MythicAgents / scarecrow_wrapper


Error trying to use scarecrow_wrapper with Apollo Implant #8

Status: Closed (b1k3 closed this 2 weeks ago)

b1k3 commented 3 weeks ago

Hi there,

Just trying to experiment with using the scarecrow wrapper but whenever I add a payload using an Apollo implant I get the following error:

STDERR:
Traceback (most recent call last):
  File "/Mythic/mythic/builder.py", line 84, in build
    f.write(base64.b64decode(self.wrapped_payload))
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/base64.py", line 83, in b64decode
    s = _bytes_from_decode_data(s)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/base64.py", line 45, in _bytes_from_decode_data
    raise TypeError("argument should be a bytes-like object or ASCII "
TypeError: argument should be a bytes-like object or ASCII string, not 'NoneType'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/mythic_container/agent_utils.py", line 69, in buildWrapper
    build_resp = await agent_builder.build()
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Mythic/mythic/builder.py", line 144, in build
    raise Exception(str(e) + "\n" + output)
Exception: argument should be a bytes-like object or ASCII string, not 'NoneType'

argument should be a bytes-like object or ASCII string, not 'NoneType'

Mythic Version: v3.3.1-rc6 Apollo Version: 2.2.13

This occurs no matter which options I attempt to configure in the parameters for the scarecrow_wrapper.

Possibly me misconfiguring things...

its-a-feature commented 3 weeks ago

I think it's because it was still on Mythic2.3 for the main branch. Try doing sudo ./mythic-cli install github https://github.com/mythicagents/scarecrow_wrapper -f and then trying to build again

b1k3 commented 2 weeks ago

Hi @its-a-feature,

Tested this today but still getting the same error as above.

Could this be due to the plural wrapped_payloads vs wrapped_payload?

Line 16 being:

    wrapped_payloads = []

Line 84 references the following:

    f.write(base64.b64decode(self.wrapped_payload))

its-a-feature commented 2 weeks ago

That line of code isn't even in the repo anymore, so I think there's just an issue with the volume staying around. Try this:

sudo ./mythic-cli stop scarecrow_wrapper
sudo ./mythic-cli volume rm scarecrow_wrapper_volume
sudo ./mythic-cli build scarecrow_wrapper

Those two lines you're referencing are talking about two different things, so that's not the issue. The first one is talking about which different kinds of payload types this wrapper supports, and the second one is during the build process and refers to the specific instance of a payload that you're trying to wrap.

The issue is that during a recent update, the need to base64 decode the wrapped payload when building is no longer needed (self.wrapped_payload is already the raw bytes).
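The comment above describes a contract change in the wrapper build step: older builders base64-decoded self.wrapped_payload (a string), whereas current Mythic hands the builder raw bytes, and a stale container still running the old line produces exactly the TypeError in this issue. The helper below is an added example, not code from the scarecrow_wrapper repository or the mythic_container package; materialize_wrapped_payload and WrappedPayloadError are hypothetical names. It accepts either convention, rejects the None and empty cases (the repro config above carries "wrapped_payload": "") with a readable error instead of a bare TypeError, and writes the bytes out the way a wrapper builder would before invoking its tooling.

```python
import base64
import binascii
import os
import tempfile
from typing import Optional, Union


class WrappedPayloadError(ValueError):
    """Raised when the inner payload handed to a wrapper builder is unusable.

    Hypothetical exception type for this example; mythic_container does not
    define it.
    """


def materialize_wrapped_payload(
    wrapped_payload: Optional[Union[bytes, bytearray, str]],
) -> bytes:
    """Return the inner payload as raw bytes under either convention.

    Hypothetical helper (not part of mythic_container). Raw bytes are passed
    through unchanged (current Mythic behaviour); an ASCII string is treated as
    base64 and decoded strictly (the older builder behaviour); None or an
    empty payload raises WrappedPayloadError with an actionable message rather
    than the 'NoneType' TypeError seen in this issue.
    """
    if wrapped_payload is None:
        raise WrappedPayloadError(
            "no wrapped payload was supplied; confirm the inner payload type is "
            "listed in wrapped_payloads and that the container was rebuilt"
        )
    if isinstance(wrapped_payload, (bytes, bytearray)):
        data = bytes(wrapped_payload)
    elif isinstance(wrapped_payload, str):
        try:
            # validate=True rejects stray characters instead of silently
            # discarding them, so a corrupted payload fails loudly here.
            data = base64.b64decode(wrapped_payload, validate=True)
        except (binascii.Error, ValueError) as exc:
            raise WrappedPayloadError(
                f"wrapped payload is not valid base64: {exc}"
            ) from exc
    else:
        raise WrappedPayloadError(
            f"unsupported wrapped payload type {type(wrapped_payload).__name__}"
        )
    if not data:
        raise WrappedPayloadError("wrapped payload is empty")
    return data


def write_wrapped_payload(
    wrapped_payload: Optional[Union[bytes, bytearray, str]], directory: str
) -> str:
    """Write the materialized payload to a file and return its path.

    The file is created with owner-only permissions: the inner payload is an
    unobfuscated implant and should not be world-readable on the build host.
    """
    data = materialize_wrapped_payload(wrapped_payload)
    fd, path = tempfile.mkstemp(prefix="wrapped_", suffix=".bin", dir=directory)
    try:
        os.fchmod(fd, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(data)
    except Exception:
        os.unlink(path)
        raise
    return path


if __name__ == "__main__":
    # Constructed sample input: a PE-style header fragment ("MZ\x90\x00"),
    # once as raw bytes and once base64-encoded, standing in for an implant.
    raw = b"MZ\x90\x00"
    encoded = base64.b64encode(raw).decode("ascii")
    assert materialize_wrapped_payload(raw) == materialize_wrapped_payload(encoded)
    with tempfile.TemporaryDirectory() as d:
        out = write_wrapped_payload(raw, d)
        print(out, os.path.getsize(out), "bytes")
    try:
        materialize_wrapped_payload(None)
    except WrappedPayloadError as e:
        print("rejected:", e)
```

A builder that validates its input this way turns the opaque 'NoneType' traceback into a message that points at the two causes discussed in this thread: the payload type not being accepted by the wrapper, or a container still running stale code.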

b1k3 commented 2 weeks ago

OK, so I've followed the above; it's picked up the code change but is now failing with this very similar error.

STDERR:
Traceback (most recent call last):
  File "/Mythic/mythic/builder.py", line 84, in build
    f.write(self.wrapped_payload)
TypeError: a bytes-like object is required, not 'NoneType'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/mythic_container/agent_utils.py", line 69, in buildWrapper
    build_resp = await agent_builder.build()
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Mythic/mythic/builder.py", line 144, in build
    raise Exception(str(e) + "\n" + output)
Exception: a bytes-like object is required, not 'NoneType'

a bytes-like object is required, not 'NoneType'

Steps to Reproduce

  1. Build Apollo payload config as below:

    {
        "description": "Created by b1k3 at 2024-10-07 13:05:51 Z",
        "payload_type": "apollo",
        "c2_profiles": [
            {
                "c2_profile": "http",
                "c2_profile_is_p2p": false,
                "c2_profile_parameters": {
                    "AESPSK": {
                        "dec_key": "JZEJsaF6C+DbkxxzkSbCJ+625XuapfhHRwJXgOciSXI=",
                        "enc_key": "JZEJsaF6C+DbkxxzkSbCJ+625XuapfhHRwJXgOciSXI=",
                        "value": "aes256_hmac"
                    },
                    "callback_host": "http://<c2_ip>",
                    "callback_interval": 10,
                    "callback_jitter": 23,
                    "callback_port": 80,
                    "encrypted_exchange_check": true,
                    "get_uri": "index",
                    "headers": {
                        "User-Agent": "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
                    },
                    "killdate": "2024-10-04",
                    "post_uri": "data",
                    "proxy_host": "",
                    "proxy_pass": "",
                    "proxy_port": "",
                    "proxy_user": "",
                    "query_path_name": "q"
                }
            }
        ],
        "build_parameters": [
            {
                "name": "output_type",
                "value": "Shellcode"
            }
        ],
        "commands": [
            "run",
            "ticket_cache_purge",
            "ticket_store_purge",
            "ticket_cache_list",
            "ticket_cache_extract",
            "upload",
            "exit",
            "ticket_cache_add",
            "ps",
            "shell",
            "download",
            "ticket_store_list",
            "load",
            "wmiexecute",
            "ticket_store_add"
        ],
        "selected_os": "Windows",
        "filename": "b1k3_scarecrow_test",
        "wrapped_payload": ""
    }
  2. Generate New Wrapper Payload

  3. Select Target OS as Windows

  4. Payload Type as scarecrow_wrapper

    • Console: False
    • Domain: www.microsoft.com
    • ETW: True
    • Injection: Empty
    • Loader: Control
    • Sandbox: True
    • Unmodified: False
  5. Select payload as b1k3_scarecrow_test.

  6. Provide payload name and select "Create Payload"

  7. On pressing "Create Payload" this is where the error appears.

Note: This occurs no matter what options I select or even if I try creating a wrapper payload from the create payload option. It also occurs if I create a payload using Merlin.

its-a-feature commented 2 weeks ago

I just checked it out and it appears that the Dockerfile it was using was pretty outdated. I just updated it, so can you try those three steps again?

b1k3 commented 2 weeks ago

Hi there - performed the steps again and it is now building the payload wrapper 👍