sliver
There is a deadlock problem with tunnel usage.
There is a deadlock problem with tunnel use on the client.
- When the tunnel is created, there will be a request packet: https://github.com/BishopFox/sliver/blob/dc65bddfbb4d938b7a07e80687d5c71239aa9477/server/rpc/rpc-tunnel.go#L136-L143
- When the client starts before the shell execution, it will cause the tunnel to deadlock when the shell execution fails: https://github.com/BishopFox/sliver/blob/dc65bddfbb4d938b7a07e80687d5c71239aa9477/client/command/shell/shell.go#L80-L86
- Where the deadlock occurs: https://github.com/BishopFox/sliver/blob/dc65bddfbb4d938b7a07e80687d5c71239aa9477/client/core/tunnel_io.go#L117-L128
This is how it should be done:

```go
// Issue the Shell RPC first and return on error, so the local tunnel
// is only started once the remote shell actually exists.
shell, err := con.Rpc.Shell(context.Background(), &sliverpb.ShellReq{
	Request:   con.ActiveTarget.Request(ctx),
	Path:      shellPath,
	EnablePTY: !noPty,
	TunnelID:  rpcTunnel.TunnelID,
})
if err != nil {
	con.PrintErrorf("%s\n", err)
	return
}
// Start() takes an RPC tunnel and creates a local Reader/Writer tunnel object
tunnel := core.GetTunnels().Start(rpcTunnel.TunnelID, rpcTunnel.SessionID)
defer tunnel.Close()
log.Printf("Bound remote shell pid %d to tunnel %d", shell.Pid, shell.TunnelID)
con.PrintInfof("Started remote shell with pid %d\n\n", shell.Pid)
```
or
```go
tunnel.Client = stream // Bind client to tunnel
tunnelLog.Debugf("Binding client %v to tunnel id: %d", stream, tunnel.ID)
//tunnel.Client.Send(&sliverpb.TunnelData{
//	TunnelID:  tunnel.ID,
//	SessionID: tunnel.SessionID,
//	Closed:    false,
//})
```
`GetTunnels().Start` is used in the wrong place in multiple places.