Comments (5)
I think the real bug is in the detection of case sensitive vs. case insensitive encoding, the implant should* be able to detect this manipulation and fallback to base32 but doesn't.
from sliver.
There are multiple issues here:
First Issue
An example of a message which fails to decode is the initial TOTP message, which is always base32 encoded.
sliver/implant/sliver/transports/dnsclient/dnsclient.go
Lines 926 to 937 in c8a7948
The problem is that the DNS-0x20 encoding will alter the case of the subdata, which then fails decoding in the base32 encoder, as there are characters which are uppercase.
sliver/util/encoders/base32.go
Lines 27 to 39 in c8a7948
Possible Solution
A solution to this is doing `strings.ToLower` on the input data.

```go
return sliverBase32.DecodeString(strings.ToLower(string(data)))
```

This, however, is partially problematic (programming-wise), as it transfers the responsibility from server/c2/dns.go to the base32 encoder.
Second Issue
Sometimes, a base32 encoded value mangled by DNS-0x20 (for example) is interpreted as a base58 encoded value. I have seen you mention this issue here: #1354 (comment)
This can become a problem for example here:
Lines 382 to 394 in c8a7948
When the data gets interpreted as base58 and produces semi-valid protobuf data, the decodeSubdata function returns a message and no error. This becomes a problem on line 394 as we use the ID field, which is incorrectly interpreted.
This issue will produce a log warning:
Line 396 in c8a7948
Possible Solution
A possible solution could be that if we attempt to decode the subdata using the current method and we are unable to find a valid session id we could attempt to decode the lowercase value of the subdata.
The solution would look something like this:

```go
dnsLog.Debugf("[dns] processing req for subdomain = %s", subdomain)
msg, checksum, err := s.decodeSubdata(subdomain)
if err != nil {
	dnsLog.Errorf("[dns] error decoding subdata: %v", err)
	return s.nameErrorResp(req)
}
// TOTP Handler can be called without dns session ID
if msg.Type == dnspb.DNSMessageType_TOTP {
	return s.handleHello(domain, msg, req)
}
// All other handlers require a valid dns session ID
_, ok := s.sessions.Load(msg.ID & sessionIDBitMask)
if !ok {
	// No session matched: the subdomain may have been case-mangled by the
	// resolver (DNS-0x20), so retry the decode on its lowercase form.
	subdomain = strings.ToLower(subdomain)
	dnsLog.Debugf("[dns] reprocessing req for subdomain = %s", subdomain)
	msg, checksum, err = s.decodeSubdata(subdomain)
	if err != nil {
		dnsLog.Errorf("[dns] error decoding subdata: %v", err)
		return s.nameErrorResp(req)
	}
	_, ok := s.sessions.Load(msg.ID & sessionIDBitMask)
	if !ok {
		dnsLog.Warnf("[dns] session not found for id %v (%v)", msg.ID, msg.ID&sessionIDBitMask)
		return s.nameErrorResp(req)
	}
}
```

This is a bit of a hacky solution, but should work.
Better Solution
Would be nice to be able to determine whether the resolver manipulates the DNS queries using for example DNS-0x20 encoding.
from sliver.
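To illustrate the first issue and the "better solution" above, here is an added, self-contained example (not code from the Sliver project) that uses a constructed lowercase base32 alphabet, simulates DNS-0x20 case flipping on a label, shows the strict decoder rejecting it, detects that the resolver altered the case, and recovers the payload by case-folding first. The alphabet and the `Mangle0x20` helper are assumptions made for this example.

```go
package main

import (
	"encoding/base32"
	"strings"
)

// Constructed lowercase, unpadded base32 alphabet for DNS labels; it stands in
// for the implant's own alphabet, which is not reproduced here.
const dnsAlphabet = "abcdefghijklmnopqrstuvwxyz234567"

var dnsBase32 = base32.NewEncoding(dnsAlphabet).WithPadding(base32.NoPadding)

// Encode turns raw bytes into a DNS label using the lowercase alphabet.
func Encode(data []byte) string { return dnsBase32.EncodeToString(data) }

// Mangle0x20 is a deterministic stand-in for a DNS-0x20 resolver: it flips
// every second letter to uppercase; digits are unaffected.
func Mangle0x20(label string) string {
	b := []byte(label)
	for i, c := range b {
		if i%2 == 1 && c >= 'a' && c <= 'z' {
			b[i] = c - 'a' + 'A'
		}
	}
	return string(b)
}

// StrictDecode only accepts the exact alphabet, so a case-mangled label fails.
func StrictDecode(label string) ([]byte, error) { return dnsBase32.DecodeString(label) }

// WasCaseMangled detects resolver case manipulation: the label carries
// uppercase letters yet consists only of alphabet characters once folded.
func WasCaseMangled(label string) bool {
	lower := strings.ToLower(label)
	return label != lower && strings.Trim(lower, dnsAlphabet) == ""
}

// TolerantDecode folds case before decoding. This is safe for base32, whose
// alphabet is case-insensitive by construction; base58 is case-sensitive and
// cannot be rescued the same way, which is why a fallback to base32 matters.
func TolerantDecode(label string) ([]byte, error) {
	return dnsBase32.DecodeString(strings.ToLower(label))
}
```

For the constructed input `Encode([]byte("hello"))` the label is `nbswy3dp`; after mangling it becomes `nBsWy3dP`, which `StrictDecode` rejects and `TolerantDecode` decodes back to `hello`.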
We've removed TOTP in v1.6, it would be good to address all these issues in that branch. Perhaps we should just use a single bit to indicate the Base32 vs. Base58 instead of trying to detect it.
from sliver.
Sorry, but I do not understand. The code I referenced in the previous comment is from the master branch and not from the 1.5.x/master branch.
Is there a more updated version of v1.6?
from sliver.
Oh yes, you're right. We did remove the TOTP auth, but the message is still called TOTP.
from sliver.