Segmentation fault generating shellcode from x64 .Net assembly
Closed this issue · 3 comments
Trying to step through the process using the included templates/msg.cs template, I get a seg fault apparently during shellcode generation for x64. I originally tried to use EXCELntDonut in a pipenv on an xubuntu vm, but got the same result on a kali vm using the recommended install. I am not ruling out that I am doing something wrong, either.
```
kali@kali:~/src/EXCELntDonut$ EXCELntDonut -f templates/msg.cs -r System.Windows.Forms.dll
| \ / / | | | _ __ | || _ \ ___ _ __ _ | |
| | \ / | | | | | | ' | | | | |/ _ | ' | | | | |
| | / \ || || || | | | || || | () | | | | || | |_
|//__||_|| ||_|___/ _/|| ||_,|__|
by @joeleonjr (@FortyNorthSec)
[i] Generating your x86 .NET assembly.
[i] Generating shellcode from x86 .NET assembly file.
[i] Removing null bytes from x86 shellcode with msfvenom
Attempting to read payload from STDIN...
Found 11 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai failed with Encoding failed due to a bad character (index=901, char=0x00)
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=3, char=0x00)
Attempting to encode payload with 1 iterations of x86/call4_dword_xor
x86/call4_dword_xor failed with A key could not be found for the Call+4 Dword XOR Encoder encoder.
Attempting to encode payload with 1 iterations of x86/countdown
x86/countdown failed with Encoding failed due to a bad character (index=267, char=0x00)
Attempting to encode payload with 1 iterations of x86/fnstenv_mov
x86/fnstenv_mov failed with A key could not be found for the Variable-length Fnstenv/mov Dword XOR Encoder encoder.
Attempting to encode payload with 1 iterations of x86/jmp_call_additive
x86/jmp_call_additive failed with Encoding failed due to a bad character (index=63, char=0x00)
Attempting to encode payload with 1 iterations of x86/xor_dynamic
x86/xor_dynamic succeeded with size 26063 (iteration=0)
x86/xor_dynamic chosen with final size 26063
Payload size: 26063 bytes
Saved as: _excelntdonut_qoZkowlHO2.bin
[i] Null bytes removed for x86.
[i] Generating your x64 .NET assembly.
[i] Generating shellcode from x64 .NET assembly file.
Segmentation fault
kali@kali:~/src/EXCELntDonut$
```
Having looked into this a little more, the segfault is in `donut.create()` on line 197 for the x64 assembly.
I tracked this down, kind of. There was a bug in version 0.9.2 of donut-shellcode on linux, so I built version 0.9.3 from donut github and this command completes successfully.
Note, if someone else has this problem, that the donut-shellcode 0.9.3 Python extension won't build on Python 3.8. I had to remove `sys` from the setuptools import and put it on its own line.
BTW the newest EXCELntDonut update rips out Donut for x64 and adds in CLRvoyance. I haven't had any issues with segfaults since, but please let us know if you see any more. Thanks for sending in the issue.