guervild / uru

GNU General Public License v3.0
79 stars 9 forks

Shellcode index out of range #6

Closed cmprmsd closed 1 year ago

cmprmsd commented 2 years ago

The execution of shellcode fails for me in any case. The example config fails silently in debug mode with garble enabled.

When creating a new config with only sleep 2 and xor the program does not execute correctly:

PS C:\Users\user\Desktop> .\20220704_9qul_main.exe
[INFO]    Sleep for 2 seconds
[INFO]    Sleep finished
[INFO]    XOR payload data
[INFO]    Loading kernel32.dll
[INFO]    Loading VirtualAlloc, VirtualProtect procedures...
[INFO]    Calling VirtualAlloc for shellcode...
[INFO]    Length of the shellcode: 9415388 bytes
[INFO]    Allocated 9415388 bytes
[DEBUG]   Copying shellcode to memory...
panic: runtime error: index out of range [1890000] with length 1890000

goroutine 1 [running]:
main.run({0xc003200000, 0x8faadc, 0xa12000?})
        lxdlspnq/20220704_9qul_main.go:123 +0x6b7
main.main()
        lxdlspnq/20220704_9qul_main.go:169 +0xff

Unobfuscated shellcode comes from sliver: generate --os windows --http https://domain --format shellcode -l

config (tested with and without xor)

payload:
  artifacts:
    - name: sleep
      type: evasion
      args:
        - name: delay
          value: "2"
    - name: xor
      type: encoder
      args:
        - name: Key
          value: "ohmymy"
    - name: windows/native/local/go-shellcode-syscall
      type: injector
  #sgn: false #must be uncommented in the code to be used
  type: exe
  arch: x64
  debug: true
  obfuscation: false #need garble to be installed

AV is turned off

matt-moses commented 1 year ago

I ran into this issue as well using shellcode from Sliver. I believe the issue is because Sliver can produce some pretty large shellcode payloads and the injection templates in this project cap the shellcode at 1890000 bytes (https://github.com/guervild/uru/blob/main/data/templates/injector/windows/native/local/go-shellcode-syscall/functions.go.tmpl#L70).

Here's a stacktrace that I was able to capture.

[screenshot: stack trace]

Changing the size in the template and rebuilding the project with go build . got me up and running. This project is awesome but the code base is very new to me. I'm thinking about doing a PR, but if someone beats me to it, all the better. 👍
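As an added illustration (not code from uru), here is the defect class described above, reduced to plain Go: a fixed 1890000-byte destination indexed past its end panics with exactly the "index out of range [1890000] with length 1890000" message from the report, while sizing the buffer from the input, or rejecting oversized input up front, avoids the crash. The function names, the 9415388-byte dummy payload and the cap constant are constructed for this example from the numbers in the thread.

```go
package main

import (
	"errors"
	"fmt"
)

// maxPayload mirrors the fixed cap quoted above (constructed constant; the
// template itself is not reproduced here).
const maxPayload = 1890000

// copyIntoFixed models the original pattern: a fixed-size array filled by
// index. Go bounds-checks every dest[i], so a payload longer than the array
// panics with "index out of range [1890000] with length 1890000"; the panic
// is recovered here only so the caller can see it as an error.
func copyIntoFixed(payload []byte) (n int, err error) {
	var dest [maxPayload]byte
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("copy panicked: %v", r)
		}
	}()
	for i := range payload {
		dest[i] = payload[i]
	}
	return len(payload), nil
}

// copySized is the defensive form: validate the length against what was
// actually allocated, then size the destination from the input.
func copySized(payload []byte, allocated int) ([]byte, error) {
	if len(payload) > allocated {
		return nil, fmt.Errorf("payload is %d bytes, allocation holds %d", len(payload), allocated)
	}
	if len(payload) == 0 {
		return nil, errors.New("empty payload")
	}
	dest := make([]byte, len(payload))
	copy(dest, payload)
	return dest, nil
}

func main() {
	big := make([]byte, 9415388) // constructed dummy payload, same length as in the report
	_, err := copyIntoFixed(big)
	fmt.Println("fixed array:", err)
	out, err := copySized(big, len(big))
	fmt.Println("sized copy:", len(out), err)
}
```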

cmprmsd commented 1 year ago

Sounds plausible! In my case it was also a sliver payload 👍

guervild commented 1 year ago

Hello!

Thank you for the feedback! I pushed a fix on this branch.

Do not hesitate to tell me if the commit fixes the issue; I will merge it in v0.0.3.

matt-moses commented 1 year ago

Tested that branch and confirmed it works for me! Thanks!

cmprmsd commented 1 year ago

Great thank you @guervild and @matt-moses for remediating this issue!