Merge pull request #418 from janedoe-lab/reverse-proxy-remoteaddr

Fetch correct remote addr when sliver server runs behind reverse proxy
BishopFox · Jul 2, 2021 · f318c00 · f318c00
2 parents 15a8aa7 + f9c91f1
commit f318c00
Showing 1 changed file with 24 additions and 4 deletions.
diff --git a/server/c2/tcp-http.go b/server/c2/tcp-http.go
@@ -30,6 +30,7 @@ import (
 	"fmt"
 	"io/ioutil"
 	insecureRand "math/rand"
+	"net"
 	"net/http"
 	"path/filepath"
 	"strconv"
@@ -306,7 +307,7 @@ func filterNonce(req *http.Request, rm *mux.RouteMatch) bool {
 
 func loggingMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
-		accessLog.Infof("%s - %s - %v", req.RemoteAddr, req.RequestURI, req.Header.Get("User-Agent"))
+		accessLog.Infof("%s - %s - %v", getRemoteAddr(req), req.RequestURI, req.Header.Get("User-Agent"))
 		next.ServeHTTP(resp, req)
 	})
 }
@@ -414,7 +415,7 @@ func (s *SliverHTTPC2) startSessionHandler(resp http.ResponseWriter, req *http.R
 	httpSession.Session = core.Sessions.Add(&core.Session{
 		ID:            core.NextSessionID(),
 		Transport:     "http(s)",
-		RemoteAddress: req.RemoteAddr,
+		RemoteAddress: getRemoteAddr(req),
 		Send:          make(chan *sliverpb.Envelope, 16),
 		RespMutex:     &sync.RWMutex{},
 		Resp:          map[uint64]chan *sliverpb.Envelope{},
@@ -544,9 +545,9 @@ func (s *SliverHTTPC2) stopHandler(resp http.ResponseWriter, req *http.Request)
 // stagerHander - Serves the sliver shellcode to the stager requesting it
 func (s *SliverHTTPC2) stagerHander(resp http.ResponseWriter, req *http.Request) {
 	if len(s.SliverStage) != 0 {
-		httpLog.Infof("Received staging request from %s", req.RemoteAddr)
+		httpLog.Infof("Received staging request from %s", getRemoteAddr(req))
 		resp.Write(s.SliverStage)
-		httpLog.Infof("Serving sliver shellcode (size %d) to %s", len(s.SliverStage), req.RemoteAddr)
+		httpLog.Infof("Serving sliver shellcode (size %d) to %s", len(s.SliverStage), getRemoteAddr(req))
 		resp.WriteHeader(200)
 	} else {
 		resp.WriteHeader(404)
@@ -581,3 +582,22 @@ func newHTTPSessionID() string {
 	rand.Read(buf)
 	return hex.EncodeToString(buf)
 }
+
+func getRemoteAddr(req *http.Request) string {
+	ipAddress := req.Header.Get("X-Real-Ip")
+	if ipAddress == "" {
+		ipAddress = req.Header.Get("X-Forwarded-For")
+	}
+	if ipAddress == "" {
+		return req.RemoteAddr
+	}
+
+	// Try to parse the header as an IP address, as this is user controllable
+	// input we don't want to trust it.
+	ip := net.ParseIP(ipAddress)
+	if ip == nil {
+		httpLog.Warnf("Failed to parse X-Header as ip address")
+		return req.RemoteAddr
+	}
+	return fmt.Sprintf("tcp(%s)->%s", req.RemoteAddr, ip.String())
+}