its-a-feature / Mythic

A collaborative, multi-platform, red teaming framework

BUG: Removing payloads does not clear cachedUUIDInfoMap #424

Open XCVYN6UGT85JywuH opened 1 month ago

XCVYN6UGT85JywuH commented 1 month ago
payload.Deleted = true
deletedPayloadIDs = append(deletedPayloadIDs, payload.ID)
if _, err := database.DB.Exec(`UPDATE payload SET deleted=true WHERE id=$1`, payload.ID); err != nil {
    logging.LogError(err, "Failed to update payload deleted status")
}

As you can see, we don't clear cachedUUIDInfoMap when removing a payload.

func LookupEncryptionData(c2profile string, messageUUID string, updateCheckinTime bool) (*cachedUUIDInfo, error) {
    //logging.LogTrace("Looking up information for new message", "uuid", messageUUID)
    //logging.LogDebug("Getting encryption data", "cachemap", cachedUUIDInfoMap)
    cachedUUIDInfoMapMutex.Lock()
    defer cachedUUIDInfoMapMutex.Unlock()
    if _, ok := cachedUUIDInfoMap[messageUUID+c2profile]; ok {
        // we found an instance of the cache info with c2 profile encryption data
        if cachedUUIDInfoMap[messageUUID+c2profile].UUIDType == "callback" {
            if updateCheckinTime {
                UpdateCallbackEdgesAndCheckinTime(cachedUUIDInfoMap[messageUUID+c2profile])
            }

        }
        return cachedUUIDInfoMap[messageUUID+c2profile], nil
    } else if _, ok := cachedUUIDInfoMap[messageUUID]; ok {
        // we found an instance of the cache info with payload encryption data
        if cachedUUIDInfoMap[messageUUID].UUIDType == "callback" {
            if updateCheckinTime {
                UpdateCallbackEdgesAndCheckinTime(cachedUUIDInfoMap[messageUUID])
            }

        }
        return cachedUUIDInfoMap[messageUUID], nil
    }

But the first part of the LookupEncryptionData function checks only cachedUUIDInfoMap.

As a result, new callbacks appear even if the payload was deleted.

Possible solution: clear cachedUUIDInfoMap when removing payloads.

its-a-feature commented 1 month ago

Try pulling the latest:

git pull
sudo make
sudo ./mythic-cli restart

I just made a push to help address this - now when payloads are deleted, the cache map is invalidated for entries that start with the payload uuid that was deleted.
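
A minimal model of the stale-cache behaviour reported above and of the prefix invalidation described in this reply, as an added example (not Mythic's code and not part of the original thread): a cache-first lookup keeps answering for a deleted payload until every key beginning with its UUID is dropped. The `uuidCache` type, its `live` map standing in for the payload table, and the sample UUID are assumptions; locking is omitted.

```go
package main

import (
	"fmt"
	"strings"
)

// uuidCache is a hypothetical stand-in for the cache in the issue, not Mythic's code.
type uuidCache struct {
	entries map[string]bool // cache keys: uuid or uuid+c2profile
	live    map[string]bool // constructed stand-in for the payload table
}

// Lookup is cache-first like the excerpt: a hit never consults the live flag.
func (c *uuidCache) Lookup(c2profile, uuid string) bool {
	_, withProfile := c.entries[uuid+c2profile]
	_, bare := c.entries[uuid]
	if withProfile || bare {
		return true
	}
	if c.live[uuid] { // cache miss: ask the backing store, then cache the answer
		c.entries[uuid+c2profile] = true
	}
	return c.live[uuid]
}

// Delete marks the payload deleted; with invalidate set it also drops every key starting with its UUID.
func (c *uuidCache) Delete(uuid string, invalidate bool) {
	c.live[uuid] = false
	for key := range c.entries {
		if invalidate && strings.HasPrefix(key, uuid) {
			delete(c.entries, key)
		}
	}
}

// usableAfterDelete warms the cache, deletes the payload, and looks it up again.
func usableAfterDelete(invalidate bool) bool {
	const uuid = "00000000-0000-4000-8000-000000000001" // constructed sample
	c := &uuidCache{entries: map[string]bool{}, live: map[string]bool{uuid: true}}
	c.Lookup("http", uuid)
	c.Delete(uuid, invalidate)
	return c.Lookup("http", uuid)
}

func main() {
	fmt.Println("stale hit:", usableAfterDelete(false), "after invalidation:", usableAfterDelete(true))
}
```

Prefix matching covers both key shapes because the UUID is fixed-length and always leads the key.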

its-a-feature commented 1 week ago

Were you ever able to confirm that this is fixed for you?