SeaShell

SeaShell Framework (GitHub) is an iOS post-exploitation framework developed by EntySec that enables you to access a device remotely, control it and extract sensitive information. All an attacker needs to do is generate an IPA file and start a TCP listener. The IPA needs to be installed through TrollStore or another application that exploits the CoreTrust bug, and launched a single time. After this, if the listener and connect-back host were configured correctly, the attacker receives an interactive session with the device. Moreover, SeaShell utilizes a sophisticated payload called Pwny. It has lots of features, including evasion, TLS encryption, dynamic extensions and much more.

You can find more information and demonstrations on EntySec's Blog

How IPA works
An IPA is a compressed application bundle for an iOS application; it contains the main executable, icons, and the other files related to the program. SeaShell utilizes its own application bundle with a simple main executable and a second executable which launches the Pwny payload.

Interactive shell
The interactive shell offered by Pwny simplifies the process of interacting with a compromised device. It features a robust interface equipped with essential tools for various tasks, such as managing the file system, extracting confidential data, uploading files, running programs, and many more capabilities. Below, I have outlined some of the prominent features that are presently available in this interface.

Safari data
At present, it’s possible to extract sensitive data from Safari using a few commands. To access the web browsing history, the command  can be used. This command retrieves the database located at  and parses it for information. Similarly, the command  operates in the same manner, allowing you to view saved bookmarks by downloading and parsing the relevant Safari data.

SMS data
The interface also grants access to SMS data. You can list the chats present in the SMS application using the command. To extract the chat history with a specific contact, the command  can be used. Additionally, the  command allows for the retrieval of the contact list from the address book.

How to protect?
In response to numerous online requests, I’ve prepared a guide on how to reduce the likelihood of falling victim to an attack via the SeaShell framework. Below are my suggestions:

1. Unzip the IPA file that you want to install.
2. Check for suspicious executables in the application bundle (e.g. SeaShell Framework adds an executable called  to its application bundle, which is a representation of the Pwny payload).
3. Read  and search for suspicious entries (e.g. SeaShell adds   to its , which contains a host pair   encoded with base64).
4. Check the MD5 hash sum of the file to verify its integrity.
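Steps 1 to 3 above can be automated. The following is an added example, not code from the SeaShell project or from EntySec: it opens an IPA as a zip archive, lists every Mach-O file inside the bundle (so a second executable next to the main one stands out), and flags any string value in the bundle manifest that base64-decodes to a host:port pair. It assumes the manifest being read is Info.plist, the key name `ExampleConfig` is hypothetical, and the IPA it inspects is constructed in memory for the demonstration.

```python
import base64, io, plistlib, re, zipfile

# Mach-O magic numbers (32/64-bit, both byte orders) plus the fat-binary magic.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe"}
HOST_PORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")

def decodes_to_host_port(value):
    """Return the decoded host:port string if value is base64 of one, else None."""
    if not isinstance(value, str) or len(value) < 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # not base64, or not printable ASCII
        return None
    return text if HOST_PORT.match(text) else None

def inspect_ipa(data):
    """Inspect IPA bytes: list Mach-O executables and base64 host:port entries in Info.plist."""
    executables, suspicious = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as ipa:
        for name in ipa.namelist():
            if not name.startswith("Payload/") or name.endswith("/"):
                continue
            with ipa.open(name) as f:
                head = f.read(4)  # identify executables by magic, not by file name
            if head in MACHO_MAGICS:
                executables.append(name)
            # Only the bundle's top-level manifest: Payload/<App>.app/Info.plist
            if name.count("/") == 2 and name.endswith("/Info.plist"):
                for key, value in plistlib.loads(ipa.read(name)).items():
                    decoded = decodes_to_host_port(value)
                    if decoded:
                        suspicious.append((key, decoded))
    return {"executables": executables, "suspicious_plist_entries": suspicious}

def build_sample_ipa():
    """Constructed sample IPA: a second Mach-O file and an encoded host pair in Info.plist."""
    plist = {"CFBundleExecutable": "Demo", "CFBundleIdentifier": "com.example.demo",
             "ExampleConfig": base64.b64encode(b"192.0.2.10:8888").decode()}  # hypothetical key
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", plistlib.dumps(plist))
        z.writestr("Payload/Demo.app/Demo", b"\xcf\xfa\xed\xfe" + b"\x00" * 16)
        z.writestr("Payload/Demo.app/helper", b"\xcf\xfa\xed\xfe" + b"\x00" * 16)
        z.writestr("Payload/Demo.app/icon.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_ipa(build_sample_ipa()))
```

Run it against a real IPA by passing the file's bytes to `inspect_ipa`; more than one Mach-O file in the bundle, or any decoded host:port entry, is what step 2 and step 3 tell you to look for.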