joshfaust / Alaris

A protective and Low Level Shellcode Loader that defeats modern EDR systems.
https://sevrosecurity.com/2020/10/14/alaris-a-protective-loader/
Apache License 2.0

Compile Error: b'' #7

Closed dlimanov closed 3 years ago

dlimanov commented 3 years ago

Getting the below error on Win10 x64 with latest Python 3.9.2:

python builder.py -s c:\temp\shellcode.bin -p {redacted} -o c:\temp\shellcode.exe
[i] Key, IV Generation: Successful
 [+] Key: 76a4bdc4d17ef05116bd8c122841aef093e75eb701ff68628ceece84ce37e547
 [+] IV: 871b56e90419ec41c0e01fd6bd93a589
 [+] Salt: b35a686992959641a2668b9d731c567d
[i] Encrypt Shellcode: Successful
[i] Variable Swap: Successful
Compile Error: b''

mrothbart commented 3 years ago

This is also true of PoshC2 shellcode. See below.

image

It's possible this has to do with the size of the shellcode. Is there a defined upper limit? Can it be overcome?

joshfaust commented 3 years ago

I'm very confident this is due to the sizing issue seen here. I will test it on my end. If either of you (@mrothbart @dlimanov) could send your shellcode that is throwing this exception, I would greatly appreciate it.

dlimanov commented 3 years ago

I'm using a default Covenant shellcode payload. Let me know what's the best way to send it to you.

mrothbart commented 3 years ago

Same with default PoshC2 shellcode. I linked the repo in my comment so you can generate it yourself and use the excellent framework. I am of course happy to send it to you as well. What's the best way to send it over?

joshfaust commented 3 years ago

@mrothbart try: https://github.com/cribdragg3r/Alaris/tree/builder_patch

You will have to pip3 install -r requirements.txt again

I'm guessing it's too large. And there seem to be ways to bypass that via a custom data struct, which I will build into Alaris (hopefully this week) to mitigate this issue.

mrothbart commented 3 years ago

image

dlimanov commented 3 years ago

Same here:

python.exe builder.py -s c:\temp\GruntHTTP.bin -p pass123 -o c:\temp
[i] Key, IV Generation: Successful
 [+] Key: f4a76d3b9d980a3db3a6c73367c67941f97a9e6f94ddb4c82ee83c63500cc47e
 [+] IV: d893325678310dace7599153baf5cdf2
 [+] Salt: 3941242bb17da618b20aff44c4571b8a
[i] Encrypt Shellcode: Successful
[!] Shellcode Too Large, a string can't be longer than 16380 single-byte characters.
[i] https://docs.microsoft.com/en-us/cpp/error-messages/compiler-errors-1/compiler-error-c2026?view=msvc-160&viewFallbackFrom=vs-2019

joshfaust commented 3 years ago

Okay, that's expected behavior. I will review the MSDN docs tonight and see if there isn't an easy way around this by breaking up the string.
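The C2026 limit quoted in the error above, and the "break up the string" approach joshfaust proposes, as an added illustration in Python that is not Alaris's builder.py: it emits a blob as one literal, as adjacent literals the compiler concatenates, or as a byte-array initializer (which has no literal-length limit), choosing by size. It assumes the 16380 and 65535 limits count decoded bytes (escapes already resolved), which is how the linked MSDN page states them; the sample blob in the test is constructed.

```python
"""Added example, not code from the Alaris project. MSVC error C2026 caps one
string literal at 16380 single-byte characters; adjacent literals are then
concatenated up to 65535 bytes. An unsigned char[] initializer has neither
limit, so a builder can pick the representation by blob size."""

MAX_LITERAL = 16380   # MSVC C2026: bytes in a single string literal (assumed decoded count)
MAX_CONCAT = 65535    # MSVC: bytes after adjacent-literal concatenation (assumed decoded count)


def escape(data: bytes) -> str:
    """Render every byte as \\xHH. Each escape decodes to exactly one byte, and
    because the next token always begins with a backslash, a hex escape can
    never swallow a following hex digit (the "\\x41b" pitfall)."""
    return "".join("\\x%02x" % b for b in data)


def string_literal_chunks(data: bytes, limit: int = MAX_LITERAL) -> list:
    """Split data into adjacent C string literals of at most `limit` bytes each;
    the compiler concatenates them into one string."""
    return ['"%s"' % escape(data[i:i + limit])
            for i in range(0, len(data), limit)]


def byte_array(name: str, data: bytes, per_line: int = 16) -> str:
    """xxd -i style initializer; no string-literal length limit applies."""
    rows = [", ".join("0x%02x" % b for b in data[i:i + per_line])
            for i in range(0, len(data), per_line)]
    return "unsigned char %s[%d] = {\n    %s\n};" % (
        name, len(data), ",\n    ".join(rows))


def embed(name: str, data: bytes) -> str:
    """Return a C++ definition for `data` that stays within MSVC's limits.
    A string literal carries an implicit trailing NUL, so sizeof(name) is
    len(data) + 1 in the first two forms; the array form has no extra byte."""
    if len(data) <= MAX_LITERAL:
        return 'const char %s[] = "%s";' % (name, escape(data))
    if len(data) <= MAX_CONCAT:
        return "const char %s[] =\n    %s;" % (
            name, "\n    ".join(string_literal_chunks(data)))
    return byte_array(name, data)
```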

joshfaust commented 3 years ago

@mrothbart @dlimanov This "Should" fix it, mind having a go to test on your system? https://github.com/cribdragg3r/Alaris/tree/builder_patch

mrothbart commented 3 years ago

image

joshfaust commented 3 years ago

You're on the builder_patch branch?

joshfaust commented 3 years ago

image image

mrothbart commented 3 years ago

image

mrothbart commented 3 years ago

image

Sorry for the screens, it's just a much more effective way of getting over the info. I think the posh shellcode is quite a bit larger than 17k...

joshfaust commented 3 years ago

I'm not having the same issues on my end, which is odd. I thought for sure when I hit the max string size of 65,535 bytes I would get the same exception but I'm not. Could you check the loader.cpp source to see how big the shellcode string object is?

image image image

mrothbart commented 3 years ago

Mine is 222596 for some reason.

Posh_v4_x64_Shellcode.zip

I've uploaded my posh shellcode here. The password is alaris. You should use 7z to unzip it as it is AES and not ZipCrypto.

If this shellcode works for you, then there is a local issue that we need to pin down.

mrothbart commented 3 years ago

If you like I can upload my loader.cpp tomorrow as well.

dlimanov commented 3 years ago

New builder_patch worked for me, was able to generate a binary from a 43 KB shellcode.

mrothbart commented 3 years ago

Yeah that doesn't hit the 65k limit like the posh shellcode does.