
Sliver server crashes with panic when canaries are resolved

Open lorenzog opened this issue 8 months ago • 0 comments

Sliver crashes when DNS canaries are resolved.

To Reproduce

Steps to reproduce the behavior:

  1. Install Sliver 1.5.41 on an Ubuntu 22.04 server

  2. Set up a DNS redirector on a different server, using socat to route packets: ulimit -u unlimited ; socat udp4-listen:53,fork,reuseaddr udp4:10.0.0.2:5353

  3. Set up a DNS attack domain and a DNS canary domain, with NS zone pointing at the same DNS redirector public IP

  4. On the Sliver server, set up a DNS listener:

    [server] sliver > dns -d t.attackdomain.com -l 5353 -p
    [*] Starting DNS listener with parent domain(s) [t.dubleclick.net.] ...
    [*] Successfully started job #2
    
    
  5. Generate a timed implant with a canary: [server] sliver > generate -c foo.a.canary.com -G -e -f exe -b http.attackdomain.com -n bar.attackdomain.com -w 2023-10-17

  6. Check the canary is set up:

    [server] sliver > canaries
    
    Sliver Name          Domain                          Triggered   First Trigger                   Latest Trigger
    HUNGRY_CHERRY        dwgk7c5.foo.a.canary.com.   false       Never                           Never
    
  7. Trigger the canary from a different machine

  8. Sliver crashes

Expected behavior

Sliver does not crash

Screenshots

[server] sliver > panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0xe335d8]

goroutine 40 [running]:
github.com/bishopfox/sliver/server/core.(*ImplantConnection).GetLastMessage(0xc0003c3700?)
        github.com/bishopfox/sliver/server/core/connnection.go:44 +0x38
github.com/bishopfox/sliver/server/core.(*Session).LastCheckin(...)
        github.com/bishopfox/sliver/server/core/sessions.go:81
github.com/bishopfox/sliver/server/core.(*Session).ToProtobuf(0xc0003f8500)
        github.com/bishopfox/sliver/server/core/sessions.go:134 +0x2c
github.com/bishopfox/sliver/server/rpc.(*Server).Events(0x6?, 0x18ab1c0?, {0x98590f0, 0xc000112b70})
        github.com/bishopfox/sliver/server/rpc/rpc-events.go:45 +0x4e5
github.com/bishopfox/sliver/protobuf/rpcpb._SliverRPC_Events_Handler({0x1a1f200?, 0xa50b620}, {0x9856c20, 0xc0003163e0})
        github.com/bishopfox/sliver/protobuf/rpcpb/services_grpc.pb.go:4650 +0xd3
github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus.PayloadStreamServerInterceptor.func1({0x1a1f200, 0xa50b620}, {0x9856c20?, 0xc0003163e0?}, 0xc000429590, 0x966cfd0)
        github.com/grpc-ecosystem/[email protected]/logging/logrus/payload_interceptors.go:49 +0x15f
google.golang.org/grpc.getChainStreamHandler.func1({0x1a1f200, 0xa50b620}, {0x9856c20, 0xc0003163e0})
        google.golang.org/[email protected]/server.go:1483 +0xb9
github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus.StreamServerInterceptor.func1({0x1a1f200, 0xa50b620}, {0x9856cb0, 0xc0003a04c0}, 0xc000429590, 0xc0003a0500)
        github.com/grpc-ecosystem/[email protected]/logging/logrus/server_interceptors.go:61 +0x153
google.golang.org/grpc.getChainStreamHandler.func1({0x1a1f200, 0xa50b620}, {0x9856cb0, 0xc0003a04c0})
        google.golang.org/[email protected]/server.go:1483 +0xb9
github.com/grpc-ecosystem/go-grpc-middleware/tags.StreamServerInterceptor.func1({0x1a1f200, 0xa50b620}, {0x9856c20?, 0xc0003163c0?}, 0xc000429590, 0xc0003a0440)
        github.com/grpc-ecosystem/[email protected]/tags/interceptors.go:39 +0x135
google.golang.org/grpc.getChainStreamHandler.func1({0x1a1f200, 0xa50b620}, {0x9856c20, 0xc0003163c0})
        google.golang.org/[email protected]/server.go:1483 +0xb9
github.com/grpc-ecosystem/go-grpc-middleware/auth.StreamServerInterceptor.func1({0x1a1f200, 0xa50b620}, {0x9856fc8?, 0xc0001ea1e0?}, 0xc000429590, 0xc0003a0400)
        github.com/grpc-ecosystem/[email protected]/auth/auth.go:66 +0x146
google.golang.org/grpc.chainStreamInterceptors.func1({0x1a1f200, 0xa50b620}, {0x9856fc8, 0xc0001ea1e0}, 0x1748d40?, 0xc000112b10?)
        google.golang.org/[email protected]/server.go:1474 +0x8f
google.golang.org/grpc.(*Server).processStreamingRPC(0xc0003403c0, {0x985c6e0, 0xc0003a4340}, 0xc00016ab40, 0xc00037ff50, 0xa41b120, 0x0)
        google.golang.org/[email protected]/server.go:1638 +0x1363
google.golang.org/grpc.(*Server).handleStream(0xc0003403c0, {0x985c6e0, 0xc0003a4340}, 0xc00016ab40, 0x0)
        google.golang.org/[email protected]/server.go:1718 +0x9f0
google.golang.org/grpc.(*Server).serveStreams.func1.1()
        google.golang.org/[email protected]/server.go:959 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/[email protected]/server.go:957 +0x18c

Desktop (please complete the following information):

  • OS: Ubuntu 22.04
  • Version: 1.5.41

Notes

  • The same happens when the DNS listener is set up to work with the canary domain only
  • It does not crash when looking up a canary that has already been looked up and is marked as triggered

lorenzog avatar Oct 17 '23 08:10 lorenzog
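The stack trace above points at the failure mode rather than the cause: `Session.LastCheckin` calls `(*ImplantConnection).GetLastMessage` on a `Session` whose connection pointer is nil, and Go happily invokes a pointer-receiver method on a nil pointer, so the fault lands inside the method at the first field access (a fault address like `addr=0x20` is consistent with reading a field at a small offset from a nil pointer). The Go program below is an added illustration of that pattern and of the defensive check that stops the server-wide panic; it is not Sliver's code, and the type layouts, field names, method names `LastCheckinUnguarded`/`LastCheckin` and the helper `PanicsOnNilConnection` are all assumptions chosen to mirror the call chain in the trace.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// ImplantConnection is a hypothetical stand-in for the type named in the
// stack trace; the fields are assumptions, not Sliver's own layout.
type ImplantConnection struct {
	mu          sync.RWMutex
	lastMessage time.Time
}

// GetLastMessage dereferences the receiver. Calling it on a nil
// *ImplantConnection compiles and runs, and panics here on the first field
// access, which is the shape of the crash in the report.
func (c *ImplantConnection) GetLastMessage() time.Time {
	c.mu.RLock()
	defer c.mu.RUnlock()
	return c.lastMessage
}

// Session mirrors the chain Session.LastCheckin -> Connection.GetLastMessage.
// A canary hit creates a session-like record that never had an implant
// connection, so Connection stays nil (assumed cause, matching the trace).
type Session struct {
	Name       string
	Connection *ImplantConnection
}

// LastCheckinUnguarded reproduces the crash path: no nil check before the call.
func (s *Session) LastCheckinUnguarded() time.Time {
	return s.Connection.GetLastMessage()
}

// LastCheckin is the hardened form: a session with no connection reports the
// zero time ("Never"), the same value the canaries table already prints.
func (s *Session) LastCheckin() time.Time {
	if s.Connection == nil {
		return time.Time{}
	}
	return s.Connection.GetLastMessage()
}

// PanicsOnNilConnection reports whether the unguarded path panics for the
// given session. recover() keeps the caller alive; in the real server the
// panic escaped the gRPC Events handler and took the whole process down.
func PanicsOnNilConnection(s *Session) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	_ = s.LastCheckinUnguarded()
	return false
}

func main() {
	// Constructed sample: a canary record with no implant connection.
	canary := &Session{Name: "HUNGRY_CHERRY"}
	fmt.Println("unguarded call panics:", PanicsOnNilConnection(canary))
	fmt.Println("guarded LastCheckin is zero:", canary.LastCheckin().IsZero())

	// Constructed sample: a real implant session reports its last message.
	live := &Session{Name: "LIVE", Connection: &ImplantConnection{lastMessage: time.Unix(1697529600, 0)}}
	fmt.Println("live LastCheckin:", live.LastCheckin().UTC())
}
```

The nil guard belongs in the accessor that every caller shares (`LastCheckin` here), not in one RPC handler: the trace shows the crash reached through `Session.ToProtobuf`, which is used by more than the `Events` stream, so guarding a single call site would leave the other paths exposed to the same panic.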