BishopFox · rkervella · Aug 18, 2021 · Aug 18, 2021 · Aug 18, 2021 · Aug 18, 2021
@@ -1038,6 +1038,9 @@ func BindCommands(con *console.SliverConsoleClient) {
 		LongHelp: help.GetHelpFor([]string{consts.LsStr}),
 		Flags: func(f *grumble.Flags) {
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
+			f.Bool("r", "reverse", false, "reverse sort order")
+			f.Bool("m", "modified", false, "sort by modified time")
+			f.Bool("s", "size", false, "sort by size")
 		},
 		Args: func(a *grumble.Args) {
 			a.String("path", "path to enumerate", grumble.Default("."))

@@ -22,8 +22,11 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"path/filepath"
+	"sort"
 	"strings"
 	"text/tabwriter"
+	"time"
 
 	"github.com/bishopfox/sliver/client/console"
 	"github.com/bishopfox/sliver/protobuf/sliverpb"
@@ -40,6 +43,45 @@ func LsCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	}
 
 	remotePath := ctx.Args.String("path")
+	filter := ""
+
+	/*
+		Check to see if the remote path is a filter or contains a filter.
+		If the path passes the test to be a filter, then it is a filter
+		because paths are not valid filters.
+	*/
+	if remotePath != "." {
+
+		// Check if the path contains a filter
+		// Test on a standardized version of the path (change any \ to /)
+		testPath := strings.Replace(remotePath, "\\", "/", -1)
+		/*
+			Cannot use the path or filepath libraries because the OS
+			of the client does not necessarily match the OS of the
+			implant
+		*/
+		lastSeparatorOccurence := strings.LastIndex(testPath, "/")
+
+		if lastSeparatorOccurence == -1 {
+			// Then this is only a filter
+			filter = remotePath
+			remotePath = "."
+		} else {
+			// Then we need to test for a filter on the end of the string
+
+			// The indicies should be the same because we did not change the length of the string
+			baseDir := remotePath[:lastSeparatorOccurence]
+			potentialFilter := remotePath[lastSeparatorOccurence+1:]
+
+			_, err := filepath.Match(potentialFilter, "")
+
+			if err == nil {
+				// Then we have a filter on the end of the path
+				remotePath = baseDir
+				filter = potentialFilter
+			}
+		}
+	}
 
 	ls, err := con.Rpc.Ls(context.Background(), &sliverpb.LsReq{
 		Request: con.ActiveSession.Request(ctx),
@@ -48,22 +90,92 @@ func LsCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	if err != nil {
 		con.PrintWarnf("%s\n", err)
 	} else {
-		PrintLs(ls, con)
+		PrintLs(ls, con, ctx.Flags, filter)
 	}
 }
 
 // PrintLs - Display an sliverpb.Ls object
-func PrintLs(ls *sliverpb.Ls, con *console.SliverConsoleClient) {
+func PrintLs(ls *sliverpb.Ls, con *console.SliverConsoleClient, flags grumble.FlagMap, filter string) {
 	con.Printf("%s\n", ls.Path)
 	con.Printf("%s\n", strings.Repeat("=", len(ls.Path)))
 
 	outputBuf := bytes.NewBufferString("")
 	table := tabwriter.NewWriter(outputBuf, 0, 2, 2, ' ', 0)
+
+	// Extract the flags
+	reverseSort := flags.Bool("reverse")
+	sortByTime := flags.Bool("modified")
+	sortBySize := flags.Bool("size")
+
+	/*
+		By default, name sorting is case sensitive.  Upper case entries come before
+		lower case ones.  Instead, we will level the playing field and sort
+		regardless of case
+	*/
+	if reverseSort {
+		sort.SliceStable(ls.Files, func(i, j int) bool {
+			return strings.ToLower(ls.Files[i].Name) > strings.ToLower(ls.Files[j].Name)
+		})
+	} else {
+		sort.SliceStable(ls.Files, func(i, j int) bool {
+			return strings.ToLower(ls.Files[i].Name) < strings.ToLower(ls.Files[j].Name)
+		})
+	}
+
+	/*
+		After names are sorted properly, take care of the modified time if the
+		user wants to sort by time.  Doing this after sorting by name
+		will make the time sorted entries properly sorted by name if times are equal.
+	*/
+
+	if sortByTime {
+		if reverseSort {
+			sort.SliceStable(ls.Files, func(i, j int) bool {
+				return ls.Files[i].ModTime > ls.Files[j].ModTime
+			})
+		} else {
+			sort.SliceStable(ls.Files, func(i, j int) bool {
+				return ls.Files[i].ModTime < ls.Files[j].ModTime
+			})
+		}
+	} else if sortBySize {
+		if reverseSort {
+			sort.SliceStable(ls.Files, func(i, j int) bool {
+				return ls.Files[i].Size > ls.Files[j].Size
+			})
+		} else {
+			sort.SliceStable(ls.Files, func(i, j int) bool {
+				return ls.Files[i].Size < ls.Files[j].Size
+			})
+		}
+	}
+
 	for _, fileInfo := range ls.Files {
+		if filter != "" {
+			fileMatch, err := filepath.Match(filter, fileInfo.Name)
+
+			if err != nil {
+				/*
+					This should not happen because we checked the filter
+					before reaching out to the implant.
+				*/
+				con.PrintErrorf("%s is not a valid filter: %s\n", filter, err)
+				break
+			}
+
+			if !fileMatch {
+				continue
+			}
+		}
+
+		modTime := time.Unix(fileInfo.ModTime, 0)
+		implantLocation := time.FixedZone(ls.Timezone, int(ls.TimezoneOffset))
+		modTime = modTime.In(implantLocation)
+
 		if fileInfo.IsDir {
-			fmt.Fprintf(table, "%s\t<dir>\t\n", fileInfo.Name)
+			fmt.Fprintf(table, "%s\t%s\t<dir>\t%s\n", fileInfo.Mode, fileInfo.Name, modTime.Format(time.RubyDate))
 		} else {
-			fmt.Fprintf(table, "%s\t%s\t\n", fileInfo.Name, util.ByteCountBinary(fileInfo.Size))
+			fmt.Fprintf(table, "%s\t%s\t%s\t%s\n", fileInfo.Mode, fileInfo.Name, util.ByteCountBinary(fileInfo.Size), modTime.Format(time.RubyDate))
 		}
 	}
 	table.Flush()

@@ -235,7 +235,31 @@ c2 message round trip to ensure the remote Sliver is still responding to command
 [[.Bold]]About:[[.Normal]] Kill a remote sliver process (does not delete file).`
 
 	lsHelp = `[[.Bold]]Command:[[.Normal]] ls <remote path>
-[[.Bold]]About:[[.Normal]] List remote files in current directory, or path if provided.`
+[[.Bold]]About:[[.Normal]] List remote files in current directory, or path if provided.
+
+[[.Bold]][[.Underline]]Sorting[[.Normal]]
+Directory and file listings are sorted by name in ascending order by default.  Listings can also be sorted by size (-s) and modified time (-m).  All sorts can be reversed with -r.
+
+[[.Bold]][[.Underline]]Filters[[.Normal]]
+Filters are a way to limit search results to directory and file names matching given criteria.
+
+Filters are specified after the path.  A blank path will filter on names in the current directory.  For example:
+/etc/passwd will display the listing for /etc/passwd.  "/etc/" is the path, and "passwd" is the filter.
+
+Directory and file listings can be filtered using the following patterns:
+'*': Wildcard, matches any sequence of non-path separators (slashes)
+	Example: n*.txt will match all file and directory names starting with n and ending with .txt
+
+'?': Single character wildcard, matches a single non-path separator (slashes)
+	Example: s?iver will match all file and directory names starting with s followed by any non-separator character and ending with iver.
+
+'[{range}]': Match a range of characters.  Ranges are specified with '-'. This is usually combined with other patterns. Ranges can be negated with '^'.
+	Example: [a-c] will match the characters a, b, and c.  [a-c]* will match all directory and file names that start with a, b, or c.
+		^[r-u] will match all characters except r, s, t, and u.
+
+If you need to match a special character (*, ?, '-', '[', ']', '\\'), place '\\' in front of it (example: \\?).
+On Windows, escaping is disabled. Instead, '\\' is treated as path separator.
+`
 
 	cdHelp = `[[.Bold]]Command:[[.Normal]] cd [remote path]
 [[.Bold]]About:[[.Normal]] Change working directory of the active Sliver.`

@@ -28,6 +28,7 @@ import (
 	"io/ioutil"
 	"os/exec"
 	"strings"
+	"time"
 
 	// {{if .Config.Debug}}
 	"log"
@@ -97,7 +98,8 @@ func dirListHandler(data []byte, resp RPCResponse) {
 	dir, files, err := getDirList(dirListReq.Path)
 
 	// Convert directory listing to protobuf
-	dirList := &sliverpb.Ls{Path: dir}
+	timezone, offset := time.Now().Zone()
+	dirList := &sliverpb.Ls{Path: dir, Timezone: timezone, TimezoneOffset: int32(offset)}
 	if err == nil {
 		dirList.Exists = true
 	} else {
@@ -109,6 +111,13 @@ func dirListHandler(data []byte, resp RPCResponse) {
 			Name:  fileInfo.Name(),
 			IsDir: fileInfo.IsDir(),
 			Size:  fileInfo.Size(),
+			/* Send the time back to the client / server as the number of seconds
+			since epoch.  This will decouple formatting the time to display from the
+			time itself.  We can change the format of the time displayed in the client
+			and not have to worry about having to update implants.
+			*/
+			ModTime: fileInfo.ModTime().Unix(),
+			Mode:    fileInfo.Mode().String(),
 		})
 	}