Lucas Jackson / Version 3.0.0 released January 10th 2018

EggShell


Overview

EggShell is a post-exploitation surveillance tool written in Python. It gives you a command-line session with extra functionality between you and a target machine: uploading and downloading files, tab completion, taking pictures, location tracking, shell command execution, persistence, privilege escalation, password retrieval, and more. Commands are written in a modular fashion, which makes adding your own easy. This project is a proof of concept, intended for use on machines you own.

The idea for EggShell started back in 2014 while I was learning about reverse shells and wanted to build something of my own. Reverse shells in bash are extremely small payloads that let you execute system commands on a remote machine. A reverse shell is spawned after the target machine has run a piece of code crafted to connect back to the server, which makes it useful for reaching a machine hidden behind a firewall. Once the reverse shell is up, the user of the server is in control of the remote machine. Being limited to plain shell commands, I decided to write my own command shell entirely, and that eventually turned into EggShell.


Installation

EggShell's server is written in Python 2.7, which makes it very portable across devices. You can clone the project from GitHub and have it running in seconds.

macOS and Linux
    $ git clone https://github.com/neoneggplant/eggshell
    $ cd eggshell && python eggshell.py

iOS (Jailbroken Only)

Installing on iOS is more of a novelty, but I have had a huge number of requests for it. I have created a Cydia package on my repo for installing on jailbroken iOS devices. This package installs native Python as well as EggShell as a command-line tool. To run it in MobileTerminal or over SSH, simply run the command eggshell.

Cydia repository:

http://lucasjackson.io/repo

Creating A Payload

The payload is what is run on the target machine to establish a session between it and your EggShell server. EggShell offers two payload options: a shell script (bash) or an Arduino sketch.

Bash

When selecting a bash (shell script) payload, you will be prompted for the IP address and port of your EggShell server that the payload will connect back to. The payload shell script is then printed to the terminal.

Teensy (macOS)

When selecting a Teensy payload, you will be prompted for your EggShell server's IP address and port, just as for a bash payload. An Arduino sketch for the Teensy board is then generated in the folder teensy_macOS, relative to where you ran EggShell. This sketch makes the Teensy microcontroller emulate keystrokes over USB when it is plugged in. Those keystrokes open the target device's terminal and paste in the bash payload within a few seconds.


Sessions

The first thing a payload does after it is run on a target machine is download instructions from our server and send back the device type. Once we know which device has connected, an executable payload matching that device is sent back to the target. The target then runs the executable with arguments containing the IP and port of our server. The executable connects to our server and transmits all subsequent data over an SSL-wrapped socket.


Tab Completion

Like most command-line interfaces, EggShell supports tab completion. When you start typing the path to a directory or file, the rest of the path can be completed with the Tab key.
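As an added example of how a Python command shell wires this kind of path completion into GNU readline (this is not EggShell's own code, and the function names and the throwaway fixture built in demo() are mine):

```python
"""Path tab-completion in the style described above.

Added example, not EggShell's own code: it shows how a Python command shell
can wire filesystem path completion into GNU readline. Function names are
mine; the fixture in demo() is constructed."""
import glob
import os
import shutil
import tempfile


def complete_path(text):
    """Return filesystem entries that start with the partial path `text`.

    Directories get a trailing separator so the next <Tab> descends into
    them, and a leading '~/' is expanded (and re-abbreviated in the result)
    the way an interactive shell would."""
    home = os.path.expanduser("~")
    use_tilde = text == "~" or text.startswith("~" + os.sep)
    expanded = home + text[1:] if use_tilde else text
    matches = []
    # glob.escape keeps a literal '*', '?' or '[' in the typed prefix from
    # being treated as a wildcard.
    for entry in sorted(glob.glob(glob.escape(expanded) + "*")):
        shown = "~" + entry[len(home):] if use_tilde else entry
        matches.append(shown + os.sep if os.path.isdir(entry) else shown)
    return matches


def make_completer():
    """Adapt complete_path() to readline's (text, state) calling convention:
    readline calls the completer with state 0, 1, 2, ... until it returns
    None, so the match list is computed once per word and then replayed."""
    cache = {}

    def completer(text, state):
        if state == 0:
            cache["matches"] = complete_path(text)
        matches = cache["matches"]
        return matches[state] if state < len(matches) else None

    return completer


def install_completer():
    """Register the completer; returns False where readline is unavailable
    (for example Windows builds without a readline module)."""
    try:
        import readline
    except ImportError:
        return False
    # readline's default delimiters include '/', which would hand the
    # completer only the last path component; keep whole paths intact.
    readline.set_completer_delims(" \t\n")
    readline.set_completer(make_completer())
    readline.parse_and_bind("tab: complete")
    return True


def demo():
    """Constructed fixture: a throwaway directory holding notes.txt, a
    notes_dir/ subdirectory and an unrelated entry; returns what <Tab>
    would offer after typing '<dir>/not'."""
    root = tempfile.mkdtemp()
    try:
        open(os.path.join(root, "notes.txt"), "w").close()
        os.mkdir(os.path.join(root, "notes_dir"))
        os.mkdir(os.path.join(root, "other"))
        prefix = os.path.join(root, "not")
        return [m[len(root) + 1:] for m in complete_path(prefix)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
    print("readline completer installed:", install_completer())
```

Resetting the completer delimiters matters more than it looks: with readline's defaults the completer is handed only the text after the last '/', so a completer that globs the whole path would silently return nothing for anything deeper than the current directory.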


MultiHandler

The MultiHandler option lets us handle multiple sessions. We can choose to interact with different devices while listening for new connections in the background.

Similar to a command session interface, we can type "help" to show MultiHandler commands.


Taking Pictures

Both iOS and macOS sessions support taking photos. The macOS picture command takes a picture through the built-in front-facing iSight camera, while the iOS version requires one argument specifying the 'front' or 'back' camera.


Recording Audio

Both iOS and macOS sessions support recording audio in the same way. The argument for this command specifies the 'record' or 'stop' action. Recording through the mic runs in the background, so you can execute additional commands while the recording is in progress. Once you stop recording, the audio file is downloaded and saved.


Locating an iOS Device

The locate command retrieves the device coordinates using location services. It sends back the latitude and longitude as well as a Google Maps link showing where the device is located.

Even when location services are turned off, EggShell can turn them back on and retrieve location data without the user knowing.


Retrieving iOS Passcode

EggShell can obtain the target device's passcode after we have installed the EggShell Cydia Substrate library (see the installpro command). Once the library is uploaded and installed on the device, it hooks into the lock screen and logs the passcode in memory upon successful entry. We can then view the logged passcode with the getpasscode command.


Running System Commands

Any command that is not EggShell-specific is run as a system command. This lets you execute commands just as in a regular reverse shell; however, stdin on a spawned process is not yet supported, so interactive programs that read from standard input cannot be driven from the session.


Safari Exploit + EggShell

Soon after iOS security researcher Luca Todesco released his browser-based 9.3.3 jailbreak, I reused some of his code to demonstrate taking over a device from Safari. I made some hex edits to the executable that was loaded so that it ran the EggShell payload after the jailbreak process had completed. You can view the demo here, narrated by EverythingApplePro.


Arduino + EggShell

Inspired by Samy Kamkar's USBdriveby, I wanted to do something similar with EggShell. USBdriveby used a Teensy microcontroller to emulate keystrokes on a macOS device, bypassing security features and gaining remote access. I chose a similar but less powerful Digispark development board that costs less than 2 dollars. The Teensy has far more memory and speed for larger payloads, but since EggShell's payload is so small we have much more flexibility when embedding it. I hollowed out a realistic Galaxy S6 dummy phone and placed the Digispark where the phone's USB port would have been. This adds a social-engineering improvement to the microcontroller: it looks as if a phone is simply charging when in reality it could be attacking your Mac through the USB port. The dummy phone takes less than 10 seconds to emulate the keystrokes needed to deploy the EggShell payload; replacing the Digispark with a Teensy almost cuts that time in half. The code for the two devices is almost the same, apart from which keyboard library you choose to use.


Universal Commands

EggShell has a set of commands that can be executed across macOS, iOS, and Linux payloads.

ls

List directory

cd

Change working directory

pwd

Show current directory

pid

Show the process ID of the EggShell session on the target machine

download

Download a file

upload

Upload a file


macOS Commands

Below are the specific commands that can be executed in a macOS session.

brightness

brightness takes a single argument, a value from 0 to 1, that sets the screen brightness: 0 is the lowest and 1 the highest.

getfacebook

This command parses Safari's binary cookie file on the target device and retrieves the session cookie of a logged-in Facebook account, along with a link to the profile. I found that this is possible because Safari does not keep its cookies encrypted, so they are readable by any process running as that user. I suggest using a browser like Chrome instead, which encrypts its cookie values; the key lives in the login Keychain, so a process running as the same user can still ask for it, but the Keychain prompts the user before handing it over.

getpaste

Get target device's current pasteboard contents.

getvol

Get the current output volume. This will return a number between 0 and 100.

idletime

Get the amount of time in seconds since the keyboard/cursor were touched.

imessage

Send a message to another phone number through the target device's Messages app.

itunes

iTunes controller for play, pause, next, and skip functions.

keyboard

Perform keystrokes on the target machine.

lazagne

Retrieve stored usernames and passwords from Firefox.

mic

Record audio through device mic.

persistence

This command installs a launch daemon on the device that makes it try to reconnect every 5 seconds, even after a reboot.

picture

Take and retrieve picture through iSight camera.

prompt

Show a pop-up prompting the user for their password. The prompt will not go away until the user has entered a value. After the user has typed a password, we are asked whether to try escalating privileges with it.

screenshot

Takes and retrieves a screenshot of the screen.

setvol

Sets the output volume; takes one argument, a number from 0 to 100.

sleep

Puts the target device into sleep mode.

su

Prompts the target user for their password and attempts to upgrade the session's permissions to root with the password entered.

suspend

Suspends the logged-in user's session and returns to the login screen.
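The getfacebook entry above rests on one fact: Safari's cookie store is a plain binary container with every value in cleartext. The following is an added example, not EggShell's getfacebook code, showing the Cookies.binarycookies layout that any such command has to walk ('cook' magic, big-endian page table, little-endian cookie records with offsets relative to the record start, timestamps as doubles on Apple's 2001 epoch). The sample file is constructed in memory with build_binarycookies(); the domains, names and values in it are invented, and the "session" name is an assumption rather than any real site's cookie. At the time of this page (2018) the file lived at ~/Library/Cookies/Cookies.binarycookies; on macOS 10.14 and later that location sits behind TCC, so a process without Full Disk Access gets a permission error instead of the file.

```python
"""Parse Safari's Cookies.binarycookies container.

Added example, not EggShell's getfacebook code. It shows what the
command relies on: the file is a plain binary layout with every cookie
value in cleartext, so anything that can read it can lift a session.
The sample file is constructed in memory with build_binarycookies();
domains and values are invented."""
import datetime
import struct

MAC_EPOCH_OFFSET = 978307200  # seconds from 1970-01-01 to Apple's 2001-01-01 epoch
FLAG_SECURE = 0x1
FLAG_HTTPONLY = 0x4
RECORD_HEADER = 56  # bytes before the first string in a cookie record


def _record(domain, name, path, value, flags, expires, created):
    """One cookie record. String offsets are relative to the record start;
    the two timestamps are little-endian doubles on the 2001 epoch."""
    strings, offsets, blob = (domain, name, path, value), [], b""
    for s in strings:
        offsets.append(RECORD_HEADER + len(blob))
        blob += s.encode() + b"\x00"
    header = struct.pack("<IIII", RECORD_HEADER + len(blob), 0, flags, 0)
    header += struct.pack("<IIII", *offsets) + b"\x00" * 8
    header += struct.pack("<dd", expires - MAC_EPOCH_OFFSET, created - MAC_EPOCH_OFFSET)
    return header + blob


def build_binarycookies(cookies):
    """Serialise cookies into a single-page file: 'cook' magic, big-endian
    page count and page sizes, then the page (0x00000100 header, little-
    endian cookie count and offsets, zero terminator, records), then the
    8-byte footer that precedes the trailing plist in real files."""
    records = [_record(*c) for c in cookies]
    offsets, pos = [], 12 + 4 * len(records)
    for r in records:
        offsets.append(pos)
        pos += len(r)
    page = (b"\x00\x00\x01\x00" + struct.pack("<I", len(records))
            + struct.pack("<%dI" % len(records), *offsets) + b"\x00" * 4
            + b"".join(records))
    return (b"cook" + struct.pack(">I", 1) + struct.pack(">I", len(page))
            + page + b"\x07\x17\x20\x05\x00\x00\x00\x4b")


def _cstring(buf, start):
    return buf[start:buf.index(b"\x00", start)].decode("utf-8", "replace")


def parse_binarycookies(data):
    """Walk every page and record; returns a list of cookie dicts."""
    if data[:4] != b"cook":
        raise ValueError("not a binarycookies file")
    num_pages = struct.unpack(">I", data[4:8])[0]
    sizes = struct.unpack(">%dI" % num_pages, data[8:8 + 4 * num_pages])
    pos, cookies = 8 + 4 * num_pages, []
    for size in sizes:
        page = data[pos:pos + size]
        pos += size
        if page[:4] != b"\x00\x00\x01\x00":
            raise ValueError("bad page header")
        count = struct.unpack("<I", page[4:8])[0]
        for off in struct.unpack("<%dI" % count, page[8:8 + 4 * count]):
            rec_size, _, flags, _ = struct.unpack("<IIII", page[off:off + 16])
            rec = page[off:off + rec_size]
            url_off, name_off, path_off, val_off = struct.unpack("<IIII", rec[16:32])
            expires, _created = struct.unpack("<dd", rec[40:56])
            cookies.append({
                "domain": _cstring(rec, url_off),
                "name": _cstring(rec, name_off),
                "path": _cstring(rec, path_off),
                "value": _cstring(rec, val_off),
                "secure": bool(flags & FLAG_SECURE),
                "httponly": bool(flags & FLAG_HTTPONLY),
                "expires": datetime.datetime.fromtimestamp(
                    expires + MAC_EPOCH_OFFSET, datetime.timezone.utc),
            })
    return cookies


def cookies_for_domain(cookies, domain):
    """Cookies scoped to `domain` or any of its subdomains."""
    want = domain.lstrip(".")
    return [c for c in cookies
            if c["domain"].lstrip(".") == want
            or c["domain"].lstrip(".").endswith("." + want)]


# Constructed sample: a Secure+HttpOnly session cookie and a harmless one.
SAMPLE_FILE = build_binarycookies([
    (".example.com", "session", "/", "c0ffee-constructed-token",
     FLAG_SECURE | FLAG_HTTPONLY, 1735689600.0, 1700000000.0),
    ("www.example.org", "theme", "/", "dark", 0, 1735689600.0, 1700000000.0),
])

if __name__ == "__main__":
    for c in cookies_for_domain(parse_binarycookies(SAMPLE_FILE), "example.com"):
        print(c["domain"], c["name"], c["value"], "HttpOnly" if c["httponly"] else "")
```

Note that the HttpOnly flag is recorded and parsed here but changes nothing: it only stops page scripts from reading the cookie, and a local process reading the file bypasses the browser entirely. The parser ignores the footer and the trailing property list, which hold no cookie data.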


iOS Commands

Below are the specific commands that can be executed in an iOS session.

alert

This command prompts you for a title and a message, then displays a pop-up alert on the device.

battery

Get the battery level of the device.

bundleids

List bundle identifiers of installed applications.

dhome

Simulate a double home button press.

dial

Dial and call a phone number.

getcontacts

Download the address book database.

getnotes

Download the Notes database.

getpasscode

Retrieve the device passcode, but only if the user has unlocked the device since the last SpringBoard load.

getsms

Download the SMS database.

getvol

Get the current output volume. This will return a number between 0 and 100.

home

Simulate a home button press.

installpro

Install the Cydia Substrate library for extended functionality (required for getpasscode).

ipod

Control music player with play, pause, next, and skip functions.

islocked

Check if the device is in a locked state.

lastapp

Get the bundle ID of the last opened application.

locate

This command will get the device location coordinates along with a google maps link showing where the device is.

locationservice

Toggle location services on and off.

lock

Lock the target device.

mic

Record audio through device mic.

mute

View and toggle the mute status.

open

Launch an installed application on the device by bundle ID.

openurl

Open a URL on the target device.

persistence

This command installs a launch daemon on the device that makes it try to reconnect every 5 seconds, even after a reboot.

picture

Take a picture through the front or back camera. This command takes one argument, 'front' or 'back'.

respring

Restart SpringBoard.

safemode

Put device into safe mode.

say

Similar to the macOS command 'say', this will make the target device generate audio for a given text input.

setvol

Sets the device output volume; takes one argument, a number from 0 to 100.

sysinfo

View system information.

vibrate

Vibrate the target device.