optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.

cmd.Run() failed #47

Closed r00t7oo2jm closed 2 years ago

r00t7oo2jm commented 2 years ago

Can you help me see what's wrong?

[image: error]

shrek3n commented 2 years ago

I get the same errors when trying to specifically create a control Loader.

ghost commented 2 years ago

Issue happens for me as well with the additional following error:

exit status 1: go list error: exit status 2: # dOUVXEfnjlU
./combase.go:10:3: base64 redeclared as imported package name
        /root/Downloads/ScareCrow/combase/combase.go:8:3: previous declaration
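The error above comes from an import block that binds the name `base64` twice. The following is an added example, not ScareCrow's own code: a small check, written with the standard `go/parser`, that scans a generated Go source file's import section and reports any import name declared more than once before the file is handed to the compiler. The sample source is constructed to reproduce the clash; the default import name is assumed to be the last path element, which holds for standard-library packages.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"path"
	"strings"
)

// sampleSrc is a constructed stand-in for a generated loader source whose
// import block binds "base64" twice, the situation behind the error above.
const sampleSrc = `package ncp

import (
	"crypto/aes"
	"encoding/base64"
	"encoding/base64"
)
`

// DuplicateImports parses only the import section of src and returns one
// message per import name bound more than once in file scope. The default
// name is assumed to be the last path element (true for the standard library).
func DuplicateImports(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "gen.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	seen := map[string]token.Position{}
	var dups []string
	for _, imp := range f.Imports {
		name := path.Base(strings.Trim(imp.Path.Value, `"`))
		if imp.Name != nil {
			name = imp.Name.Name // an explicit alias overrides the default name
		}
		if name == "_" || name == "." {
			continue // blank and dot imports do not bind a file-scope name
		}
		pos := fset.Position(imp.Pos())
		if prev, ok := seen[name]; ok {
			dups = append(dups, fmt.Sprintf("%s redeclared at %v (previous declaration %v)", name, pos, prev))
			continue
		}
		seen[name] = pos
	}
	return dups, nil
}
```

Running the check on a template's output before invoking `go build` turns the compiler's late "redeclared as imported package name" failure into an early, readable report.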
Tylous commented 2 years ago

I will take a look at this right now.

Tylous commented 2 years ago

I get the same errors when trying to specifically create a control Loader.

I don't get the issue with control loaders [image]. Can you provide the exact commands you ran so I can properly replicate this for you?

shrek3n commented 2 years ago

┌──(kali㉿kali)-[/opt/ScareCrow]
└─$ scarecrow -I ~/Downloads/raw64sl.bin -Loader control -domain www.nvidia.com

[ScareCrow ASCII banner]
“Fear, you must understand is more than a mere obstacle. Fear is a TEACHER. the first one you ever had.”

[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[+] Patched AMSI Enabled
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With ncp's Properties
[*] Compiling Payload
exit status 1: go list error: exit status 2: # xGvzcRienHzeNk
./ncp.go:10:3: base64 redeclared as imported package name
        /opt/ScareCrow/ncp/ncp.go:8:3: previous declaration

[+] Payload Compiled
[*] Signing ncp.dll With a Fake Cert
2022/03/22 23:23:11 cmd.Run() failed with exit status 255


Tylous commented 2 years ago

@shrek3n [image] I believe I've fixed this. I am currently running through different permutations to make sure I didn't introduce more bugs.

shrek3n commented 2 years ago

I did use your switches above and it worked. Also, I believe I attempted to request a feature to add a proxy IP and port to send traffic out. Unfortunately I have most of my stuff in an environment that uses a proxy and it doesn't play nice going through http_proxy or https_proxy. Also, if it is possible, have a switch to skip the use of Limelighter to be able to manually osslsigncode if for some reason it's not working. I have seen a few times now that it gets to the compiled piece, then hangs at creating a fake cert and errors out. I have the correct pfx/pkcs12 file that I know works.

Tylous commented 2 years ago

@shrek3n With regards to the proxy, are you referring to when you are compiling the loader? If so, the easier solution would be to compile it elsewhere and then move it into your environment. If you are referring to the C2 traffic itself, that should be handled by the C2 framework itself. As for the option to not sign with Limelighter, this is a big part of ScareCrow so I would have to look at it. As for any type of manual code signing, take a look at this standalone project of mine.

shrek3n commented 2 years ago

@Tylous Sorry, let me be more clear. Compiling is fine, but when I use -domain and it tries to pull the site using your getpem function (not the exact name of the function), it always fails. I am unable in the environment to get your tool to call through the proxy for whatever reason. Thought about modifying the code, but I'm not fluent or even a novice in Go.

Tylous commented 2 years ago

So if it always says it fails it sounds like it could be a routing issue. Have you tried compiling the loader on a different system outside the environment? Go binaries and proxies don't work well because:

shrek3n commented 2 years ago

@Tylous Yep, it works just fine outside of the environment. I was afraid that was going to be your response.

Tylous commented 2 years ago

Yes, unfortunately that's my recommendation for now; there are a lot of options already in ScareCrow, so it can be overwhelming. I have pushed an update to address these issues to the current version. I will be closing this issue shortly.

ghost commented 2 years ago

Tested working as desired with the new download today for me.