Killing Apps on a jailbroken phone - ios

I am trying to create an app that kills other apps on my jailbroken phone. I have tried many different kill commands but none of them seem to do the trick. I am wondering if anybody has found a kill command that works?

There's a handful of ways to get root privileges on Unix systems; I don't know what would be most appropriate for your jail-broken iOS device, but I can at least outline what's possible on the underlying platform:
Install your program setuid root:
chown root:root /path/to/program/executable
chmod 04755 /path/to/program/executable
When your program runs, it will run as root and have the full privileges and responsibilities of root.
Use a setuid root helper program, such as su(1) or sudo(8) to run your program as root:
sudo /path/to/program/executable
Configure the system startup tools to run your program with root privileges at boot time; this is much more complicated for me to describe, since system boot is extremely system dependent. Look for /etc/inittab or /etc/rc* as starting points. (Maybe iOS uses the newer launchd?)

Related

FATAL: Running as root without --no-sandbox is not supported using Electron 7.1.3. on Debian 8, 9

I installed Electron 7.1.3; when I try to run the app, this error appears:
FATAL:atom_main_delegate.cc(211)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180
This happens when I use Debian 8 or 9. I used it on Windows and it runs with no problem. I searched for information about this problem but didn't find anything concrete about Electron and Debian, only: run electron --no-sandbox
If someone knows how to solve this, I want to use Debian here.
I had a similar issue when I ran my Electron app with sudo:
sudo ./MyElectronApp
[5612:0301/101026.813638:FATAL:electron_main_delegate.cc(211)] Running as root without --no-sandbox is not supported. See https://crbug.com/638180.
so in order to add the --no-sandbox parameter I did:
sudo ./MyElectronApp --no-sandbox
and it worked!! :)
I thought I had to build my app with the parameter, but that does not work.
Quote from Process Sandboxing to explain what a sandbox does:
One key security feature in Chromium is that processes can be executed within a sandbox. The sandbox limits the harm that malicious code can cause by limiting access to most system resources — sandboxed processes can only freely use CPU cycles and memory. To perform operations requiring additional privilege, sandboxed processes use dedicated communication channels to delegate tasks to more privileged processes.
In Chromium, sandboxing is applied to most processes other than the main process. This includes renderer processes, as well as utility processes such as the audio service, the GPU service, and the network service.
And quote from Disabling Chromium's sandbox (testing only):
You can also disable Chromium's sandbox entirely with the --no-sandbox CLI flag, which will disable the sandbox for all processes (including utility processes). We highly recommend that you only use this flag for testing purposes, and never in production.
To disable it, run <your-app-name> --no-sandbox.
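The point of the quoted docs is that running as root is the condition to remove, not the sandbox. As an added example (not code from the question or answers), here is a launcher policy around the command from the answer: it keeps the sandbox for unprivileged users, drops from root to an assumed service account (SERVICE_USER, via util-linux setpriv) instead of adding --no-sandbox, and only appends the flag in an explicit test mode.

```python
"""Added example, not code from the question or answers above: a launcher
policy that treats "running as root" as the bug to fix rather than reaching
for --no-sandbox. The app path is the one from the answer; SERVICE_USER is an
assumed unprivileged account and setpriv (util-linux) is assumed present."""
import os
import shlex

APP = "./MyElectronApp"      # the binary from the answer above
SERVICE_USER = "electron"    # assumption: unprivileged account to drop to


def plan_launch(argv, euid, allow_unsandboxed=False):
    """Return the argv to exec, or raise if the combination is unsafe.

    not root          -> run as-is, Chromium's sandbox stays enabled
    root, normal mode -> re-exec under SERVICE_USER so the sandbox still applies
    root, test mode   -> append --no-sandbox (the docs' "testing only" case)
    """
    args = list(argv)
    if "--no-sandbox" in args and not allow_unsandboxed:
        raise PermissionError("--no-sandbox is only permitted in test mode")
    if euid != 0:
        return [APP, *args]
    if allow_unsandboxed:
        return [APP, *args, "--no-sandbox"]
    # 'sudo ./MyElectronApp' lands here: drop privileges instead of the sandbox
    return ["setpriv", f"--reuid={SERVICE_USER}", f"--regid={SERVICE_USER}",
            "--init-groups", APP, *args]


if __name__ == "__main__":
    import sys
    test_mode = os.environ.get("ELECTRON_TEST_MODE") == "1"
    cmd = plan_launch(sys.argv[1:], os.geteuid(), allow_unsandboxed=test_mode)
    print("exec:", shlex.join(cmd))
    os.execvp(cmd[0], cmd)
```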

I2C device not available as /dev/i2c-1 (Preview 5 and 6/6.1)

Google has changed and removed the i2c device from the /dev/ path.
They add/remove the device if you are using this:
I2cDevice dev = pService.openI2cDevice("I2C1", 0x68)
And the /dev/i2c-1 is gone if you disconnect the I2C device: dev.close();
This is the reason why you do not have access via:
open("/dev/i2c-1", O_RDWR);
(this was possible in Version 4.1 without issues)
So now Google has made it complicated... and the question is, how can I bring back the device i2c-1 after boot?
@Kyle, what you're doing may work, but it definitely isn't supported by Android Things. When Android Things leaves developer preview, you may no longer be able to directly access device files at all (due to the device being in SELinux enforcing mode).
In the meantime, you can probably execute the following to recreate the device node. At best this is a temporary solution, since you'll have to run these commands every boot (unless you add them to one of the init scripts).
$ adb shell
rpi3:/ $ su
rpi3:/ # mknod /dev/i2c-1 c 89 1
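Since the answer says the mknod has to be repeated every boot, an idempotent version is safer than blindly re-running it. This is an added example, not the answer's own code: it checks the existing node's type and major/minor before doing anything, and refuses to replace a node that already exists with different numbers.

```python
"""Added example, not from the answer above: recreate /dev/i2c-1 only when it is
missing and refuse to clobber a node that already exists with other numbers.
Major 89, minor 1 are the i2c-dev numbers from the mknod command; a real
(non-dry-run) mknod needs root, as in the adb shell session shown."""
import os
import stat

I2C_MAJOR = 89  # Linux i2c-dev character-device major


def node_status(path, major, minor):
    """'missing', 'ok', 'wrong-numbers' or 'not-chardev' for the node at path."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISCHR(st.st_mode):
        return "not-chardev"
    if (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
        return "wrong-numbers"
    return "ok"


def ensure_i2c_node(path="/dev/i2c-1", bus=1, dry_run=False):
    """Create the node if absent. Returns 'present', 'created' or, in dry-run
    mode, 'would-create'; raises instead of replacing a conflicting node."""
    status = node_status(path, I2C_MAJOR, bus)
    if status == "ok":
        return "present"
    if status != "missing":
        raise RuntimeError(f"{path} exists but is {status}; not touching it")
    if dry_run:
        return "would-create"
    os.mknod(path, stat.S_IFCHR | 0o600, os.makedev(I2C_MAJOR, bus))
    return "created"


if __name__ == "__main__":
    # Without root, only report what would happen.
    print(ensure_i2c_node(dry_run=os.geteuid() != 0))
```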

Bash on iOS issue

When any application uses bash to launch its executables as root, iOS registers the bash script as the main executable instead of the intended executable.
The problem is that I cannot turn off cellular access to these applications, because iOS calls the script rather than the application's executable and nothing happens.
I found a partial method that works, but it's not practical because the application loses root capabilities; it does, however, allow the Settings app to disable cellular data for the application:
Remove the bash script,
Rename the app's main executable to the bash script's name,
Reboot.
Can I do anything to solve this?
Thanks, Jason.

Install non-UI app on jailbroken device via AFC2

I am trying to install an app to a jailbroken iPhone from PC via USB (using AFC2), for personal research. The app is actually an installer, so it has no UI.
My two biggest problems are: I don't know any API to run a command via USB services, to run the binary after copying.
Then, I installed a LaunchDaemon plist to start my installer, but it seems that the binary is copied with no execution rights (maybe a limitation in AFC2), so the launch daemon fails.
So now I am stuck. Do you have any ideas?
UPDATE
Thanks to creker I made some steps towards achieving my goal. He provided me with several solutions, but I chose the automatic DEB install via Cydia, since it looks like the most simple and elegant method of all.
Nevertheless, I hit some bumps with this method as well:
Now I am able to successfully install the .deb file via Cydia; I load the app and a launch daemon in the deb, but the launch daemon is unable to start the app, since installd fails to validate the app, which was fake-signed with ldid (I thought ldid signing was sufficient for running in a jailbroken environment); so I guess either I sign it for real or I use a tweak like AppSync to bypass validation.
I also tried the following formula: a launch daemon to launch a bash script, which then starts the app, since I saw that Cydia and OpenSSH register some launch daemons like that, but my script / launch daemon is ignored, so I presume there is a trick somewhere. Am I missing something here?
Do you have WiFi? If not, you can use USB tunneling. Then you can SCP your app onto the device and install it with SSH (give it the permissions you need and then launch). That's enough for testing. Or you can pack it into a Debian package with a postinst script that will do all the installation. Debian packages can be installed manually through SSH and the deb -i command. Or you can copy it into /var/root/Media/Cydia/AutoInstall and it will be installed automatically on device boot.
As for root:wheel, you can do this in your postinst script. The script by default is executed with root permissions. Just set all necessary permissions in it for all your files. If it's a daemon, you can even manually add it to launchd and launch it immediately.

How do you run CMD.exe under the Local System Account?

I'm currently running Vista and I would like to manually complete the same operations as my Windows Service. Since the Windows Service is running under the Local System Account, I would like to emulate this same behavior. Basically, I would like to run CMD.EXE under the Local System Account.
I found information online which suggests launching CMD.exe using the DOS Task Scheduler AT command, but I received a Vista warning that "due to security enhancements, this task will run at the time expected but not interactively." Here's a sample command:
AT 12:00 /interactive cmd.exe
Another solution suggested creating a secondary Windows Service via the Service Control (sc.exe) which merely launches CMD.exe.
C:\sc create RunCMDAsLSA binpath= "cmd" type=own type=interact
C:\sc start RunCMDAsLSA
In this case the service fails to start and results in the following error message:
FAILED 1053: The service did not respond to the start or control request in a timely fashion.
The third suggestion was to launch CMD.exe via a Scheduled Task. Though you may run scheduled tasks under various accounts, I don't believe the Local System Account is one of them.
I've tried using Runas as well, but I think I'm running into the same restriction as found when running a scheduled task.
Thus far, each of my attempts has ended in failure. Any suggestions?
Though I haven't personally tested, I have good reason to believe that the above stated AT COMMAND solution will work for XP, 2000 and Server 2003. Per my and Bryant's testing, we've identified that the same approach does not work with Vista or Windows Server 2008 -- most probably due to added security and the /interactive switch being deprecated.
However, I came across this article which demonstrates the use of PSTools from SysInternals (which was acquired by Microsoft in July, 2006.) I launched the command line via the following and suddenly I was running under the Local Admin Account like magic:
psexec -i -s cmd.exe
PSTools works well. It's a lightweight, well-documented set of tools which provides an appropriate solution to my problem.
Many thanks to those who offered help.
Download psexec.exe from Sysinternals.
Place it in your C:\ drive.
Logon as a standard or admin user and use the following command: cd \. This places you in the root directory of your drive, where psexec is located.
Use the following command: psexec -i -s cmd.exe where -i is for interactive and -s is for system account.
When the command completes, a cmd shell will be launched. Type whoami; it will say 'system'.
Open taskmanager. Kill explorer.exe.
From an elevated command shell type start explorer.exe.
When explorer is launched notice the name "system" in start menu bar. Now you can delete some files in system32 directory which as admin you can't delete or as admin you would have to try hard to change permissions to delete those files.
Users who try to rename or delete system files in any protected directory of Windows should know that all Windows files are protected by DACLs. While renaming a file, you have to change the owner: replace TrustedInstaller, which owns the file, with any user (such as one who belongs to the Administrators group) as owner of the file, then try to rename it after changing the permission; it will work. While you are running Windows Explorer with kernel privileges you are somewhat limited in terms of network access for security reasons, and it is still a research topic for me to get access back.
Found an answer here which seems to solve the problem by adding /k start to the binPath parameter. So that would give you:
sc create testsvc binpath= "cmd /K start" type= own type= interact
However, Ben said that didn't work for him and when I tried it on Windows Server 2008 it did create the cmd.exe process under local system, but it wasn't interactive (I couldn't see the window).
I don't think there is an easy way to do what you ask, but I'm wondering why you're doing it at all? Are you just trying to see what is happening when you run your service? Seems like you could just use logging to determine what is happening instead of having to run the exe as local system...
Using Secure Desktop to run cmd.exe as system
We can get kernel access through CMD in Windows XP/Vista/7/8.1 easily by attaching a debugger:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
Run CMD as Administrator
Then use this command in elevated CMD:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
Then run osk (on-screen keyboard). It still does not run with System integrity level if you check through Process Explorer, but if you can use OSK in the service session, it will run as NT Authority\SYSTEM,
so I had the idea that you have to run it on the Secure Desktop.
Start any file as Administrator. When UAC prompts appear, just press Win+U and start OSK and it will start CMD instead. Then in the elevated prompt, type whoami and you will get NT Authority\System. After that, you can start Explorer from the system command shell and use the System profile, but you are somewhat limited what you can do on the network through SYSTEM privileges for security reasons. I will add more explanation later as I discovered it a year ago.
A Brief Explanation of how this happens
Running Cmd.exe under the Local System account without using PsExec. This method uses the debugger trap technique that was discovered earlier. This technique has its own benefits: it can be used to trap some crafty/malicious worm or malware in the debugger and run some other exe instead, to stop the spread or damage temporarily. Here this registry key traps the on-screen keyboard in the Windows native debugger and runs cmd.exe instead, but cmd will still run with the logged-on user's privileges; however, if we run cmd in session 0 we can get a system shell. So we add another idea here: we spawn cmd on the Secure Desktop. Remember that the Secure Desktop runs in session 0 under the system account, and we get a system shell. So whenever you run anything elevated, you have to answer the UAC prompt, and UAC prompts on a dark, non-interactive desktop; once you see it, you have to press Win+U and then select OSK and you will get CMD.exe running under Local System privileges. There are even more ways to get Local System access with CMD.
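The registry key above is an Image File Execution Options (IFEO) Debugger entry, which is also what a defender looks for when checking whether a host has been tampered with this way. As an added example (not from any of the answers), here is a detector that reads the text of a 'reg export' of the IFEO key and flags Debugger values that launch something other than a known debugger; the sample export and the allow-list are constructed.

```python
"""Added example, not from any answer above: a detector for the Image File
Execution Options (IFEO) 'Debugger' hijack the osk.exe trick relies on. Input is
the text of a 'reg export' of the IFEO key (decode UTF-16 first); the sample
export and KNOWN_DEBUGGERS allow-list below are constructed."""
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")
# Assumption: tune this to the debuggers actually deployed on your hosts.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe", "cdb.exe"}

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe]
"Debugger"="C:\\windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Program Files\\VS\\Common7\\IDE\\vsjitdebugger.exe\" -p %ld -e %ld"
"""


def extract_exe(raw):
    """Turn a .reg string value into the executable path it would launch."""
    s = raw.strip()
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    s = s.replace('\\"', '"').replace("\\\\", "\\")  # undo .reg escaping
    return s[1:].split('"', 1)[0] if s.startswith('"') else s.split(" ", 1)[0]


def iter_ifeo_values(text):
    """Yield (image, value_name, raw_data) for every value under an IFEO subkey."""
    image = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            inside = key.startswith(IFEO_KEY + "\\")
            image = key[len(IFEO_KEY) + 1:].split("\\")[0].lower() if inside else None
        elif image and "=" in line:
            name, _, data = line.partition("=")
            yield image, name.strip('"').lower(), data


def find_ifeo_hijacks(text):
    """Images whose Debugger value runs something that is not a known debugger."""
    hits = []
    for image, name, data in iter_ifeo_values(text):
        if name == "debugger":
            exe = extract_exe(data)
            if exe.rsplit("\\", 1)[-1].lower() not in KNOWN_DEBUGGERS:
                hits.append((image, exe))
    return hits
```

On the constructed sample, only the osk.exe entry is reported; the vsjitdebugger.exe entry is the legitimate shape Visual Studio installs.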
An alternative to this is Process Hacker: if you go into Run as... (Interactive doesn't work for people with the security enhancements, but that won't matter) and when the box opens, put Service into the box type, put SYSTEM into the user box, put C:\Users\Windows\system32\cmd.exe, leave the rest, click OK and boom, you have got a window with cmd in it running as system. Now do the other steps for yourself, because I'm suggesting you know them.
There is another way. There is a program called PowerRun which allows for elevated cmd to be run. Even with TrustedInstaller rights. It allows for both console and GUI commands.
(Comment)
I can't comment yet, so posting here... I just tried the above OSK.EXE debug trick, but regedit instantly closes when I save the filled-in "C:\windows\system32\cmd.exe" into the already created Debugger key, so Microsoft is actively working to block native ways to do this. It is really weird because other things do not trigger this.
Using Task Scheduler does create a SYSTEM CMD, but it is in the system environment and not displayed within a human user profile, so this is also now defunct (though it is logical).
Currently on Microsoft Windows [Version 10.0.20201.1000]
So, at this point it has to be third-party software that mediates this, and further tricks are being more actively sealed by Microsoft these days.
If you can write a batch file that does not need to be interactive, try running that batch file as a service to do what needs to be done.
I use the RunAsTi utility to run as TrustedInstaller (high privilege). The utility can be used even in recovery mode of Windows (the mode you enter by doing Shift+Restart), the psexec utility doesn't work there. But you need to add your C:\Windows and C:\Windows\System32 (not X:\Windows and X:\Windows\System32) paths to the PATH environment variable, otherwise RunAsTi won't work in recovery mode, it will just print: AdjustTokenPrivileges for SeImpersonateName: Not all privileges or groups referenced are assigned to the caller.
Using Task Scheduler, schedule a run of CMDKEY running under SYSTEM with the appropriate arguments /add:, /user: and /pass:.
No need to install anything.
I used Paul Harris's recommendation and created a batch file (.cmd or .bat) with whatever command I needed to run under SYSTEM, and used the scheduled task to run it once.
Then I trigger it as needed and update the batch as needed. So for any command I need to run under SYSTEM, I just update the batch.