Vault7: CIA Hacking Tools Revealed
Design Notes
Furtive Syringe (bootstrapper)
- needs an uninstall command in case elinit fails.
Exploitation with Persistence (on-disk)
- use EVE to exploit browser
- use SOL to break out of sandbox and escalate privileges
- fetch NightSkies, mount system partition as writable, write to flash
- use DYONEDO to add FurtiveSyringe hash to trustcache and run it
- add NS to, and interpose, locationd by impersonating launchctl client and talking to launchd
- NS is run by DYLD_INSERT_LIBRARIES method when running locationd
- NS dlopen()s its modules (unprivileged)
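The on-disk persistence path above relies on interposing locationd through launchd and loading NS via the DYLD_INSERT_LIBRARIES environment variable. From the defender's side, that leaves a concrete artifact: a launchd job plist whose EnvironmentVariables dictionary carries a DYLD_* key. The following added example (not part of the original note, and not code from the project it describes) parses launchd job plists with Python's standard plistlib and flags such entries. The sample plists, the label com.example.locationd, and the library path /private/var/tmp/placeholder_ns.dylib are constructed placeholders, not values from the page.

```python
import plistlib
from pathlib import Path

# Constructed sample: a locationd-style launchd job whose EnvironmentVariables
# carry DYLD_INSERT_LIBRARIES (the persistence technique the design note describes).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.locationd</string>
  <key>ProgramArguments</key>
  <array><string>/usr/libexec/locationd</string></array>
  <key>EnvironmentVariables</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/private/var/tmp/placeholder_ns.dylib</string>
  </dict>
</dict>
</plist>
"""

# Constructed sample: the same job with a benign environment, which must not be flagged.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.locationd</string>
  <key>ProgramArguments</key>
  <array><string>/usr/libexec/locationd</string></array>
  <key>EnvironmentVariables</key>
  <dict><key>PATH</key><string>/usr/bin:/bin</string></dict>
</dict>
</plist>
"""


def find_dyld_injection(plist_bytes):
    """Return (label, variable, value, severity) tuples for DYLD_* environment
    variables set on a single launchd job. DYLD_INSERT_LIBRARIES is the direct
    code-injection knob and is rated high; any other DYLD_* override is medium.
    plistlib.loads auto-detects XML and binary plist formats."""
    job = plistlib.loads(plist_bytes)
    label = job.get("Label", "<no label>")
    env = job.get("EnvironmentVariables") or {}
    findings = []
    for var, value in sorted(env.items()):
        if var == "DYLD_INSERT_LIBRARIES":
            findings.append((label, var, value, "high"))
        elif var.startswith("DYLD_"):
            findings.append((label, var, value, "medium"))
    return findings


def scan_plists(named_blobs):
    """Scan an iterable of (name, bytes) pairs. Unparseable blobs are reported as
    errors instead of aborting the scan, so one corrupt file cannot hide the rest."""
    findings, errors = [], []
    for name, blob in named_blobs:
        try:
            for finding in find_dyld_injection(blob):
                findings.append((name,) + finding)
        except Exception as exc:  # malformed plist, wrong root type, etc.
            errors.append((name, type(exc).__name__))
    return findings, errors


def scan_directory(directory):
    """Convenience wrapper: scan every *.plist under a directory such as
    /Library/LaunchDaemons or /Library/LaunchAgents."""
    paths = sorted(Path(directory).rglob("*.plist"))
    return scan_plists((str(p), p.read_bytes()) for p in paths)


if __name__ == "__main__":
    hits, errs = scan_plists([("sample.plist", SAMPLE_PLIST), ("clean.plist", CLEAN_PLIST)])
    for hit in hits:
        print("FLAG", hit)
    for err in errs:
        print("ERROR", err)
```

Running the module as a script prints one FLAG line for the constructed sample and nothing for the clean job; pointing scan_directory at the launchd job directories gives the same report over real files, with parse failures listed separately rather than silently skipped.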
Exploitation without Persistence (in-memory)
- use EVE to exploit browser
- use SOL to break out of sandbox and escalate privileges
- fetch NightSkies, write to memory
- use SAL to inject NS pre-core into a process (locationd)
- NS pre-core uses Machinjection to shootup() NS core
- NS pre-core uses Machinjection to load NS modules from memory into process