
[Bug] CreateThread kills the Notion agent if there's no handler to catch the shellcode shell #57

Status: Open
HuskyHacks opened this issue Mar 6, 2022 · 4 comments
Assignees: HuskyHacks
Labels: bug (Something isn't working)

Comments

@HuskyHacks (Collaborator)
Describe the bug
`inject self` will kill the Notion agent if the injection happens but no session spawns, for example if you inject Meterpreter shellcode but no multi/handler is up to catch it.

To Reproduce
1. Host shellcode
2. Do not run a multi/handler
3. Perform self injection

Expected behavior
The agent should handle this and exit from the CreateThread injection routine alive.

@HuskyHacks HuskyHacks added the bug Something isn't working label Mar 6, 2022
@HuskyHacks HuskyHacks self-assigned this Mar 6, 2022
@HuskyHacks HuskyHacks changed the title [Bug] CreateThread kill the Notion agent if there's no handler to catch the shellcode shell [Bug] CreateThread kills the Notion agent if there's no handler to catch the shellcode shell Mar 6, 2022
@HuskyHacks (Collaborator, Author)

I have annotated this in https://github.com/mttaggart/OffensiveNotion/wiki/6.-Agent-Interaction#windows-inject-self but will continue to work on resolving the underlying issue.

@HuskyHacks (Collaborator, Author) commented Mar 30, 2022

Reproduced under different conditions: I made some Cobalt Strike shellcode, tried to overwrite it, but ended up saving 0 bytes to a file by accident. When the self-injection happened, the agent "decoded" the 0 bytes, mapped the 0 bytes into memory, executed the thread, and died hard. Noted.

Possible solution for this iteration: check that there are more than 0 bytes during the shellcode download.

@HuskyHacks (Collaborator, Author)

I just had a eureka moment, and I think this might happen because msfvenom-generated shellcode defaults to ExitFunc=process. I will test this with ExitFunc=thread and see if that alters the behavior.

The second bug I mentioned (agent dies because of size 0 buffer of shellcode) is still something we need to handle.

@HuskyHacks (Collaborator, Author)

I noticed that the script in the wiki uses Exitfunc=thread as an argument, and it still kills the agent in the event of an unsuccessful self injection (this time it was a mismatch of B64 iterations given during decode), so that smashes my hypothesis to bits.
