mgeeky / RedWarden

Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation
GNU General Public License v3.0

[Errno 17] File exists #3

Closed superuser5 closed 2 years ago

superuser5 commented 3 years ago

Hi, tool looks very cool, thank you for sharing it.

I get a similar error message when using the provided example-config.yaml and commenting out the following lines from the config:

#  - 443/https
#profile: malleable.profile

python setup

# cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.2 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.2 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

# python3 -V
Python 3.8.5

# sudo python3 -m pip install -r requirements.txt
Requirement already satisfied: brotli in /usr/local/lib/python3.8/dist-packages (from -r requirements.txt (line 1)) (1.0.9)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (2.22.0)
Requirement already satisfied: PyYaml in /usr/lib/python3/dist-packages (from -r requirements.txt (line 3)) (5.3.1)
Requirement already satisfied: sqlitedict in /usr/local/lib/python3.8/dist-packages (from -r requirements.txt (line 4)) (1.7.0)
Requirement already satisfied: tornado in /usr/local/lib/python3.8/dist-packages (from -r requirements.txt (line 5)) (6.1)

Error:

# sudo python3 RedWarden.py -c example-config.yaml
[INFO] 2021-06-17/00:44:02: Loading 1 plugin...
[INFO] 2021-06-17/00:44:02: Plugin "malleable_redirector" has been installed.
[INFO] 2021-06-17/00:44:02: Preparing SSL certificates and keys for https traffic interception...
[INFO] 2021-06-17/00:44:02: Using provided CA key file: /etc/letsencrypt/live/attacker.com/privkey.pem
[INFO] 2021-06-17/00:44:02: Using provided CA certificate file: /etc/letsencrypt/live/attacker.com/fullchain.pem
[INFO] 2021-06-17/00:44:02: Using provided Certificate key: /opt/RedWarden/ca-cert/cert.key
[INFO] 2021-06-17/00:44:02: Teeing stdout output to /opt/RedWarden/redwarden_redirector.log log file.
[ERROR] 2021-06-17/00:44:02:

=================================================================================================
 MALLEABLE C2 PROFILE PATH NOT SPECIFIED! LOGIC BASED ON PARSING HTTP REQUESTS WILL BE DISABLED!
=================================================================================================

[INFO] 2021-06-17/00:44:02: Loaded 1890 blacklisted CIDRs.
[INFO] 2021-06-17/00:44:02:

    ____           ___       __               __
   / __ \___  ____/ / |     / /___ __________/ /__  ____
  / /_/ / _ \/ __  /| | /| / / __ `/ ___/ __  / _ \/ __ \
 / _, _/  __/ /_/ / | |/ |/ / /_/ / /  / /_/ /  __/ / / /
/_/ |_|\___/\__,_/  |__/|__/\__,_/_/   \__,_/\___/_/ /_/

    :: RedWarden - Keeps your malleable C2 packets slipping through AVs,
                   EDRs, Blue Teams and club bouncers like nothing else!

    by Mariusz B. / mgeeky, '19-'21
    <mb [at] binary-offensive.com>

    v0.7

[INFO] 2021-06-17/00:44:02: Serving proxy on: http://0.0.0.0:80 ...
[INFO] 2021-06-17/00:44:02: Serving proxy on: http://0.0.0.0:80 ...
Fatal error has occured.
    [Errno 17] File exists
Traceback:
------------------------------
Traceback (most recent call last):
  File "/usr/lib/python3.8/asyncio/selector_events.py", line 259, in _add_reader
    key = self._selector.get_key(fd)
  File "/usr/lib/python3.8/selectors.py", line 192, in get_key
    raise KeyError("{!r} is not registered".format(fileobj)) from None
KeyError: '6 is not registered'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "RedWarden.py", line 214, in main
    serve_proxy(srv[0], srv[1], srv[2], srv[3])
  File "RedWarden.py", line 145, in serve_proxy
    server.add_sockets(foosock)
  File "/usr/local/lib/python3.8/dist-packages/tornado/tcpserver.py", line 165, in add_sockets
    self._handlers[sock.fileno()] = add_accept_handler(
  File "/usr/local/lib/python3.8/dist-packages/tornado/netutil.py", line 282, in add_accept_handler
    io_loop.add_handler(sock, accept_handler, IOLoop.READ)
  File "/usr/local/lib/python3.8/dist-packages/tornado/platform/asyncio.py", line 150, in add_handler
    self.selector_loop.add_reader(fd, self._handle_events, fd, IOLoop.READ)
  File "/usr/lib/python3.8/asyncio/selector_events.py", line 332, in add_reader
    return self._add_reader(fd, callback, *args)
  File "/usr/lib/python3.8/asyncio/selector_events.py", line 261, in _add_reader
    self._selector.register(fd, selectors.EVENT_READ,
  File "/usr/lib/python3.8/selectors.py", line 359, in register
    self._selector.register(key.fd, poller_events)
FileExistsError: [Errno 17] File exists
------------------------------

Originally posted by @superuser5 in https://github.com/mgeeky/RedWarden/issues/1#issuecomment-862830440

superuser5 commented 3 years ago

Hi Mariusz, is there anything else I could provide for this issue?

mgeeky commented 2 years ago

So it turns out that your config file defined duplicate TCP port listeners, as stated by the program's output:

[INFO] 2021-06-17/00:44:02: Serving proxy on: http://0.0.0.0:80 ...
[INFO] 2021-06-17/00:44:02: Serving proxy on: http://0.0.0.0:80 ...

You were attempting to listen on TCP port 80 twice.

I've added logic to prevent that behaviour in 9d0d421.

Let me know if the problem remains.

M.
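
As an added illustration of the duplicate-listener check described in the comment above (not the code from commit 9d0d421 and not RedWarden's own implementation): a validator that normalizes listener entries and reports repeats before any socket is bound. The `port/scheme` entry format follows the config lines quoted in the issue; the function names, the bare-port default of `http`, and the sample list are assumptions.

```python
from typing import List, Tuple

VALID_SCHEMES = {"http", "https"}


def parse_listener(entry) -> Tuple[int, str]:
    """Parse '80/http', or a bare port (YAML may load it as int), into (port, scheme)."""
    text = str(entry).strip().lower()
    port_text, _, scheme = text.partition("/")
    scheme = scheme or "http"  # assumption: a bare port means plain HTTP
    if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"invalid port in listener entry: {entry!r}")
    if scheme not in VALID_SCHEMES:
        raise ValueError(f"unknown scheme in listener entry: {entry!r}")
    return int(port_text), scheme


def dedupe_listeners(entries) -> Tuple[List[Tuple[int, str]], List[str]]:
    """Return (unique listeners in original order, human-readable problems).

    The key is the TCP port alone: one bind address cannot serve the same
    port twice, whether the second entry repeats the scheme or changes it.
    """
    seen = {}
    unique: List[Tuple[int, str]] = []
    problems: List[str] = []
    for entry in entries:
        port, scheme = parse_listener(entry)
        if port in seen:
            kind = "duplicate" if seen[port] == scheme else "conflict"
            problems.append(
                f"{kind}: port {port} already served as {seen[port]} (entry {entry!r})"
            )
            continue
        seen[port] = scheme
        unique.append((port, scheme))
    return unique, problems


# Constructed sample: the same port written two ways, plus a scheme clash.
SAMPLE_PORTS = ["80/http", 80, "443/https", " 443/HTTP "]

if __name__ == "__main__":
    listeners, issues = dedupe_listeners(SAMPLE_PORTS)
    for issue in issues:
        print("[WARN]", issue)
    print("binding:", listeners)
```

Running the check at config-load time turns the opaque `[Errno 17] File exists` traceback into a message that names the offending entry.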

ghost commented 2 years ago

Weird, same duplicate issue on a freshly installed Debian 10 VPS with python3.9 and all requirements installed.

I tested on Debian 8 or 9 before and everything was OK.