raw payload doesnt work?

chvancooten / NimPlant

A light-weight first-stage C2 implant written in Nim.

MIT License

769 stars 107 forks source link

raw payload doesnt work? #32

Open dobin opened 5 months ago

dobin commented 5 months ago

[x] This issue is not about OPSEC or bypassing defensive products
[x] I have followed the steps in the Troubleshooting section

OS and version: Ubuntu 23, Win10 Python version: 3.11.4 Nim version: 2.0.2 Using Docker: No

Issue Description

After "NimPlant.py compile all", the exe works, but the .bin doesnt. Tried using shellcode runner https://github.com/hasherezade/pe_to_shellcode/tree/master/runshc compiled as 64bit, and a private one using fibers.

Screenshots

Start shellcode, then exe:

Result: Only exe gets a connection

Debugger doesnt show the actual line:

chvancooten commented 5 months ago

Hi @dobin, thank you for your report!

Unfortunately, I'm not able to reproduce this issue. On KUbuntu 23.10 (which should not be much different from Ubuntu) with Python 3.11.6 and Nim 2.0.2, I am able to compile the payload without issue:

Subsequently, all of the payloads seem to work:

For testing, I used Nimplant's shinject command to inject into Explorer, as follows:

shinject 1337 "C:\path\to\NimPlant.bin"

Could you try executing with the shinject command to see if that works? If not, please try to provide as much information as you can to reproduce the issue. Thanks!

dobin commented 5 months ago

Starting the exe, and then issuing the following command to inject into a notepad.exe:

Results in no more beacons:

When executing the command, a new notepad editor appeared. It seems the original one (pid 6636) crashed, and a new one was started? (pid 13236). Reproducible.

Trying to load it with my experimental loader: no connection

Re-compiled it with "nim-debug": Same result

Windows version:

Nimplant Config: (probably because of this? as its the only "different" thing) nimplantconfig.txt

dobin commented 5 months ago

[attachment removed by repository owner] The debug nimplant.bin

I use 1.3:

chvancooten commented 5 months ago

Hi @dobin, thanks for the additional debugging steps. I am still not able to reproduce this issue unfortunately. Your config looks alright for testing, so my best guess would be that it relates to the Windows version of the target. Although I did test 22H2 intensively prior, recent testing has been performed on later builds of Windows 11. Do you see any possibility of trying to reproduce your issue on different Windows builds? Potentially that could help us pinpoint where and why this crash is occurring.