[BUG] Donut [File not found] When Generating Shellcode Stager #761

Closed
1 task done
Bad3r opened this issue Nov 20, 2024 · 4 comments
Labels
bug Something isn't working confirmed

Comments


Bad3r commented Nov 20, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Empire Version

v5.11.7

Python Version

3.12.7

Operating System

Kali Linux 2024.4

Database

MariaDB

Current Behavior

When attempting to generate a windows_shellcode stager in Empire, the process fails with a server-side error:

Server Log Error:
    RuntimeError: File not found.
    File "/home/kali/git/Empire/empire/server/common/stagers.py", line 203, in generate_powershell_shellcode
        shellcode = donut.create(file=directory, arch=arch_type)

On the client-side, this results in a JSONDecodeError due to an empty response from the server:

Client Log Error:
    ERROR: Expecting value: line 1 column 1 (char 0)
    requests.exceptions.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Despite donut-shellcode being installed as indicated in pyproject.toml and poetry.lock, the error persists.

Verification of Donut Installation:
kali@kali ~/g/Empire ((v5.11.7))> poetry show | grep donut-shellcode
donut-shellcode = { version = "^1.1", markers = "platform_machine == 'x86_64' or platform_machine == 'amd64'" }

kali@kali ~/g/Empire ((v5.11.7))> cat poetry.lock | grep donut
name = "donut-shellcode"
    {file = "donut_shellcode-1.1.tar.gz", hash = "sha256:80861de844b9a36de3907e726605cdf01b8e052c24a74b6e454da9b2ebca2788"},

Full server log:

[ERROR]: Exception in ASGI application
 
Traceback (most recent call last):
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/uvicorn/protocols/http/h11_impl.py", line 412, in run_asgi
    result = await app(  # type: ignore[func-returns-value]
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/uvicorn/middleware/proxy_headers.py", line 84, in __call__
    return await self.app(scope, receive, send)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/fastapi/applications.py", line 1054, in __call__
    await super().__call__(scope, receive, send)
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/applications.py", line 123, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/middleware/errors.py", line 186, in __call__
    raise exc
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/middleware/errors.py", line 164, in __call__
    await self.app(scope, receive, _send)
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/middleware/gzip.py", line 24, in __call__
    await responder(scope, receive, send)
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/middleware/gzip.py", line 44, in __call__
    await self.app(scope, receive, self.send_with_gzip)
  File "/home/kali/git/Empire/empire/server/api/middleware.py", line 36, in __call__
    await super().__call__(scope, receive, send)
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/middleware/cors.py", line 83, in __call__
    await self.app(scope, receive, send)
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/middleware/exceptions.py", line 62, in __call__
    await wrap_app_handling_exceptions(self.app, conn)(scope, receive, send)
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
    raise exc
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    await app(scope, receive, sender)
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/routing.py", line 758, in __call__
    await self.middleware_stack(scope, receive, send)
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/routing.py", line 778, in app
    await route.handle(scope, receive, send)
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/routing.py", line 299, in handle
    await self.app(scope, receive, send)
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/routing.py", line 79, in app
    await wrap_app_handling_exceptions(app, request)(scope, receive, send)
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/_exception_handler.py", line 64, in wrapped_app
    raise exc
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/_exception_handler.py", line 53, in wrapped_app
    await app(scope, receive, sender)
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/starlette/routing.py", line 74, in app
    response = await func(request)
               ^^^^^^^^^^^^^^^^^^^
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/fastapi/routing.py", line 299, in app
    raise e
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/fastapi/routing.py", line 294, in app
    raw_response = await run_endpoint_function(
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/.cache/pypoetry/virtualenvs/empire-bc-security-fork-Sa7SYij8-py3.12/lib/python3.12/site-packages/fastapi/routing.py", line 191, in run_endpoint_function
    return await dependant.call(**values)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/git/Empire/empire/server/api/v2/stager/stager_api.py", line 60, in create_stager
    resp, err = stager_service.create_stager(
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/git/Empire/empire/server/core/stager_service.py", line 85, in create_stager
    generated, err = self.generate_stager(template_instance)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/git/Empire/empire/server/core/stager_service.py", line 153, in generate_stager
    resp = template_instance.generate()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/git/Empire/empire/server/stagers/windows/shellcode.py", line 148, in generate
    shellcode, err = self.mainMenu.stagers.generate_powershell_shellcode(
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/git/Empire/empire/server/common/stagers.py", line 203, in generate_powershell_shellcode
    shellcode = donut.create(file=directory, arch=arch_type)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
RuntimeError: File not found.

Expected Behavior

The stager generation process should be completed successfully.

Steps To Reproduce

  1. Clone and install Empire from the BC Security repository.
  2. Start the Empire server and client.
  3. Configure the windows_shellcode stager:
    • Listener: L1 (active and verified).
    • Language: powershell.
    • Architecture: both.
    • DotNetVersion: net40.
    • OutFile: shelly.bin.
  4. Generate the stager.
  5. Observe the server and client logs for errors.

Full list of options set:

| Name | Value | Required | Description |
|---|---|---|---|
| Listener | L1 | True | Listener to generate stager for. |
| Language | powershell | True | Language of the stager to generate. |
| DotNetVersion | net40 | True | Language of the stager to generate (powershell, csharp). |
| Architecture | both | True | Architecture of the .dll to generate (x64 or x86). |
| StagerRetries | 0 | False | Times for the stager to retry connecting. |
| UserAgent | default | False | User-agent string to use for the staging request (default, none, or other). |
| Proxy | default | False | Proxy to use for request (default, none, or other). |
| ProxyCreds | default | False | Proxy credentials ([domain]username:password) to use for request (default, none, or other). |
| OutFile | shelly.bin | True | Filename that should be used for the generated output. |
| Obfuscate | False | False | Switch. Obfuscate the launcher powershell code, uses the ObfuscateCommand for obfuscation types. For powershell only. |
| ObfuscateCommand | Token\All\1 | False | The Invoke-Obfuscation command to use. Only used if Obfuscate switch is True. For powershell only. |
| Bypasses | mattifestation etw | False | Bypasses as a space separated list to be prepended to the launcher. |

Anything else?

Suspected Cause:

  • The donut.create() function cannot find a required file during the stager generation process. This may indicate a misconfiguration in Empire’s use of the donut-shellcode library or missing dependencies. Based on the discussion in "[BUG] Fail to build on Python 3.12" (#752), the donut version was recently updated.

Attempts to Fix:

  1. Reinstalled donut-shellcode using poetry.
  2. Verified donut-shellcode installation in a Python shell (inside poetry session).
  3. Rebuilt Empire dependencies with poetry install.

Despite these steps, the error persists.

@Bad3r Bad3r added the bug Something isn't working label Nov 20, 2024
Cx01N (Member) commented Dec 8, 2024

Does building a C# exe also give this error?

@Cx01N Cx01N self-assigned this Dec 8, 2024
Bad3r (Author) commented Dec 9, 2024

> Does building a C# exe also give this error?

No, it doesn't. The usestager/windows_csharp_exe generates as expected. Just tested it to confirm.

Cx01N (Member) commented Jan 12, 2025

I think I finally tracked this issue down, and it was definitely a frustrating one to debug. It turns out that if you start the server and generate the PowerShell C# EXE stager, it will fail. However, if you restart the server, it works as expected. The reason it was tricky to reproduce consistently is that the launcher file wasn’t being deleted on a server restart. To address this, I’ve updated the code so that the launcher file is included by default, and resets will now clear that file.

From what I can tell, this issue should no longer exist in version 6.0, as we’ve completely rewritten the compiler in that release.

Thanks for your patience while I worked through this and if you have a chance, can you test out the PR to confirm it works for you?

Cx01N (Member) commented Jan 14, 2025

Going to close it for now since the PR was merged. Let us know if you see it again and we can reopen the issue.

@Cx01N Cx01N closed this as completed Jan 14, 2025