xosski

GhostSurface

Apr 6th, 2025
╔══════════════════════════════════════╗
║  G H O S T C O R E   V E R S I O N   ║
╚══════════════════════════════════════╝
» CumulusTap – Red Team Extension Loader
» v1.0.0 / "Umbra Seed"

"Inject the silence. Speak in memory."
🧬 PURPOSE
This is a modular red team extension designed to leverage Chromium’s offscreen rendering, IndexedDB storage, and controlled memory corruption to stage and detonate shellcode inside the browser runtime. Stealth-first. Sandbox-aware. Persistence-optional.

📁 FILE STRUCTURE
manifest.json – Core config. Declares offscreen context, background script, permissions.

offscreen.html – Hidden execution layer. Stages JS & WASM away from prying eyes.

offscreen_compiled.js – Memory logic lives here. JS primitives + RWX mapping.

background_compiled.js – Trigger orchestration. Could be reactive or scheduled.

exploit.js – Runtime detonation. Precision memory abuse + WebAssembly trampoline.

verified_contents.json – Cosmetic. Mimics Chrome signing for legitimacy.

messages.json – Filler. Gives the extension a mundane face.

🔧 HOW IT WORKS
Stage: JS primitives open a memory playground using offscreen contexts.

Exploit: RWX page via WebAssembly. Shellcode mapped and written.

Execute: Trampoline invoked through JIT spray or Function call.

Persist (Optional): SQL memory dumps. Extension reloads rehydrate.

🌑 FEATURES
Offscreen memory manipulation

IndexedDB persistence layer

Arbitrary memory read/write via JS

WebAssembly RWX trampoline

Chrome-native extension shellcode launch

Fully client-side

💀 USE CASES
Internal red team ops

Post-exploitation browser persistence

Payload staging via browser extension

Sandbox-aware shellcode execution

⚠️ OPERATIONAL NOTES
Chrome sandbox remains unless chained w/ LPE

File access must be disabled for dev load

Chrome may log offscreen activity – monitor DevTools

Memory offsets may shift per Chrome version – validate pre-deploy

Deployment:
$ chrome.exe --disable-extensions-file-access-check \
    --load-extension=/path/to/ghostcore_bundle
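Seen from the detection side, the launch line above is the most observable step, because both switches show up in process-creation telemetry. The following is an added example, not part of the original paste: it flags browser launches that carry --load-extension and records whether --disable-extensions-file-access-check accompanies it. The browser image names and the sample command lines are constructed assumptions.

```python
import ntpath
import re

# Switch names come from the paste's deployment line; the browser image
# names and the sample command lines below are assumptions for this example.
LOAD_SWITCH = "--load-extension"
NO_FILE_CHECK = "--disable-extensions-file-access-check"
BROWSERS = {"chrome", "chromium", "chromium-browser", "google-chrome", "msedge", "brave"}

# One token = run of non-space characters and/or double-quoted segments,
# so --load-extension="C:\dir with space" stays in one piece.
TOKEN = re.compile(r'(?:[^\s"]|"[^"]*")+')


def assess(cmdline):
    """Return a finding dict if a browser is started with a sideloaded extension, else None."""
    tokens = [t.replace('"', "") for t in TOKEN.findall(cmdline)]
    if not tokens:
        return None
    # ntpath accepts both \ and / separators, so one call covers Windows and POSIX paths.
    image = ntpath.splitext(ntpath.basename(tokens[0]))[0].lower()
    if image not in BROWSERS:
        return None
    paths, no_check = [], False
    for tok in tokens[1:]:
        name, _, value = tok.partition("=")
        if name.lower() == LOAD_SWITCH:
            # Chromium accepts a comma-separated list of unpacked extension directories.
            paths += [p for p in value.split(",") if p]
        elif name.lower() == NO_FILE_CHECK:
            no_check = True
    if not paths:
        return None
    return {"image": image, "extension_paths": paths, "file_access_check_disabled": no_check}


SAMPLES = [  # constructed process-creation command lines, not real telemetry
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
    r'--disable-extensions-file-access-check --load-extension="C:\Users\Public\ext bundle"',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    "/usr/bin/chromium --load-extension=/tmp/a,/tmp/b --no-first-run",
    r"C:\Windows\System32\notepad.exe --load-extension=C:\x",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(assess(line), "<-", line)
```

Each returned path is a directory worth collecting for triage, since the unpacked extension's manifest.json and scripts sit there in plain form.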
📝 DISCLAIMER
This tool is designed for authorized adversary simulation only. If you’re using this without permission, you already know you're the problem.

GhostCore doesn’t babysit. It leaves no fingerprints.

"Malware is noisy. Ghosts don’t scream." – GhostCore Manifesto, Line 0x00
https://drive.proton.me/urls/MZNG3H1P9C#E6B3tjHJ0m16