moloch-- / sliver-py

A Python gRPC Client Library for Sliver
GNU General Public License v3.0

windows implant doesn't run properly on windows server #55

Open Rvn0xsy opened 1 month ago

Rvn0xsy commented 1 month ago

Describe the bug

I used sliver-py to generate a Windows implant and found that it only goes live on Windows 10/11, not on Windows Server.

But when I go through sliver-client and use `generate` to build the implant, it works fine. What is the difference?

Below is my code:

    import logging
    import os
    import platform

    # Import path assumed from sliver-py's generated protobuf package layout;
    # the snippet as posted does not show its imports.
    from sliver.pb.clientpb.client_pb2 import ImplantC2, ImplantConfig, OutputFormat

    _logger = logging.getLogger(__name__)

    # Method of a wrapper class; self.client is a connected sliver-py SliverClient.
    async def generate_beacon(self, url: str, path: str) -> bool:
        """
        Generates a beacon executable file for the Sliver client.

        Note: IsBeacon=False below builds a session implant, not a beacon,
        despite this method's name.

        Args:
            url (str): The URL to use for the C2 (Command and Control) communication.
            path (str): The file path where the generated beacon executable will be saved.

        Returns:
            bool: True if the beacon executable is successfully generated and saved, False otherwise.
        """
        # Target OS and architecture are taken from the host running this
        # script, so the implant is built for that machine, not a chosen target.
        architecture = platform.machine().lower()
        if architecture in ["x86_64", "amd64"]:
            architecture = 'amd64'
        elif architecture in ["aarch64", "arm64"]:
            # Windows on ARM reports "ARM64", Linux reports "aarch64".
            architecture = 'arm64'
        elif architecture == "ppc64le":
            # GOARCH name; the original 'darwin64' is not a valid GOARCH value.
            architecture = 'ppc64le'
        else:
            _logger.error("Unsupported architecture: %s", architecture)
            return False
        _logger.info("Generating beacon executable for %s:%s", platform.system().lower(), architecture)
        implant_config = ImplantConfig(
            IsBeacon=False,                      # session implant, not a beacon
            Name="sliver-" + os.urandom(8).hex(),
            GOARCH=architecture,
            GOOS=platform.system().lower(),      # "windows", "linux" or "darwin"
            Format=OutputFormat.EXECUTABLE,
            ObfuscateSymbols=False,
            C2=[ImplantC2(Priority=0, URL=url)],
        )
        # Ask the server to compile the implant; File.Data holds the binary.
        result = await self.client.generate_implant(implant_config)
        try:
            with open(path, 'wb') as f:
                f.write(result.File.Data)
        except Exception as e:
            _logger.error(e)
            return False
        return True

Addendum: the implant I generated using sliver-py doesn't respond to double-click execution on Windows Server; it seems to exit immediately.

moloch-- commented 1 month ago

TBH I'm not sure; this looks like it should be enough arguments to get a working binary. I'd recommend taking a look at the default settings in the golang client code and seeing if you spot a difference. I won't have time to attempt to reproduce for a while.
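One way to carry out the comparison suggested above, as an added example that is not code from this thread or from sliver-py: pull the stored configs of two builds (one made with sliver-py, one with the Go sliver-client) from the server and report every field that differs, including fields that protobuf serialises only on one side because the other left them at the default. The pure `diff_implant_configs` helper works on plain dicts and is exercised offline on a constructed sample; the second sample dict is hypothetical and does not claim to show sliver-client's real defaults. `main()` assumes sliver-py's `SliverClientConfig.parse_config_file`, `SliverClient.connect()` and `SliverClient.implant_builds()`, and a `Configs` map from build name to `ImplantConfig` on its result (names taken from the sliver-py client and Sliver's client.proto, treated as assumptions here); `CONFIG_PATH` and the two build names are placeholders.

```python
import asyncio
import os
from typing import Any, Dict, List, Tuple

# Placeholders: an operator config file and the names of two existing builds
# on the server, one made with sliver-py and one with the Go sliver-client.
CONFIG_PATH = "/path/to/operator.cfg"
BUILD_FROM_SLIVER_PY = "sliver-0123456789abcdef"
BUILD_FROM_SLIVER_CLIENT = "sliver-client-build"

Diff = Tuple[str, Any, Any]


def _flatten(value: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts and lists into dotted paths such as 'C2.0.URL'."""
    out: Dict[str, Any] = {}
    if isinstance(value, dict):
        for key, sub in value.items():
            out.update(_flatten(sub, f"{prefix}{key}."))
    elif isinstance(value, list):
        for idx, sub in enumerate(value):
            out.update(_flatten(sub, f"{prefix}{idx}."))
    else:
        out[prefix.rstrip(".")] = value
    return out


def diff_implant_configs(left: Dict[str, Any], right: Dict[str, Any]) -> List[Diff]:
    """Return (path, left_value, right_value) for every field that differs.

    MessageToDict omits fields left at their protobuf default, so a field
    present on one side only is reported with None on the other; those
    silently defaulted settings are exactly what to look for.
    """
    flat_left, flat_right = _flatten(left), _flatten(right)
    return [
        (path, flat_left.get(path), flat_right.get(path))
        for path in sorted(set(flat_left) | set(flat_right))
        if flat_left.get(path) != flat_right.get(path)
    ]


# Constructed sample input. The first dict is how MessageToDict would render
# the config from this issue (IsBeacon=False, ObfuscateSymbols=False and
# Priority=0 are defaults and therefore absent). The second is hypothetical
# and does NOT claim to be sliver-client's real defaults.
SAMPLE_SLIVER_PY = {
    "Name": "sliver-0123456789abcdef",
    "GOOS": "windows",
    "GOARCH": "amd64",
    "Format": "EXECUTABLE",
    "C2": [{"URL": "https://c2.example.com"}],
}
SAMPLE_SLIVER_CLIENT = {
    "Name": "sliver-client-build",
    "GOOS": "windows",
    "GOARCH": "amd64",
    "Format": "EXECUTABLE",
    "ObfuscateSymbols": True,
    "Debug": True,
    "C2": [{"URL": "https://c2.example.com"}],
}


async def main(left_name: str = BUILD_FROM_SLIVER_PY,
               right_name: str = BUILD_FROM_SLIVER_CLIENT) -> List[Diff]:
    """Fetch two builds' configs from the Sliver server and diff them."""
    # Local imports keep the pure helper usable without sliver-py installed.
    from google.protobuf.json_format import MessageToDict
    from sliver import SliverClient, SliverClientConfig

    client = SliverClient(SliverClientConfig.parse_config_file(CONFIG_PATH))
    await client.connect()
    # Assumed API: implant_builds() returns an ImplantBuilds message whose
    # Configs map goes from build name to ImplantConfig.
    builds = await client.implant_builds()
    left = MessageToDict(builds.Configs[left_name])
    right = MessageToDict(builds.Configs[right_name])
    diffs = diff_implant_configs(left, right)
    for path, lv, rv in diffs:
        print(f"{path}: sliver-py={lv!r} sliver-client={rv!r}")
    return diffs


if __name__ == "__main__":
    # Offline demonstration on the constructed sample first; the live diff
    # only runs when the placeholder operator config actually exists.
    for path, lv, rv in diff_implant_configs(SAMPLE_SLIVER_PY, SAMPLE_SLIVER_CLIENT):
        print(f"{path}: {lv!r} != {rv!r}")
    if os.path.exists(CONFIG_PATH):
        asyncio.run(main())
```

On the constructed sample the helper reports `Debug`, `Name` and `ObfuscateSymbols`, the last two with `None` on the sliver-py side because the issue's config never set them; a real run against the server would list whatever the Go client sets that the Python snippet leaves at its default.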

Rvn0xsy commented 4 days ago

I tried to execute the same binary beacon file on both Windows Server 2016 and Windows 10 with debug mode enabled, and found that it could not connect properly on Windows Server 2016 (the server returned a 404 error), while it ran fine on Windows 10.