Not working with CobaltStrike payloads

[PocketDC]

Hello! Entirely possible I'm missing something here but just wanted to say that I can't seem to get it to work with cobaltstrike at the moment. Using the up-to-date master.

Steps:

1. Stand up cobaltstrike server
2. Generate following stageless x64 payloads: raw (.bin), windows executable (.exe), windows executable (.bin), windows dll (.dll)
3. clone and build donut (tried on both Kali and Win10)
4. ./donut -i path/to/payload
5. take loader.bin output, use the inject.exe example, no callback or errors
6. take the loader.bin output, use the inject-local.exe example, no callback or errors

The hiccup must be with the loader generation in donut because I'm able to execute the unobfuscated payloads just fine (.exe and .dll) and able to use the inject.exe to execute the unobfuscated .bin files too

[TheWover]

I do not have access to Cobalt Strike to test this out, but can provide some guidance.

1) Donut will not be able to load the raw payload (.bin). It can load the PEs. 2) The issue may be with your donut parameters. I would suggest the following to test:

• -a, to specify the architecture;
• -b 1, to disable bypasses;
• -k 2, preserve the PE headers;
• -z 1, to turn off compression;
• -x 3, this is the important one because it will prevent donut from exiting when the payload returns from being called. I don't know exactly how Beacon works, but some C2 implant's have an entry point that immediately create a new thread and then returns to caller. That will cause donut to return/exit unless you have this -x 3 option set to have it block indefinitely after invoking the payload.

[PocketDC]

Oh man that absolutely fixed it thank you! It must have been the -x 3 that did it because I looked through my history and I had tried all of the others but was using -x 2. You're a legend; thank you sir