mitre / sandcat

A CALDERA plugin
https://caldera.mitre.org/
Apache License 2.0

Sandcat Fails to Launch on 32bit Windows #409

Closed Will-Beninger closed 2 years ago

Will-Beninger commented 2 years ago

Describe the bug

Based on reading a few of the issues in mitre/caldera, this sounds like a known issue/feature request. This specifically relates to the agent deployment as part of Caldera.

Discussion here mitre/caldera/pull/1091 & here mitre/caldera/issues/537 & here caldera/issues/2178, & here mitre/caldera/issues/61

However when attempting to deploy the agent on 32bit Windows 10 using the default Caldera commands, the deployment fails with the following message:

Start-Process : This command cannot be run due to the error: The specified executable is not a valid application for this OS platform..
At line:1 char:561
+ ...  | Out-Null;Start-Process -FilePath C:\Users\Public\$name.exe -Argume ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand

To Reproduce

Steps to reproduce the behavior:

  1. Copy New Agent creation code from caldera into a 32bit Windows 10 host and run

Expected behavior

Agent is deployed and sandcat is dynamically compiled or pulls from a preset of payloads to support 32bit architecture.



Will-Beninger commented 2 years ago

EDIT: Mistake was my own on how I was downloading the file, the x86 compilation works and see the client show up in Caldera

Attempting to manually build the sandcat binary with Go as follows:

    GOARCH=386 GOOS=windows go build -o ../payloads/sandcat.go-windows-x86 -ldflags="-s -w" sandcat.go

gives the following file:

# file ../payloads/sandcat.go-windows-x86                                                           
../payloads/sandcat.go-windows-x86: PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows

Am able to launch the agent (image) and it appears in the agents list (image).
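The `file` output above is the quick way to confirm which architecture a payload was built for; the check below does the same thing from the PE header itself, which is useful when a build host has no `file` utility or when you want to gate a deployment script on the result. This is an added example, not code from the sandcat plugin or the CALDERA project. It reads the DOS header's `e_lfanew` pointer at offset 0x3C, follows it to the `PE\0\0` signature, and returns the 16-bit COFF `Machine` field that follows (0x014c is the "Intel 80386" that `file` reports for the `GOARCH=386` build; 0x8664 is the default amd64 build that `Start-Process` refused on the 32-bit host). The `MinimalPE` helper fabricates a header-only sample image so the parser can be exercised offline; the file name in the usage line is assumed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// COFF Machine values for the Windows targets Go can emit.
const (
	machineI386  uint16 = 0x014c
	machineAMD64 uint16 = 0x8664
	machineARM64 uint16 = 0xaa64
)

// PEMachine parses just enough of a PE image to return its COFF Machine
// field: MZ magic, e_lfanew at 0x3C, the "PE\0\0" signature it points to,
// and the two-byte Machine field immediately after that signature.
func PEMachine(img []byte) (uint16, error) {
	if len(img) < 0x40 || img[0] != 'M' || img[1] != 'Z' {
		return 0, errors.New("not a DOS/PE image (missing MZ header)")
	}
	off := binary.LittleEndian.Uint32(img[0x3C:0x40])
	// Bounds check before following the pointer: a truncated or hostile file
	// must not cause a slice panic.
	if uint64(off)+6 > uint64(len(img)) {
		return 0, errors.New("e_lfanew points outside the file")
	}
	if string(img[off:off+4]) != "PE\x00\x00" {
		return 0, errors.New("missing PE signature at e_lfanew")
	}
	return binary.LittleEndian.Uint16(img[off+4 : off+6]), nil
}

// GoArchFor maps a COFF Machine value onto the GOARCH that produces it, so a
// deployment script can compare the built payload against the target host.
func GoArchFor(machine uint16) string {
	switch machine {
	case machineI386:
		return "386"
	case machineAMD64:
		return "amd64"
	case machineARM64:
		return "arm64"
	default:
		return fmt.Sprintf("unknown(0x%04x)", machine)
	}
}

// MinimalPE builds a constructed, header-only sample image (not a runnable
// executable) with a valid MZ magic, e_lfanew and PE signature. It exists only
// so the parser can be tested without a real sandcat binary on disk.
func MinimalPE(machine uint16) []byte {
	img := make([]byte, 0x40+24) // DOS header stub + 20-byte COFF header
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3C:], 0x40) // e_lfanew -> 0x40
	copy(img[0x40:], "PE\x00\x00")
	binary.LittleEndian.PutUint16(img[0x44:], machine)
	return img
}

func main() {
	// Assumed usage: go run checkarch.go ../payloads/sandcat.go-windows-x86
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: checkarch <pe-file>")
		os.Exit(2)
	}
	img, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	m, err := PEMachine(img)
	if err != nil {
		fmt.Fprintf(os.Stderr, "%s: %v\n", os.Args[1], err)
		os.Exit(1)
	}
	fmt.Printf("%s: GOARCH=%s (Machine 0x%04x)\n", os.Args[1], GoArchFor(m), m)
}
```

Running this against the default payload and the `GOARCH=386` rebuild side by side makes the mismatch in the original report concrete: the one reported as `amd64` is the one a 32-bit Windows 10 host cannot start, whatever name it is served under.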

BCHarrell commented 2 years ago

@Will-Beninger Good morning Will, I just want to make sure I'm following since the original comment was edited -- based on your second comment, is this issue resolved? Or are you still looking for updates to the CALDERA provided download command?

Will-Beninger commented 2 years ago

@BCHarrell Good Morning and sorry for the delayed reply.

Apologies for confusing the issue. I had originally believed that even when compiling 32bit manually via Go it was not working as an agent, however I corrected my mistake and observed that it did work.

The issue/feature request I was hoping to raise here is support for 32bit clients requesting sandcat agents automatically through Caldera. By default, a 64bit package is built and is unable to be run (from my initial report). My second comment was intending to show that the code supports 32bit but the plugin is not allowing for the differentiation.

On my review of the project, the Go build architecture/arch appears to be passed along to some functions; however, it is not passed down by Caldera or exposed as an optional parameter in this project.

BCHarrell commented 2 years ago

Got it, thanks for the clarification.

BCHarrell commented 2 years ago

We've noted this for future capability, but given an existing workaround (manual compilation) we're going to close this.