
Comments (11)

Tylous commented on September 3, 2024

I am working on a new version (which should be out shortly) that replaces the old binary template with 4 new ones. The Binary template no longer works with the latest versions of golang. As a result the new version will provide several universal templates.

from scarecrow.

Tylous commented on September 3, 2024

Yes, this project is very much still working. It looks like it's your shellcode; unfortunately, I can't help you as I'm not sure what your shellcode looks like (posting debug outputs doesn't help me when I don't know what's being loaded). It could be a UDRL in the case of Cobalt Strike or something else. Based on your output, I suggest you try some of the other loaders built into ScareCrow.


sl4cky commented on September 3, 2024

Ok, will do some research and update on this. Thanks for the quick response :)


sl4cky commented on September 3, 2024

Posting the calc shellcode used:

\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00

Maybe it's the null bytes?

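The question above ("Maybe it's the null bytes?") is easy to answer mechanically before touching any loader. The following is an added triage helper, not code from the ScareCrow project or from anyone in this thread: it parses a C-style `\xNN` escape string into raw bytes, reports where the null bytes sit, and pulls out printable ASCII runs (the way the `strings` tool does) so you can see what a blob contains, such as the `calc.exe` string at the end of the posted payload. `SAMPLE` is a short constructed stand-in in the same escape format, not the full blob from the thread.

```python
import re
import string

# Constructed sample in the same "\xNN" escape format as the blob posted above.
# It is NOT the posted shellcode: a few leading bytes, three nulls, then "calc.exe\0".
SAMPLE = r"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"

# One "\xNN" escape: a literal backslash, an 'x', and exactly two hex digits.
_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_escaped(text: str) -> bytes:
    """Convert a C-style escape string into raw bytes.

    Whitespace (line wraps from a paste) is ignored; any other character that is
    not part of a \\xNN escape is an error, so a corrupted paste is caught early.
    """
    cleaned = re.sub(r"\s+", "", text)
    hexpairs = _ESCAPE.findall(cleaned)
    if len(hexpairs) * 4 != len(cleaned):
        raise ValueError("input contains characters outside \\xNN escapes")
    return bytes(int(h, 16) for h in hexpairs)


def null_byte_offsets(blob: bytes) -> list[int]:
    """Offsets of every 0x00 byte; useful when a loader or C string handling
    might truncate the payload at the first null."""
    return [i for i, b in enumerate(blob) if b == 0]


def printable_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Extract runs of printable ASCII of at least min_len bytes (like `strings`)."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    out: list[str] = []
    run = bytearray()
    for b in blob + b"\x00":  # trailing sentinel flushes the final run
        if b in printable:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def triage(text: str) -> dict:
    """Summarise an escaped blob: size, null-byte positions, embedded strings."""
    blob = parse_escaped(text)
    nulls = null_byte_offsets(blob)
    return {
        "length": len(blob),
        "null_count": len(nulls),
        "null_offsets": nulls,
        "strings": printable_strings(blob),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(f"{report['length']} bytes, {report['null_count']} null bytes at {report['null_offsets']}")
    print("embedded strings:", report["strings"])
```

Run it against a pasted blob (replace `SAMPLE` or call `triage()` on the pasted text) to check whether a null-terminated string is being handed to the loader. Nulls are normal in x64 Windows shellcode (immediate operands and the trailing executable name), so their presence alone is not a defect; the count and offsets tell you whether a copy routine that stops at the first null would have truncated the payload.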

sl4cky commented on September 3, 2024

Tried without null bytes as well, still not working; will check it out further and update.


chucksploit commented on September 3, 2024

FYI @sl4cky I was running into this same issue with fresh stageless shellcode for CS. I unloaded my UDRL and made a new payload with ScareCrow and everything was resolved.


Tylous commented on September 3, 2024

It sounds like it could be a UDRL issue. Hard to know for sure without all the details of the C2 and other things going into your payload.


ptr0x1 commented on September 3, 2024

I ended up getting this error too; in my case the "image_size_x64" value was too low and c2lint called it out too. Not sure if this is related to more recent changes, because the profile used to work, but maybe this helps.

I also ran into an issue where the binary output is unreliable. Sometimes it straight exits; other times I can see the beacon come in and then die (sometimes after a few successful sleep cycles). I turned off any custom settings in the profile/UDRL but the issue persisted. I ended up modifying the loader routine so it uses VirtualAlloc + write (just like the DLL loader) instead of the pointer trickery + VirtualProtect. This solved it, and it is now consistently triggering and stays alive. Again, it used to work, so maybe the latest CS changes are causing an access violation somewhere?


chucksploit commented on September 3, 2024

Came back to say that I'm experiencing similar issues to @ptr0x1. With bone stock CS shellcode (4.8 release), I will very rarely get a beacon callback, and if I do it dies shortly after. Same outcome for binary payloads and DLLs, so something must be causing issues with the new CS versions, as my previous comment was from old CS shellcode (< 4.7). I'm going to tinker with this a good bit in the coming days and see if I can find some answers.


chucksploit commented on September 3, 2024

I was able to implement the fix @ptr0x1 spoke about (using the DLL loader for the Binary template) and everything works fine. @Tylous I didn't submit a PR for it since it's not really a fix, but the code's in my fork here: https://github.com/chucksploit/ScareCrow. I'm still trying to see what the root cause is.


Tylous commented on September 3, 2024

ScareCrow 5.0 is out now; this should take care of this. Please feel free to re-open this if you still experience it.

