Error during payload compiling and after that during signing of a binary about scarecrow HOT 24 CLOSED

Hello,
Does this happen constantly or if you re-run the command will work fine? I just test your command out and seem to work, so more info would be helpful. Also the -I field only takes raw shellcode, not a binary.

  _________                           _________
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     /
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/
	\/     \/     \/            \/        \/
							(@Tyl0us)
	“Fear, you must understand is more than a mere obstacle.
	Fear is a TEACHER. the first one you ever had.”

[*] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With libcrypto's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing libcrypto.dll With a Fake Cert
[+] Signed File Created
[*] Creating Loader
[+] Loader Compiled

from scarecrow.

I tried running the same command several times again, this time making sure to input raw shellcode. However, the result was the same every time I tried it. Can I help in any other way?

from scarecrow.

did you download the sourcecode.zip in releases or use a gitclone? if you used the sourcecode.zip try a git clone.

from scarecrow.

Interesting. I used the source code from your 2.3 release when I had these errors. Now that I cloned main I no longer get the errors! It seems there is something wrong with the 2.3 release. Thanks for suggesting the cloning! I can now start the testing of your tool which I very much look forward to!

from scarecrow.

No problem that’s what I was thinking the issue. Looks like I’ll have to re-release it.

from scarecrow.

Have the same issues using both clone and sourcode.zip

from scarecrow.

Seems odd if it’s both… please paste the exact command and output thank you

from scarecrow.

Hello, thanks for ScareCrow)
I have the same problem.
I used:
sudo ./ScareCrow -I GfxValDisplayLog.bin -valid my_cert.cer -password ***** -domain www.microsoft.com

and get error 255.
I used "git clone"

/ / ____ _____ _______ ____ _ ___ __ ______ _ __
_____ _/ \ \ __ _/ __ / \ /_ __ / _ \ / / /
/ \ ___ / __ | | /\ /\ _| | ( <> ) /
/______ /___ >____ /| _ >______ /|| __/ /_/
/ / / / /
(@Tyl0us)
“Fear, you must understand is more than a mere obstacle.
Fear is a TEACHER. the first one you ever had.”

[] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[] Creating an Embedded Resource File
[+] Created Embedded Resource File With Outlook's Properties
[] Compiling Payload
[+] Payload Compiled
[] Signing Outlook.exe With a Valid Cert my_cert.cer
2021/09/30 17:54:12 cmd.Run() failed with exit status 255

from scarecrow.

hey @Lexati you need to use a .pfx. You can convert your .cer into a .pfx

from scarecrow.

@Tylous Ok, i converted into pfx, but also i got same error (255)

~/Documents/ScareCrow$ **./ScareCrow -I GfxValDisplayLog.bin -domain www.microsoft.com -valid bob_pfx.pfx -password *******

/ / ____ _____ _______ ____ _ ___ __ ______ _ __
_____ _/ \ \ __ _/ __ / \ /_ __ / _ \ / / /
/ \ ___ / __ | | /\ /\ _| | ( <> ) /
/______ /___ >____ /| _ >______ /|| __/ /_/
/ / / / /
(@Tyl0us)
“Fear, you must understand is more than a mere obstacle.
Fear is a TEACHER. the first one you ever had.”

[] Encrypting Shellcode Using AES Encryption
[+] Shellcode Encrypted
[] Creating an Embedded Resource File
[+] Created Embedded Resource File With Excel's Properties
[] Compiling Payload
[+] Payload Compiled
[] Signing Excel.exe With a Valid Cert bob_pfx.pfx
2021/10/05 17:45:00 cmd.Run() failed with exit status 255

from scarecrow.

@Tylous I think, that i have a problem because my VM host around the proxy.
Tell my please how i can use a proxy?
I tested:
**https_proxy=http://33.33.33.33:4444 ./ScareCrow -I GfxValDisplayLog.bin -domain www.microsoft.com -valid bob_pfx.pfx -password *********
but it didn't work....

from scarecrow.

Using -domain flag with the -valid flag together won't work. If you are using a valid cert use just the -valid and -password flag. If your -domain flag and there is a proxy then that's a different issue. Proxy stuff like proxychains doesn't work well with go because go doesn't libc. I would suggest compiling the executable somewhere and transferring it over.

from scarecrow.

@Tylous Ok, but whithout "-domain" a get new error =((

p.s in last version also this problem

from scarecrow.

Sorry for the delay, I see the problem its an issue the the argument checks if you disable

if opt.domain == "" {
		log.Fatal("Error: Please provide a domain in order to generate a code signing certificate")
	}

At line 154 and recompile it this it wont be a problem. I will releasing a new version tomorrow that address this issue.

from scarecrow.

Fixed in patch 3.0

from scarecrow.

@Tylous Hello, I disable this string and also get error 255. But:
I put my pfx file in all dir, which random generate in progress create payload.. One of dir is Powerpnt.
And then random create payload for Powerpnt, i get succsess work

I learning your code and i think, that problem in file limelighter.go
In function SignExecutable. Possible the path to the file "pfx "may be incorrectly specified during execution
Early, I had the pfx file in the root ScareCrow.

I don't develop on go, but it seems to me that this may be the problem, please check =)))
Thanks very much)

from scarecrow.

So based on your picture it worked. You wouldn't have the message "Signed File Created" Or "Binary Compiled' if it failed. If you are still having this issue can you please try with the latest version and post the exact output (you can blur any sensitive data in the photo I just need to see the full picture)

from scarecrow.

@Tylous Hello, i download new version and get new error))

from scarecrow.

So you need to update your version of go. Check out https://golang.org/

from scarecrow.

@Tylous If you see on screen, you can see that i used command "go version". My version 1.17,I specifically updated before write a report.

from scarecrow.

I am sorry I miss understanding your image then. As you can see with the image below it works just fine for me and I am on 1.17.1.

Can you try 1.17.1 and see if you're still getting that issue.

from scarecrow.

@Lexati I had the same problem, I guess you just replaced the go and gofmt binaries, that's not enough.

I fixed the problem this way:

type go

In my case the output was : /usr/local/go/bin/go

I downloaded the new version and replaced the full directory:

curl -L https://golang.org/dl/go1.17.2.linux-amd64.tar.gz --output golang.tar.gz
rm -rf /usr/local/go/
tar -xvf golang.tar.gz
cp -R go/ /usr/local/go/

from scarecrow.

Is this still an issue? I haven't been able to recreate this. The only time this would occur is if the older version of go is still present.

from scarecrow.

su root
./ScareCrow_3.01_linux_amd64 -I 1.bin -domain www.google.com
Can be solved cmd.Run() failed with exit status 255

from scarecrow.