
shellcode_amd64 executor crashes agent #433

Open
heyquentin opened this issue Aug 11, 2023 · 3 comments
Labels
bug Something isn't working

Comments

@heyquentin

Describe the bug
The sandcat agent crashes and the connection between it and Caldera is lost (no heartbeat) when executing shellcode using the shellcode_amd64 executor on a Windows 10 system.

To Reproduce
Steps to reproduce the behavior:
Target system: Windows 10 22H2
[screenshot: target system details]
Caldera: latest (4.2.0)
Sandcat: latest

  1. Open PowerShell on the Windows machine and exec sandcat.exe to get a callback to Caldera
  2. Make an ability using the shellcode_amd64 executor and put in a simple nop
    [screenshot: ability definition]
  3. Execute the operation. The agent will crash, the heartbeats will cease and an error will be displayed in PowerShell
    [screenshot: PowerShell error output]

Here is the text

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x18 pc=0xa688b9]

goroutine 28 [running]:
syscall.(*Proc).Call(0x2?, {0xc0000cfa40?, 0x64d6a514?, 0x36699b4c?})
        /usr/local/go/src/syscall/dll_windows.go:190 +0x19
github.com/mitre/gocat/execute/shellcode.Runner({0xc0000a3e30, 0x1, 0x28034c30598?})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/shellcode/shellcode_windows.go:28 +0x65
github.com/mitre/gocat/execute/shellcode.(*Shellcode).Run(0x0?, {0xc0000a3e28?, 0x0?}, 0x100000000000000?, {0xc00014ea50, 0xc00014e9f0, {0x0, 0x0, 0x0}, 0xc00014ea20})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/shellcode/shellcode.go:34 +0xe5
github.com/mitre/gocat/execute.RunCommand({0xc00014ea50, 0xc00014e9f0, {0x0, 0x0, 0x0}, 0xc00014ea20})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/execute.go:80 +0x436
github.com/mitre/gocat/agent.(*Agent).runInstructionCommand(0x0?, 0xc00014e9f0)
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/agent/agent.go:282 +0x157
github.com/mitre/gocat/agent.(*Agent).RunInstruction(0xc0000cab60, 0x0?, 0x1)
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/agent/agent.go:263 +0x3f
created by github.com/mitre/gocat/core.runAgent
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/core/core.go:100 +0xcea

Expected behavior
The given shellcode is executed.

Desktop (please complete the following information):

  • OS: Caldera on Ubuntu 20 using Python 3.8, target system running Windows 10 (see screenshot above)
  • Browser: Firefox
  • Version: Caldera and Sandcat are latest versions

Additional context
I tested the shellcode functionality on Linux (Kali) and it seemed to work fine.
The same error code is also shown in a cmd prompt
[screenshot: cmd prompt error output]

@heyquentin (Author) commented Aug 11, 2023

In the message above I was using Go version 1.20.5. I saw mention of 1.11 in a config file so I installed that version. Same error:

panic: runtime error: invalid memory address or nil pointer dereference
[signal 0xc0000005 code=0x0 addr=0x18 pc=0xa688b9]

goroutine 7 [running]:
syscall.(*Proc).Call(0x2?, {0xc000024cc0?, 0x64d6c715?, 0x3190c564?})
        /usr/local/go/src/syscall/dll_windows.go:190 +0x19
github.com/mitre/gocat/execute/shellcode.Runner({0xc00001d448, 0x1, 0x22047530108?})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/shellcode/shellcode_windows.go:28 +0x65
github.com/mitre/gocat/execute/shellcode.(*Shellcode).Run(0xa30585?, {0xc00001d440?, 0x200000003?}, 0x10000c000085380?, {0xc00015be00, 0xc00015bda0, {0x0, 0x0, 0x0}, 0xc00015bdd0})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/shellcode/shellcode.go:34 +0xe5
github.com/mitre/gocat/execute.RunCommand({0xc00015be00, 0xc00015bda0, {0x0, 0x0, 0x0}, 0xc00015bdd0})
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/execute/execute.go:80 +0x436
github.com/mitre/gocat/agent.(*Agent).runInstructionCommand(0x0?, 0xc00015bda0)
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/agent/agent.go:282 +0x157
github.com/mitre/gocat/agent.(*Agent).RunInstruction(0xc000084340, 0x0?, 0x1)
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/agent/agent.go:263 +0x3f
created by github.com/mitre/gocat/core.runAgent
        /home/quentin/Downloads/caldera/plugins/sandcat/gocat/core/core.go:100 +0xcea

@elegantmoose Can you shed any light on this?

@RiccardoAncarani

Hey, I had the same problem. Inspecting the code it seems that all the WinAPIs related to the shellcode loading are not initialised properly on Windows. This means that VirtualAlloc is NULL, and when invoked raises an ACCESS_DENIED exception. You can solve this by "stealing" the lazyDll loading code from the donut executor. I simply included both modules in my fixed sandcat. At line 20-ish the var statement now looks like this:

var (
	// Lazily loaded system DLLs: resolved on first use instead of at package init,
	// so the *Proc values below are never nil when Runner calls them.
	kernel32      = donut.NewLazySystemDLL("kernel32.dll")
	ntdll         = donut.NewLazySystemDLL("ntdll.dll")
	VirtualAlloc  = kernel32.NewProc("VirtualAlloc")
	RtlCopyMemory = kernel32.NewProc("RtlCopyMemory")
)

and fix the import with the following

	"github.com/mitre/gocat/execute/donut"

@RiccardoAncarani

Also bear in mind that you always need to use a shellcode with an exitfunc=thread, or it will crash the sandcat process. A working example is this: msfvenom --payload windows/x64/exec CMD=calc.exe EXITFUNC=thread -f raw -o calc2.bin

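As an added example (not part of this thread and not code from Caldera or sandcat): a small Go pre-flight check for the EXITFUNC caveat above, meant to run on the operator side before a blob is handed to the agent. It assumes the input is raw, unencoded output of a stock Metasploit Windows payload and relies on the block_api ROR13 hash immediates those payloads use to select their exit routine (kernel32.dll!ExitProcess, kernel32.dll!ExitThread, ntdll.dll!RtlExitUserThread, kernel32.dll!SetUnhandledExceptionFilter). The function names are mine and the sample blobs are constructed, not real msfvenom output; an encoded or hand-written shellcode will simply report no match and must be inspected by hand.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"os"
)

// Metasploit block_api ROR13 hashes that the stock windows/x86 and
// windows/x64 payloads load as a 32-bit immediate to pick their exit routine.
const (
	hashExitProcess                 = 0x56A2B5F0 // kernel32.dll!ExitProcess                 (EXITFUNC=process)
	hashExitThread                  = 0x0A2A1DE0 // kernel32.dll!ExitThread                  (EXITFUNC=thread, legacy path)
	hashRtlExitUserThread           = 0x6F721347 // ntdll.dll!RtlExitUserThread              (EXITFUNC=thread, Vista+ path)
	hashSetUnhandledExceptionFilter = 0xEA320EFE // kernel32.dll!SetUnhandledExceptionFilter (EXITFUNC=seh)
)

// exitFuncByHash maps each hash to the EXITFUNC it implies.
var exitFuncByHash = map[uint32]string{
	hashExitProcess:                 "process",
	hashExitThread:                  "thread",
	hashRtlExitUserThread:           "thread",
	hashSetUnhandledExceptionFilter: "seh",
}

// FindExitFuncs scans raw shellcode for those little-endian immediates at every
// byte offset and returns the EXITFUNC names they imply. It is a byte-pattern
// heuristic: encoded or non-Metasploit shellcode yields an empty set.
func FindExitFuncs(blob []byte) map[string]bool {
	found := map[string]bool{}
	for i := 0; i+4 <= len(blob); i++ {
		if name, ok := exitFuncByHash[binary.LittleEndian.Uint32(blob[i:])]; ok {
			found[name] = true
		}
	}
	return found
}

// SafeForAgent decides whether the blob may be executed inside a host process
// that has to keep running (such as an implant), and explains why.
func SafeForAgent(blob []byte) (bool, string) {
	found := FindExitFuncs(blob)
	switch {
	case found["process"]:
		return false, "EXITFUNC=process: ExitProcess would terminate the whole agent"
	case found["seh"]:
		return false, "EXITFUNC=seh: ends via the unhandled-exception path, not a clean thread exit"
	case found["thread"]:
		return true, "EXITFUNC=thread: only the shellcode thread exits"
	default:
		return false, "no known Metasploit exit hash found; inspect manually"
	}
}

// Constructed samples (assumed shapes, not real payload output): the
// "mov ebx, imm32" instruction (0xBB + little-endian hash) that the exitfunk
// block begins with, surrounded by NOPs, plus a bare nop;ret stub like the
// one used in the report above.
var (
	sampleThread  = []byte{0x90, 0x90, 0xBB, 0x47, 0x13, 0x72, 0x6F, 0x90, 0xC3}
	sampleProcess = []byte{0x90, 0x90, 0xBB, 0xF0, 0xB5, 0xA2, 0x56, 0x90, 0xC3}
	sampleNopRet  = []byte{0x90, 0xC3}
)

func main() {
	// Usage: go run . calc2.bin   (or no argument to run the built-in samples)
	if len(os.Args) > 1 {
		blob, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		ok, why := SafeForAgent(blob)
		fmt.Printf("%s: safe=%v (%s)\n", os.Args[1], ok, why)
		return
	}
	samples := []struct {
		name string
		blob []byte
	}{{"thread", sampleThread}, {"process", sampleProcess}, {"nop-ret", sampleNopRet}}
	for _, s := range samples {
		ok, why := SafeForAgent(s.blob)
		fmt.Printf("%-8s safe=%-5v %s\n", s.name, ok, why)
	}
}
```

Run it against the msfvenom output from the command above to confirm it reports EXITFUNC=thread before you paste the blob into an ability; a blob that reports "process" will take the sandcat process down with it when the shellcode finishes.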