Ne0nd0g / merlin

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
GNU General Public License v3.0

[Bug] Listener does not accept '?' and '&' in the URLs section #115

Closed HuskyHacks closed 3 years ago

HuskyHacks commented 3 years ago

Expected Behavior

I create an agent with an embedded URL of "/news.php?cmd=whoami" and/or "/news.php&cmd=whoami".

I run the HTTP listener with the correct configs (PSK, URLS).

I run the agent on the host and get a check-in.

Actual Behavior

The agent does not check in. Confirmed in Wireshark that the web request is POSTing to the correct URL, but agent authentication does not occur.

Steps to Reproduce Behavior

Compile an agent with the -X main.url flag set to /news.php?cmd=whoami. Set up and run the listener with the URLS field set to /news.php?cmd=whoami. Run the agent on the target; check-in does not occur.

Compile an agent with the -X main.url flag set to /news.php&cmd=whoami. Set up and run the listener with the URLS field set to /news.php&cmd=whoami. Run the agent on the target; check-in does not occur.

Compile an agent with the -X main.url flag set to /news.phpcmd=whoami. Set up and run the listener with the URLS field set to /news.phpcmd=whoami. Run the agent on the target; check-in does occur.

Misc Information

This may exist with other special characters as well; confirmed for & and ?. The = character seems to be OK and does not hinder check-in.

PCAP for failing check-in (image)

PCAP for successful check-in (image)

HuskyHacks commented 3 years ago

From some additional testing, it seems that we solved this issue by implementing proper argument wrapping in the go build command (see https://github.com/Ne0nd0g/merlin-agent/commit/7d3493e6a300228dcc38a46a4fc323065c4f2d8d). The agent checks in with a URL argument that includes both & and ?. Happy to close this now (will monitor just in case, but it looks good over here).
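The thread above ends with the cause being build-argument quoting: a URL passed to `go build -ldflags "-X main.url=..."` through a shell or Makefile recipe is mangled when `&` (a shell control operator) or `?` (a glob character) is left unquoted. The following is an added example, not code from the Merlin project or the linked commit, showing two ways to get such a value into the binary intact: building the argv in Go with `os/exec` so no shell parses it, and single-quoting the value when a shell recipe is unavoidable. `buildArgs`, `shellQuote`, `unquotedShellSplit` and `checkEmbeddedURL` are names chosen here; the sample URL is the one from the bug report; `unquotedShellSplit` is a deliberate simplification of POSIX word handling used only to illustrate the truncation at `&`.

```go
package main

import (
	"fmt"
	"net/url"
	"os/exec"
	"strings"
)

// Sample value to embed, taken from the bug report (constructed input).
const sampleAgentURL = "/news.php?cmd=whoami"

// buildArgs returns the argv for `go build` with the agent URL embedded via
// -ldflags "-X main.url=VALUE". The whole -X assignment is a single argv
// element, so no shell ever tokenises it and '?' and '&' need no quoting.
func buildArgs(embeddedURL, output string) []string {
	return []string{
		"build",
		"-o", output,
		"-ldflags", "-X main.url=" + embeddedURL,
		".",
	}
}

// buildCommand wraps the argv in an *exec.Cmd. exec.Command does not go
// through /bin/sh, which is the point; the command is constructed, not run.
func buildCommand(embeddedURL, output string) *exec.Cmd {
	return exec.Command("go", buildArgs(embeddedURL, output)...)
}

// shellQuote single-quotes a value for a Makefile recipe or shell script.
// Inside single quotes '&' is not a control operator and '?' is not a glob;
// an embedded single quote is written as '\'' (close, escaped quote, reopen).
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// unquotedShellSplit models the failure mode for an UNQUOTED word: a POSIX
// shell treats '&' as the end of the command, so the build only ever sees the
// prefix before it. This is a simplification (globbing is ignored) used to
// illustrate why "/news.php&cmd=whoami" reaches go build as "/news.php".
func unquotedShellSplit(word string) (arg string, truncated bool) {
	if i := strings.IndexByte(word, '&'); i >= 0 {
		return word[:i], true
	}
	return word, false
}

// checkEmbeddedURL parses the value the agent will embed and returns path and
// raw query separately, which is what a listener has to compare against; a
// listener that only looks at Path would never see "cmd=whoami".
func checkEmbeddedURL(embeddedURL string) (path, rawQuery string, err error) {
	u, perr := url.ParseRequestURI(embeddedURL)
	if perr != nil {
		return "", "", perr
	}
	return u.Path, u.RawQuery, nil
}

func main() {
	cmd := buildCommand(sampleAgentURL, "merlinagent")
	fmt.Println("argv via os/exec:", cmd.Args)
	fmt.Println("shell recipe    : go build -ldflags", shellQuote("-X main.url="+sampleAgentURL))

	arg, truncated := unquotedShellSplit("/news.php&cmd=whoami")
	fmt.Printf("unquoted '&'    : go build sees %q (truncated=%v)\n", arg, truncated)

	p, q, err := checkEmbeddedURL(sampleAgentURL)
	fmt.Printf("embedded value  : path=%q query=%q err=%v\n", p, q, err)
}
```

Using `exec.Command` (or a slice-based argv in any build tool) removes the quoting problem entirely; `shellQuote` is the fallback for a Makefile, where `$(URL)` is substituted textually before the shell runs the recipe.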