
[File a bug report for the Demon Implant]: Demon is not able to copy files into directories with

Open raf181 opened this issue 3 years ago • 0 comments

Contact Details

[email protected]

What happened?

Demon is not able to copy itself to directories with a name that contains a space

Tested commands for copying files:

cd C:\Demon.ex C:\Users\RAFAEL.PONCE1.S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

shell xcopy C:\Files C:\Users\RAFAEL.PONCE1.S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup /i

powershell Copy-Item -Path "C:\Demon.exe" -Destination "C:\Users\RAFAEL.PONCE1.S\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" -Recurse

In most cases, the output will give a syntax failure since it detects the space in "Start Menu" as the end of the path and reads the word after the space as a command option.

Tested on:

  • server and client on latest Debian 11
  • target machine Windows 11 Preview

Did You Do a Pull First?

Latest (You performed a pull first)

Relevant log output

Output 1

25/10/2022 12:51:44 [#####] Demon » dir
[*] [AF628C0E] Tasked demon to list current directory
[+] Send Task to Agent [26 bytes]
[*] List Directory: C:\Users\secur\Documents

 Size         Type     Last Modified         Name    
 ----         ----     -------------------   ----    
 59.90 kB     file     25/10/2022 38:12:09   demon.exe
 59.90 kB     file     25/10/2022 31:49:09   ex.exe  
              dir      21/10/2022 15:39:10   My Music
              dir      21/10/2022 15:39:10   My Pictures
              dir      21/10/2022 15:39:10   My Videos


25/10/2022 12:53:48 [#####] Demon » cp ex.exe C:\Users\secur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[*] [8F61B0A5] Tasked demon to copy file ex.exe to C:\Users\secur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
[+] Send Task to Agent [184 bytes]
[!] Win32 Error: ERROR_FILE_NOT_FOUND [2]
[!] Failed to copied file ex.exe to C:\U[]ers\secur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Output 2

25/10/2022 12:59:07 [anoam] Demon » shell xcopy ex.exe C:\Users\secur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup /i
[*] [6185E4A0] Tasked demon to execute a shell command
[+] Send Task to Agent [165 bytes]
[+] Received Output [30 bytes]:
Invalid number of parameters

Output 3

25/10/2022 13:01:22 [anoam] Demon » powershell Copy-Item -Path "C:\Users\secur\Documents\ex.exe" -Destination "C:\Users\secur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" -Recurse
[*] [3CB1540E] Tasked demon to execute a powershell command/script
[+] Send Task to Agent [243 bytes]
[+] Received Output [466 bytes]:
Copy-Item : A positional parameter cannot be found that accepts argument 'Menu\Programs\Startup'.
At line:1 char:1
+ Copy-Item -Path C:\Users\secur\Documents\ex.exe -Destination C:\Users ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Copy-Item], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.CopyItemCommand

Did You Read Over Your Issue First?

  • [X] I declare I made an effort and provided the necessary information for replication of the issue.

raf181 · Oct 25 '22 17:10