Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Design Notes
Furtive Syringe (bootstrapper)
needs to uninstall command if elinit fails.
Remote Exploitation with Persistence (on-disk)
- use EVE to exploit browser
- use SOL to break out of sandbox and escalate privileges
- mount system partition as writable,
- fetch NightSkies,
- write to flash (dyonedo(fs))
- add cdhash to trustcache
- posix_spawn(furtivesyringe)
- FurtiveSyringe
- add NS.precore to trustcache
- use launchctl api to set DYLD_INSERT_LIBRARIES=NS.precore and reload locationd
- New option is to use SAL instead of launchctl method to inject code directly into locationd.
- Caveats: hooks/interposing that depended on DYLD_FORCE_FLAT_NAMESPACE can no longer be used.
- New option is to use SAL instead of launchctl method to inject code directly into locationd.
-
NS
dlopen()
s its modules- interpose/hook notification to prevent gps pop ups
- exit
Remote Exploitation without Persistence (in-memory)
- use EVE to exploit browser
- use SOL to break out of sandbox and escalate privileges
- fetch NightSkies, write to memory
- use SAL to inject NS pre-core into a process (locations)
- Map NS database into NS pre-core process
- NS pre-core uses Machinjection to
shootup()
NS core from in-memory database - NS pre-core uses Machinjection to load NS modules from in-memory database into process