optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.

Error during payload compiling and after that during signing of a binary #28

Closed jsdhasfeds closed 2 years ago

jsdhasfeds commented 2 years ago

Hi. Thank you for your great work! I am trying to get a Cobalt Strike beacon.exe through Windows Defender but currently I get the two errors below. I attempt this on Kali 2021.3 in a virtual environment using version 2.3 of ScareCrow.

┌──(virtual_env_scarecrow)─(root💀kali)-[~/pentest/ScareCrow-2.3]
└─# ./ScareCrow -I beacon.exe -domain www.microsoft.com -injection "C:\Windows\System32\notepad.exe" -console

[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[+] Process Injection Mode Enabled
[*] Created Process: C:\Windows\System32\notepad.exe
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With OneDrive's Properties
[*] Compiling Payload
exit status 2: # loader
./OneDrive.go:367:67: newline in string
./OneDrive.go:367:67: syntax error: unexpected newline, expecting comma or )
./OneDrive.go:2682:3: newline in string

[+] Payload Compiled
[*] Signing OneDrive.exe With a Fake Cert
2021/09/22 04:06:42 cmd.Run() failed with exit status 255

Tylous commented 2 years ago

Hello, does this happen constantly, or if you re-run the command does it work fine? I just tested your command out and it seems to work, so more info would be helpful. Also, the -I field only takes raw shellcode, not a binary.


  _________                           _________
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     /
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/
    \/     \/     \/            \/        \/
                            (@Tyl0us)
    “Fear, you must understand is more than a mere obstacle.
    Fear is a TEACHER. the first one you ever had.”

[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With libcrypto's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing libcrypto.dll With a Fake Cert
[+] Signed File Created
[*] Creating Loader
[+] Loader Compiled

jsdhasfeds commented 2 years ago

I tried running the same command several times again, this time making sure to input raw shellcode. However, the result was the same every time I tried it. Can I help in any other way?

Tylous commented 2 years ago

Did you download the sourcecode.zip in releases or use a git clone? If you used the sourcecode.zip, try a git clone.

jsdhasfeds commented 2 years ago

Interesting. I used the source code from your 2.3 release when I had these errors. Now that I cloned main I no longer get the errors! It seems there is something wrong with the 2.3 release. Thanks for suggesting the cloning! I can now start the testing of your tool which I very much look forward to!

Tylous commented 2 years ago

No problem, that's what I was thinking the issue was. Looks like I'll have to re-release it.

beerandgin commented 2 years ago

Have the same issues using both clone and sourcecode.zip.

Tylous commented 2 years ago

Seems odd if it's both… please paste the exact command and output, thank you.

Lexati commented 2 years ago

Hello, thanks for ScareCrow) I have the same problem. I used:

sudo ./ScareCrow -I GfxValDisplayLog.bin -valid my_cert.cer -password ***** -domain www.microsoft.com

and got error 255. I used "git clone".



[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With Outlook's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing Outlook.exe With a Valid Cert my_cert.cer
2021/09/30 17:54:12 cmd.Run() failed with exit status 255

Tylous commented 2 years ago

Hey @Lexati, you need to use a .pfx. You can convert your .cer into a .pfx.

Lexati commented 2 years ago

@Tylous Ok, I converted it into a pfx, but I also got the same error (255).

~/Documents/ScareCrow$ ./ScareCrow -I GfxValDisplayLog.bin -domain www.microsoft.com -valid bob_pfx.pfx -password ***



[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With Excel's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing Excel.exe With a Valid Cert bob_pfx.pfx
2021/10/05 17:45:00 cmd.Run() failed with exit status 255

Lexati commented 2 years ago

@Tylous I think that I have a problem because my VM host is behind a proxy. Please tell me how I can use a proxy? I tested: https_proxy=http://33.33.33.33:4444 ./ScareCrow -I GfxValDisplayLog.bin -domain www.microsoft.com -valid bob_pfx.pfx -password ***** but it didn't work....

Tylous commented 2 years ago

Using the -domain flag together with the -valid flag won't work. If you are using a valid cert, use just the -valid and -password flags. If you are using the -domain flag and there is a proxy, then that's a different issue. Proxy stuff like proxychains doesn't work well with Go because Go doesn't use libc. I would suggest compiling the executable somewhere else and transferring it over.

Lexati commented 2 years ago

@Tylous Ok, but without "-domain" I get a new error =(( image

P.S. In the latest version there is also this problem.

Tylous commented 2 years ago

Sorry for the delay, I see the problem. It's an issue with the argument checks. If you disable

    if opt.domain == "" {
        log.Fatal("Error: Please provide a domain in order to generate a code signing certificate")
    }

at line 154 and recompile it, this won't be a problem. I will be releasing a new version tomorrow that addresses this issue.

Tylous commented 2 years ago

Fixed in patch 3.0

Lexati commented 2 years ago

@Tylous Hello, I disabled this string and still got error 255. But: I put my pfx file in all the dirs which are randomly generated during payload creation. One of the dirs is Powerpnt. And then, when the random payload was created for Powerpnt, I got a successful run. image

I am learning your code and I think that the problem is in the file limelighter.go, in the function SignExecutable. Possibly the path to the "pfx" file is incorrectly specified during execution. Earlier, I had the pfx file in the ScareCrow root. image

I don't develop in Go, but it seems to me that this may be the problem, please check =))) Thanks very much)

Tylous commented 2 years ago

So based on your picture it worked. You wouldn't have the message "Signed File Created" or "Binary Compiled" if it failed. If you are still having this issue, can you please try with the latest version and post the exact output (you can blur any sensitive data in the photo, I just need to see the full picture).

Lexati commented 2 years ago

@Tylous Hello, I downloaded the new version and got a new error)) image

Tylous commented 2 years ago

So you need to update your version of go. Check out https://golang.org/

Lexati commented 2 years ago

@Tylous If you look at the screen, you can see that I used the command "go version". My version is 1.17, I specifically updated it before writing a report.

Tylous commented 2 years ago

I am sorry, I misunderstood your image then. As you can see in the image below, it works just fine for me and I am on 1.17.1.

image

Can you try 1.17.1 and see if you're still getting that issue?

Sh0ckFR commented 2 years ago

@Lexati I had the same problem, I guess you just replaced the go and gofmt binaries, that's not enough.

I fixed the problem this way:

type go

In my case the output was: /usr/local/go/bin/go

I downloaded the new version and replaced the full directory:

curl -L https://golang.org/dl/go1.17.2.linux-amd64.tar.gz --output golang.tar.gz
rm -rf /usr/local/go/
tar -xvf golang.tar.gz
cp -R go/ /usr/local/go/
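
The stale-toolchain situation Sh0ckFR describes (only the go and gofmt binaries swapped, so an older install still runs) can be checked with the script below. It is an added example, not part of ScareCrow or of this thread; it assumes a Unix host, and takes the /usr/local/go path and the 1.17.1 minimum from the thread.

```shell
#!/bin/sh
# Added example, not from the ScareCrow project: detect a half-replaced Go
# install. Assumes a Unix host; the /usr/local/go path and the 1.17.1
# minimum are the values mentioned in the issue thread.

# Reduce "go version go1.17.2 linux/amd64" (or a bare "1.17.2") to one
# integer such as 1001017002 that compares correctly with test -ge.
go_ver_key() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*go\([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || v=$1
    printf '%s\n' "$v" | awk -F. '{ printf "1%03d%03d%03d\n", $1, $2, $3 }'
}

# go_ver_ge CURRENT MINIMUM: succeed when CURRENT is at least MINIMUM.
go_ver_ge() {
    [ "$(go_ver_key "$1")" -ge "$(go_ver_key "$2")" ]
}

# go_bin_under_root GO_BINARY GOROOT: the go found on PATH must be the one
# inside GOROOT; anything else means a leftover install is shadowing it.
go_bin_under_root() {
    case "$1" in
        "${2%/}/bin/go") return 0 ;;
        *) return 1 ;;
    esac
}

# Live check on this host: prints each problem found and fails if any.
check_go_toolchain() {
    min=${1:-1.17.1}
    bin=$(command -v go) || { echo "go is not on PATH"; return 1; }
    root=$(go env GOROOT)
    ver=$(go version)
    rc=0
    go_bin_under_root "$bin" "$root" ||
        { echo "PATH go ($bin) is not $root/bin/go: stale install?"; rc=1; }
    go_ver_ge "$ver" "$min" ||
        { echo "$ver is older than the required $min"; rc=1; }
    [ -d /usr/local/go ] && [ "${root%/}" != /usr/local/go ] &&
        { echo "/usr/local/go exists but GOROOT is $root: remove the old tree"; rc=1; }
    return $rc
}
```

Run check_go_toolchain after the replacement above; a clean result means the go on PATH, its GOROOT and its version all agree.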

Tylous commented 2 years ago

Is this still an issue? I haven't been able to recreate this. The only time this would occur is if the older version of go is still present.

zhihuba commented 2 years ago

su root
./ScareCrow_3.01_linux_amd64 -I 1.bin -domain www.google.com

This can solve "cmd.Run() failed with exit status 255".