BishopFox / sliver

Adversary Emulation Framework
GNU General Public License v3.0

Stager shellcode generation fails on Kali VM on Apple Silicon (ARM) Mac #1706

Open j-mie opened 3 weeks ago

j-mie commented 3 weeks ago

Describe the bug
Running stage-listener with a TCP URL on an Apple Mac creates a TCP listener which serves no shellcode.

INFO[2024-06-03T17:52:36+01:00] [sliver/server/certs/certs.go:140] Generating TLS certificate (ECC) for 'QUIET_WINNER' ... 
INFO[2024-06-03T17:52:36+01:00] [sliver/server/certs/certs.go:65] Saving certificate for cn = 'QUIET_WINNER' 
INFO[2024-06-03T17:52:36+01:00] [sliver/server/configs/server.go:155] Saving config to /root/.sliver/configs/server.json 
INFO[2024-06-03T17:52:36+01:00] [sliver/server/gogo/go.go:162] go cmd: '/root/.sliver/go/bin/go tool dist list' 
INFO[2024-06-03T17:52:36+01:00] [sliver/server/assets/assets-helpers.go:276] Creating GOPATH directory: /root/.sliver/slivers/windows/amd64/QUIET_WINNER/src 
WARN[2024-06-03T17:52:36+01:00] [sliver/server/generate/canaries.go:71] No parent domains 
WARN[2024-06-03T17:52:36+01:00] [sliver/server/generate/canaries.go:71] No parent domains 
INFO[2024-06-03T17:52:36+01:00] [sliver/server/generate/binaries.go:553] Rendering native encoder assets ... 
INFO[2024-06-03T17:52:36+01:00] [sliver/server/generate/binaries.go:561] Embed english dictionary (4.9 KiB, 3.2 KiB compressed) 
INFO[2024-06-03T17:52:36+01:00] [sliver/server/generate/binaries.go:489] Rendering go.mod file ... 
INFO[2024-06-03T17:52:36+01:00] [sliver/server/gogo/go.go:162] go cmd: '/root/.sliver/go/bin/go tool dist list' 
INFO[2024-06-03T17:52:36+01:00] [sliver/server/gogo/go.go:162] go cmd: '/root/.sliver/go/bin/go tool dist list' 
INFO[2024-06-03T17:52:36+01:00] [sliver/server/gogo/go.go:123] garble cmd: '/root/.sliver/go/bin/garble -seed=random -literals -tiny build -trimpath -ldflags  -H=windowsgui -buildmode=pie -o /root/.sliver/slivers/windows/amd64/QUIET_WINNER/bin/QUIET_WINNER.bin .' 

INFO[2024-06-03T17:52:44+01:00] [sliver/server/generate/implants.go:141] f0b4b042-6545-48ab-b986-dded71153bf6 -> QUIET_WINNER 
INFO[2024-06-03T17:52:44+01:00] [github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/logging/logrus/options.go:220] finished unary call with code OK 
INFO[2024-06-03T17:52:44+01:00] [sliver/server/rpc/rpc-shellcode.go:37] [rpc] Shellcode encoder request for: SHIKATA_GA_NAI 
INFO[2024-06-03T17:52:44+01:00] [sliver/server/sgn/sgn.go:93] [sgn] EncodeShellcode: 22837336 bytes 
INFO[2024-06-03T17:52:44+01:00] [sliver/server/sgn/sgn.go:199] [sgn] input file: /tmp/sgn11946290 
INFO[2024-06-03T17:52:44+01:00] [sliver/server/sgn/sgn.go:77] sgn cmd: '/root/.sliver/go/bin/sgn -a 64 -c 1 -max 20 -o /tmp/sgn3696634141 /tmp/sgn11946290' 
INFO[2024-06-03T17:52:44+01:00] [sliver/server/sgn/sgn.go:80] --- env ---    
INFO[2024-06-03T17:52:44+01:00] [sliver/server/sgn/sgn.go:82] PATH=/root/.sliver/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin 
INFO[2024-06-03T17:52:44+01:00] [sliver/server/sgn/sgn.go:84] --- stdout ---
       __   _ __        __                               _ 
  ___ / /  (_) /_____ _/ /____ _  ___ ____ _  ___  ___ _(_)
 (_-</ _ \/ /  '_/ _ `/ __/ _ `/ / _ `/ _ `/ / _ \/ _ `/ / 
/___/_//_/_/_/\_\\_,_/\__/\_,_/  \_, /\_,_/ /_//_/\_,_/_/  
========[Author:-Ege-Balcı-]====/___/=======v2.0.0=========  
    ┻━┻ ︵ヽ(`Д´)ノ︵ ┻━┻           (ノ ゜Д゜)ノ ︵ 仕方がない

|  
INFO[2024-06-03T17:52:44+01:00] [sliver/server/sgn/sgn.go:85] --- stderr ---
2024/06/03 17:52:44 [MAIN] ERROR: random garbage instruction assembly failed

INFO[2024-06-03T17:52:44+01:00] [sliver/server/sgn/sgn.go:86] exit status 1  
ERRO[2024-06-03T17:52:44+01:00] [sliver/server/sgn/sgn.go:130] exit status 1 
INFO[2024-06-03T17:52:44+01:00] [sliver/server/rpc/rpc-shellcode.go:46] [rpc] Successfully encoded shellcode (0 bytes) 
INFO[2024-06-03T17:52:44+01:00] [github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/logging/logrus/options.go:220] finished unary call with code OK 
INFO[2024-06-03T17:52:44+01:00] [sliver/server/rpc/rpc-generate.go:241] Saving new profile with name "win-shellcode" 
INFO[2024-06-03T17:52:44+01:00] [github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/logging/logrus/options.go:220] finished unary call with code OK 
INFO[2024-06-03T17:52:44+01:00] [sliver/server/c2/tcp-stager.go:34] Starting Raw TCP listener on 0.0.0.0:9000 
INFO[2024-06-03T17:52:44+01:00] [github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/logging/logrus/options.go:220] finished unary call with code OK 

To Reproduce
Steps to reproduce the behavior:

  1. profiles new --mtls 10.10.14.40:443 --format shellcode win-shellcode
  2. stage-listener --url tcp://10.10.14.40:9000 --profile win-shellcode
  3. nc 10.10.14.40 9000 | wc -l

Expected behavior
Ideally it shouldn't error, but the fact that there's no sign that this has failed in the client until you connect to the stager and receive no output is a little confusing.

Desktop (please complete the following information):
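The `nc ... | wc -l` check in step 3 is what exposed the empty stage, since the server log reports "Successfully encoded shellcode (0 bytes)" right after sgn exits with status 1. The following Go program is an added example, not code from the Sliver project or from this issue: it dials a raw TCP stager, reads until the server closes the connection, and treats a 0-byte stage as a hard failure, which is the signal the client did not give here. It assumes the stager writes the stage immediately after accept and then closes the socket; the loopback `serveOnce` helper and the 0x90-filled sample payload are constructed for the demo and are not real shellcode.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net"
	"os"
	"time"
)

// ErrEmptyStage is returned when the stager accepts the connection but sends
// no bytes, which is what a 0-byte encoder result produces on the wire.
var ErrEmptyStage = errors.New("stager returned 0 bytes")

// fetchStage dials a raw TCP stager, reads until the server closes the
// connection (or the deadline expires), and fails on an empty stage.
// Assumption: the stager writes the stage right after accept and then closes.
func fetchStage(addr string, timeout time.Duration) ([]byte, error) {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	stage, err := io.ReadAll(conn)
	if err != nil {
		var ne net.Error
		if !(errors.As(err, &ne) && ne.Timeout() && len(stage) > 0) {
			return nil, err
		}
		// The server kept the socket open past the deadline; keep what it sent.
	}
	if len(stage) == 0 {
		return nil, ErrEmptyStage
	}
	return stage, nil
}

// serveOnce starts a loopback listener that answers a single connection with
// payload and then closes it, standing in for a stage-listener. A nil payload
// reproduces the broken case from the issue. It returns the address to dial.
func serveOnce(payload []byte) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	go func() {
		defer ln.Close()
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		_, _ = conn.Write(payload) // writing nil sends nothing
		conn.Close()
	}()
	return ln.Addr().String(), nil
}

func main() {
	// Constructed sample stage: 4 KiB of NOPs, only used to count bytes.
	good := bytes.Repeat([]byte{0x90}, 4096)
	cases := []struct {
		name    string
		payload []byte
	}{
		{"working stager", good},
		{"broken stager", nil},
	}
	for _, c := range cases {
		addr, err := serveOnce(c.payload)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		stage, err := fetchStage(addr, 2*time.Second)
		if err != nil {
			fmt.Printf("%s at %s: FAIL: %v\n", c.name, addr, err)
			continue
		}
		fmt.Printf("%s at %s: got %d bytes\n", c.name, addr, len(stage))
	}
}
```

Pointing `fetchStage` at a real stage-listener address instead of the loopback helper gives the same check as step 3, but with a byte count and a non-zero exit on an empty stage rather than a line count, so it can sit in a pre-engagement smoke test.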

j-mie commented 3 weeks ago

Strangely, pulling down the latest version of https://github.com/moloch--/sgn and compiling from source works fine (copying the file from go build -ldflags="-extldflags=-static" to the Sliver .sliver/go/bin/sgn path works fine). I wonder if it's a keystone issue.

moloch-- commented 3 weeks ago

That is weird, thanks for running it down. I can probably just push out a new build.