Closed johnjohnsp1 closed 3 years ago
Hey! I believe this is a limitation of CLRvoyance. The -s flag enables "APC safe" shellcode, which they only support with the 32-bit architecture. Could you try again with -a 32?
Thanks for the fast reply and the tools, they are really nice!! Actually, I can confirm that with -a 32 it works:
PS C:\temp\ThirdEye > python .\thirdeye.py C:\temp\cmdrbs.exe -e -p='currentluid' -s -a 32
msbuild wrapper/wrapper -p:TargetFrameworkVersion=v4.5 -p:Configuration="Release" -p:Platform="x86" /verbosity:quiet
Namespace(assembly='C:\temp\cmdrbs.exe', architecture='32', encode=True, newdomain=False, outfile='./out.bin', parameters='currentluid', safe=True)
Microsoft (R) Build Engine version 16.10.2+857e5a733 for .NET Framework
Copyright (C) Microsoft Corporation. All rights reserved.
[+] 328192 byte assembly
[+] 1759 byte bootstrap
[+] 329950 byte shellcode written out (C:\temp\ThirdEye\wrapper\wrapper\bin\x86\Release\wrapper.exe.shellcode)
Encoding with SGN, RWX memory required for initial shellcode execution
[SGN ASCII-art banner: Author: Ege Balcı, v2.0.0]
[*] Input: C:\temp\ThirdEye\wrapper\wrapper\bin\x86\Release\wrapper.exe.shellcode
[*] Input Size: 329950
[*] Outfile: C:\temp\ThirdEye\wrapper\wrapper\bin\x86\Release\wrapper.exe.shellcode.sgn
[+] Final size: 329986
[+] All done \(^O^)/
Final payload written to ./out.bin
Just one more question: it seems I'm getting lost about the usage of wrapper.exe. I mean, I generate the shellcode, but that is for donuttest.exe, meanwhile the wrapper's output is just the helloworld text. How can I see my exe output (like your example) to see the Seatbelt output?
Thanks in advance.
Actually I did a try like this:
- generated donuttest.exe with the argument I need
- renamed donuttest.exe and replaced the assembly.exe inside the folder thirdeye/wrapper/wrapper/ with donuttest.exe
and then it seems it works:
PS C:\temp\thirdeye\wrapper\wrapper\bin\x64\Release> .\wrapper.exe
15184 x64 Prot: True
Really - v1.6.4
[*] Action: Display current LUID
[*] Current LogonID (LUID) : 0xa3e0b8 (10739896)
PS C:\temp\thirdeye\wrapper\wrapper\bin\x64\Release>
Is it possible to use it like this, or am I doing something wrong?
Thanks in advance.
So wrapper.exe is not meant to be used directly. It is a temporary file managed by ThirdEye and passed to CLRvoyance for shellcode generation. The shellcode (out.bin) is the final product. Does that answer your question?
Yes Kyle, understood the flow. Thanks once more for the answer, and the tool is really awesome.
Hello Kyle, awesome webinar, I was following with great interest and quickly tested your code. Down below everything is running fine, but if I use the switch -s I get this error:
PS C:\temp\ThirdEye > python .\thirdeye.py C:\temp\cmdrbs.exe -e -s -p='currentluid'
msbuild wrapper/wrapper -p:TargetFrameworkVersion=v4.5 -p:Configuration="Release" -p:Platform="x64" /verbosity:quiet
Namespace(assembly='C:\temp\cmdrbs.exe', architecture='64', encode=True, newdomain=False, outfile='./out.bin', parameters='currentluid', safe=True)
Microsoft (R) Build Engine version 16.10.2+857e5a733 for .NET Framework
Copyright (C) Microsoft Corporation. All rights reserved.
Traceback (most recent call last):
  File "C:\temp\ThirdEye\thirdeye.py", line 67, in <module>
    clrvoyance.run(cvArgs)
  File "C:\temp\ThirdEye\CLRvoyance\CLRvoyance\clrvoyance.py", line 64, in run
    bootstrap = open("sc-%s-clr-apc" % options.platform, 'rb').read()
FileNotFoundError: [Errno 2] No such file or directory: 'sc-64-clr-apc'
Actually, I looked inside the CLRvoyance folder, and even in the original code from Accenture that file is really missing. The environment is a VM with Windows 10 and Visual Studio 2019, Python 3.9.5. Anything I do wrong? Thanks.