kyleavery / ThirdEye

Weaponizing CLRvoyance for Post-Ex .NET Execution

FileNotFoundError: [Errno 2] No such file or directory: 'sc-64-clr-apc' #1

Closed johnjohnsp1 closed 3 years ago

johnjohnsp1 commented 3 years ago

Hello Kyle, awesome webinar, I was following with great interest and quickly tested your code. Below, everything is running fine, but if I use the switch -s I get this error:

PS C:\temp\ThirdEye > python .\thirdeye.py C:\temp\cmdrbs.exe -e -s -p='currentluid'
msbuild wrapper/wrapper -p:TargetFrameworkVersion=v4.5 -p:Configuration="Release" -p:Platform="x64" /verbosity:quiet
Namespace(assembly='C:\temp\cmdrbs.exe', architecture='64', encode=True, newdomain=False, outfile='./out.bin', parameters='currentluid', safe=True)
Microsoft (R) Build Engine version 16.10.2+857e5a733 for .NET Framework
Copyright (C) Microsoft Corporation. All rights reserved.

Traceback (most recent call last):
  File "C:\temp\ThirdEye\thirdeye.py", line 67, in
    clrvoyance.run(cvArgs)
  File "C:\temp\ThirdEye\CLRvoyance\CLRvoyance\clrvoyance.py", line 64, in run
    bootstrap = open("sc-%s-clr-apc" % options.platform, 'rb').read()
FileNotFoundError: [Errno 2] No such file or directory: 'sc-64-clr-apc'

Actually, looking inside the CLRvoyance folder, and even in the original code from Accenture, that file really is missing. The environment is a VM with Windows 10 and Visual Studio 2019, Python 3.9.5. Is there anything I'm doing wrong? Thanks.

kyleavery commented 3 years ago

Hey! I believe this is a limitation of CLRvoyance. The -s flag enables "APC safe" shellcode, which they only support with the 32-bit architecture. Could you try again with -a 32?
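The maintainer's reply pins the error on a bootstrap file that only ships for the 32-bit platform. As an added illustration (not ThirdEye's or CLRvoyance's own code), the snippet below is a pre-flight check that reports the unsupported -s with -a 64 combination, or a missing bootstrap, before anything tries to open the file. Only the filename pattern sc-%s-clr-apc is taken from the traceback; APC_SAFE_PLATFORMS, check_options and the constructed directory listing are assumptions made for the example.

```python
import os

# Added example, not ThirdEye's or CLRvoyance's own code.
# The traceback in this issue shows CLRvoyance opening "sc-%s-clr-apc" % platform
# when the -s ("APC safe") flag is set. Per the maintainer's reply that file only
# exists for the 32-bit platform, so requesting -s with -a 64 ends in a
# FileNotFoundError deep inside clrvoyance.run(). Checking up front turns that
# traceback into a message that names the unsupported combination.

APC_SAFE_PLATFORMS = {"32"}  # assumed from the reply: -s only works with -a 32


def apc_bootstrap_name(platform):
    """Filename opened for APC-safe shellcode (pattern taken from the traceback)."""
    return "sc-%s-clr-apc" % platform


def check_options(platform, safe, available_files=None):
    """Return (ok, message) for a platform / -s combination.

    available_files: iterable of filenames in the CLRvoyance directory. It defaults
    to the current working directory listing; passing a constructed set makes the
    check testable offline.
    """
    if not safe:
        # Without -s no APC-safe bootstrap is needed; nothing to validate here.
        return True, "no APC-safe bootstrap needed"
    if platform not in APC_SAFE_PLATFORMS:
        return False, ("-s requires -a 32: no APC-safe bootstrap is shipped "
                       "for the %s-bit platform" % platform)
    name = apc_bootstrap_name(platform)
    files = set(os.listdir(".")) if available_files is None else set(available_files)
    if name not in files:
        return False, "bootstrap %s is missing from the CLRvoyance directory" % name
    return True, name


if __name__ == "__main__":
    # Constructed directory listing mirroring the reporter's environment:
    # the 32-bit APC-safe bootstrap is present, the 64-bit one is not.
    listing = {"clrvoyance.py", "sc-32-clr-apc"}
    for platform, safe in (("64", True), ("32", True), ("64", False)):
        ok, msg = check_options(platform, safe, listing)
        flag = "-s" if safe else "  "
        print("-a %s %s -> %s: %s" % (platform, flag, "ok" if ok else "error", msg))
```

Run as shown, the 64-bit -s combination is rejected with the hint to use -a 32, the 32-bit one resolves to sc-32-clr-apc, and a run without -s passes through untouched.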

johnjohnsp1 commented 3 years ago

Thanks for the fast reply and the tools, it is really nice!! Actually, I can confirm that with -a 32 specified it works:

PS C:\temp\ThirdEye > python .\thirdeye.py C:\temp\cmdrbs.exe -e -p='currentluid' -s -a 32
msbuild wrapper/wrapper -p:TargetFrameworkVersion=v4.5 -p:Configuration="Release" -p:Platform="x86" /verbosity:quiet
Namespace(assembly='C:\temp\cmdrbs.exe', architecture='32', encode=True, newdomain=False, outfile='./out.bin', parameters='currentluid', safe=True)
Microsoft (R) Build Engine version 16.10.2+857e5a733 for .NET Framework
Copyright (C) Microsoft Corporation. All rights reserved.

[+] 328192 byte assembly
[+] 1759 byte bootstrap
[+] 329950 byte shellcode written out (C:\temp\ThirdEye\wrapper\wrapper\bin\x86\Release\wrapper.exe.shellcode)
Encoding with SGN, RWX memory required for initial shellcode execution

[SGN ASCII-art banner: Author: Ege Balcı, v2.0.0]

[*] Input: C:\temp\ThirdEye\wrapper\wrapper\bin\x86\Release\wrapper.exe.shellcode
[*] Input Size: 329950
[*] Outfile: C:\temp\ThirdEye\wrapper\wrapper\bin\x86\Release\wrapper.exe.shellcode.sgn
[+] Final size: 329986
[+] All done \(^O^)/
Final payload written to ./out.bin

johnjohnsp1 commented 3 years ago

Just one more question, it seems I'm getting lost about the usage of wrapper.exe. I mean, I generate the shellcode, but that is for donuttest.exe, meanwhile the wrapper's output is just the hello world text. How can I see my exe output (like your example) to see the Seatbelt output?

Thanks in advance.

Actually, I did a try like this:
- generate the donuttest.exe with the argument I need
- rename donuttest.exe and replace the assembly.exe inside the folder thirdeye/wrapper/wrapper/ with donuttest.exe
and then it seems it works:

PS C:\temp\thirdeye\wrapper\wrapper\bin\x64\Release> .\wrapper.exe
15184 x64 Prot: True
Really - v1.6.4

[*] Action: Display current LUID

[*] Current LogonID (LUID) : 0xa3e0b8 (10739896)

PS C:\temp\thirdeye\wrapper\wrapper\bin\x64\Release>

Is it possible to use it like this, or am I doing something wrong?

Thanks in advance.

kyleavery commented 3 years ago

So wrapper.exe is not meant to be used directly. It is a temporary file managed by ThirdEye and passed to CLRvoyance for shellcode generation. The shellcode (out.bin) is the final product. Does that answer your question?

johnjohnsp1 commented 3 years ago

Yes Kyle, I understood the flow. Thanks once more for the answer, and the tool is really awesome.