phra / PEzor

Open-Source Shellcode & PE Packer

Home Page: https://iwantmore.pizza/posts/PEzor.html


Stageless Cobalt Strike beacon.exe compiles incorrectly

t3hbb opened this issue · comments

commented

PEzor generates a 20 KB stageless beacon.exe rather than the ~220 KB file size, and it fails to execute correctly.

PEzor output

PEzor -sgn -64 -unhook -format=exe /tmp/afd423c7-93d7-49a0-8f1e-19df5838cd45_tmp_cfb08721-39a6-48a7-b09d-161a52b25bba

Executing PEzor
PEzor!! v2.1.0

Read the blog posts here:
https://iwantmore.pizza/posts/PEzor.html
https://iwantmore.pizza/posts/PEzor2.html
https://iwantmore.pizza/posts/PEzor3.html
Based on:
https://github.com/TheWover/donut
https://github.com/EgeBalci/sgn
https://github.com/JustasMasiulis/inline_syscall
https://github.com/CylanceVulnResearch/ReflectiveDLLRefresher

[?] Final shellcode will be encoded with sgn
[?] Forcing 64-bit architecture
[?] Unhook enabled
[?] Output format: exe
[?] Processing /tmp/afd423c7-93d7-49a0-8f1e-19df5838cd45_tmp_cfb08721-39a6-48a7-b09d-161a52b25bba
[?] PE detected: /tmp/afd423c7-93d7-49a0-8f1e-19df5838cd45_tmp_cfb08721-39a6-48a7-b09d-161a52b25bba: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
[?] Building executable
[?] Executing donut

[ Donut shellcode generator v0.9.3
[ Copyright (c) 2019 TheWover, Odzhan

usage: donut [options] <EXE/DLL/VBS/JS>

   Only the finest artisanal donuts are made of shells.

               -MODULE OPTIONS-

   -n <name>            Module name for HTTP staging. If entropy is enabled, this is generated randomly.
   -s <server>          HTTP server that will host the donut module.
   -e <level>           Entropy. 1=None, 2=Use random names, 3=Random names + symmetric encryption (default)

               -PIC/SHELLCODE OPTIONS-

   -a <arch>            Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default).
   -b <level>           Bypass AMSI/WLDP : 1=None, 2=Abort on fail, 3=Continue on fail.(default)
   -o <path>            Output file to save loader. Default is "loader.bin"
   -f <format>          Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex
   -y <addr>            Create thread for loader and continue execution at <addr> supplied.
   -x <action>          Exiting. 1=Exit thread (default), 2=Exit process

               -FILE OPTIONS-

   -c <namespace.class> Optional class name. (required for .NET DLL)
   -d <name>            AppDomain name to create for .NET assembly. If entropy is enabled, this is generated randomly.
   -m <method | api>    Optional method or function for DLL. (a method is required for .NET DLL)
   -p <arguments>       Optional parameters/command line inside quotations for DLL method/function or EXE.
   -w                   Command line is passed to unmanaged DLL function in UNICODE format. (default is ANSI)
   -r <version>         CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
   -t                   Execute the entrypoint of an unmanaged EXE as a thread.
   -z <engine>          Pack/Compress file. 1=None, 2=aPLib

examples:

donut c2.dll
donut -a1 -cTestClass -mRunProcess -pnotepad.exe loader.dll
donut loader.dll -c TestClass -m RunProcess -p"calc notepad" -s http://remote_server.com/modules/

[?] Executing sgn
[sgn ASCII-art banner: Author: Ege Balcı, v2.0.0]

[!] Done! Check /tmp/afd423c7-93d7-49a0-8f1e-19df5838cd45_tmp_cfb08721-39a6-48a7-b09d-161a52b25bba.packed.exe: PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows
PEzor generated EXE /tmp/afd423c7-93d7-49a0-8f1e-19df5838cd45_tmp_cfb08721-39a6-48a7-b09d-161a52b25bba.packed.exe

Files in /tmp

-rw-r--r-- 1 root root 262656 Mar 10 13:53 /tmp/afd423c7-93d7-49a0-8f1e-19df5838cd45_tmp_cfb08721-39a6-48a7-b09d-161a52b25bba
-rwxr-xr-x 1 root root 19968 Mar 10 13:53 /tmp/afd423c7-93d7-49a0-8f1e-19df5838cd45_tmp_cfb08721-39a6-48a7-b09d-161a52b25bba.packed.exe

I assume you generated the executable via the provided Aggressor script that is based on CS hooks.
This is likely a duplicate of #28, based on file's output. Can you check if this is the case?

For now, I will close this ticket in favor of #28; feel free to reopen if the bug is a different one.

commented

file reports that the unpacked file is a PE32+ executable (DLL) (GUI) x86-64, for MS Windows, so it may well be related to issue #28.

Sorry for the duplicate
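The two facts the replies above turn on are visible in the report itself: file classifies the input as a DLL rather than an EXE, and the packed output (19968 bytes) is a fraction of the input (262656 bytes), which is consistent with donut having printed its usage text instead of generating a loader. As an added example, not part of PEzor or of this thread, the POSIX shell script below performs both checks without relying on file: it reads the COFF header to tell DLL from EXE and x86 from x64, and it flags an output that is implausibly small relative to its input. The 50% size threshold, the mk_fake_pe helper and the header-only sample images it builds are constructions for this example; PEzor itself has no such check.

```shell
#!/bin/sh
# Added example, not PEzor's own code: pre-flight checks for a PEzor input/output pair.
# Assumptions: input is a PE file; the size threshold below is a heuristic chosen here.

# Read a little-endian unsigned integer of $2 bytes at byte offset $1 of file $3.
le_u() {
  val=0; sh=0
  for b in $(od -An -v -tu1 -j "$1" -N "$2" "$3"); do
    val=$(( val + (b << sh) ))
    sh=$(( sh + 8 ))
  done
  echo "$val"
}

# Print "<EXE|DLL> <x86|x64|unknown>" for a PE file; print NOTPE and fail otherwise.
pe_info() {
  f=$1
  [ "$(le_u 0 2 "$f")" -eq 23117 ] || { echo NOTPE; return 1; }      # 'MZ' = 0x5A4D
  pe=$(le_u 60 4 "$f")                                                 # e_lfanew
  [ "$(le_u "$pe" 4 "$f")" -eq 17744 ] || { echo NOTPE; return 1; }  # 'PE\0\0'
  machine=$(le_u $(( pe + 4 )) 2 "$f")     # COFF Machine
  chars=$(le_u $(( pe + 22 )) 2 "$f")      # COFF Characteristics
  case $machine in
    34404) arch=x64 ;;      # IMAGE_FILE_MACHINE_AMD64 = 0x8664
    332)   arch=x86 ;;      # IMAGE_FILE_MACHINE_I386  = 0x14C
    *)     arch=unknown ;;
  esac
  if [ $(( chars & 8192 )) -ne 0 ]; then kind=DLL; else kind=EXE; fi  # IMAGE_FILE_DLL = 0x2000
  echo "$kind $arch"
}

# Succeed only if the packed output is at least $3 percent of the input size.
# An output that really embeds the input as shellcode stays comparable in size;
# 19968 bytes for a 262656-byte input (the numbers in this issue) fails the check.
packed_size_ok() {
  in_size=$(wc -c < "$1"); out_size=$(wc -c < "$2")
  [ $(( out_size * 100 )) -ge $(( in_size * $3 )) ]
}

# Constructed sample: a header-only AMD64 PE image (no sections, not loadable)
# with Characteristics = $2, padded with zeros to $3 bytes. Used only to exercise
# the checks above offline.
mk_fake_pe() {
  lo=$(( $2 & 255 )); hi=$(( ($2 >> 8) & 255 ))
  {
    printf 'MZ'
    dd if=/dev/zero bs=1 count=58 2>/dev/null      # rest of the DOS header
    printf '\100\000\000\000'                      # e_lfanew = 0x40
    printf 'PE\000\000'                            # PE signature
    printf '\144\206'                              # Machine = 0x8664 (little-endian)
    dd if=/dev/zero bs=1 count=16 2>/dev/null      # NumberOfSections .. SizeOfOptionalHeader
    printf "$(printf '\\%03o\\%03o' "$lo" "$hi")"  # Characteristics (little-endian)
    dd if=/dev/zero bs=1 count=$(( $3 - 88 )) 2>/dev/null
  } > "$1"
}

# Demo on constructed files mirroring the sizes in the report.
tmp=$(mktemp -d)
mk_fake_pe "$tmp/beacon_dll" 8226 262656   # 0x2022: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
mk_fake_pe "$tmp/beacon_exe" 34   262656   # 0x0022: same flags without IMAGE_FILE_DLL
dd if=/dev/zero of="$tmp/packed.exe" bs=1 count=19968 2>/dev/null   # stand-in for the 19968-byte output

for f in "$tmp/beacon_dll" "$tmp/beacon_exe"; do
  info=$(pe_info "$f") || true
  case $info in
    DLL*) echo "$f: $info (input is a DLL, as file reported in this issue; not an EXE)" ;;
    *)    echo "$f: $info" ;;
  esac
done

if packed_size_ok "$tmp/beacon_exe" "$tmp/packed.exe" 50; then
  echo "packed output size is plausible"
else
  echo "packed output is far smaller than its input: the payload was probably never embedded"
fi
rm -rf "$tmp"
```

Run it before opening an issue: a DLL classification for an input that was expected to be an EXE, or a failed size check, points at the input or at the donut step rather than at the final packer stage.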