[dos] Provide some bug information about the http service

Open a3sroot opened this issue 1 year ago • 2 comments

Describe the bug A clear and concise description of what the bug is. [dos] Provide some bug information about the http service

To Reproduce Steps to reproduce the behavior:

  1. Use tunnel to communicate, of course I am transforming download into the way of tunnel. It is easy for me to get the progress of downloading files and to download large files.
  2. But the design of the tunnel is really too fast, resulting in the agent (implant) to send packets to the c2 server http service to hit the hang.

Expected behavior A clear and concise description of what you expected to happen.

Screenshots If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: Linux
  • Version: latest (v1.5.25)

Additional context Add any other context about the problem here.

c2 log

2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35530: EOF
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35501: read tcp 192.168.44.205:443->192.168.44.206:35501: read: connection reset by peer
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35499: read tcp 192.168.44.205:443->192.168.44.206:35499: read: connection reset by peer
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35632: EOF
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35763: EOF
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35350: read tcp 192.168.44.205:443->192.168.44.206:35350: read: connection reset by peer
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35704: EOF
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35402: read tcp 192.168.44.205:443->192.168.44.206:35402: read: connection reset by peer
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35773: EOF
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35428: read tcp 192.168.44.205:443->192.168.44.206:35428: read: connection reset by peer
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35705: EOF
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35451: read tcp 192.168.44.205:443->192.168.44.206:35451: read: connection reset by peer
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35427: read tcp 192.168.44.205:443->192.168.44.206:35427: read: connection reset by peer
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35390: read tcp 192.168.44.205:443->192.168.44.206:35390: read: connection reset by peer
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35403: EOF
2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 192.168.44.206:35420: read tcp 192.168.44.205:443->192.168.44.206:35420: read: connection reset by peer

agent log

2022/09/05 00:00:00 httpclient.go:481: [http] POST request completed
2022/09/05 00:00:00 httpclient.go:485: [http] request failed Post "https://192.168.44.205/database/oauth2/oauth/oauth/oauth2callback/database/rpc.php?i=40562500": read tcp 192.168.0.79:54899->192.168.44.1:443: read: connection reset by peer
2022/09/05 00:00:00 httpclient.go:481: [http] POST request completed
2022/09/05 00:00:00 httpclient.go:485: [http] request failed Post "https://192.168.44.205/database/database/namespaces/api/db/index.php?n=661d7969": read tcp 192.168.0.79:59941->192.168.44.1:443: read: connection reset by peer
2022/09/05 00:00:00 httpclient.go:481: [http] POST request completed
2022/09/05 00:00:00 httpclient.go:485: [http] request failed Post "https://192.168.44.205/oauth2callback/namespaces/php/namespaces/rpc.php?y=39903i717": EOF
2022/09/05 00:00:00 httpclient.go:481: [http] POST request completed
2022/09/05 00:00:00 httpclient.go:485: [http] request failed Post "https://192.168.44.205/oauth2/database/rpc.php?w=438513a0": EOF
2022/09/05 00:00:00 httpclient.go:481: [http] POST request completed
2022/09/05 00:00:00 httpclient.go:485: [http] request failed Post "https://192.168.44.205/index.php?g=905t870s50": EOF
2022/09/05 00:00:00 httpclient.go:481: [http] POST request completed
2022/09/05 00:00:00 httpclient.go:485: [http] request failed Post "https://192.168.44.205/db/namespaces/oauth/oauth/database/rpc.php?l=5549333t0": EOF
2022/09/05 00:00:00 httpclient.go:481: [http] POST request completed
2022/09/05 00:00:00 httpclient.go:485: [http] request failed Post "https://192.168.44.205/api/database/db/database/samples.php?y=4221i4914": read tcp 192.168.0.79:59875->192.168.44.1:443: read: connection reset by peer
2022/09/05 00:00:00 httpclient.go:481: [http] POST request completed
2022/09/05 00:00:00 httpclient.go:485: [http] request failed Post "https://192.168.44.205/namespaces/oauth2callback/oauth/rpc.php?t=3a7166e011": EOF
2022/09/05 00:00:00 httpclient.go:481: [http] POST request completed
2022/09/05 00:00:00 httpclient.go:485: [http] request failed Post "https://192.168.44.205/oauth/api/db/oauth2/database/samples.php?n=32795d976": EOF
2022/09/05 00:00:00 httpclient.go:481: [http] POST request completed

a3sroot avatar Sep 05 '22 11:09 a3sroot
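
For triaging a server log like the c2 log in the report above, the following added example (not part of the original issue and not Sliver's own code) buckets Go net/http "TLS handshake error" lines by log second, peer host and failure cause, which shows how many handshakes one peer abandoned in a given second. The names hsErr, Key and Summarize are hypothetical, and the sample lines are constructed with documentation addresses.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Matches Go net/http server error lines in the format of the c2 log above.
var hsErr = regexp.MustCompile(`^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*http: TLS handshake error from (\S+): (.*)$`)

// Key identifies one bucket: log second, peer host (port dropped), failure cause.
type Key struct{ Second, Host, Cause string }
// Summarize counts failed TLS handshakes per second, peer and cause.
func Summarize(lines []string) map[Key]int {
	out := map[Key]int{}
	for _, l := range lines {
		m := hsErr.FindStringSubmatch(l)
		if m == nil {
			continue // not a handshake error line
		}
		host, _, err := net.SplitHostPort(m[2])
		if err != nil {
			host = m[2] // keep the raw peer string if it has no port
		}
		cause := "other"
		if m[3] == "EOF" {
			cause = "eof" // peer closed the connection before finishing the handshake
		} else if strings.HasSuffix(m[3], "connection reset by peer") {
			cause = "reset" // peer sent a TCP RST mid-handshake
		}
		out[Key{m[1], host, cause}]++
	}
	return out
}

// Constructed sample lines (documentation addresses), not taken from the issue.
var sample = []string{
	"2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 198.51.100.7:35530: EOF",
	"2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 198.51.100.7:35501: read tcp 203.0.113.5:443->198.51.100.7:35501: read: connection reset by peer",
	"2022/09/05 00:00:00 server.go:3197: http: TLS handshake error from 198.51.100.7:35632: EOF",
	"2022/09/05 00:00:01 server.go:3197: http: TLS handshake error from 198.51.100.9:40000: remote error: tls: bad certificate",
	"2022/09/05 00:00:01 httpclient.go:481: [http] POST request completed",
}

func main() {
	fmt.Println(Summarize(sample))
}
```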

This will eventually lead to both server-side and agent hang fishing

a3sroot avatar Sep 05 '22 11:09 a3sroot

When the request volume is too large, the correct URL suffix is not matched.

a3sroot avatar Oct 28 '22 09:10 a3sroot