
Commit a755750

authored
Merge pull request #1926 from BishopFox/bugfix_listeners
Bugfix listeners
2 parents 6697801 + d1fa99d commit a755750


13 files changed

+1669
-1830
lines changed


protobuf/clientpb/client.pb.go

+1,614-1,796

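--- a/protobuf/clientpb/client.proto
+++ b/protobuf/clientpb/client.proto
@@ -358,6 +358,7 @@ message ListenerJob {
 DNSListenerReq DNSConf = 6;
 HTTPListenerReq HTTPConf = 7;
 MultiplayerListenerReq MultiConf = 8;
+StagerListenerReq TCPConf = 9;
 }
 
 message MultiplayerListenerReq {
@@ -490,10 +491,7 @@ message StagerListenerReq {
 string Host = 2;
 uint32 Port = 3;
 bytes Data = 4;
-bytes Cert = 5;
-bytes Key = 6;
-bool ACME = 7;
-string ProfileName = 8;
+string ProfileName = 5;
 }
 
 message StagerListener { uint32 JobID = 1; }
@@ -506,19 +504,6 @@ message ShellcodeRDIReq {
 
 message ShellcodeRDI { bytes Data = 1; }
 
-message MsfStagerReq {
-string Arch = 1;
-string Format = 2;
-uint32 Port = 3;
-string Host = 4;
-string OS = 5; // reserved for future usage
-StageProtocol Protocol = 6;
-repeated string BadChars = 7;
-string HTTPC2ConfigName = 9;
-}
-
-message MsfStager { commonpb.File File = 1; }
-
 // GetSystemReq - Client request to the server which is translated into
 // InvokeSystemReq when sending to the implant.
 message GetSystemReq {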
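Review bot: `string ProfileName = 5;` in StagerListenerReq reuses the tag that `bytes Cert = 5;` held, and tags 6–8 are freed without a `reserved` statement, so a client built against the old schema still sends its certificate in field 5 (which now decodes as the profile name, both being length-delimited) and its profile name in field 8, which the new server silently drops. Keep `string ProfileName = 8;` and add `reserved 5, 6, 7;` plus `reserved "Cert", "Key", "ACME";` to the message so neither the numbers nor the names can be reassigned later. Dropping Cert/Key/ACME also means a persisted stager listener carries no TLS material and can only ever be rebound as plain TCP, which is worth stating in the ListenerJob comment for TCPConf. Whether anything still references the removed MsfStagerReq/MsfStager messages is not visible in this diff.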

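--- a/server/c2/jobs.go
+++ b/server/c2/jobs.go
@@ -34,6 +34,7 @@ import (
 "github.com/bishopfox/sliver/protobuf/clientpb"
 "github.com/bishopfox/sliver/server/certs"
 "github.com/bishopfox/sliver/server/core"
+"github.com/bishopfox/sliver/server/db"
 "github.com/bishopfox/sliver/server/log"
 "golang.zx2c4.com/wireguard/device"
 )
@@ -86,6 +87,16 @@ func StartWGListenerJob(wgListener *clientpb.WGListenerReq) (*core.Job, error) {
 JobCtrl: make(chan bool),
 }
 
+listenerJob := &clientpb.ListenerJob{
+JobID: uint32(job.ID),
+Type: constants.WGStr,
+WGConf: wgListener,
+}
+err = db.SaveC2Listener(listenerJob)
+if err != nil {
+return nil, err
+}
+
 ticker := time.NewTicker(5 * time.Second)
 done := make(chan bool)
 
@@ -229,7 +240,7 @@ func StartHTTPListenerJob(req *clientpb.HTTPListenerReq) (*core.Job, error) {
 }
 
 // StartTCPStagerListenerJob - Start a TCP staging payload listener
-func StartTCPStagerListenerJob(host string, port uint16, profileName string, shellcode []byte) (*core.Job, error) {
+func StartTCPStagerListenerJob(host string, port uint16, name string, shellcode []byte) (*core.Job, error) {
 ln, err := StartTCPListener(host, port, shellcode)
 if err != nil {
 return nil, err // If we fail to bind don't setup the Job
@@ -241,8 +252,8 @@ func StartTCPStagerListenerJob(host string, port uint16, profileName string, she
 Description: "Raw TCP listener (stager only)",
 Protocol: "tcp",
 Port: port,
-ProfileName: profileName,
 JobCtrl: make(chan bool),
+ProfileName: name,
 }
 
 go func() {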
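Review bot: The `db.SaveC2Listener` call added to StartWGListenerJob writes the same JobID/`constants.WGStr` record that `rpc.StartWGListener` in server/rpc/rpc-jobs.go still writes after calling this function, so every WG listener is now persisted twice, and if StartPersistentJobs rebinds WG jobs through this function each daemon restart will insert a row for the fresh JobID next to the row it is about to update — whether that leaves duplicates depends on the OnConflict key inside SaveC2Listener, which is not shown here. Persist in one place; the RPC layer is where the other listener types do it. Separately, on a save failure this returns `nil, err` with the job struct already built and, if the WireGuard device is brought up above this hunk the way StartTCPStagerListenerJob binds with StartTCPListener first, with that device left running: `if err := db.SaveC2Listener(listenerJob); err != nil { /* tear down the device started above */ return nil, err }`. StartWGListenerJob begins and ends outside the hunk.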

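--- a/server/certs/ca.go
+++ b/server/certs/ca.go
@@ -60,7 +60,7 @@ func GenerateCertificateAuthority(caType string, commonName string) (*x509.Certi
 certFilePath := filepath.Join(storageDir, fmt.Sprintf("%s-ca-cert.pem", caType))
 if _, err := os.Stat(certFilePath); os.IsNotExist(err) {
 certsLog.Infof("Generating certificate authority for '%s'", caType)
-cert, key := GenerateECCCertificate(caType, commonName, true, false)
+cert, key := GenerateECCCertificate(caType, commonName, true, false, false)
 SaveCertificateAuthority(caType, cert, key)
 }
 cert, key, err := GetCertificateAuthority(caType)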

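--- a/server/certs/certs.go
+++ b/server/certs/certs.go
@@ -135,15 +135,21 @@ func RemoveCertificate(caType string, keyType string, commonName string) error {
 // GenerateECCCertificate - Generate a TLS certificate with the given parameters
 // We choose some reasonable defaults like Curve, Key Size, ValidFor, etc.
 // Returns two strings `cert` and `key` (PEM Encoded).
-func GenerateECCCertificate(caType string, commonName string, isCA bool, isClient bool) ([]byte, []byte) {
+func GenerateECCCertificate(caType string, commonName string, isCA bool, isClient bool, isOperator bool) ([]byte, []byte) {
 
 certsLog.Infof("Generating TLS certificate (ECC) for '%s' ...", commonName)
 
 var privateKey interface{}
 var err error
 
 // Generate private key
-curves := []elliptic.Curve{elliptic.P521(), elliptic.P384(), elliptic.P256()}
+var curves []elliptic.Curve
+if isOperator {
+curves = []elliptic.Curve{elliptic.P256()}
+} else {
+curves = []elliptic.Curve{elliptic.P521(), elliptic.P384(), elliptic.P256()}
+}
+
 curve := curves[randomInt(len(curves))]
 privateKey, err = ecdsa.GenerateKey(curve, rand.Reader)
 if err != nil {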
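Review bot: The `isOperator` branch is the substantive change in this hunk, yet neither the doc comment (which still only says "reasonable defaults like Curve") nor the code records why operator certificates are pinned to P-256 while every other certificate still draws a random curve from P-521/P-384/P-256; put `// Operator (multiplayer) certificates are restricted to P-256 — presumably for client TLS/library compatibility; confirm and document the reason.` above `if isOperator` and add `// isOperator restricts the key to P-256; otherwise the curve is chosen at random.` to the header. With four positional booleans the call sites in this commit read `false, true, true` and `false, false, true`, which is easy to transpose between the implant and operator CAs; named flag constants or a small options struct would make those calls checkable by eye. `curves[randomInt(len(curves))]` over a one-element slice works but the operator branch could simply assign `curve := elliptic.P256()`. The function continues past the hunk.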

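--- a/server/certs/mtls.go
+++ b/server/certs/mtls.go
@@ -26,14 +26,14 @@ const (
 
 // MtlsC2ServerGenerateECCCertificate - Generate a server certificate signed with a given CA
 func MtlsC2ServerGenerateECCCertificate(host string) ([]byte, []byte, error) {
-cert, key := GenerateECCCertificate(MtlsServerCA, host, false, false)
+cert, key := GenerateECCCertificate(MtlsServerCA, host, false, false, false)
 err := saveCertificate(MtlsServerCA, ECCKey, host, cert, key)
 return cert, key, err
 }
 
 // MtlsC2ImplantGenerateECCCertificate - Generate a server certificate signed with a given CA
 func MtlsC2ImplantGenerateECCCertificate(name string) ([]byte, []byte, error) {
-cert, key := GenerateECCCertificate(MtlsImplantCA, name, false, true)
+cert, key := GenerateECCCertificate(MtlsImplantCA, name, false, true, false)
 err := saveCertificate(MtlsImplantCA, ECCKey, name, cert, key)
 return cert, key, err
 }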

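--- a/server/certs/operators.go
+++ b/server/certs/operators.go
@@ -37,7 +37,7 @@ const (
 
 // OperatorClientGenerateCertificate - Generate a certificate signed with a given CA
 func OperatorClientGenerateCertificate(operator string) ([]byte, []byte, error) {
-cert, key := GenerateECCCertificate(OperatorCA, operator, false, true)
+cert, key := GenerateECCCertificate(OperatorCA, operator, false, true, true)
 err := saveCertificate(OperatorCA, ECCKey, fmt.Sprintf("%s.%s", clientNamespace, operator), cert, key)
 return cert, key, err
 }
@@ -59,7 +59,7 @@ func OperatorServerGetCertificate(hostname string) ([]byte, []byte, error) {
 
 // OperatorServerGenerateCertificate - Generate a certificate signed with a given CA
 func OperatorServerGenerateCertificate(hostname string) ([]byte, []byte, error) {
-cert, key := GenerateECCCertificate(OperatorCA, hostname, false, false)
+cert, key := GenerateECCCertificate(OperatorCA, hostname, false, false, true)
 err := saveCertificate(OperatorCA, ECCKey, fmt.Sprintf("%s.%s", serverNamespace, hostname), cert, key)
 return cert, key, err
 }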

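--- a/server/cli/daemon.go
+++ b/server/cli/daemon.go
@@ -123,6 +123,12 @@ func StartPersistentJobs(listenerJobs []*clientpb.ListenerJob) error {
 return err
 }
 j.JobID = uint32(id)
+case constants.TCPListenerStr:
+job, err := c2.StartTCPStagerListenerJob(listenerJob.TCPConf.Host, uint16(listenerJob.TCPConf.Port), listenerJob.TCPConf.ProfileName, listenerJob.TCPConf.Data)
+if err != nil {
+return err
+}
+j.JobID = uint32(job.ID)
 }
 db.UpdateHTTPC2Listener(j)
 }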
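Review bot: The new `case constants.TCPListenerStr:` only fires for rows whose Type equals that constant, but server/rpc/rpc-stager.go in this same commit persists stager listeners with `Type: constants.StageListenerStr`; unless those two constants happen to share a string value the row is never matched and stager listeners are still not restored on restart, which is what this PR sets out to fix. The case also dereferences `listenerJob.TCPConf` with no nil check and narrows the proto's uint32 `Port` to uint16, so a row with a missing config panics the daemon at start-up and an out-of-range port silently binds a different port than the one persisted; validate before starting (the `fmt`/`math` imports may need adding — daemon.go's import block is outside the hunk). The enclosing switch and StartPersistentJobs begin outside the hunk.
```go
case constants.TCPListenerStr:
	conf := listenerJob.TCPConf
	if conf == nil || conf.Port > math.MaxUint16 {
		return fmt.Errorf("persisted tcp stager listener %d has no usable config", listenerJob.JobID)
	}
	job, err := c2.StartTCPStagerListenerJob(conf.Host, uint16(conf.Port), conf.ProfileName, conf.Data)
	// … unchanged: error check and j.JobID assignment …
```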

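--- a/server/console/console-admin.go
+++ b/server/console/console-admin.go
@@ -212,7 +212,7 @@ func startMultiplayerModeCmd(cmd *cobra.Command, _ []string) {
 Type: "multiplayer",
 MultiConf: multiConfig,
 }
-err = db.SaveHTTPC2Listener(listenerJob)
+err = db.SaveC2Listener(listenerJob)
 if err != nil {
 fmt.Printf(Warn+"Failed to save job %v\n", err)
 }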

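--- a/server/console/console-admin_test.go
+++ b/server/console/console-admin_test.go
@@ -36,7 +36,7 @@ func TestRootOnlyVerifyCertificate(t *testing.T) {
 }
 
 // Test with wrong CA
-wrongCert, _ := certs.GenerateECCCertificate(certs.HTTPSCA, "foobar", false, false)
+wrongCert, _ := certs.GenerateECCCertificate(certs.HTTPSCA, "foobar", false, false, false)
 block, _ = pem.Decode(wrongCert)
 err = clienttransport.RootOnlyVerifyCertificate(config.CACertificate, [][]byte{block.Bytes})
 if err == nil {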
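Review bot: The only change to this test is the trailing `false`, so the new `isOperator` path in GenerateECCCertificate ships with no coverage at all. A small test that calls `certs.OperatorClientGenerateCertificate("op")`, decodes the PEM with `x509.ParseCertificate`, and asserts `cert.PublicKey.(*ecdsa.PublicKey).Curve == elliptic.P256()` would pin the curve restriction this commit introduces, and the same check with `isOperator` false accepting any of P-521/P-384/P-256 keeps the random-curve path honest. TestRootOnlyVerifyCertificate continues past the hunk.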

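--- a/server/db/helpers.go
+++ b/server/db/helpers.go
@@ -515,7 +515,7 @@ func HTTPC2ConfigUpdate(newConf *clientpb.HTTPC2Config, oldConf *clientpb.HTTPC2
 return nil
 }
 
-func SaveHTTPC2Listener(listenerConf *clientpb.ListenerJob) error {
+func SaveC2Listener(listenerConf *clientpb.ListenerJob) error {
 dbListener := models.ListenerJobFromProtobuf(listenerConf)
 dbSession := Session()
 result := dbSession.Clauses(clause.OnConflict{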

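--- a/server/rpc/rpc-jobs.go
+++ b/server/rpc/rpc-jobs.go
@@ -129,7 +129,7 @@ func (rpc *Server) StartMTLSListener(ctx context.Context, req *clientpb.MTLSList
 Type: constants.MtlsStr,
 MTLSConf: req,
 }
-err = db.SaveHTTPC2Listener(listenerJob)
+err = db.SaveC2Listener(listenerJob)
 if err != nil {
 return nil, err
 }
@@ -180,7 +180,7 @@ func (rpc *Server) StartWGListener(ctx context.Context, req *clientpb.WGListener
 Type: constants.WGStr,
 WGConf: req,
 }
-err = db.SaveHTTPC2Listener(listenerJob)
+err = db.SaveC2Listener(listenerJob)
 if err != nil {
 return nil, err
 }
@@ -205,7 +205,7 @@ func (rpc *Server) StartDNSListener(ctx context.Context, req *clientpb.DNSListen
 Type: constants.DnsStr,
 DNSConf: req,
 }
-err = db.SaveHTTPC2Listener(listenerJob)
+err = db.SaveC2Listener(listenerJob)
 if err != nil {
 return nil, err
 }
@@ -237,7 +237,7 @@ func (rpc *Server) StartHTTPSListener(ctx context.Context, req *clientpb.HTTPLis
 Type: constants.HttpsStr,
 HTTPConf: req,
 }
-err = db.SaveHTTPC2Listener(listenerJob)
+err = db.SaveC2Listener(listenerJob)
 if err != nil {
 return nil, err
 }
@@ -269,7 +269,7 @@ func (rpc *Server) StartHTTPListener(ctx context.Context, req *clientpb.HTTPList
 Type: constants.HttpStr,
 HTTPConf: req,
 }
-err = db.SaveHTTPC2Listener(listenerJob)
+err = db.SaveC2Listener(listenerJob)
 if err != nil {
 return nil, err
 }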

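--- a/server/rpc/rpc-stager.go
+++ b/server/rpc/rpc-stager.go
@@ -22,8 +22,10 @@ import (
 "context"
 "net"
 
+"github.com/bishopfox/sliver/client/constants"
 "github.com/bishopfox/sliver/protobuf/clientpb"
 "github.com/bishopfox/sliver/server/c2"
+"github.com/bishopfox/sliver/server/db"
 )
 
 // StartTCPStagerListener starts a TCP stager listener
@@ -36,6 +38,17 @@ func (rpc *Server) StartTCPStagerListener(ctx context.Context, req *clientpb.Sta
 if err != nil {
 return nil, err
 }
+
+listenerJob := &clientpb.ListenerJob{
+JobID: uint32(job.ID),
+Type: constants.StageListenerStr,
+TCPConf: req,
+}
+err = db.SaveC2Listener(listenerJob)
+if err != nil {
+return nil, err
+}
+
 return &clientpb.StagerListener{JobID: uint32(job.ID)}, nil
 }
 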
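Review bot: When `db.SaveC2Listener` fails, the handler returns `nil, err` but the listener that `c2.StartTCPStagerListenerJob` bound just above the hunk is left running and registered as a job, so the operator sees a failed RPC while the port stays open and the job still appears in the job list; either persist first and only then bind, or stop the job before returning (the job carries the `JobCtrl` channel StartTCPStagerListenerJob creates, which is how server/c2/jobs.go signals shutdown — confirm the proper kill path). Persisting `req` also writes the raw stage payload in `req.Data` into the server database, which is required to rebind after a restart but deserves a comment, e.g. `// Persisted so the daemon can rebind this stager after a restart; Data is the stage payload itself.` The `Type` string written here has to be the one StartPersistentJobs switches on, which in this commit is a differently named constant. StartTCPStagerListener begins outside the hunk.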
