google / grr

GRR Rapid Response: remote live forensics for incident response

Home Page:https://grr-doc.readthedocs.io/


Flow "LaunchBinary" Not working

skanjINCIDE opened this issue · comments

Environment

  • How did you install GRR? From release DEB
  • What GRR version are you running? 3.4.2
  • What operating system does the GRR server run on? Ubuntu 18.04
  • What operating system does the affected GRR client run on, if applicable? Windows 10

Describe the issue
Following the procedure in the documentation (https://grr-doc.readthedocs.io/en/latest/investigating-with-grr/pushing-code.html#deploying-arbitrary-python-code) I upload and sign two files on the server. I can see the files in the Binary tab in the UI, so I think this step goes well.
When I start creating the flow on the machine I get the following screen:

Screenshot 2021-10-18 at 13 20 39

I try to create the flow with the following arguments:

  1. Binary: aff4:windows/xxxxx.exe, Command Line: xxxxx.exe -p "C:" --csv. And I get the error: Unable to determine type of signed binary: aff4:/aff4:windows/xxxxx.exe.
  2. Binary: windows/xxxxx.exe, Command Line: xxxxx.exe -p "C:" --csv. And I get the error: Unable to determine type of signed binary: aff4:/windows/xxxxx.exe.

The file type is: "PE32 executable (console) Intel 80386, for MS Windows"

Can you help me find what I'm missing, please?

Thank you!

After uploading the executable foobar.exe, the binary path you want to use is:

aff4:/config/executables/foobar.exe

Moreover, the command line should only include arguments (without the executable name), so it should be just:

-p "C:" --csv

Hi @panhania ,

Thank you for your answer. I tried the solution you proposed and I get this error:

Traceback (most recent call last):
  File "/usr/share/grr-server/lib/python3.6/site-packages/grr_response_server/signed_binary_utils.py", line 163, in FetchBlobsForSignedBinaryByID
    binary_id)
  File "/usr/share/grr-server/lib/python3.6/site-packages/grr_response_server/databases/db.py", line 4222, in ReadSignedBinaryReferences
    return self.delegate.ReadSignedBinaryReferences(binary_id)
  File "/usr/share/grr-server/lib/python3.6/site-packages/grr_response_server/databases/db_utils.py", line 51, in Decorator
    result = f(*args, **kwargs)
  File "/usr/share/grr-server/lib/python3.6/site-packages/grr_response_server/databases/mysql_utils.py", line 241, in Decorated
    return self._RunInTransaction(Closure, readonly)
  File "/usr/share/grr-server/lib/python3.6/site-packages/grr_response_server/databases/mysql.py", line 559, in _RunInTransaction
    result = function(connection)
  File "/usr/share/grr-server/lib/python3.6/site-packages/grr_response_server/databases/mysql_utils.py", line 239, in Closure
    return func(self, *args, **new_kw)
  File "/usr/share/grr-server/lib/python3.6/site-packages/grr_response_server/databases/mysql_signed_binaries.py", line 60, in ReadSignedBinaryReferences
    raise db.UnknownSignedBinaryError(binary_id)
grr_response_server.databases.db.UnknownSignedBinaryError: Signed binary of type EXECUTABLE and path loki.exe was not found

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/share/grr-server/lib/python3.6/site-packages/grr_response_server/flows/general/administrative.py", line 850, in _BlobIterator
    binary_urn)
  File "/usr/share/grr-server/lib/python3.6/site-packages/grr_response_server/signed_binary_utils.py", line 190, in FetchBlobsForSignedBinaryByURN
    return FetchBlobsForSignedBinaryByID(_SignedBinaryIDFromURN(binary_urn))
  File "/usr/share/grr-server/lib/python3.6/site-packages/grr_response_server/signed_binary_utils.py", line 165, in FetchBlobsForSignedBinaryByID
    raise SignedBinaryNotFoundError(_SignedBinaryURNFromID(binary_id))
grr_response_server.signed_binary_utils.SignedBinaryNotFoundError: Binary with urn aff4:/config/executables/loki.exe was not found.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/share/grr-server/lib/python3.6/site-packages/grr_response_server/flow.py", line 266, in StartFlow
    flow_obj.Start()
  File "/usr/share/grr-server/lib/python3.6/site-packages/grr_response_server/flows/general/administrative.py", line 865, in Start
    blob_iterator = self._BlobIterator(binary_urn)
  File "/usr/share/grr-server/lib/python3.6/site-packages/grr_response_server/flows/general/administrative.py", line 853, in _BlobIterator
    self.args.binary)
grr_response_server.flow_base.FlowError: Executable binary aff4:/config/executables/foobar.exe not found.

And the status:
Executable binary aff4:/config/executables/foobar.exe not found.

This is the output of the sign command:

user@server:~/exe_deploy$ sudo grr_config_updater upload_exe --file=/home/ubuntu/exe_deploy/foobar.exe --platform=windows
I1019 10:17:10.448897 140054543677248 server_logging.py:191] Writing log file to /usr/share/grr-server/lib/python3.6/site-packages/grr_response_core/var/log//GRRlog.txt
Using configuration <GrrConfigManager  file="/usr/share/grr-server/install_data/etc/grr-server.yaml"  file="/etc/grr//server.local.yaml" >
Uploaded EXECUTABLE to windows//foobar.exe

Maybe I have to restart the service? In the Binary tab it seems the binary is correctly uploaded.

Thank you so much,

Best regards

Ah, sorry, I messed up the path (forgot about the platform part), I think. It should be:

aff4:/config/executables/windows/foobar.exe
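The two replies above pin down the shape of a LaunchBinary `binary` argument (the URN root `aff4:/config/executables/`, then the `--platform` value given to `upload_exe`, then the file's basename) and the rule that the command line carries only the arguments. The helper below is an added example, not GRR's own code: it derives both flow arguments from what the operator typed at the `upload_exe` prompt and at a shell, and it reports, in plain words, each of the three malformed URNs tried in this thread. The list of platform names is an assumption for the check; the URN layout and the argument rule come from the replies.

```python
"""Build and sanity-check LaunchBinary flow arguments (added example, not GRR code).

The URN layout aff4:/config/executables/<platform>/<name> and the rule that
the command line holds only the arguments are taken from the replies above;
the set of platform names is an assumption used only for validation.
"""
import posixpath
from typing import NamedTuple, Optional

SIGNED_BINARY_ROOT = "aff4:/config/executables"
KNOWN_PLATFORMS = ("windows", "linux", "darwin")  # assumed for the check below


class LaunchBinaryArgs(NamedTuple):
    binary: str        # value for the flow's "Binary" field
    command_line: str  # value for the flow's "Command Line" field


def signed_binary_urn(platform: str, filename: str) -> str:
    """Build the binary URN from the --platform and --file values given to
    `grr_config_updater upload_exe`. Only the basename of the file is used,
    matching the "Uploaded EXECUTABLE to windows//foobar.exe" output."""
    platform = platform.lower()
    if platform not in KNOWN_PLATFORMS:
        raise ValueError(f"unknown platform {platform!r}")
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name:
        raise ValueError("filename has no basename")
    return f"{SIGNED_BINARY_ROOT}/{platform}/{name}"


def diagnose_binary_urn(candidate: str) -> Optional[str]:
    """Return a description of what is wrong with a user-supplied URN, or None
    if it has the expected shape. Covers the three mistakes from this thread:
    a bare 'aff4:' prefix, no prefix at all, and a missing platform segment."""
    if not candidate.startswith("aff4:/"):
        return "must start with 'aff4:/' (a bare 'aff4:' prefix is not a URN)"
    if not candidate.startswith(SIGNED_BINARY_ROOT + "/"):
        return f"must live under {SIGNED_BINARY_ROOT}/"
    rest = candidate[len(SIGNED_BINARY_ROOT) + 1:]
    parts = rest.split("/")
    if len(parts) != 2 or not all(parts):
        return "expected '<platform>/<name>' after the root (platform segment missing?)"
    if parts[0].lower() not in KNOWN_PLATFORMS:
        return f"unknown platform segment {parts[0]!r}"
    return None


def build_launch_args(platform: str, filename: str, full_command: str) -> LaunchBinaryArgs:
    """Derive both flow fields from the command as it would be typed in a shell.
    The leading executable token is dropped when it names the uploaded binary,
    because LaunchBinary supplies the executable itself. Assumes the executable
    name is a single whitespace-free token; the rest of the line is kept as-is."""
    urn = signed_binary_urn(platform, filename)
    head, _, tail = full_command.strip().partition(" ")
    head_name = posixpath.basename(head.replace("\\", "/")).lower()
    if head_name == posixpath.basename(urn).lower():
        command_line = tail.strip()
    else:
        command_line = full_command.strip()
    return LaunchBinaryArgs(binary=urn, command_line=command_line)


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: the three attempts, then the fix.
    for attempt in ("aff4:windows/xxxxx.exe",
                    "windows/xxxxx.exe",
                    "aff4:/config/executables/foobar.exe",
                    "aff4:/config/executables/windows/foobar.exe"):
        print(f"{attempt:50} -> {diagnose_binary_urn(attempt) or 'ok'}")
    args = build_launch_args("windows", "/home/ubuntu/exe_deploy/foobar.exe",
                             'foobar.exe -p "C:" --csv')
    print("Binary:      ", args.binary)
    print("Command Line:", args.command_line)
```

Running it prints a one-line verdict per attempt and then the two field values to paste into the flow form. The check is deliberately shape-only: it cannot tell whether the binary actually exists on the server, which is what the `SignedBinaryNotFoundError` in the traceback above reports; for that the Binary tab, or the `upload_exe` output line, remains the source of truth.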

Hi @panhania ,

Thank you very much!! It works for me.

My best regards,