Comments (11)
I am working on a new version (which should be out shortly) that replaces the old binary template with 4 new ones. The Binary template no longer works with the latest versions of golang. As a result the new version will provide several universal templates.
from scarecrow.
Yes, this project is very much still working. It looks like it's your shellcode. Unfortunately, I can't help you as I'm not sure what your shellcode looks like (posting debug outputs doesn't help me when I don't know what's being loaded). It could be a UDRL in the case of Cobalt Strike or something else. Based on your output, I suggest you try some of the other loaders built into ScareCrow.
OK, will do some research and update on this. Thanks for a quick response :)
Posting the calc shellcode used:
Maybe it's the null bytes?
Tried without null bytes as well, still not working. Will check it out further and update.
FYI @sl4cky I was running into this same issue with fresh stageless shellcode for CS. I unloaded my UDRL and made a new payload with ScareCrow and everything was resolved.
It sounds like it could be a UDRL issue. Hard to know for sure without all the details of the C2 and other things going into your payload.
I ended up getting this error too. In my case the "image_size_x64" value was too low and c2lint called it out too. Not sure if this is related to more recent changes, because the profile used to work, but maybe this helps.
I also ran into an issue where the binary output is unreliable. Sometimes it straight exits, other times I can see the beacon come in and then die (sometimes after a few successful sleep cycles). I turned off any custom settings in the profile/UDRL but the issue persisted. I ended up modifying the loader routine so it uses virtualalloc + write (just like the DLL loader) instead of the pointer trickery + virtualprotect. This solved it and it is now consistently triggering and stays alive. Again it used to work so maybe latest CS changes are causing an access violation somewhere?
Came back to say that I'm experiencing similar issues to @ptr0x1. With bone stock CS shellcode (4.8 release), I will very rarely get a beacon callback, and if I do it dies shortly after. Same outcome for binary payloads and DLLs, so something must be causing issues with the new CS versions; as my previous comment was from old CS shellcode (< 4.7). I'm going to tinker with this a good bit in the coming days and see if I can find some answers.
I was able to implement the fix @ptr0x1 spoke about (using the DLL loader for the Binary template) and everything works fine. @Tylous I didn't submit a PR for it since it's not really a fix, but the code's in my fork here: https://github.com/chucksploit/ScareCrow. I'm still trying to see what the root cause is.
ScareCrow 5.0 is out now, this should take care of this. Please feel free to re-open this if you still experience it.