gen0cide / gscript

framework to rapidly implement custom droppers for all three major operating systems
https://github.com/gen0cide/gscript
GNU Affero General Public License v3.0

Runtime Error when running ExecuteCommand multiple times #102

Closed apscott closed 5 years ago

apscott commented 5 years ago

Whenever I compile a script that has multiple calls to ExecuteCommand, I get a runtime error. For example, the following script:

function Deploy() {
    G.exec.ExecuteCommand("powershell", ["ls", "-recurse"]);
    G.exec.ExecuteCommand("powershell", ["ls", "-recurse"]);
    return true;
}

The first call to ExecuteCommand runs as expected. The second call will generate the following error:

[engine:t1083-2.gs] ERROR runtime error: could not create multiple assignment structure - (anonymous): Line 1:4 Unexpected token ILLEGAL (and 1 more errors)
[engine:t1083-2.gs]  INFO console.log >>> runtime: could not create multiple assignment structure - (anonymous): Line 1:4 Unexpected token ILLEGAL (and 1 more errors)

I traced this error message to line 301 of gscript/compiler/templates/vm_file.go.tmpl.

I've tried making changes to the template file and recompiling, but the changes aren't taking effect. I'm using the commands from the docs to compile:

cd ~/go/src/github.com/gen0cide/gscript/cmd/gscript
go build
cp ./gscript /usr/local/bin/

I have two questions for this issue. A) Is there a workaround for the error I am getting? and B) Why are my changes to the template file not working? Is that file being pulled from somewhere else or am I doing something wrong with my build?

ahhh commented 5 years ago

Hey @apscott, I'm not able to recreate this. Perhaps it's specific to Windows, but I just tried a basic macOS example and do not encounter this error. Further, I'm not sure why it would be a golang runtime error.

// Example gscript template
// Title: Double Exec Example
// Author: ahhh
// Purpose: 
// Gscript version: 1.0.0

//go_import:os/user as user

//priority:120
//timeout:150

function Deploy() {  
    console.log("starting execution of double exec xample");
    // List /private/var/, then /private/tmp/, logging each result array
    var response = G.exec.ExecuteCommand("ls", ["-al", "/private/var/"]);
    console.log("Exec 1 Pid: "+response[0]);
    console.log("Exec 1 stdout: "+response[1]);
    console.log("Exec 1 stderr: "+response[2]);
    console.log("Exec 1 exit code: "+response[3]);
    console.log("Exec 1 go errors: "+response[4]);
    var response2 = G.exec.ExecuteCommand("ls", ["-al", "/private/tmp/"]);
    console.log("Exec 2 Pid: "+response2[0]);
    console.log("Exec 2 stdout: "+response2[1]);
    console.log("Exec 2 stderr: "+response2[2]);
    console.log("Exec 2 exit code: "+response2[3]);
    console.log("Exec 2 go errors: "+response2[4]);

    console.log("Done  double exec xample");
    return true;
}

Which resulted in the following output:

ML-C02X31LCJGH7:Desktop dborges$ gscript compile --enable-logging --obfuscation-level=3 -o ~/Desktop/example_test.macho example.gs 
[gscript:cli]  INFO *** COMPILER OPTIONS ***
[gscript:cli]  INFO 
[gscript:cli]  INFO                        OS: darwin                                                                  
[gscript:cli]  INFO                      Arch: amd64                                                                   
[gscript:cli]  INFO               Output File: /Users/dborges/Desktop/example_test.macho                               
[gscript:cli]  INFO      Keep Build Directory: [DISABLED]                                                              
[gscript:cli]  INFO           UPX Compression: [DISABLED]                                                              
[gscript:cli]  INFO           Logging Support: [ENABLED]                                                               
[gscript:cli]  INFO          Debugger Support: [DISABLED]                                                              
[gscript:cli]  INFO       Human Redable Names: [DISABLED]                                                              
[gscript:cli]  INFO   Import All Native Funcs: [DISABLED]                                                              
[gscript:cli]  INFO          Skip Compilation: [DISABLED]                                                              
[gscript:cli]  INFO         Obfuscation Level: ALL OBFUSCATION DISABLED                                                
[gscript:cli]  INFO 
[gscript:cli]  INFO ***  SOURCE SCRIPTS  ***
[gscript:cli]  INFO 
[gscript:cli]  INFO     Script : example.gs                                                              
[gscript:cli]  INFO 
[gscript:cli]  INFO ************************
[gscript:cli]  INFO 
[gscript:cli]  INFO Compiled binary located at:

/Users/dborges/Desktop/example_test.macho

ML-C02X31LCJGH7:Desktop dborges$ ./example_test.macho 
[engine:example.gs]  INFO console.log >>> starting execution of double exec xample
[engine:example.gs]  INFO console.log >>> Exec 1 Pid: 14514
[engine:example.gs]  INFO console.log >>> Exec 1 stdout: total 0
drwxr-xr-x  26 root          wheel          832 Oct 16 12:49 .
drwxr-xr-x   6 root          wheel          192 Jul  3 22:54 ..
drwx------   2 root          wheel           64 Oct 12  2017 agentx
drwxr-xr-x   8 daemon        wheel          256 Jul  3 22:55 at
drwx------  11 root          wheel          352 Dec  5 18:18 audit
drwx------   2 root          wheel           64 Apr  9  2018 backups
drwxr-xr-x  86 root          wheel         2752 Dec  7 08:06 db
drwxr-xr-x   2 root          sys             64 Apr  9  2018 empty
drwxr-xr-x   4 root          wheel          128 Oct 16 12:47 folders
drwx------   2 root          wheel           64 Dec  5 14:09 install
drwxr-x---   2 _jabber       _jabber         64 Oct  6  2017 jabberd
drwxr-xr-x   3 root          wheel           96 Feb 11  2018 lib
drwxr-xr-x  50 root          wheel         1600 Dec  7 08:05 log
drwxr-x---   2 _mobileasset  _mobileasset    64 Apr  9  2018 ma
drwxrwxr-x   2 root          mail            64 Apr  9  2018 mail
drwxr-xr-x   3 root          wheel           96 Apr  9  2018 msgs
drwxr-xr-x   2 root          wheel           64 Apr  9  2018 netboot
drwxr-xr-x   6 _networkd     _networkd      192 Oct 16 12:43 networkd
drwxr-x---   6 root          wheel          192 Oct 17 08:57 root
drwxr-xr-x   4 root          wheel          128 Oct  6  2017 rpc
drwxrwxr-x  47 root          daemon        1504 Dec  7 08:06 run
drwxr-xr-x   2 daemon        wheel           64 Apr  9  2018 rwho
drwxr-xr-x   6 root          wheel          192 Jul  3 22:55 spool
drwxrwxrwt   4 root          wheel          128 Dec  7 08:06 tmp
drwxr-xr-x   5 root          wheel          160 Dec  7 08:03 vm
drwxr-xr-x   3 root          wheel           96 Apr  9  2018 yp

[engine:example.gs]  INFO console.log >>> Exec 1 stderr: 
[engine:example.gs]  INFO console.log >>> Exec 1 exit code: 0
[engine:example.gs]  INFO console.log >>> Exec 1 go errors: undefined
[engine:example.gs]  INFO console.log >>> Exec 2 Pid: 14515
[engine:example.gs]  INFO console.log >>> Exec 2 stdout: total 0
drwxrwxrwt  9 root     wheel  288 Dec  7 08:06 .
drwxr-xr-x  6 root     wheel  192 Jul  3 22:54 ..
-rw-rw-rw-@ 1 dborges  wheel    0 Dec  5 18:19 .keystone_install_lock
drwx------  3 dborges  wheel   96 Dec  5 18:19 com.apple.launchd.JVqdlUm2o0
drwx------  3 dborges  wheel   96 Dec  5 18:19 com.apple.launchd.mGqw2GMwWJ
drwxr-xr-x  3 root     wheel   96 Dec  7 08:06 nsbranding
-rw-r--r--  1 root     wheel    0 Dec  5 18:18 postImagingConfigstderr.log
-rw-r--r--  1 root     wheel    0 Dec  5 18:18 postImagingConfigstdout.log
drwxr-xr-x  2 root     wheel   64 Dec  5 18:18 powerlog

[engine:example.gs]  INFO console.log >>> Exec 2 stderr: 
[engine:example.gs]  INFO console.log >>> Exec 2 exit code: 0
[engine:example.gs]  INFO console.log >>> Exec 2 go errors: undefined
[engine:example.gs]  INFO console.log >>> Done Disable Firewall

I'll try it again on Windows using your exact example now.

ahhh commented 5 years ago

Just tested the same example on Windows and it works fine there as well.

// Example gscript template
// Title: Double Exec Example
// Author: ahhh
// Purpose: 
// Gscript version: 1.0.0

//go_import:os/user as user

//priority:120
//timeout:150

function Deploy() {  
    console.log("starting execution of double exec xample");
    // List two directories with PowerShell, logging each result array
    var response = G.exec.ExecuteCommand("powershell.exe", ["ls", "C:\\Sysinternals\\"]);
    console.log("Exec 1 Pid: "+response[0]);
    console.log("Exec 1 stdout: "+response[1]);
    console.log("Exec 1 stderr: "+response[2]);
    console.log("Exec 1 exit code: "+response[3]);
    console.log("Exec 1 go errors: "+response[4]);
    var response2 = G.exec.ExecuteCommand("powershell.exe", ["ls", "C:\\tools\\"]);
    console.log("Exec 2 Pid: "+response2[0]);
    console.log("Exec 2 stdout: "+response2[1]);
    console.log("Exec 2 stderr: "+response2[2]);
    console.log("Exec 2 exit code: "+response2[3]);
    console.log("Exec 2 go errors: "+response2[4]);

    console.log("Done double exec xample");
    return true;
}

ML-C02X31LCJGH7:Desktop dborges$ gscript compile --os=windows --arch=386 --enable-logging --obfuscation-level=3 -o ~/Desktop/example_test.exe example.gs 
[gscript:cli]  INFO *** COMPILER OPTIONS ***
[gscript:cli]  INFO 
[gscript:cli]  INFO                        OS: windows                                                                 
[gscript:cli]  INFO                      Arch: 386                                                                     
[gscript:cli]  INFO               Output File: /Users/dborges/Desktop/example_test.exe                                 
[gscript:cli]  INFO      Keep Build Directory: [DISABLED]                                                              
[gscript:cli]  INFO           UPX Compression: [DISABLED]                                                              
[gscript:cli]  INFO           Logging Support: [ENABLED]                                                               
[gscript:cli]  INFO          Debugger Support: [DISABLED]                                                              
[gscript:cli]  INFO       Human Redable Names: [DISABLED]                                                              
[gscript:cli]  INFO   Import All Native Funcs: [DISABLED]                                                              
[gscript:cli]  INFO          Skip Compilation: [DISABLED]                                                              
[gscript:cli]  INFO         Obfuscation Level: ALL OBFUSCATION DISABLED                                                
[gscript:cli]  INFO 
[gscript:cli]  INFO ***  SOURCE SCRIPTS  ***
[gscript:cli]  INFO 
[gscript:cli]  INFO     Script : example.gs                                                              
[gscript:cli]  INFO 
[gscript:cli]  INFO ************************
[gscript:cli]  INFO 
[gscript:cli]  INFO Compiled binary located at:

/Users/dborges/Desktop/example_test.exe

C:\Users\dso>C:\Users\dso\Desktop\example_test.exe
[engine:example.gs]  INFO console.log >>> starting execution of double exec xample
[engine:example.gs]  INFO console.log >>> Exec 1 Pid: 3740
[engine:example.gs]  INFO console.log >>> Exec 1 stdout:

    Directory: C:\Sysinternals

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
------       11/16/2017   1:27 PM         792208 accesschk.exe
------       11/16/2017   1:25 PM         409760 accesschk64.exe
------        11/1/2006   1:06 PM         174968 AccessEnum.exe
------        7/12/2007   6:26 AM          50379 AdExplorer.chm
------       11/14/2012  10:22 AM         479832 ADExplorer.exe
------       10/26/2015   4:06 PM         401616 ADInsight.chm
------       10/26/2015   4:15 PM        2425496 ADInsight.exe
------        11/1/2006   1:05 PM         150328 adrestore.exe
------        8/27/2016  11:54 AM         138920 Autologon.exe
------        5/24/2018   9:25 AM          50512 autoruns.chm
------        5/24/2018   9:33 AM         730256 Autoruns.exe
------        5/24/2018   9:52 AM         747672 Autoruns64.dll
------        5/24/2018   9:45 AM         861328 Autoruns64.exe
------        5/24/2018   9:38 AM         645776 autorunsc.exe
------        5/24/2018   9:49 AM         761504 autorunsc64.exe
------        1/17/2018   1:42 PM        3001480 Bginfo.exe
------        1/17/2018   1:38 PM        4216976 Bginfo64.exe
------        11/1/2006   1:06 PM         154424 Cacheset.exe
------        5/27/2016   1:58 AM         139944 Clockres.exe
------        5/27/2016   1:55 AM         154792 Clockres64.exe
------        5/27/2016   2:05 AM         253600 Contig.exe
------        5/27/2016   2:02 AM         268960 Contig64.exe
------        8/18/2014  12:29 PM         892088 Coreinfo.exe
------        9/27/2006   6:04 PM          10104 ctrl2cap.amd.sys
------        11/1/2006   1:05 PM         150328 ctrl2cap.exe
------       11/21/1999   5:20 PM           2864 ctrl2cap.nt4.sys
------       11/21/1999   6:46 PM           2832 ctrl2cap.nt5.sys
------        9/15/2005   9:49 AM          68539 dbgview.chm
------        12/3/2012  10:10 AM         468056 Dbgview.exe
------       10/17/2012   6:28 PM         116824 Desktops.exe
------       12/17/2013  11:46 AM          40717 Disk2vhd.chm
------        1/20/2014   2:16 PM        7134400 disk2vhd.exe
------        6/12/2016   9:17 AM         143008 diskext.exe
------        6/12/2016   9:14 AM         158376 diskext64.exe
------        11/1/2006   1:06 PM         224056 Diskmon.exe
------        12/8/2003   9:40 AM           9519 DISKMON.HLP
------        3/24/2010   2:00 PM         580984 DiskView.exe
------       10/14/1999   2:45 PM          11728 DMON.SYS
------        1/20/2018  10:12 AM         169072 du.exe
------        1/20/2018  10:06 AM         191616 du64.exe
------        11/1/2006   1:05 PM         146232 efsdump.exe
------        7/18/2018   1:57 PM           7490 Eula.txt
------        5/28/2016   8:28 AM         147112 FindLinks.exe
------        5/28/2016   8:26 AM         169136 FindLinks64.exe
------       12/10/2017  12:20 PM         425608 handle.exe
------       12/10/2017  12:16 PM         226448 handle64.exe
------        6/12/2016   9:24 AM         150176 hex2dec.exe
------        6/12/2016   9:21 AM         164520 hex2dec64.exe
------        6/12/2016   9:39 AM         216736 junction.exe
------        6/12/2016   9:36 AM         236200 junction64.exe
------        11/1/2006   1:06 PM         154424 ldmdump.exe
------        5/27/2016   2:30 AM         424096 Listdlls.exe
------        5/27/2016   2:28 AM         220336 Listdlls64.exe
------        5/16/2017  11:42 AM         641184 livekd.exe
------        5/16/2017  11:35 AM         418976 livekd64.exe
------        5/28/2016   8:43 AM         141472 LoadOrd.exe
------        5/28/2016   8:42 AM         156840 LoadOrd64.exe
------        5/28/2016   8:48 AM         173216 LoadOrdC.exe
------        5/28/2016   8:47 AM         188584 LoadOrdC64.exe
------        6/12/2016   9:57 AM         224952 logonsessions.exe
------        6/12/2016   9:54 AM         249536 logonsessions64.exe
------        6/12/2016  10:20 AM         139936 movefile.exe
------        6/12/2016  10:15 AM         154792 movefile64.exe
------         6/8/2017   7:47 PM         242344 notmyfault.exe
------         6/8/2017   7:44 PM         265400 notmyfault64.exe
------         6/8/2017   7:58 PM         250032 notmyfaultc.exe
------         6/8/2017   7:56 PM         270520 notmyfaultc64.exe
------        6/12/2016  10:29 AM         139432 ntfsinfo.exe
------        6/12/2016  10:26 AM         158896 ntfsinfo64.exe
------        11/1/2006   1:06 PM         215928 pagedfrg.exe
------        7/23/2000   7:58 PM           8419 pagedfrg.hlp
------        6/12/2016  10:19 AM         141480 pendmoves.exe
------        6/12/2016  10:14 AM         156336 pendmoves64.exe
------        6/12/2016  10:44 AM         213160 pipelist.exe
------        6/12/2016  10:41 AM         234160 pipelist64.exe
------        7/30/1999   4:28 PM            422 PORTMON.CNT
------        1/13/2012   4:35 PM         451392 portmon.exe
------        1/31/2000   8:20 AM          43428 PORTMON.HLP
------        4/25/2017   4:43 AM         651424 procdump.exe
------        4/25/2017   4:37 AM         341672 procdump64.exe
------         5/1/2017   7:19 AM          72154 procexp.chm
------         5/1/2017   7:31 AM        2724512 procexp.exe
------         5/1/2017   7:25 AM        1458856 procexp64.exe
------        2/12/2018   2:22 PM          63582 procmon.chm
------        2/12/2018   2:30 PM        2164360 Procmon.exe
------        6/28/2016  11:44 AM         339096 PsExec.exe
------        6/28/2016  11:41 AM         374944 PsExec64.exe
------        6/28/2016  11:35 AM         149664 psfile.exe
------        6/28/2016  11:32 AM         168608 psfile64.exe
------        1/23/2018   8:21 PM         297104 PsGetsid.exe
------        1/23/2018   7:58 PM         329880 PsGetsid64.exe
------         7/5/2016   5:32 PM         313496 PsInfo.exe
------         7/5/2016   5:27 PM         351904 PsInfo64.exe
------        6/28/2016  10:57 AM         284320 pskill.exe
------        6/28/2016  10:52 AM         318624 pskill64.exe
------        6/28/2016  10:44 AM         178848 pslist.exe
------        6/28/2016  10:42 AM         202400 pslist64.exe
------        6/28/2016   9:51 AM         151728 PsLoggedon.exe
------        6/28/2016   9:49 AM         170160 PsLoggedon64.exe
------        4/27/2010  11:04 AM         178040 psloglist.exe
------         7/5/2016   4:53 PM         149664 pspasswd.exe
------         7/5/2016   4:50 PM         168616 pspasswd64.exe
------        6/29/2016   3:58 AM         255648 psping.exe
------        6/29/2016   3:55 AM         293032 psping64.exe
------        6/28/2016   9:43 AM         188584 PsService.exe
------        6/28/2016   9:41 AM         210608 PsService64.exe
------        12/4/2006   4:53 PM         207664 psshutdown.exe
------        6/28/2016  10:06 AM         289448 pssuspend.exe
------        6/28/2016  10:01 AM         321704 pssuspend64.exe
------        10/1/2012   9:23 AM          66582 Pstools.chm
------        11/6/2007   8:17 AM             39 psversion.txt
------        5/31/2018   2:12 PM         643720 RAMMap.exe
------        12/7/2011  11:07 AM           7903 readme.txt
------        5/28/2016  11:57 AM         149168 RegDelNull.exe
------        5/28/2016  11:54 AM         164024 RegDelNull64.exe
------        1/27/2016   7:34 PM         117920 regjump.exe
------         7/5/2016   3:56 PM         142472 ru.exe
------         7/5/2016   3:54 PM         160920 ru64.exe
------         1/7/2018  11:49 AM         156296 sdelete.exe
------         1/7/2018  11:46 AM         167056 sdelete64.exe
------        11/1/2006   1:07 PM         260976 ShareEnum.exe
------        2/27/2008   5:51 PM         103464 ShellRunas.exe
------       11/16/2017   1:06 PM         371856 sigcheck.exe
------       11/16/2017   1:03 PM         863384 sigcheck64.exe
------        5/28/2016  12:28 PM         135840 streams.exe
------        5/28/2016  12:25 PM         153768 streams64.exe
------         7/5/2016   6:33 PM         149152 strings.exe
------         7/5/2016   6:30 PM         164008 strings64.exe
------        6/12/2016   7:10 PM         143512 sync.exe
------        6/12/2016   7:07 PM         158360 sync64.exe
------        7/18/2018   1:25 PM        2858440 Sysmon.exe
------        7/18/2018   1:23 PM        1545864 Sysmon64.exe
------        7/28/2010   3:47 PM         199544 Tcpvcon.exe
------         7/2/2010   4:03 PM          41074 tcpview.chm
------        7/25/2011  12:40 PM         300832 Tcpview.exe
------         9/2/2002   1:13 PM           7983 TCPVIEW.HLP
------       11/18/2016   6:40 AM         231584 Testlimit.exe
------       11/18/2016   6:38 AM         243888 Testlimit64.exe
------        6/29/2015  10:40 AM          51747 Vmmap.chm
------        6/29/2015  10:47 AM        1194128 vmmap.exe
------        6/12/2016   7:18 PM         233640 Volumeid.exe
------        6/12/2016   7:15 PM         169648 Volumeid64.exe
------       11/16/2017   1:41 PM         154248 whois.exe
------       11/16/2017   1:38 PM         169616 whois64.exe
------        2/14/2011  11:37 AM         729464 Winobj.exe
------       12/30/1999  10:26 AM           7653 WINOBJ.HLP
------        6/18/2013   3:12 PM         596160 ZoomIt.exe

[engine:example.gs]  INFO console.log >>> Exec 1 stderr:
[engine:example.gs]  INFO console.log >>> Exec 1 exit code: 0
[engine:example.gs]  INFO console.log >>> Exec 1 go errors: undefined
[engine:example.gs]  INFO console.log >>> Exec 2 Pid: 4672
[engine:example.gs]  INFO console.log >>> Exec 2 stdout:

    Directory: C:\tools

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       10/18/2018   6:57 PM                cmdermini

[engine:example.gs]  INFO console.log >>> Exec 2 stderr:
[engine:example.gs]  INFO console.log >>> Exec 2 exit code: 0
[engine:example.gs]  INFO console.log >>> Exec 2 go errors: undefined
[engine:example.gs]  INFO console.log >>> Done double exec xample

C:\Users\dso>

Can you please provide more debug details, like maybe your full gscript?

ahhh commented 5 years ago

I also tried a script more similar to your exact script, and it runs successfully on Windows; however, the output is very large, so I'm not including it.

// Example gscript template
// Title: Double Exec Example
// Author: ahhh
// Purpose: 
// Gscript version: 1.0.0

//priority:120
//timeout:150

function Deploy() {  
    console.log("starting execution of double exec xample");
    // Run the same recursive PowerShell listing twice, logging each result array
    var response = G.exec.ExecuteCommand("powershell", ["ls", "-recurse"]);
    console.log("Exec 1 Pid: "+response[0]);
    console.log("Exec 1 stdout: "+response[1]);
    console.log("Exec 1 stderr: "+response[2]);
    console.log("Exec 1 exit code: "+response[3]);
    console.log("Exec 1 go errors: "+response[4]);
    var response2 = G.exec.ExecuteCommand("powershell", ["ls", "-recurse"]);
    console.log("Exec 2 Pid: "+response2[0]);
    console.log("Exec 2 stdout: "+response2[1]);
    console.log("Exec 2 stderr: "+response2[2]);
    console.log("Exec 2 exit code: "+response2[3]);
    console.log("Exec 2 go errors: "+response2[4]);

    console.log("Done double exec xample");
    return true;
}

apscott commented 5 years ago

Thanks for the quick response. After some more testing, it looks like an issue with the Windows VM I was testing on. I've run it on a couple other VMs and it works fine.

thebleucheese commented 5 years ago

Just an FYI for this: we encountered the same errors with files compiled this way. It looks like something to do with the flags. Once we used the flags in your example, like:

"gscript compile --os=windows --arch=386 --enable-logging --obfuscation-level=3 -o ~/Desktop/example_test.exe example.gs"

It started running more consistently without errors after compilation. Without those, we'd get the error.