From 85f51a8752b40596f00f3a77c494ae55d17f08de Mon Sep 17 00:00:00 2001
From: Raf <84349012+RafBishopFox@users.noreply.github.com>
Date: Fri, 7 Apr 2023 11:20:54 -0400
Subject: [PATCH] Initial support for changing C2 when spawning an interactive session from a beacon. Does not support changing transports.
---
 client/command/sessions/interactive.go | 2 +-
 implant/sliver/sliver.go | 2 +-
 implant/sliver/transports/session.go | 4 ++--
 implant/sliver/transports/transports.go | 21 +++++++++++++++------
 protobuf/clientpb/client.pb.go | 2 +-
 protobuf/commonpb/common.pb.go | 2 +-
 protobuf/dnspb/dns.pb.go | 2 +-
 protobuf/rpcpb/services.pb.go | 2 +-
 protobuf/rpcpb/services_grpc.pb.go | 2 +-
 protobuf/sliverpb/sliver.pb.go | 2 +-
 10 files changed, 25 insertions(+), 16 deletions(-)
diff --git a/client/command/sessions/interactive.go b/client/command/sessions/interactive.go
index 2bdb85706c..0db6fe7ee3 100644
--- a/client/command/sessions/interactive.go
+++ b/client/command/sessions/interactive.go
@@ -89,7 +89,7 @@ func InteractiveCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 c2s = append(c2s, tcpPivotC2...)
 // No flags, parse the current beacon's ActiveC2 instead
- if len(mtlsC2) == 0 && len(wgC2) == 0 && len(httpC2) == 0 && len(dnsC2) == 0 && len(namedPipeC2) == 0 && len(tcpPivotC2) == 0 {
+ if len(c2s) == 0 {
 con.PrintInfof("Using beacon's active C2 endpoint: %s\n", beacon.ActiveC2)
 c2url, err := url.Parse(beacon.ActiveC2)
 if err != nil {
diff --git a/implant/sliver/sliver.go b/implant/sliver/sliver.go
index 289f703a90..84c8ed9e17 100644
--- a/implant/sliver/sliver.go
+++ b/implant/sliver/sliver.go
@@ -540,7 +540,7 @@ func openSessionHandler(data []byte) {
 go func() {
 abort := make(chan struct{})
- connections := transports.StartConnectionLoop(abort)
+ connections := transports.StartConnectionLoop(abort, openSession.C2S...)
 defer func() { abort <- struct{}{} }()
 connectionAttempts := 0
 for connection := range connections {
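Review bot: The `openSession.C2S...` argument added to the `transports.StartConnectionLoop` call in `openSessionHandler` is forwarded without any check, while the commit message says changing transports is not supported. Nothing visible in this patch rejects or logs an entry whose scheme differs from the transports built into the binary, so what happens to such an entry depends on code outside the hunk. At minimum the call deserves a comment such as `// C2S, when non-empty, replaces the compiled-in C2 list for this session only; entries must use a transport already built into this binary`. The goroutine body continues past the end of the hunk.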
diff --git a/implant/sliver/transports/session.go b/implant/sliver/transports/session.go
index d7fb8ec2bd..b251a8fdac 100644
--- a/implant/sliver/transports/session.go
+++ b/implant/sliver/transports/session.go
@@ -80,7 +80,7 @@ type Start func() error
 type Stop func() error
 // StartConnectionLoop - Starts the main connection loop
-func StartConnectionLoop(abort <-chan struct{}) <-chan *Connection {
+func StartConnectionLoop(abort <-chan struct{}, temporaryC2 ...string) <-chan *Connection {
 // {{if .Config.Debug}}
 log.Printf("Starting interactive session connection loop ...")
@@ -88,7 +88,7 @@ func StartConnectionLoop(abort <-chan struct{}) <-chan *Connection {
 nextConnection := make(chan *Connection)
 innerAbort := make(chan struct{})
- c2Generator := C2Generator(innerAbort)
+ c2Generator := C2Generator(innerAbort, temporaryC2...)
 go func() {
 var connection *Connection
diff --git a/implant/sliver/transports/transports.go b/implant/sliver/transports/transports.go
index bfd2e3b387..40d28bb5dd 100644
--- a/implant/sliver/transports/transports.go
+++ b/implant/sliver/transports/transports.go
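Review bot: The doc comment on `StartConnectionLoop` in the first session.go hunk still reads `// StartConnectionLoop - Starts the main connection loop` although the signature now takes `temporaryC2 ...string`. State the override in the comment, for example `// StartConnectionLoop - Starts the main connection loop; a non-empty temporaryC2 replaces the compiled-in C2 list for this loop`. The second hunk hands the strings to `C2Generator` unchanged, and since that function returns a channel of `*url.URL` they are presumably expected to be complete URLs, which the comment should say as well. The function body continues outside both hunks.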
@@ -36,17 +36,26 @@ const (
 )
 // C2Generator - Creates a stream of C2 URLs based on a connection strategy
-func C2Generator(abort <-chan struct{}) <-chan *url.URL {
+func C2Generator(abort <-chan struct{}, temporaryC2 ...string) <-chan *url.URL {
 // {{if .Config.Debug}}
 log.Printf("Starting c2 url generator ({{.Config.ConnectionStrategy}}) ...")
 // {{end}}
 c2Servers := []func() string{}
- // {{range $index, $value := .Config.C2}}
- c2Servers = append(c2Servers, func() string {
- return "{{$value}}" // {{$index}}
- })
- // {{end}} - range
+ // Any temporary C2 servers that are defined will override what is configured in the implant
+ if len(temporaryC2) > 0 {
+ for _, c2 := range temporaryC2 {
+ c2Servers = append(c2Servers, func() string {
+ return c2
+ })
+ }
+ } else {
+ // {{range $index, $value := .Config.C2}}
+ c2Servers = append(c2Servers, func() string {
+ return "{{$value}}" // {{$index}}
+ })
+ // {{end}} - range
+ }
 generator := make(chan *url.URL)
 go func() {
diff --git a/protobuf/clientpb/client.pb.go b/protobuf/clientpb/client.pb.go
index 301ec3a3d6..abb1c59ca9 100644
--- a/protobuf/clientpb/client.pb.go
+++ b/protobuf/clientpb/client.pb.go
@@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v4.22.0 +// protoc v3.21.12 // source: clientpb/client.proto package clientpb
diff --git a/protobuf/commonpb/common.pb.go b/protobuf/commonpb/common.pb.go
index 372f126038..9e6ce0c34b 100644
--- a/protobuf/commonpb/common.pb.go
+++ b/protobuf/commonpb/common.pb.go
@@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v4.22.0 +// protoc v3.21.12 // source: commonpb/common.proto package commonpb
diff --git a/protobuf/dnspb/dns.pb.go b/protobuf/dnspb/dns.pb.go
index 83fb763b30..cac0f3edde 100644
--- a/protobuf/dnspb/dns.pb.go
+++ b/protobuf/dnspb/dns.pb.go
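Review bot: The closures appended in the new `for _, c2 := range temporaryC2` loop of `C2Generator` all capture the same `c2` variable if the module is built with a Go version older than 1.22, so every entry in `c2Servers` would return the last element of `temporaryC2` instead of its own. The go.mod is not part of this patch, so the language version should be confirmed; shadowing the variable as the first statement of the loop body, `c2 := c2`, is correct under either semantics. The function's doc comment also still describes only the strategy-based list and could note that a non-empty `temporaryC2` replaces the template-generated entries. The rest of `C2Generator` lies outside the hunk.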
@@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v4.22.0 +// protoc v3.21.12 // source: dnspb/dns.proto package dnspb diff --git a/protobuf/rpcpb/services.pb.go b/protobuf/rpcpb/services.pb.go index 856970397f..b17e5ea5e0 100644 --- a/protobuf/rpcpb/services.pb.go +++ b/protobuf/rpcpb/services.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v4.22.0 +// protoc v3.21.12 // source: rpcpb/services.proto package rpcpb diff --git a/protobuf/rpcpb/services_grpc.pb.go b/protobuf/rpcpb/services_grpc.pb.go index 3deae266eb..1012f61793 100644 --- a/protobuf/rpcpb/services_grpc.pb.go +++ b/protobuf/rpcpb/services_grpc.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: // - protoc-gen-go-grpc v1.2.0 -// - protoc v4.22.0 +// - protoc v3.21.12 // source: rpcpb/services.proto package rpcpb diff --git a/protobuf/sliverpb/sliver.pb.go b/protobuf/sliverpb/sliver.pb.go index 6c0047c00e..9908c442d3 100644 --- a/protobuf/sliverpb/sliver.pb.go +++ b/protobuf/sliverpb/sliver.pb.go @@ -1,7 +1,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: // protoc-gen-go v1.27.1 -// protoc v4.22.0 +// protoc v3.21.12 // source: sliverpb/sliver.proto package sliverpb