Comments (2)
I started working on this earlier today and I think I worked out the issue. This will be quite the bug explanation so bear with me...
Currently the type definition for the ps command in the stdlib code is char* getps(). This type declaration is lost during the compilation and the function is assumed to return an int. I believe this occurs because by default the x86_64-w64-mingw32-gcc compiler applies the gnu89 ISO standard to C code during compilation, see here and search for gnu89. Per the C89 standard implicit declarations of functions are treated as int f(); therefore char* getps(); is transformed into int getps();. I couldn't find "official" documentation for this behavior but it is a semi-well-known thing. I know this behavior from my K.N. King C Programming book, but here is a stackoverflow link talking about the same thing. Anyways, because the return value is now an int it can only contain 4 bytes of data instead of 8 bytes for a pointer. See this and this for data type sizes from Microsoft's documentation. This all results in the truncation of the return of getps, which creates an access violation bug / undefined behavior which typically crashes the beacon. Here is a screenshot showing this behavior occurring on my test VM.
I'm not 100% sure why this behavior manifests so consistently on this specific beacon... maybe it is how the addressing works within threads on Windows, however I believe this bug is in every beacon format. A fix could be adding the prototype to the beacon's core.h file. If possible it would be good to enforce some compilation checks such as -Wall or a particular C ISO standard.
from shad0w.
Wanted to include a better example of the truncation that occurs causing this bug. I couldn't get a pretty screenshot but here is some debug output that nicely shows the bug.
[DEBUG] getps() text return as pointer: 0000025DA43B0C30
[DEBUG] Stdlib() data return from getps() as pointer: FFFFFFFFA43B0C30
As you can see the pointer for the text in getps is truncated and turned into a signed integer when the Stdlib function receives it, causing a completely different address to be used in subsequent actions. This results in an access violation.
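To make the two debug lines above concrete, here is an added C model (not shad0w's code, and the function names are my own) of what an implicitly declared, int-returning getps() does to a 64-bit pointer on x86-64: the caller keeps only the low 32 bits and then sign-extends them when converting the int back to char *. It also shows why some pointers survive the bug by accident, which fits the "only this beacon crashes consistently" observation.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the implicit-int bug: a 64-bit pointer returned by a function the
 * caller believes to be "int getps();" passes through a 32-bit int and is then
 * converted back to a pointer. Step 1 keeps only EAX (low 32 bits of RAX);
 * step 2 is the int -> pointer conversion, which sign-extends on x86-64
 * (MSVC and GCC alike), so a set bit 31 fills the upper half with ones. */
uint64_t through_implicit_int(uint64_t full_pointer)
{
    uint32_t low32 = (uint32_t)(full_pointer & 0xFFFFFFFFu);   /* step 1 */
    if (low32 & 0x80000000u)                                    /* step 2 */
        return 0xFFFFFFFF00000000ULL | (uint64_t)low32;
    return (uint64_t)low32;
}

/* A pointer survives the round trip only if it already fits in a signed
 * 32-bit int (high 33 bits all zero). Heap and stack addresses on 64-bit
 * Windows usually do not, which is why the crash is so reliable there. */
int survives_implicit_int(uint64_t full_pointer)
{
    return through_implicit_int(full_pointer) == full_pointer;
}

int main(void)
{
    /* Constructed inputs: the first value is the one from the debug output
     * in the thread, the others are illustrative low and high addresses. */
    const uint64_t samples[] = {
        0x0000025DA43B0C30ULL, /* heap pointer from the thread: bit 31 set  */
        0x00007FF712345678ULL, /* typical image address: bit 31 clear       */
        0x0000000000401000ULL  /* small address: fits in an int, survives   */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t got = through_implicit_int(samples[i]);
        printf("getps() returned %016llX -> caller sees %016llX (%s)\n",
               (unsigned long long)samples[i], (unsigned long long)got,
               survives_implicit_int(samples[i]) ? "intact" : "CORRUPTED");
    }
    return 0;
}
```

The fix the comment proposes is a real prototype in core.h plus a build that refuses the implicit form, for example -Werror=implicit-function-declaration together with -Wall, so the compiler reports the missing declaration instead of silently picking int.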