SeaShell Framework is an iOS post-exploitation framework that enables you to access the device remotely, control it and extract sensitive information.
- IPA generator - All you need to do is generate an IPA file and install it on a target's device via TrollStore or other IPA installer that bypasses CoreTrust. After app was installed, a target simply need to run an app single time (he may close application completely after this).
- Powerful Implant - SeaShell Framework uses the advanced and powerful payload with lots of features. It is called Pwny. You can extend it by adding your own post-exploitation modules or plugins.
- Basic Set - SeaShell Framework comes with basic set of post-exploitation modules that may exfiltrate following user data: SMS, VoiceMail, Safari history and much more.
- Encrypted communication - Communication between device and SeaShell is encrypted using the TLS 1.3 encryption by default.
- Regular updates - SeaShell Framework is being actively updated, so don't hesitate and leave your feature request!
To install SeaShell Framework you just need to type this command in your terminal:
pip3 install git+https://github.com/EntySec/SeaShell
After this SeaShell can be started with seashell
command.
To update SeaShell and get new commands run this:
pip3 install --force-reinstall git+https://github.com/EntySec/SeaShell
Simply generate custom IPA file or patch existing one and install it on target's iPhone or iPad via TrollStore or other IPA installer that bypasses CoreTrust.
Then you will need to start a listener on a host and port you added to your IPA. Once the installed application opens, you will receive a connection.
Once you have received the connection, you will be able to communicate with the session through a Pwny interactive shell. Use devices -i <id>
to interact and help
to view list of all available commands. You can even extract Safari history like in the example below.
Wide range of iOS versions are supported, since all of them are vulnerable to CoreTrust bug. They can be iOS 14, 15, 16 or early 17.
Pwny is a powerful implant with plenty of features including evasion, dynamic extensions and much more. It is embedded into the second phase of SeaShell Framework attack. These are all phases:
- 1. IPA file installed and opened.
- 2. Pwny is loaded through
posix_spawn()
. - 3. Connection established and Pwny is ready to receive commands.
SeaShell was just released and is in BETA stage for now. If you find a bug or some function that does not work we will be glad if you immediately submit an issue describing a problem. The more details the issue contains the faster we will be able to fix it.
- Medium: SeaShell: iOS 16/17 Remote Access
- iDeviceCentral: iOS Malware Makes TrollStore Users Vulnerable To Monitoring, File Extraction & Remote Control on iOS 14 β iOS 17
- TheAppleWiki: SeaShell
Note that the code and methods provided in this repository must not be used for malicious purposes and should only be used for testing and experimenting with devices you own. Please consider out Terms of Service before using the tool.