Sliver server crashes with panic when canaries are resolved #1435

Open
lorenzog opened this issue Oct 17, 2023 · 0 comments
Labels
bug Something isn't working

lorenzog commented Oct 17, 2023

Sliver crashes when DNS canaries are resolved.

To Reproduce
Steps to reproduce the behavior:

  1. Install Sliver 1.5.41 on an Ubuntu 22.04 server

  2. Set up a DNS redirector on a different server, using socat to route packets: ulimit -u unlimited ; socat udp4-listen:53,fork,reuseaddr udp4:10.0.0.2:5353

  3. Set up a DNS attack domain and a DNS canary domain, with NS zone pointing at the same DNS redirector public IP

  4. On the Sliver server, set up a DNS listener:

    [server] sliver > dns -d t.attackdomain.com -l 5353 -p
    [*] Starting DNS listener with parent domain(s) [t.dubleclick.net.] ...
    [*] Successfully started job #2
    
    
  5. Generate a timed implant with a canary: [server] sliver > generate -c foo.a.canary.com -G -e -f exe -b http.attackdomain.com -n bar.attackdomain.com -w 2023-10-17

  6. Check the canary is set up:

    [server] sliver > canaries
    
    Sliver Name          Domain                          Triggered   First Trigger                   Latest Trigger
    HUNGRY_CHERRY        dwgk7c5.foo.a.canary.com.   false       Never                           Never
    
  7. Trigger the canary from a different machine

  8. Sliver crashes

Expected behavior
Sliver does not crash

Screenshots

    [server] sliver > panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0xe335d8]
    
    goroutine 40 [running]:
    github.com/bishopfox/sliver/server/core.(*ImplantConnection).GetLastMessage(0xc0003c3700?)
            github.com/bishopfox/sliver/server/core/connnection.go:44 +0x38
    github.com/bishopfox/sliver/server/core.(*Session).LastCheckin(...)
            github.com/bishopfox/sliver/server/core/sessions.go:81
    github.com/bishopfox/sliver/server/core.(*Session).ToProtobuf(0xc0003f8500)
            github.com/bishopfox/sliver/server/core/sessions.go:134 +0x2c
    github.com/bishopfox/sliver/server/rpc.(*Server).Events(0x6?, 0x18ab1c0?, {0x98590f0, 0xc000112b70})
            github.com/bishopfox/sliver/server/rpc/rpc-events.go:45 +0x4e5
    github.com/bishopfox/sliver/protobuf/rpcpb._SliverRPC_Events_Handler({0x1a1f200?, 0xa50b620}, {0x9856c20, 0xc0003163e0})
            github.com/bishopfox/sliver/protobuf/rpcpb/services_grpc.pb.go:4650 +0xd3
    github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus.PayloadStreamServerInterceptor.func1({0x1a1f200, 0xa50b620}, {0x9856c20?, 0xc0003163e0?}, 0xc000429590, 0x966cfd0)
            github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/logging/logrus/payload_interceptors.go:49 +0x15f
    google.golang.org/grpc.getChainStreamHandler.func1({0x1a1f200, 0xa50b620}, {0x9856c20, 0xc0003163e0})
            google.golang.org/grpc@v1.55.0/server.go:1483 +0xb9
    github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus.StreamServerInterceptor.func1({0x1a1f200, 0xa50b620}, {0x9856cb0, 0xc0003a04c0}, 0xc000429590, 0xc0003a0500)
            github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/logging/logrus/server_interceptors.go:61 +0x153
    google.golang.org/grpc.getChainStreamHandler.func1({0x1a1f200, 0xa50b620}, {0x9856cb0, 0xc0003a04c0})
            google.golang.org/grpc@v1.55.0/server.go:1483 +0xb9
    github.com/grpc-ecosystem/go-grpc-middleware/tags.StreamServerInterceptor.func1({0x1a1f200, 0xa50b620}, {0x9856c20?, 0xc0003163c0?}, 0xc000429590, 0xc0003a0440)
            github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/tags/interceptors.go:39 +0x135
    google.golang.org/grpc.getChainStreamHandler.func1({0x1a1f200, 0xa50b620}, {0x9856c20, 0xc0003163c0})
            google.golang.org/grpc@v1.55.0/server.go:1483 +0xb9
    github.com/grpc-ecosystem/go-grpc-middleware/auth.StreamServerInterceptor.func1({0x1a1f200, 0xa50b620}, {0x9856fc8?, 0xc0001ea1e0?}, 0xc000429590, 0xc0003a0400)
            github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/auth/auth.go:66 +0x146
    google.golang.org/grpc.chainStreamInterceptors.func1({0x1a1f200, 0xa50b620}, {0x9856fc8, 0xc0001ea1e0}, 0x1748d40?, 0xc000112b10?)
            google.golang.org/grpc@v1.55.0/server.go:1474 +0x8f
    google.golang.org/grpc.(*Server).processStreamingRPC(0xc0003403c0, {0x985c6e0, 0xc0003a4340}, 0xc00016ab40, 0xc00037ff50, 0xa41b120, 0x0)
            google.golang.org/grpc@v1.55.0/server.go:1638 +0x1363
    google.golang.org/grpc.(*Server).handleStream(0xc0003403c0, {0x985c6e0, 0xc0003a4340}, 0xc00016ab40, 0x0)
            google.golang.org/grpc@v1.55.0/server.go:1718 +0x9f0
    google.golang.org/grpc.(*Server).serveStreams.func1.1()
            google.golang.org/grpc@v1.55.0/server.go:959 +0x98
    created by google.golang.org/grpc.(*Server).serveStreams.func1
            google.golang.org/grpc@v1.55.0/server.go:957 +0x18c

Desktop (please complete the following information):

  • OS: Ubuntu 22.04
  • Version 1.5.41

Notes

  • The same happens when the DNS listener is set up to work with the canary domain only
  • It does not crash when looking up a canary that has been already looked up and is marked as triggered
@moloch-- moloch-- added the bug Something isn't working label Oct 17, 2023
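The trace above shows the Events RPC serialising a session via ToProtobuf, which calls LastCheckin, which dereferences an ImplantConnection that a canary-triggered session does not have. The Go snippet below is an added illustration and not Sliver's code: it models that call path with hypothetical Session and ImplantConnection types and places the nil-guarded accessor beside the crashing one, so the event stream can report a transport-less session as "never checked in" instead of taking the server down.

```go
package main

import (
	"fmt"
	"time"
)

// ImplantConnection records the last message seen on a live implant transport.
type ImplantConnection struct{ LastMessage time.Time }

// GetLastMessage dereferences its receiver, so a nil *ImplantConnection panics
// here, matching the top frame of the trace in the issue.
func (c *ImplantConnection) GetLastMessage() time.Time { return c.LastMessage }

// Session is a hypothetical stand-in for a server-side session record. A canary
// hit has no transport behind it, so Connection stays nil.
type Session struct{ Connection *ImplantConnection }

// LastCheckinUnsafe mirrors the crashing call path: it assumes Connection is set.
func (s *Session) LastCheckinUnsafe() time.Time { return s.Connection.GetLastMessage() }

// LastCheckinSafe is the hardened form: a session without a transport reports
// the zero time instead of dereferencing nil, and the Events stream survives.
func (s *Session) LastCheckinSafe() time.Time {
	if s == nil || s.Connection == nil {
		return time.Time{}
	}
	return s.Connection.GetLastMessage()
}

// Crashes reports whether the unsafe path panics for s, recovering so both
// behaviours can be compared in one process.
func Crashes(s *Session) (crashed bool) {
	defer func() {
		if recover() != nil {
			crashed = true
		}
	}()
	_ = s.LastCheckinUnsafe()
	return false
}

func main() {
	canary := &Session{} // constructed: a canary hit with no implant transport
	live := &Session{Connection: &ImplantConnection{LastMessage: time.Now()}}
	fmt.Println("canary session, unsafe path panics:", Crashes(canary)) // true
	fmt.Println("canary session, safe check-in is zero:", canary.LastCheckinSafe().IsZero())
	fmt.Println("live session, safe check-in is zero:", live.LastCheckinSafe().IsZero())
}
```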