donut: Generated shellcode does not work

What’s wrong ?

The generated loader.bin shellcode does not seem to work on a specific system configuration. It makes the host process crash when loaded.

System configuration

  • Windows 10.0.18362 N/A Build 18362
  • .NET Framework installed on the host:
    • v4.0.0.0
    • v4.8.03752
  • Anti-Virus: Windows Defender is installed by default, but all options have been disabled
  • Donut: latest version built from master as of 03/23/2020

What did you try to do ?

Use donut.exe to generate a shellcode based on the DemoCreateProcess assembly with the following command:

.\donut.exe -e 1 -b 1 -z 1 -c TestClass -m RunProcess -p "calc.exe calc.exe" C:\Users\lab\source\repos\donut\DemoCreateProcess\bin\Release\DemoCreateProcess.dll

Then converted the shellcode to a base64 string using the following powershell snippet:

 [System.Convert]::ToBase64String([IO.File]::ReadAllBytes("path\to\loader.bin")) | clip

Finally, replaced the base64 string in the DonutTest project, line 13. Then, I compiled the DonutTest project, started a new notepad.exe process (pid 5824), and ran:

.\DonutTest.exe 5824

What did you expect ?

calc.exe should be running as a child of notepad.exe (process 5824)

What happened ?

The notepad process crashed.

More information

I initially had the issue with another assembly, and another shellcode injector, but even trying with the ones provided within the donut repo, I am able to reproduce this behavior. Building and using a debug version of donut results in the same behavior, although running .\loader64.exe .\instance on the generated instance file works well. So my best guess would be that something is wrong in the loader embedded in the final shellcode, but I have honestly no clue about what.

Here are the log files for the debug build: https://gist.github.com/lesnuages/f27ef9b33676ac4f0e882c738ed0fb10

About this issue

  • Original URL
  • State: open
  • Created 4 years ago
  • Comments: 15 (2 by maintainers)

Most upvoted comments

I’m not sure if this is the same issue, but I am able to reproduce the GCC vs MinGW issue. In my case, the shellcode created with MinGW/Windows donut.exe works but the shellcode created with GCC/Linux donut fails.

Generated via:

donut -a 2 -e 1 -s http://localhost:8080 my.dll

Build versions:

$ gcc --version
gcc (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0

$ x86_64-w64-mingw32-gcc --version
x86_64-w64-mingw32-gcc (GCC) 7.3-win32 20180312

And here’s the output to dumpcfg for both versions:

PS > .\tools\dumpcfg.exe .\loader.bin.mingw
Length    : 3664
Key       : 00000000000000000000000000000000
CTR       : 00000000000000000000000000000000
Maru IV   : 0
Exit Opt  : 1
OEP       : 0000000000000000
API Count : 52
00 => 8322A3F655D252A0 is the hash for kernel32.dll!LoadLibraryA : OK
01 => 5F9A2F5A70159AF7 is the hash for kernel32.dll!GetProcAddress : OK
02 => ECEC2E0F77C1DF79 is the hash for kernel32.dll!GetModuleHandleA : OK
03 => 52622E8E2A03836A is the hash for kernel32.dll!VirtualAlloc : OK
04 => A0F99483877BBCC4 is the hash for kernel32.dll!VirtualFree : OK
05 => A6B3DEBBBD52F776 is the hash for kernel32.dll!VirtualQuery : OK
06 => E0206318E83E16F4 is the hash for kernel32.dll!VirtualProtect : OK
07 => 29407C7E01077DEF is the hash for kernel32.dll!Sleep : OK
08 => B2D46685A8D6CC8F is the hash for kernel32.dll!MultiByteToWideChar : OK
09 => 3D28AFB2AD9197E5 is the hash for kernel32.dll!GetUserDefaultLCID : OK
10 => C45F651AAFFB410B is the hash for kernel32.dll!WaitForSingleObject : OK
11 => A88D8A63D7D17933 is the hash for kernel32.dll!CreateThread : OK
12 => EDBBC13672C19CE4 is the hash for kernel32.dll!GetThreadContext : OK
13 => 6A2447B1BECC189C is the hash for kernel32.dll!GetCurrentThread : OK
14 => E6E2D0AA08292200 is the hash for kernel32.dll!GetCommandLineA : OK
15 => 1C7CF9F57FA86E3D is the hash for kernel32.dll!GetCommandLineW : OK
16 => F3848EC570838A21 is the hash for shell32.dll!CommandLineToArgvW : OK
17 => DFBD47E13EE13B10 is the hash for oleaut32.dll!SafeArrayCreate : OK
18 => BD77AF2569689C8A is the hash for oleaut32.dll!SafeArrayCreateVector : OK
19 => 8AD71499A1140B4D is the hash for oleaut32.dll!SafeArrayPutElement : OK
20 => 2082D640CCFD441B is the hash for oleaut32.dll!SafeArrayDestroy : OK
21 => 7046B02E03CE7D0C is the hash for oleaut32.dll!SafeArrayGetLBound : OK
22 => C1EB0C113A5660BA is the hash for oleaut32.dll!SafeArrayGetUBound : OK
23 => F3AC45C203C14CE0 is the hash for oleaut32.dll!SysAllocString : OK
24 => 733CE6F644E27222 is the hash for oleaut32.dll!SysFreeString : OK
25 => 3E3F0153FB195BEB is the hash for oleaut32.dll!LoadTypeLib : OK
26 => 908B117CC2EF66F9 is the hash for wininet.dll!InternetCrackUrlA : OK
27 => A146D290F7863A30 is the hash for wininet.dll!InternetOpenA : OK
28 => 57777DD39940F617 is the hash for wininet.dll!InternetConnectA : OK
29 => 9395C00826DDF250 is the hash for wininet.dll!InternetSetOptionA : OK
30 => D388820170E23FB1 is the hash for wininet.dll!InternetReadFile : OK
31 => 6A0E5F83356BF090 is the hash for wininet.dll!InternetCloseHandle : OK
32 => F66DD0723A6E8482 is the hash for wininet.dll!HttpOpenRequestA : OK
33 => 0B43C51621CD164B is the hash for wininet.dll!HttpSendRequestA : OK
34 => B872B6B717BFF247 is the hash for wininet.dll!HttpQueryInfoA : OK
35 => 957235ACDB519818 is the hash for mscoree.dll!CorBindToRuntime : OK
36 => 60111C8D1049452E is the hash for mscoree.dll!CLRCreateInstance : OK
37 => 121D46593E41D827 is the hash for ole32.dll!CoInitializeEx : OK
39 => E9A80D05EE05D859 is the hash for ole32.dll!CoUninitialize : OK
40 => 453737D2E7D0F769 is the hash for ntdll.dll!RtlEqualUnicodeString : OK
41 => 439713CC2F516036 is the hash for ntdll.dll!RtlEqualString : OK
42 => C7B512E9E2D2F84F is the hash for ntdll.dll!RtlUnicodeStringToAnsiString : OK
43 => 2992DE171F478173 is the hash for ntdll.dll!RtlInitUnicodeString : OK
44 => 8C914E01296AFCA9 is the hash for ntdll.dll!RtlExitUserThread : OK
45 => B2038712DAAC1A44 is the hash for ntdll.dll!RtlExitUserProcess : OK
46 => 8EDF30B20BC8A076 is the hash for ntdll.dll!RtlCreateUnicodeString : OK
47 => 5FD236D633BA0134 is the hash for ntdll.dll!RtlGetCompressionWorkSpaceSize : OK
48 => 0CF4EFF0BA940F2B is the hash for ntdll.dll!RtlDecompressBuffer : OK
49 => B0C67F05012616EC is the hash for ntdll.dll!NtContinue : OK
50 => 2B187C9F4F529D96 is the hash for kernel32.dll!AddVectoredExceptionHandler : OK
51 => 0989367F9B2F00CE is the hash for kernel32.dll!RemoveVectoredExceptionHandler : OK
sizeof(DONUT_INSTANCE) : 3664
sizeof(ULONG_PTR)      : 8
RtlExitUserProcess index : 45
Hashes match OK


PS > .\tools\dumpcfg.exe .\loader.bin.gcc
Length    : 3664
Key       : 00000000000000000000000000000000
CTR       : 00000000000000000000000000000000
Maru IV   : 0
Exit Opt  : 1
OEP       : 0000000000000000
API Count : 52
00 => 8322A3F655D252A0 is the hash for kernel32.dll!LoadLibraryA : OK
01 => 5F9A2F5A70159AF7 is the hash for kernel32.dll!GetProcAddress : OK
02 => ECEC2E0F77C1DF79 is the hash for kernel32.dll!GetModuleHandleA : OK
03 => 52622E8E2A03836A is the hash for kernel32.dll!VirtualAlloc : OK
04 => A0F99483877BBCC4 is the hash for kernel32.dll!VirtualFree : OK
05 => A6B3DEBBBD52F776 is the hash for kernel32.dll!VirtualQuery : OK
06 => E0206318E83E16F4 is the hash for kernel32.dll!VirtualProtect : OK
07 => 29407C7E01077DEF is the hash for kernel32.dll!Sleep : OK
08 => B2D46685A8D6CC8F is the hash for kernel32.dll!MultiByteToWideChar : OK
09 => 3D28AFB2AD9197E5 is the hash for kernel32.dll!GetUserDefaultLCID : OK
10 => C45F651AAFFB410B is the hash for kernel32.dll!WaitForSingleObject : OK
11 => A88D8A63D7D17933 is the hash for kernel32.dll!CreateThread : OK
12 => EDBBC13672C19CE4 is the hash for kernel32.dll!GetThreadContext : OK
13 => 6A2447B1BECC189C is the hash for kernel32.dll!GetCurrentThread : OK
14 => E6E2D0AA08292200 is the hash for kernel32.dll!GetCommandLineA : OK
15 => 1C7CF9F57FA86E3D is the hash for kernel32.dll!GetCommandLineW : OK
16 => F3848EC570838A21 is the hash for shell32.dll!CommandLineToArgvW : OK
17 => DFBD47E13EE13B10 is the hash for oleaut32.dll!SafeArrayCreate : OK
18 => BD77AF2569689C8A is the hash for oleaut32.dll!SafeArrayCreateVector : OK
19 => 8AD71499A1140B4D is the hash for oleaut32.dll!SafeArrayPutElement : OK
20 => 2082D640CCFD441B is the hash for oleaut32.dll!SafeArrayDestroy : OK
21 => 7046B02E03CE7D0C is the hash for oleaut32.dll!SafeArrayGetLBound : OK
22 => C1EB0C113A5660BA is the hash for oleaut32.dll!SafeArrayGetUBound : OK
23 => F3AC45C203C14CE0 is the hash for oleaut32.dll!SysAllocString : OK
24 => 733CE6F644E27222 is the hash for oleaut32.dll!SysFreeString : OK
25 => 3E3F0153FB195BEB is the hash for oleaut32.dll!LoadTypeLib : OK
26 => 908B117CC2EF66F9 is the hash for wininet.dll!InternetCrackUrlA : OK
27 => A146D290F7863A30 is the hash for wininet.dll!InternetOpenA : OK
28 => 57777DD39940F617 is the hash for wininet.dll!InternetConnectA : OK
29 => 9395C00826DDF250 is the hash for wininet.dll!InternetSetOptionA : OK
30 => D388820170E23FB1 is the hash for wininet.dll!InternetReadFile : OK
31 => 6A0E5F83356BF090 is the hash for wininet.dll!InternetCloseHandle : OK
32 => F66DD0723A6E8482 is the hash for wininet.dll!HttpOpenRequestA : OK
33 => 0B43C51621CD164B is the hash for wininet.dll!HttpSendRequestA : OK
34 => B872B6B717BFF247 is the hash for wininet.dll!HttpQueryInfoA : OK
35 => 957235ACDB519818 is the hash for mscoree.dll!CorBindToRuntime : OK
36 => 60111C8D1049452E is the hash for mscoree.dll!CLRCreateInstance : OK
37 => 121D46593E41D827 is the hash for ole32.dll!CoInitializeEx : OK
38 => 2D5F94E307433D52 is the hash for ole32.dll!CoCreateInstance : OK
39 => E9A80D05EE05D859 is the hash for ole32.dll!CoUninitialize : OK
40 => 453737D2E7D0F769 is the hash for ntdll.dll!RtlEqualUnicodeString : OK
41 => 439713CC2F516036 is the hash for ntdll.dll!RtlEqualString : OK
42 => C7B512E9E2D2F84F is the hash for ntdll.dll!RtlUnicodeStringToAnsiString : OK
43 => 2992DE171F478173 is the hash for ntdll.dll!RtlInitUnicodeString : OK
44 => 8C914E01296AFCA9 is the hash for ntdll.dll!RtlExitUserThread : OK
45 => B2038712DAAC1A44 is the hash for ntdll.dll!RtlExitUserProcess : OK
46 => 8EDF30B20BC8A076 is the hash for ntdll.dll!RtlCreateUnicodeString : OK
47 => 5FD236D633BA0134 is the hash for ntdll.dll!RtlGetCompressionWorkSpaceSize : OK
48 => 0CF4EFF0BA940F2B is the hash for ntdll.dll!RtlDecompressBuffer : OK
49 => B0C67F05012616EC is the hash for ntdll.dll!NtContinue : OK
50 => 2B187C9F4F529D96 is the hash for kernel32.dll!AddVectoredExceptionHandler : OK
51 => 0989367F9B2F00CE is the hash for kernel32.dll!RemoveVectoredExceptionHandler : OK
sizeof(DONUT_INSTANCE) : 3664
sizeof(ULONG_PTR)      : 8
RtlExitUserProcess index : 45
Hashes match OK
+2
aus on Apr 1, 2020

For what it’s worth, I’m having a similar problem. Using the dev branch and the same .NET Assembly (DemoCreateProcess), generating shellcode on Windows works fine while shellcode generated on Linux crashes the host process.

I have a very different version of mingw than @lesnuages , though.


COLLECT_GCC=x86_64-w64-mingw32-gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-w64-mingw32/7.3-win32/lto-wrapper
Target: x86_64-w64-mingw32
Configured with: ../../src/configure --build=x86_64-linux-gnu --prefix=/usr --includedir='/usr/include' --mandir='/usr/share/man' --infodir='/usr/share/info' --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir='/usr/lib/x86_64-linux-gnu' --libexecdir='/usr/lib/x86_64-linux-gnu' --disable-maintainer-mode --disable-dependency-tracking --prefix=/usr --enable-shared --enable-static --disable-multilib --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --libdir=/usr/lib --enable-libstdcxx-time=yes --with-tune=generic --with-headers=/usr/x86_64-w64-mingw32/include --enable-version-specific-runtime-libs --enable-fully-dynamic-string --enable-libgomp --enable-languages=c,c++,fortran,objc,obj-c++,ada --enable-lto --with-plugin-ld --enable-threads=win32 --program-suffix=-win32 --program-prefix=x86_64-w64-mingw32- --target=x86_64-w64-mingw32 --with-as=/usr/bin/x86_64-w64-mingw32-as --with-ld=/usr/bin/x86_64-w64-mingw32-ld --enable-libatomic --enable-libstdcxx-filesystem-ts=yes
Thread model: win32
gcc version 7.3-win32 20180312 (GCC)
+1
TheWover on Mar 26, 2020

Well I had the same issues using the generated shellcode from donut on Linux, if that ever helps.

+1
lesnuages on Mar 25, 2020
Read more comments on GitHub
← rn-emoji-keyboard: Exception thrown while executing UI Block: Collection was being mutated while being enumerated
rollup-plugin-livereload: live reload not working after first reload →