jm33-m0 / emp3r0r

Linux/Windows post-exploitation framework made by linux user
https://infosec.exchange/@jm33
MIT License

Port-Fwd on agent always forwards to the target port of latest session #2

Closed. jm33-m0 closed this 4 years ago

jm33-m0 commented 4 years ago

When more than 1 port-fwd sessions exist, all data sent by CC get redirected to the newly specified target port instead of the port it should be forwarded to.

jm33-m0 commented 4 years ago

Looks like CC is mixing h2conn.Conns:

emp3r0r > run

2020/03/09 11:23:07 Got a portFwd connection from 10.103.249.40:51990
2020/03/09 11:23:14 PortFwd write to agent port: 1081 (Local) -> 1080 (Agent) via &{0xc000456750 0xc0003d03a0 0x4dce50 {0 0} {1 0}}
emp3r0r > set to_port 8000

emp3r0r > set listen_port 8001

emp3r0r > info
Option          Value
======          =====

module          port_fwd
target          0
to_port         8000
listen_port     8001
switch          on

emp3r0r > run

2020/03/09 11:23:39 Got a portFwd connection from 10.103.249.40:51990
2020/03/09 11:23:45 PortFwd write to agent port: 8001 (Local) -> 8000 (Agent) via &{0xc0003cee40 0xc0003a5100 0x4dce50 {0 0} {1 0}}
2020/03/09 11:23:53 PortFwd write to agent port: 1081 (Local) -> 1080 (Agent) via &{0xc0003cee40 0xc0003a5100 0x4dce50 {0 0} {1 0}}

jm33-m0 commented 4 years ago

The last two logs tell me that mapping 1081 -> 1080 is using the h2conn.Conn connection that mapping 8001 -> 8000 (newer) uses.

jm33-m0 commented 4 years ago

https://github.com/jm33-m0/emp3r0r/blob/8bd041486ce2b563f858afdb829e01ae3511be23/core/internal/cc/server.go#L47-L70

sh *StreamHandler is a fixed pointer, thus no matter what requests come, PortFwdSession.Sh never changes and all sessions share the same sh.

jm33-m0 commented 4 years ago

emp3r0r > ls_port_fwds
Active port mappings
====================

1081 (Local) -> 1080 (Agent) (96fa17ac-8049-485a-900b-7275eb111321)
sh: 0xc000390d40, h2conn: 0xc00043ac80
8001 (Local) -> 8000 (Agent) (db7bf19c-9724-4cbf-b289-7f69b5330924)
sh: 0xc00000ce40, h2conn: 0xc00043ac80

However, the *h2conn.Conn pointer seems wrong too, even with a new *StreamHandler copy.
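As an added illustration (not emp3r0r's code) of the aliasing the comments above describe: a single *StreamHandler pointer reused for every stream means every PortFwdSession.Sh sees the latest stream's connection, while allocating one handler per stream keeps each mapping on its own connection. Conn, StreamHandler, PortFwdSession and the conn IDs here are constructed stand-ins for the real types; the port pairs are the 1081 -> 1080 and 8001 -> 8000 mappings from the logs.

```go
package main

import "fmt"

// Conn stands in for *h2conn.Conn, the HTTP/2 stream a session writes to (constructed stub).
type Conn struct{ ID string }

// StreamHandler mirrors the page's *StreamHandler: it records the Conn it is currently serving.
type StreamHandler struct{ H2x *Conn }

// PortFwdSession maps a local listener to an agent port via the handler in Sh.
type PortFwdSession struct {
	Lport, Rport int
	Sh           *StreamHandler
}

// connOf reports which Conn a session's data would actually be written to.
func connOf(s *PortFwdSession) string { return s.Sh.H2x.ID }

// registerShared reproduces the reported pattern: one StreamHandler is allocated up front
// and reused for every stream, so every session's Sh aliases it and the newest Conn wins.
func registerShared(mappings [][2]int, conns []*Conn) []*PortFwdSession {
	sh := &StreamHandler{} // fixed pointer, created once for the whole server
	var sessions []*PortFwdSession
	for i, m := range mappings {
		sh.H2x = conns[i] // overwrites the Conn that every earlier session relies on
		sessions = append(sessions, &PortFwdSession{Lport: m[0], Rport: m[1], Sh: sh})
	}
	return sessions
}

// registerPerSession is the generic remedy for that aliasing: allocate a fresh
// StreamHandler per stream so each session keeps its own Conn.
func registerPerSession(mappings [][2]int, conns []*Conn) []*PortFwdSession {
	var sessions []*PortFwdSession
	for i, m := range mappings {
		sh := &StreamHandler{H2x: conns[i]} // new pointer per stream
		sessions = append(sessions, &PortFwdSession{Lport: m[0], Rport: m[1], Sh: sh})
	}
	return sessions
}

func main() {
	mappings := [][2]int{{1081, 1080}, {8001, 8000}}
	conns := []*Conn{{ID: "h2conn-A"}, {ID: "h2conn-B"}}
	both := append(registerShared(mappings, conns), registerPerSession(mappings, conns)...)
	for _, s := range both { // first two lines share one Conn, last two do not
		fmt.Printf("%d (Local) -> %d (Agent) via %s\n", s.Lport, s.Rport, connOf(s))
	}
}
```

The ls_port_fwds output above shows the h2conn pointer still shared even after the handler was copied; that second layer of aliasing is outside this example.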