SeaShell

SeaShell Framework is an iOS post-exploitation framework developed by EntySec that enables you to access a device remotely, control it, and extract sensitive information. The attacker generates an IPA file and starts a TCP listener. The IPA must be installed through TrollStore, or another app that exploits a similar CoreTrust bug, and then launched to execute the payload. The attacker then receives an interactive session with the device. Its default payload is Pwny, whose features include evasion, TLS encryption, and dynamic extensions.

Payload
SeaShell uses an application bundle containing a simple main executable and other executables that launch the Pwny payload. The interactive shell offered by Pwny simplifies interaction with a compromised device. It features a robust interface equipped with essential tools for tasks such as managing the file system, extracting confidential data, uploading files, running programs, and more. Below I have outlined some of the prominent features presently available in this interface.

Basic information
Basic functionality includes collecting essential information about the connected device. might be called to retrieve basic system information and  can be used to check the lock status (device   or  ).

Safari data
At present, it is possible to extract sensitive data from Safari using a few commands. To access the web browsing history, the command  can be used. This command retrieves the database located at  and parses it for information. Similarly, the command  operates in the same manner, allowing you to view saved bookmarks by downloading and parsing the relevant Safari data.

SMS data
The interface also grants access to SMS data. You can list the chats present in the SMS application using the command. To extract the chat history with a specific contact, the command  can be used. Additionally, the  command allows for the retrieval of the contact list from the address book.

Hooking to other applications
The interface provides its own persistence method. Since launchctl is of no use on non-jailbroken (and rootless) phones, the interface uses "hooking": the payload is injected into a chosen application's bundle, and the next time that application is launched the attacker receives a new remote connection. The hook can be installed via the  command and removed via . Below I install a hook into Calculator.app:

Protecting against this attack
In response to numerous online requests, I have prepared a guide on how to reduce the likelihood of falling victim to an attack via the SeaShell framework. Below are my suggestions:

 * 1) Unzip the IPA file that you want to install.
 * 2) Check for suspicious executables in the application bundle (e.g. SeaShell Framework adds an executable called   to its application bundle, which is a representation of the Pwny payload).
 * 3) Read   and search for suspicious entries (e.g. SeaShell adds   to its , which contains a host pair   encoded in base64).
 * 4) Check the hash sum of the file to confirm its integrity.
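As an added example (not SeaShell's code and not part of the original post), a Python inspector that automates the four steps above on an IPA held in memory: it unzips the archive, lists files that start with Mach-O magic bytes, flags top-level Info.plist string values that base64-decode to a host:port pair, and records the archive's SHA-256. The bundle layout, the plist key `ServerInfo`, the extra binary `helper` and the address `192.0.2.10:4444` are constructed for the sample and are not taken from SeaShell.

```python
import base64, hashlib, io, plistlib, re, zipfile

# Mach-O magic bytes at offset 0: thin 32/64-bit images in either byte
# order, plus fat (multi-architecture) images.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca"}
HOST_PAIR = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")

def decode_host_pair(value):
    """Return 'host:port' if value is base64 that decodes to one, else None."""
    if not isinstance(value, str):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return decoded if HOST_PAIR.match(decoded) else None

def inspect_ipa(ipa_bytes):
    """Unzip an IPA in memory; list Mach-O files, flag top-level Info.plist
    string values hiding a base64 host:port pair, record the archive SHA-256."""
    report = {"executables": [], "suspicious": [],
              "sha256": hashlib.sha256(ipa_bytes).hexdigest()}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if data[:4] in MACHO_MAGICS:
                report["executables"].append(name)
            if re.fullmatch(r"Payload/[^/]+\.app/Info\.plist", name):
                for key, value in plistlib.loads(data).items():
                    host = decode_host_pair(value)
                    if host:
                        report["suspicious"].append((key, host))
    return report

def build_sample_ipa(hooked=True):
    """Constructed sample: stub Mach-O headers and, if hooked, an extra binary
    plus a base64 host pair (documentation address) planted in Info.plist."""
    info = {"CFBundleName": "Calc", "CFBundleExecutable": "Calc", "CFBundleVersion": "1.0"}
    if hooked:
        info["ServerInfo"] = base64.b64encode(b"192.0.2.10:4444").decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Calc.app/Info.plist", plistlib.dumps(info))
        zf.writestr("Payload/Calc.app/Calc", b"\xcf\xfa\xed\xfe" + b"\x00" * 28)
        zf.writestr("Payload/Calc.app/icon.png", b"\x89PNG\r\n\x1a\n")
        if hooked:
            zf.writestr("Payload/Calc.app/helper", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
    return buf.getvalue()
```

Run `inspect_ipa(open("app.ipa", "rb").read())` against a real archive; any executable beyond the one named in `CFBundleExecutable`, and any flagged plist value, deserves a closer look before installing.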