search

souzomain / Shaco

Shaco is a linux agent for havoc
MIT License
144 stars 20 forks source link

Runtime error: index out of range [3] with length 3 #7

Open QU35T-code opened 1 year ago

QU35T-code commented 1 year ago

1) Create a HTTP listener 2) Run shaco agent on the target (Linux c8b61144fa84 5.4.0-1030-aws #31-Ubuntu SMP Fri Nov 13 11:40:37 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux) 3) Crash error

[*] teamserver socket opened
[*] New Message
[*] register agent
[*] New Message
send agent checkin request
[*] New Message
new command register request
[-] Websocket error: Connection to remote host was lost.
[21:34:35] [INFO] [SERVICE] registered a new agent [Name: Shaco]
[21:34:35] [DBUG] [service.(*Service).dispatch:206]: {"Name":"Shaco","MagicValue":"0x6861636f","Author":"@souzomain","Formats":[{"Name":"Linux Executable","Extension":"elf"},{"Name":"Linux Shared Library","Extension":"so"}],"SupportedOS":null,"Description":"Shaco payload, version: 0.1","Commands":[{"Name":"shell","Description":"executes commands using shell","Help":"shell \u003ccommand\u003e","NeedAdmin":false,"Mitr":["T1059.004"],"Params":[{"Name":"command","IsFilePath":false,"IsOptional":false}]},{"Name":"cd","Description":"change direcroty","Help":"cd \u003cpath\u003e","NeedAdmin":false,"Mitr":[""],"Params":[{"Name":"command","IsFilePath":false,"IsOptional":false}]},{"Name":"pwd","Description":"get current directory","Help":"pwd","NeedAdmin":false,"Mitr":[""],"Params":[]},{"Name":"upload","Description":"upload file to agent. Don't try upload \u003e 7k","Help":"upload \u003clocalfile\u003e \u003cremote put file\u003e","NeedAdmin":false,"Mitr":[""],"Params":[{"Name":"localfile","IsFilePath":true,"IsOptional":false},{"Name":"remotefile","IsFilePath":false,"IsOptional":false}]},{"Name":"download","Description":"download file of agent","Help":"download \u003cremotefile\u003e","NeedAdmin":false,"Mitr":[""],"Params":[{"Name":"remotefile","IsFilePath":false,"IsOptional":false}]},{"Name":"checkin","Description":"agent checkin","Help":"checkin","NeedAdmin":false,"Mitr":[""],"Params":[]},{"Name":"exit","Description":"","Help":"exit","NeedAdmin":false,"Mitr":[""],"Params":[]},{"Name":"sleep","Description":"change sleep duration","Help":"","NeedAdmin":false,"Mitr":[],"Params":[{"Name":"time","IsFilePath":false,"IsOptional":false}]},{"Name":"jitter","Description":"change max timeout duration: jitter = random_int(sleep, sleep+maxtimeout)","Help":"jitter \u003ctime\u003e","NeedAdmin":false,"Mitr":[],"Params":[{"Name":"time","IsFilePath":false,"IsOptional":false}]}],"BuildingConfig":{"AntiDebug":true,"Daemon":true,"HideCmdline":true,"MaxTimeout":"0","Sleep":"5"}}
[21:34:39] [DBUG] [service.(*AgentService).SendResponse:112]: map[Body:map[Agent:<nil> AgentHeader:map[AgentID:000b39af MagicValue:6861636f Size:0] RandID:794b96 Response:AAAADlFsSFB5SzJDMnE2aU4yUlRYUG5lZTBXNDE4YzRs Type:AgentResponse] Head:map[Type:Agent]]
[21:34:39] [DBUG] [service.(*Service).dispatch:343]: BodyAgentResponse
[21:34:39] [DBUG] [service.(*Service).dispatch:344]: map[Body:map[Agent:<nil> AgentHeader:map[AgentID:000b39af MagicValue:6861636f Size:0] RandID:794b96 Response:AAAADA== Type:AgentResponse] Head:map[Type:Agent]]
[21:34:39] [DBUG] [service.(*Service).dispatch:355]: [0xc0004740f0]
[21:34:39] [DBUG] [service.(*AgentService).SendResponse:112]: map[Body:map[Agent:<nil> AgentHeader:map[AgentID:000b39af MagicValue:6861636f Size:0] RandID:73e831 Response:AAAADAALOa8AAAAMYzhiNjExNDRmYTg0AAAABihub25lKQAAAAYobm9uZSkAAAAPMTkyLjE2OC4xMDAuMTAwAAAJAgAAAAEAAAAGeDg2XzY0AAAAAQAAAA41LjQuMC0xMDMwLWF3cwAAAAUAAAAAZDlmTzBCME1qdDZZdg== Type:AgentResponse] Head:map[Type:Agent]]
panic: runtime error: index out of range [3] with length 3

goroutine 26 [running]:
Havoc/pkg/agent.getWindowsVersionString({0xc00036ac48?, 0xa?, 0xd32bd1?})
    /home/qu35t/Documents/Havoc/teamserver/pkg/agent/agent.go:1290 +0x3ff
Havoc/pkg/agent.RegisterInfoToInstance({0xc00038c3a0?, 0xc0001879c8?, 0x1?, 0x0?}, 0x466419?)
    /home/qu35t/Documents/Havoc/teamserver/pkg/agent/agent.go:288 +0xb32
Havoc/pkg/service.(*Service).dispatch(0xc000438630, 0xc00043d230, 0xc0004740f0)
    /home/qu35t/Documents/Havoc/teamserver/pkg/service/service.go:329 +0x9bf
Havoc/pkg/service.(*Service).routine(0xc6cfc0?, 0xc0004740f0)
    /home/qu35t/Documents/Havoc/teamserver/pkg/service/service.go:162 +0x4f
Havoc/pkg/service.(*Service).handleConnection(0xc000438630, 0xc0000f8160)
    /home/qu35t/Documents/Havoc/teamserver/pkg/service/service.go:69 +0xf7
created by Havoc/pkg/service.(*Service).Start.func1
    /home/qu35t/Documents/Havoc/teamserver/pkg/service/service.go:45 +0xf0
souzomain commented 1 year ago

Hey, I'll understand better this issue later, call me in discord if you have more details

QU35T-code commented 1 year ago

The problem is that when requesting agent registration at Havoc, Havoc tries to determine the version of the agent. But Havoc only supports Windows, it cannot find the Linux version, which causes a crash

rm1984 commented 9 months ago

The problem is that when requesting agent registration at Havoc, Havoc tries to determine the version of the agent. But Havoc only supports Windows, it cannot find the Linux version, which causes a crash

Hi, thank you QU35T-code, I'm having exactly the same issue right now. What could be possibile solutions? Faking the Shaco agent as running on Windows? Or asking Havoc maintainer to add support for other platforms?

ElJayRight commented 4 months ago

You can add this:

    if len(OsVersion) != 5 {
        logger.Debug("Idk What this is:", OsVersion)
        return WinVersion
    }

on line 1245 in agent.go and it will fix server crashing. A better fix would be to pass out the version string, but im to lazy for that rn