
Win下CrossC2 v2.2.5 生成带rebind库的beacon无法上线 #117

Closed
NS-Sp4ce opened this issue Sep 8, 2021 · 3 comments
Labels
bug Something isn't working Fixed



NS-Sp4ce commented Sep 8, 2021

因为一些原因,工作机用的Windows,所以用的Windows版的CrossC2,加载profile后按照demo编写rebind并加载后运行发现会报错
image
换用Linux生成后正常上线
image
对比了下两个文件发现Linux比Windows多4个字节,010editor对比了下发现在0x1C2204地址附近存在差异,似乎为UPX壳导致文件内容被破坏
image


gloxec commented Sep 9, 2021

麻烦strace -ff -o res.txt ./c2跑下windows生成的beacon


NS-Sp4ce commented Sep 9, 2021

execve("./win", ["./win"], 0x7ffec39c0a48 /* 26 vars */) = -1 EACCES (Permission denied)
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=2502, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff09ea17000
read(3, "# Locale name alias data base.\n#"..., 4096) = 2502
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7ff09ea17000, 4096)            = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/libc.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "strace: exec: Permission denied\n", 32) = 32
exit_group(1)                           = ?
+++ exited with 1 +++
execve("./win", ["./win"], 0x7fffaf7750b8 /* 26 vars */) = 0
open("/proc/self/exe", O_RDONLY)        = 3
mmap(NULL, 1843171, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f42424b3000
mmap(0x7f42424b3000, 1842810, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0) = 0x7f42424b3000
mprotect(0x7f4242674000, 4067, PROT_READ|PROT_EXEC) = 0
readlink("/proc/self/exe", "/root/win", 4095) = 9
mmap(0x400000, 5758976, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400000
mmap(0x400000, 10112, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x400000
mprotect(0x400000, 10112, PROT_READ)    = 0
mmap(0x403000, 5039361, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0x3000) = 0x403000
mprotect(0x403000, 5039361, PROT_READ|PROT_EXEC) = 0
mmap(0x8d2000, 612768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0x4d2000) = 0x8d2000
mprotect(0x8d2000, 612768, PROT_READ)   = 0
mmap(0x968000, 75152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0x567000) = 0x968000
mprotect(0x968000, 75152, PROT_READ|PROT_WRITE) = 0
mmap(0x97b000, 11904, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x97b000
open("/lib64/ld-linux-x86-64.so.2", O_RDONLY) = 4
read(4, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\21\0\0\0\0\0\0"..., 1024) = 1024
mmap(NULL, 2244608, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f424228f000
mmap(0x7f424228f000, 137568, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0) = 0x7f424228f000
mmap(0x7f42424b0000, 8056, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 4, 0x21000) = 0x7f42424b0000
mmap(0x7f42424b2000, 336, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f42424b2000
close(4)                                = 0
mmap(NULL, 4096, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f424228e000
close(3)                                = 0
munmap(0x7f42424b3000, 1843171)         = 0
brk(NULL)                               = 0x266f000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4242674000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=43151, ...}) = 0
mmap(NULL, 43151, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f4242669000
close(3)                                = 0
open("/lib64/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\264\5\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=995840, ...}) = 0
mmap(NULL, 3175456, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f4241f86000
mprotect(0x7f424206f000, 2097152, PROT_NONE) = 0
mmap(0x7f424226f000, 40960, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xe9000) = 0x7f424226f000
mmap(0x7f4242279000, 82976, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f4242279000
close(3)                                = 0
open("/lib64/librt.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0000\"\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=43712, ...}) = 0
mmap(NULL, 2128952, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f4241d7e000
mprotect(0x7f4241d85000, 2093056, PROT_NONE) = 0
mmap(0x7f4241f84000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x7f4241f84000
close(3)                                = 0
open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200m\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=142144, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4242668000
mmap(NULL, 2208904, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f4241b62000
mprotect(0x7f4241b79000, 2093056, PROT_NONE) = 0
mmap(0x7f4241d78000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x16000) = 0x7f4241d78000
mmap(0x7f4241d7a000, 13448, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f4241d7a000
close(3)                                = 0
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\16\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=19248, ...}) = 0
mmap(NULL, 2109744, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f424195e000
mprotect(0x7f4241960000, 2097152, PROT_NONE) = 0
mmap(0x7f4241b60000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x7f4241b60000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0`&\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=2156352, ...}) = 0
mmap(NULL, 3985920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f4241590000
mprotect(0x7f4241754000, 2093056, PROT_NONE) = 0
mmap(0x7f4241953000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c3000) = 0x7f4241953000
mmap(0x7f4241959000, 16896, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f4241959000
close(3)                                = 0
open("/lib64/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0PS\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1136944, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4242667000
mmap(NULL, 3150136, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f424128e000
mprotect(0x7f424138f000, 2093056, PROT_NONE) = 0
mmap(0x7f424158e000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x100000) = 0x7f424158e000
close(3)                                = 0
open("/lib64/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320*\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=88720, ...}) = 0
mmap(NULL, 2184192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f4241078000
mprotect(0x7f424108d000, 2093056, PROT_NONE) = 0
mmap(0x7f424128c000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14000) = 0x7f424128c000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4242666000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4242665000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4242663000
arch_prctl(ARCH_SET_FS, 0x7f4242663740) = 0
mprotect(0x7f4241953000, 16384, PROT_READ) = 0
mprotect(0x7f424128c000, 4096, PROT_READ) = 0
mprotect(0x7f424158e000, 4096, PROT_READ) = 0
mprotect(0x7f4241b60000, 4096, PROT_READ) = 0
mprotect(0x7f4241d78000, 4096, PROT_READ) = 0
mprotect(0x7f4241f84000, 4096, PROT_READ) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4242662000
mprotect(0x7f424226f000, 32768, PROT_READ) = 0
mprotect(0x968000, 4096, PROT_READ)     = 0
mprotect(0x7f42424b0000, 4096, PROT_READ) = 0
munmap(0x7f4242669000, 43151)           = 0
set_tid_address(0x7f4242663a10)         = 1476
set_robust_list(0x7f4242663a20, 24)     = 0
rt_sigaction(SIGRTMIN, {sa_handler=0x7f4241b68860, sa_mask=[], sa_flags=SA_RESTORER|SA_SIGINFO, sa_restorer=0x7f4241b71630}, NULL, 8) = 0
rt_sigaction(SIGRT_1, {sa_handler=0x7f4241b688f0, sa_mask=[], sa_flags=SA_RESTORER|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f4241b71630}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0
getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
rt_sigaction(SIGHUP, {sa_handler=0x781030, sa_mask=[HUP], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f42415c6400}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
rt_sigaction(SIGCHLD, {sa_handler=SIG_IGN, sa_mask=[CHLD], sa_flags=SA_RESTORER|SA_RESTART, sa_restorer=0x7f42415c6400}, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=0}, 8) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f4242663a10) = 1477
exit_group(0)                           = ?
+++ exited with 0 +++
set_robust_list(0x7f4242663a20, 24)     = 0
setsid()                                = 1477
brk(NULL)                               = 0x266f000
brk(0x2690000)                          = 0x2690000
brk(NULL)                               = 0x2690000
open("./win", O_RDONLY)                 = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=1856640, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4242673000
fstat(3, {st_mode=S_IFREG|0755, st_size=1856640, ...}) = 0
lseek(3, 1855488, SEEK_SET)             = 1855488
read(3, "s\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\200\7\0\0\0\0\0\0\200\7\0\0\0\0\0\0"..., 1152) = 1152
mmap(NULL, 1859584, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4240eb2000
lseek(3, 0, SEEK_SET)                   = 0
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\2\0>\0\1\0\0\0H\25\\\0\0\0\0\0"..., 1855488) = 1855488
read(3, "s\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\200\7\0\0\0\0\0\0\200\7\0\0\0\0\0\0"..., 4096) = 1152
close(3)                                = 0
munmap(0x7f4242673000, 4096)            = 0
stat("/etc/resolv.conf", {st_mode=S_IFREG|0644, st_size=68, ...}) = 0
open("/etc/host.conf", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=9, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4242673000
read(3, "multi on\n", 4096)             = 9
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f4242673000, 4096)            = 0
futex(0x7f424195b9f0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/etc/resolv.conf", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=68, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4242673000
read(3, "\nnameserver 114.114.114.114\nname"..., 4096) = 68
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x7f4242673000, 4096)            = 0
munmap(0x7f4240eb2000, 1859584)         = 0
open("./win", O_RDONLY)                 = 3
fstat(3, {st_mode=S_IFREG|0755, st_size=1856640, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4242673000
fstat(3, {st_mode=S_IFREG|0755, st_size=1856640, ...}) = 0
lseek(3, 1855488, SEEK_SET)             = 1855488
read(3, "s\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\200\7\0\0\0\0\0\0\200\7\0\0\0\0\0\0"..., 1152) = 1152
brk(NULL)                               = 0x2690000
brk(0x2856000)                          = 0x2856000
lseek(3, 0, SEEK_SET)                   = 0
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\2\0>\0\1\0\0\0H\25\\\0\0\0\0\0"..., 1855488) = 1855488
read(3, "s\0\0\0\1\0\0\0\6\0\0\0\0\0\0\0\200\7\0\0\0\0\0\0\200\7\0\0\0\0\0\0"..., 4096) = 1152
close(3)                                = 0
munmap(0x7f4242673000, 4096)            = 0
uname({sysname="Linux", nodename="localhost.localdomain", ...}) = 0
unlink("/tmp/.sys.rrcache.data")        = -1 ENOENT (No such file or directory)
open("/tmp/.sys.rrcache.data", O_WRONLY|O_CREAT, 0777) = 3
write(3, "\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\10\0\0\0\0\0\0@\0\0\0"..., 5065500092648141104) = -1 EFAULT (Bad address)
fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4242673000
write(1, "[error]: write dll\n", 19)    = 19
close(3)                                = 0
chmod("/tmp/.sys.rrcache.data", 0777)   = 0
futex(0x7f4241b610d0, FUTEX_WAKE_PRIVATE, 2147483647) = 0
open("/tmp/.sys.rrcache.data", O_RDONLY|O_CLOEXEC) = 3
read(3, "", 832)                        = 0
close(3)                                = 0
write(1, "[error]: [parse lib]: /tmp/.sys."..., 62) = 62
unlink("/tmp/.sys.rrcache.data")        = 0
unlink("./.sys.rrcache.data")           = -1 ENOENT (No such file or directory)
open("./.sys.rrcache.data", O_WRONLY|O_CREAT, 0777) = 3
write(3, "\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\20\10\0\0\0\0\0\0@\0\0\0"..., 5065500092648141104) = -1 EFAULT (Bad address)
write(1, "[error]: write dll\n", 19)    = 19
close(3)                                = 0
chmod("./.sys.rrcache.data", 0777)      = 0
open("./.sys.rrcache.data", O_RDONLY|O_CLOEXEC) = 3
read(3, "", 832)                        = 0
close(3)                                = 0
write(1, "[error]: [parse lib]: ./.sys.rrc"..., 59) = 59
unlink("./.sys.rrcache.data")           = 0
write(1, "[error]: [parse symbol]: (null)!"..., 33) = 33
exit_group(0)                           = ?
+++ exited with 0 +++

@gloxec gloxec added the bug Something isn't working label Sep 23, 2021

gloxec commented Sep 23, 2021

@gloxec gloxec added the Fixed label Sep 23, 2021
@gloxec gloxec changed the title CrossC2 v2.2.5 加载rebind库后无法上线 Win下CrossC2 v2.2.5 生成带rebind库的beacon无法上线 Nov 2, 2021
@gloxec gloxec closed this as completed Nov 2, 2021