search

mitre / sandcat

A CALDERA plugin
https://caldera.mitre.org/
Apache License 2.0
60 stars 36 forks source link

shellcode_amd64 executor crashes agent #433

Open heyquentin opened 11 months ago

heyquentin commented 11 months ago

Describe the bug The sandcat agent crashes and the connection between it and Caldera is lost (no heartbeat) when executing shellcode using the shellcode_amd64 executor on a Windows 10 system.

To Reproduce Steps to reproduce the behavior: Target system: Windows 10 22H2 vmware_RUpIoEkAbU Caldera: latest (4.2.0) Sandcat: latest

  1. Open Powershell on the Windows machine and exec sandcat.exe to get a callback to Caldera
  2. Make an ability using the shellcode_amd64 executor and put in a simple nop vmware_VMeNJ9uN4z
  3. Execute the operation. The agent will crash, the heartbeats will cease and an error will be displayed in Powershell vmware_Z6GpgR5pyd

Here is the text

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x18 pc=0xa688b9]

goroutine 28 [running]:
syscall.(*Proc).Call(0x2?, {0xc0000cfa40?, 0x64d6a514?, 0x36699b4c?})
        /usr/local/go/src/syscall/dll_windows.go:190 +0x19
github.com/mitre/gocat/execute/shellcode.Runner({0xc0000a3e30, 0x1, 0x28034c30598?})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/shellcode/shellcode_windows.go:28 +0x65
github.com/mitre/gocat/execute/shellcode.(*Shellcode).Run(0x0?, {0xc0000a3e28?, 0x0?}, 0x100000000000000?, {0xc00014ea50, 0xc00014e9f0, {0x0, 0x0, 0x0}, 0xc00014ea20})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/shellcode/shellcode.go:34 +0xe5
github.com/mitre/gocat/execute.RunCommand({0xc00014ea50, 0xc00014e9f0, {0x0, 0x0, 0x0}, 0xc00014ea20})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/execute.go:80 +0x436
github.com/mitre/gocat/agent.(*Agent).runInstructionCommand(0x0?, 0xc00014e9f0)
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/agent/agent.go:282 +0x157
github.com/mitre/gocat/agent.(*Agent).RunInstruction(0xc0000cab60, 0x0?, 0x1)
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/agent/agent.go:263 +0x3f
created by github.com/mitre/gocat/core.runAgent
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/core/core.go:100 +0xcea

Expected behavior The given shellcode is executed.

Desktop (please complete the following information):

Additional context I tested the shellcode functionality on Linux (Kali) and it seemed to work fine. The same error code is also shown in a cmd prompt vmware_g2lCpBa738

heyquentin commented 11 months ago

In the msg above I was using Go version 1.20.5. I saw mention of 1.11 in a config file so I installed that version. Same error:

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x18 pc=0xa688b9]

goroutine 7 [running]:
syscall.(*Proc).Call(0x2?, {0xc000024cc0?, 0x64d6c715?, 0x3190c564?})
        /usr/local/go/src/syscall/dll_windows.go:190 +0x19
github.com/mitre/gocat/execute/shellcode.Runner({0xc00001d448, 0x1, 0x22047530108?})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/shellcode/shellcode_windows.go:28 +0x65
github.com/mitre/gocat/execute/shellcode.(*Shellcode).Run(0xa30585?, {0xc00001d440?, 0x200000003?}, 0x10000c000085380?, {0xc00015be00, 0xc00015bda0, {0x0, 0x0, 0x0}, 0xc00015bdd0})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/shellcode/shellcode.go:34 +0xe5
github.com/mitre/gocat/execute.RunCommand({0xc00015be00, 0xc00015bda0, {0x0, 0x0, 0x0}, 0xc00015bdd0})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/execute.go:80 +0x436
github.com/mitre/gocat/agent.(*Agent).runInstructionCommand(0x0?, 0xc00015bda0)
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/agent/agent.go:282 +0x157
github.com/mitre/gocat/agent.(*Agent).RunInstruction(0xc000084340, 0x0?, 0x1)
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/agent/agent.go:263 +0x3f
created by github.com/mitre/gocat/core.runAgent
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/core/core.go:100 +0xcea

@elegantmoose Can you shed any light on this?

RiccardoAncarani commented 6 months ago

Hey, I had the same problem. Inspecting the code it seems that all the WinAPIs related to the shellcode lading are not initialised properly on Windows. This means that VirtualAlloc is NULL, and when invoked raises an ACCESS_DENIED exception. You can solve this by "stealing" the lazyDll loading code from from the donut executor. I simply included both modules in my fixed sandcat. At line 20-ish the var statement now looks like this:

var (
    kernel32      = donut.NewLazySystemDLL("kernel32.dll")
    ntdll         = donut.NewLazySystemDLL("ntdll.dll")
    VirtualAlloc  = kernel32.NewProc("VirtualAlloc")
    RtlCopyMemory = kernel32.NewProc("RtlCopyMemory")
)

and fix the import with the following

    "github.com/mitre/gocat/execute/donut"
RiccardoAncarani commented 6 months ago

Also bear in mind that you always need to use a shellcode with an exitfunc=thread, or it will crash the sandcat process. A working example is this: msfvenom --payload windows/x64/exec CMD=calc.exe EXITFUNC=thread -f raw -o calc2.bin