Covenant
[Bug] Format Exception with custom template
Feature Request or Bug: Bug
Describe the feature request or bug: I created a custom listener profile and receive stack traces when using HTTP grunts (see screenshots). Basically, there seems to be a string format issue in the HTTP handler:
fail: Microsoft.AspNetCore.Server.Kestrel[13]
Connection id "0HM7OU2GJC1EL", Request id "0HM7OU2GJC1EL:00000002": An unhandled exception was thrown by the application.
System.FormatException: Input string was not in a correct format.
at System.Text.StringBuilder.FormatError()
at System.Text.StringBuilder.AppendFormatHelper(IFormatProvider provider, String format, ParamsArray args)
at System.String.FormatHelper(IFormatProvider provider, String format, ParamsArray args)
at System.String.Format(String format, Object arg0, Object arg1)
at Covenant.Controllers.HttpListenerController.Route() in /opt/Covenant/Covenant/Controllers/ListenerControllers/HttpListenerController.cs:line 77
at lambda_method(Closure , Object )
at Microsoft.Extensions.Internal.ObjectMethodExecutorAwaitable.Awaiter.GetResult()
at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextResourceFilter>g__Awaited|24_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|19_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
This had no negative impact on the operation of the grunt, but the uncomfortable feeling remains...
To Reproduce (steps to reproduce the behavior): Honestly, I have no clue what my template does differently from the built-in templates; it is just a slight modification of the built-in templates (with an nginx default page instead of Hello World and different parameter names).
Expected behavior: No crashes / stack traces.
Screenshots
Covenant Server Information:
- OS: Kali
- Docker or Native: native
- Note: I'm using the zeropoint security fork that is used for CRTO. Nevertheless, the bug also exists upstream.
Browser Information:
- Browser: Edge Chromium
- Version: 89
Target Information (System that implant is running on):
- OS: Windows 10
Additional context
The issue seems to be here: the replacements performed in the main body of the function do an expansion `{` -> `{{` before replacing the values. This behavior was introduced in commit 15b1fad37f29affb75c4652566d0123c20d5afd9, but it seems it was overlooked in the exception handlers. I adapted the code in the exception handlers in my local build and the errors are gone.
Hey @edermi , are you able to share the custom listener profile that causes the issue? This will be difficult to debug without it.
Sure, here you go. If you need anything else, I'll do my best. Attachments: http_post.txt, http_post_response.txt, server_headers.txt, transform.txt, urls.txt, client_headers.txt, http_get_response.txt