containers/Bundle/Application/53860657-F635-4693-90F3-61A6FA550168/mach_portal.app/iosbinpack64/ -E -m -F
[233] Jan 03 15:49:20 Not backgrounding
[235] Jan 03 15:49:25 Child connection from 10.0.20.10:52228
[235] Jan 03 15:49:27 Pubkey auth succeeded for 'root' with key sha1!! 0e:4d:7c:54:8b:f7:b6:ce:5a:19:c6:29:53:9a:39:57:cb:a1:d5:ca from 10.0.20.10:52228
[235] Jan 03 15:49:27 User root executing login shell

Please note that you have to adjust the -S option here to match the iosbinpack within the bundle path of your mach_portal app. In case of mach_portal, the simplest way to do that is dropbear -m -E -S "$(echo $PATH | sed -e 's,/bin.*,,g')".

Moreover, /bin/sh is a copy of zsh, which expects modules to be present in /usr/local/bin. Unless you want to ignore the load error, replace bin/sh in iosbinpack with bash.

FAQ

Why are you releasing this?

With the release of mach_portal, Ian Beer and Google Project Zero have given security researchers a great opportunity to conduct iOS research. At the same time, the TCP bind shell is not very convenient when it comes to exploring the system using multiple sessions, copying files to and from the device, etc. While iosbinpack includes a dropbear version that is compiled for iOS, it lacks the modifications needed to make it work with jailbreaks such as mach_portal. Since only the iosbinpack binaries are distributed, changes could only be made to the binary version, which is not convenient either.

Especially if you are new to iOS research, exploring the system from a shell is a great way to get to know it. At the same time we hope that this can serve as a simple example of how to build native code for iOS devices.

What are the changes?

In order to run, dropbear expects host keys to be present under a fixed directory structure, which doesn't exist on the device. Instead, we generate host keys under our chroot-like system environment (etc/dropbear). It also uses getpwnam entries when determining the login shell, which on an iOS device would be the non-existent /bin/sh file. Based on the -S option, we instead look for bin/sh within that directory structure. Lastly, dropbear can authenticate using passwords and public keys.

Password authentication is sub-optimal as we either would need to allow arbitrary passwords or fall back to the infamous and insecure alpine system password. Public key authentication can be used, but requires key material to be deployed in user home directories. Instead, we simply load an authorized_keys file from within etc/dropbear in our system environment (-S) for all logins.

Why this and not yalu or ..?

We don't aim at providing similar functionality as contained in jailbreaks such as yalu or others that may already package Cydia and ship an ssh server. Instead, we focus on packaging an ssh server only that is useful for exploring the system, while keeping system modifications minimal. There are multiple reasons for this, but first and foremost our intention is to retain the original file system and not cause system changes by using additional vulnerabilities in order to achieve persistence.

Can I use password logins?

In case you insist on enabling password-based logins, remove the BYPASS_PASSWD ifdef in svr-authpasswd.c.

Isn't leaving the original environment a potential security problem?

Not scrubbing the environment can be a security issue. Similarly, not caring about authorized_keys file permissions can be. Since we assume that this is used in a research environment, we decided to leave the original environment for convenience. As mach_portal, for example, adjusts PATH to include the iosbinpack binaries, we don't have to set up these paths again from within dropbear and can drop the user into a decent shell environment.