Closed dlimanov closed 3 years ago
This is also true of PoshC2 shellcode. See below.
It's possible this has to do with the size of the shellcode. Is there a defined upper limit? Can it be overcome?
I'm very confident this is due to the sizing issue seen here. I will test it on my end. If either of you (@mrothbart @dlimanov) could send your shellcode that is throwing this exception, I would greatly appreciate it.
I'm using a default Covenant shellcode payload. Let me know what's the best way to send it to you.
Same with default PoshC2 shellcode. I linked the repo in my comment so you can generate it yourself and use the excellent framework. I am of course happy to send it to you as well. What's the best way to send it over?
@mrothbart try: https://github.com/cribdragg3r/Alaris/tree/builder_patch
You will have to pip3 install -r requirements.txt again
I'm guessing it's too large. And there seem to be ways to bypass that via a custom data struct, which I will build into Alaris (hopefully this week) to mitigate this issue.
Same here:
python.exe builder.py -s c:\temp\GruntHTTP.bin -p pass123 -o c:\temp
[i] Key, IV Generation: Successful
 [+] Key: f4a76d3b9d980a3db3a6c73367c67941f97a9e6f94ddb4c82ee83c63500cc47e
 [+] IV: d893325678310dace7599153baf5cdf2
 [+] Salt: 3941242bb17da618b20aff44c4571b8a
[i] Encrypt Shellcode: Successful
[!] Shellcode Too Large, a string can't be longer than 16380 single-byte characters.
[i] https://docs.microsoft.com/en-us/cpp/error-messages/compiler-errors-1/compiler-error-c2026?view=msvc-160&viewFallbackFrom=vs-2019
Okay, that's expected behavior. I will review the MSDN docs tonight and see if there isn't an easy way around this by breaking up the string.
@mrothbart @dlimanov This "Should" fix it, mind having a go to test on your system? https://github.com/cribdragg3r/Alaris/tree/builder_patch
You're on the builder_patch branch?
Sorry for the screens, it's just a much more effective way of getting over the info. I think the posh shellcode is quite a bit larger than 17k...
I'm not having the same issues on my end, which is odd. I thought for sure when I hit the max string size of 65,535 bytes I would get the same exception but I'm not. Could you check the loader.cpp source to see how big the shellcode string object is?
Mine is 222596 for some reason.
Posh_v4_x64_Shellcode.zip
I've uploaded my posh shellcode here. The password is alaris. You should use 7z to unzip it as it is AES and not zip crypto.
If this shellcode works for you, then there is a local issue that we need to pin down.
If you like I can upload my loader.cpp tomorrow as well.
New builder_patch worked for me, was able to generate a binary from a 43kb shellcode.
Yeah, that doesn't hit the 65k limit like the posh shellcode does.
Getting the below error on Win10 x64 with latest Python 3.9.2:
python builder.py -s c:\temp\shellcode.bin -p {redacted} -o c:\temp\shellcode.exe
[i] Key, IV Generation: Successful
 [+] Key: 76a4bdc4d17ef05116bd8c122841aef093e75eb701ff68628ceece84ce37e547
 [+] IV: 871b56e90419ec41c0e01fd6bd93a589
 [+] Salt: b35a686992959641a2668b9d731c567d
[i] Encrypt Shellcode: Successful
[i] Variable Swap: Successful
Compile Error: b''