SeaShell Framework is an iOS post-exploitation framework that enables you to access the device remotely, control it and extract sensitive information.
Features
- IPA generator - All you need to do is generate an IPA file and install it on a target's device via TrollStore or other IPA installer that bypasses CoreTrust. After app was installed, a target simply need to run an app single time (he may close application completely after this).
- Powerful Implant - SeaShell Framework uses the advanced and powerful payload with lots of features. It is called Pwny. You can extend it by adding your own post-exploitation modules or plugins.
- Basic Set - SeaShell Framework comes with basic set of post-exploitation modules that may exfiltrate following user data: SMS, VoiceMail, Safari history and much more.
- Encrypted communication - Communication between device and SeaShell is encrypted using the TLS 1.3 encryption by default.
- Regular updates - SeaShell Framework is being actively updated, so don't hesitate and leave your feature request!
Installation
To install SeaShell Framework you just need to type this command in your terminal:
pip3 install git+https://github.com/EntySec/SeaShellAfter this SeaShell can be started with seashell command.
Updating
To update SeaShell and get new commands run this:
pip3 install --force-reinstall git+https://github.com/EntySec/SeaShellUsage
Generating IPA
Simply generate custom IPA file or patch existing one and install it on target's iPhone or iPad via TrollStore or other IPA installer that bypasses CoreTrust.
Starting listener
Then you will need to start a listener on a host and port you added to your IPA. Once the installed application opens, you will receive a connection.
Accessing device
Once you have received the connection, you will be able to communicate with the session through a Pwny interactive shell. Use devices -i <id> to interact and help to view list of all available commands. You can even extract Safari history like in the example below.
Available commands
Find the map of available commands. New commands/modules being added regularly so this list might be outdated.
Covering them All
A wide range of iOS versions are supported, being 14.0 beta 2 - 16.6.1, 16.7 RC, and 17.0 beta 1 - 17.0, as these versions are vulnerable to the CoreTrust bug.
Endless Capabilities
Pwny is a powerful implant with plenty of features including evasion, dynamic extensions and much more. It is embedded into the second phase of SeaShell Framework attack. These are all phases:
- 1. IPA file installed and opened.
- 2. Pwny is loaded through
posix_spawn(). - 3. Connection established and Pwny is ready to receive commands.
Issues and Bugs
SeaShell was just released and is in BETA stage for now. If you find a bug or some function that does not work we will be glad if you immediately submit an issue describing a problem. The more details the issue contains the faster we will be able to fix it.
External Resources
- Medium: SeaShell: iOS 16/17 Remote Access
- iDeviceCentral: iOS Malware Makes TrollStore Users Vulnerable To Monitoring, File Extraction & Remote Control on iOS 14 – iOS 17
- TheAppleWiki: SeaShell
- One Jailbreak: SeaShell Trojan Horse iOS
Legal Use
Note that the code and methods provided in this repository must not be used for malicious purposes and should only be used for testing and experimenting with devices you own. Please consider out Terms of Service before using the tool.