Skip to content

Commit

Permalink
Merge pull request #598 from BishopFox/fix/pivots
Browse files Browse the repository at this point in the history
Fix/pivots
  • Loading branch information
moloch-- authored Feb 12, 2022
2 parents 3826ca8 + f71a066 commit 8bc39cc
Show file tree
Hide file tree
Showing 8 changed files with 46 additions and 30 deletions.
15 changes: 15 additions & 0 deletions client/command/generate/generate.go
Original file line number Diff line number Diff line change
Expand Up @@ -515,6 +515,9 @@ func ParseNamedPipec2(args string) ([]*clientpb.ImplantC2, error) {
}
for index, arg := range strings.Split(args, ",") {
arg = strings.ToLower(arg)
arg = strings.ReplaceAll(arg, "\\", "/")
arg = strings.TrimPrefix(arg, "/")
arg = strings.TrimPrefix(arg, "/")
var uri *url.URL
var err error
if strings.HasPrefix(arg, "namedpipe://") {
Expand All @@ -531,6 +534,18 @@ func ParseNamedPipec2(args string) ([]*clientpb.ImplantC2, error) {
if uri.Scheme != "namedpipe" {
return nil, fmt.Errorf("invalid namedpipe scheme: %s", uri.Scheme)
}

if !strings.HasPrefix(uri.Path, "/pipe/") {
prompt := &survey.Confirm{
Message: fmt.Sprintf("Named pipe '%s' is missing the 'pipe' path prefix\nContinue anyways?", uri),
}
var confirm bool
survey.AskOne(prompt, &confirm)
if !confirm {
return nil, fmt.Errorf("invalid namedpipe path: %s", uri.Path)
}
}

c2s = append(c2s, &clientpb.ImplantC2{
Priority: uint32(index),
URL: uri.String(),
Expand Down
3 changes: 2 additions & 1 deletion implant/sliver/pivots/named-pipe_windows.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ package pivots
*/

import (
"strings"
"sync"
"time"

Expand All @@ -37,7 +38,7 @@ var (

// CreateNamedPipePivotListener - Starts a named pipe listener
func CreateNamedPipePivotListener(address string, upstream chan<- *pb.Envelope) (*PivotListener, error) {
fullName := "\\\\.\\pipe\\" + address
fullName := "\\\\.\\pipe\\" + strings.TrimPrefix(address, "\\\\.\\pipe\\")
ln, err := winio.ListenPipe(fullName, &winio.PipeConfig{
//SecurityDescriptor: "",
RemoteClientMode: true,
Expand Down
6 changes: 4 additions & 2 deletions implant/sliver/transports/session.go
Original file line number Diff line number Diff line change
Expand Up @@ -753,18 +753,20 @@ func tcpPivotConnect(uri *url.URL) (*Connection, error) {
case <-pingCtrl:
return
case <-time.After(time.Minute):
// {{if .Config.Debug}}
log.Printf("[tcp pivot] peer ping...")
// {{end}}
data, _ := proto.Marshal(&pb.PivotPing{
Nonce: uint32(time.Now().UnixNano()),
})
connection.Send <- &pb.Envelope{
Type: pb.MsgPivotPeerPing,
Data: data,
}
case <-time.After(time.Minute):
// {{if .Config.Debug}}
log.Printf("[tcp pivot] server ping...")
// {{end}}
data, _ := proto.Marshal(&pb.PivotPing{
data, _ = proto.Marshal(&pb.PivotPing{
Nonce: uint32(time.Now().UnixNano()),
})
connection.Send <- &pb.Envelope{
Expand Down
7 changes: 5 additions & 2 deletions implant/sliver/transports/transports_windows.go
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ func namedPipeConnect(uri *url.URL) (*Connection, error) {
// {{end}}
close(send)
ctrl <- struct{}{}
pingCtrl <- struct{}{}
close(recv)
},
}
Expand All @@ -80,18 +81,20 @@ func namedPipeConnect(uri *url.URL) (*Connection, error) {
case <-pingCtrl:
return
case <-time.After(time.Minute):
// {{if .Config.Debug}}
log.Printf("[namedpipe] peer ping...")
// {{end}}
data, _ := proto.Marshal(&pb.PivotPing{
Nonce: uint32(time.Now().UnixNano()),
})
connection.Send <- &pb.Envelope{
Type: pb.MsgPivotPeerPing,
Data: data,
}
case <-time.After(time.Minute):
// {{if .Config.Debug}}
log.Printf("[namedpipe] server ping...")
// {{end}}
data, _ := proto.Marshal(&pb.PivotPing{
data, _ = proto.Marshal(&pb.PivotPing{
Nonce: uint32(time.Now().UnixNano()),
})
connection.Send <- &pb.Envelope{
Expand Down
4 changes: 4 additions & 0 deletions server/core/pivots.go
Original file line number Diff line number Diff line change
Expand Up @@ -197,6 +197,10 @@ func insertImmediateChildren(entry *PivotGraphEntry, depth int) {
return true
}
session := Sessions.FromImplantConnection(pivot.ImplantConn)
if session == nil {
coreLog.Warnf("[graph] session not found for pivot: %v", pivot)
return true
}
coreLog.Debugf("[graph] entry: %v, pivot: %v", entry.Name, pivot)
if pivot.Peers[1].PeerID == entry.PeerID {
child := &PivotGraphEntry{
Expand Down
8 changes: 8 additions & 0 deletions server/core/sessions.go
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,7 @@ func (s *Session) LastCheckin() time.Time {

// IsDead - See if last check-in is within expected variance
func (s *Session) IsDead() bool {
sessionsLog.Debugf("Checking health of %s", s.ID)
sessionsLog.Debugf("Last checkin was %v", s.Connection.LastMessage)
padding := time.Duration(10 * time.Second) // Arbitrary margin of error
timePassed := time.Since(s.LastCheckin())
Expand All @@ -95,6 +96,12 @@ func (s *Session) IsDead() bool {
return false
}
}
if s.Connection.Transport == "pivot" {
if time.Since(s.Connection.LastMessage) < time.Duration(time.Minute)+padding {
sessionsLog.Debugf("Last message within pivot/server ping interval with padding")
return false
}
}
return true
}

Expand Down Expand Up @@ -202,6 +209,7 @@ func (s *sessions) Remove(sessionID string) {
for _, child := range children {
childSession, ok := s.sessions.LoadAndDelete(child.SessionID)
if ok {
PivotSessions.Delete(childSession.(*Session).Connection.ID)
EventBroker.Publish(Event{
EventType: consts.SessionClosedEvent,
Session: childSession.(*Session),
Expand Down
25 changes: 4 additions & 21 deletions server/handlers/pivot.go
Original file line number Diff line number Diff line change
Expand Up @@ -76,8 +76,6 @@ func pivotPeerEnvelopeHandler(implantConn *core.ImplantConnection, data []byte)
resp = serverKeyExchange(implantConn, peerEnvelope)
case sliverpb.MsgPivotSessionEnvelope:
resp = sessionEnvelopeHandler(implantConn, peerEnvelope)
case sliverpb.MsgPivotServerPing:
resp = serverPingHandler(implantConn, peerEnvelope)
}

return resp
Expand Down Expand Up @@ -130,6 +128,8 @@ func handlePivotEnvelope(pivot *core.Pivot, envelope *sliverpb.Envelope) {
pivot.ImplantConn.Send <- respEnvelope
}()
}
} else if envelope.Type == sliverpb.MsgPivotServerPing {
pivotServerPingHandler(pivot)
} else {
pivotLog.Errorf("no pivot handler for envelope type %v", envelope.Type)
}
Expand Down Expand Up @@ -159,26 +159,9 @@ func pivotPeerFailureHandler(implantConn *core.ImplantConnection, data []byte) *
return nil
}

func serverPingHandler(implantConn *core.ImplantConnection, peerEnvelope *sliverpb.PivotPeerEnvelope) *sliverpb.Envelope {
pivotSessionID := uuid.FromBytesOrNil(peerEnvelope.PivotSessionID).String()
if pivotSessionID == "" {
pivotLog.Errorf("failed to parse pivot session id from peer envelope")
return nil
}

// Find the pivot session for the server ping
pivotLog.Debugf("origin envelope pivot session ID = %s", pivotSessionID)
pivotEntry, ok := core.PivotSessions.Load(pivotSessionID)
if !ok {
pivotLog.Errorf("pivot session id '%s' not found", pivotSessionID)
return nil
}
pivot := pivotEntry.(*core.Pivot)

// Update last message time
func pivotServerPingHandler(pivot *core.Pivot) {
pivot.ImplantConn.UpdateLastMessage()

return nil
pivot.ImmediateImplantConn.UpdateLastMessage()
}

// ------------------------
Expand Down
8 changes: 4 additions & 4 deletions server/handlers/sessions.go
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ func tunnelDataHandler(implantConn *core.ImplantConnection, data []byte) *sliver
if session.ID == tunnel.SessionID {
tunnel.FromImplant <- tunnelData
} else {
sessionHandlerLog.Warnf("Warning: Session %d attempted to send data on tunnel it did not own", session.ID)
sessionHandlerLog.Warnf("Warning: Session %s attempted to send data on tunnel it did not own", session.ID)
}
} else {
sessionHandlerLog.Warnf("Data sent on nil tunnel %d", tunnelData.TunnelID)
Expand All @@ -135,7 +135,7 @@ func tunnelCloseHandler(implantConn *core.ImplantConnection, data []byte) *slive
sessionHandlerLog.Infof("Closing tunnel %d", tunnel.ID)
core.Tunnels.Close(tunnel.ID)
} else {
sessionHandlerLog.Warnf("Warning: Session %d attempted to send data on tunnel it did not own", session.ID)
sessionHandlerLog.Warnf("Warning: Session %s attempted to send data on tunnel it did not own", session.ID)
}
} else {
sessionHandlerLog.Warnf("Close sent on nil tunnel %d", tunnelData.TunnelID)
Expand All @@ -145,7 +145,7 @@ func tunnelCloseHandler(implantConn *core.ImplantConnection, data []byte) *slive

func pingHandler(implantConn *core.ImplantConnection, data []byte) *sliverpb.Envelope {
session := core.Sessions.FromImplantConnection(implantConn)
sessionHandlerLog.Debugf("ping from session %d", session.ID)
sessionHandlerLog.Debugf("ping from session %s", session.ID)
return nil
}

Expand All @@ -166,7 +166,7 @@ func socksDataHandler(implantConn *core.ImplantConnection, data []byte) *sliverp
if session.ID == SocksTunne.SessionID {
SocksTunne.FromImplant <- socksData
} else {
sessionHandlerLog.Warnf("Warning: Session %d attempted to send data on tunnel it did not own", session.ID)
sessionHandlerLog.Warnf("Warning: Session %s attempted to send data on tunnel it did not own", session.ID)
}
} else {
sessionHandlerLog.Warnf("Data sent on nil tunnel %d", socksData.TunnelID)
Expand Down

0 comments on commit 8bc39cc

Please sign in to comment.