Merged master

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.19.1
+FROM golang:1.19.2
 
 #
 # IMPORTANT: This Dockerfile is used for testing, I do not recommend deploying

client/command/commands.go

@@ -1208,6 +1208,8 @@ func BindCommands(con *console.SliverConsoleClient) {
 			a.Uint("pid", "pid")
 		},
 		Flags: func(f *grumble.Flags) {
+			f.Bool("S", "disable-sgn", true, "disable shikata ga nai shellcode encoder")
+
 			f.Int("t", "timeout", defaultTimeout, "command timeout in seconds")
 		},
 		HelpGroup: consts.SliverWinHelpGroup,
@@ -1297,6 +1299,9 @@ func BindCommands(con *console.SliverConsoleClient) {
 			f.String("P", "password", "", "SSH user password")
 			f.String("l", "login", "", "username to use to connect")
 			f.Bool("s", "skip-loot", false, "skip the prompt to use loot credentials")
+			f.String("c", "kerberos-config", "/etc/krb5.conf", "path to remote Kerberos config file")
+			f.String("k", "kerberos-keytab", "", "path to Kerberos keytab file")
+			f.String("r", "kerberos-realm", "", "Kerberos realm")
 		},
 		Run: func(ctx *grumble.Context) error {
 			con.Println()

client/command/exec/execute-assembly.go

@@ -20,7 +20,7 @@ package exec
 
 import (
 	"context"
-	"io/ioutil"
+	"os"
 	"path/filepath"
 	"strings"
 
@@ -50,7 +50,7 @@ func ExecuteAssemblyCmd(ctx *grumble.Context, con *console.SliverConsoleClient)
 			return
 		}
 	}
-	assemblyBytes, err := ioutil.ReadFile(assemblyPath)
+	assemblyBytes, err := os.ReadFile(assemblyPath)
 	if err != nil {
 		con.PrintErrorf("%s", err.Error())
 		return

client/command/exec/execute-shellcode.go

@@ -23,7 +23,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"log"
 	"os"
 
@@ -52,7 +51,7 @@ func ExecuteShellcodeCmd(ctx *grumble.Context, con *console.SliverConsoleClient)
 	}
 	pid := ctx.Flags.Uint("pid")
 	shellcodePath := ctx.Args.String("filepath")
-	shellcodeBin, err := ioutil.ReadFile(shellcodePath)
+	shellcodeBin, err := os.ReadFile(shellcodePath)
 	if err != nil {
 		con.PrintErrorf("%s\n", err.Error())
 		return
@@ -82,7 +81,7 @@ func ExecuteShellcodeCmd(ctx *grumble.Context, con *console.SliverConsoleClient)
 			Data:         shellcodeBin,
 		})
 		if err != nil {
-			con.PrintErrorf("%s\n", err.Error())
+			con.PrintErrorf("%s\n", err)
 			return
 		}
 		oldSize := len(shellcodeBin)

client/command/exec/execute.go

@@ -18,7 +18,6 @@ package exec
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -242,7 +241,7 @@ func SaveExecutionOutput(executionOutput string, commandName string, hostName st
 
 	outFileName := filepath.Base(fmt.Sprintf("%s_%s_%s*.log", commandName, hostName, timeNow))
 
-	outFilePath, err = ioutil.TempFile("", outFileName)
+	outFilePath, err = os.CreateTemp("", outFileName)
 
 	if err != nil {
 		con.PrintErrorf("%s\n", err)

client/command/exec/migrate.go

@@ -3,14 +3,17 @@ package exec
 /*
 	Sliver Implant Framework
 	Copyright (C) 2019  Bishop Fox
+
 	This program is free software: you can redistribute it and/or modify
 	it under the terms of the GNU General Public License as published by
 	the Free Software Foundation, either version 3 of the License, or
 	(at your option) any later version.
+
 	This program is distributed in the hope that it will be useful,
 	but WITHOUT ANY WARRANTY; without even the implied warranty of
 	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 	GNU General Public License for more details.
+
 	You should have received a copy of the GNU General Public License
 	along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
@@ -33,12 +36,19 @@ func MigrateCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 
 	pid := ctx.Args.Uint("pid")
 	config := con.GetActiveSessionConfig()
+	encoder := clientpb.ShellcodeEncoder_SHIKATA_GA_NAI
+	if ctx.Flags.Bool("disable-sgn") {
+		encoder = clientpb.ShellcodeEncoder_NONE
+	}
+
 	ctrl := make(chan bool)
 	con.SpinUntil(fmt.Sprintf("Migrating into %d ...", pid), ctrl)
+
 	migrate, err := con.Rpc.Migrate(context.Background(), &clientpb.MigrateReq{
 		Pid:     uint32(pid),
 		Config:  config,
 		Request: con.ActiveTarget.Request(ctx),
+		Encoder: encoder,
 	})
 	ctrl <- true
 	<-ctrl

client/command/exec/psexec.go

@@ -21,17 +21,19 @@ package exec
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
-	insecureRand "math/rand"
+	"os"
 	"strings"
 	"time"
 
+	insecureRand "math/rand"
+
 	"github.com/bishopfox/sliver/client/command/generate"
 	"github.com/bishopfox/sliver/client/command/settings"
 	"github.com/bishopfox/sliver/client/console"
 	"github.com/bishopfox/sliver/protobuf/clientpb"
 	"github.com/bishopfox/sliver/protobuf/commonpb"
 	"github.com/bishopfox/sliver/protobuf/sliverpb"
+	"github.com/bishopfox/sliver/server/codenames"
 	"github.com/bishopfox/sliver/util/encoders"
 	"github.com/desertbit/grumble"
 )
@@ -93,15 +95,15 @@ func PsExecCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 		serviceBinary, _ = generate.GetSliverBinary(implantProfile, con)
 	} else {
 		// use a custom exe instead of generating a new Sliver
-		fileBytes, err := ioutil.ReadFile(customExe)
+		fileBytes, err := os.ReadFile(customExe)
 		if err != nil {
 			con.PrintErrorf("Error reading custom executable '%s'\n", customExe)
 			return
 		}
 		serviceBinary = fileBytes
 	}
 
-	filename := randomString(10)
+	filename := randomFileName()
 	filePath := fmt.Sprintf("%s\\%s.exe", uploadPath, filename)
 	uploadGzip := new(encoders.Gzip).Encode(serviceBinary)
 	// upload to remote target
@@ -172,11 +174,28 @@ func PsExecCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	con.PrintInfof("Successfully removed service %s on %s\n", serviceName, hostname)
 }
 
-func randomString(length int) string {
-	var charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
-	b := make([]byte, length)
-	for i := range b {
-		b[i] = charset[insecureRand.Intn(len(charset))]
+func randomFileName() string {
+	noun, _ := codenames.RandomNoun()
+	noun = strings.ToLower(noun)
+	switch insecureRand.Intn(3) {
+	case 0:
+		noun = strings.ToUpper(noun)
+	case 1:
+		noun = strings.ToTitle(noun)
+	}
+
+	separators := []string{"", "", "", "", "", ".", "-", "_", "--", "__"}
+	sep := separators[insecureRand.Intn(len(separators))]
+
+	alphanumeric := "abcdefghijklmnopqrstuvwxyz0123456789"
+	prefix := ""
+	for index := 0; index < insecureRand.Intn(3); index++ {
+		prefix += string(alphanumeric[insecureRand.Intn(len(alphanumeric))])
 	}
-	return string(b)
+	suffix := ""
+	for index := 0; index < insecureRand.Intn(6)+1; index++ {
+		suffix += string(alphanumeric[insecureRand.Intn(len(alphanumeric))])
+	}
+
+	return fmt.Sprintf("%s%s%s%s%s", prefix, sep, noun, sep, suffix)
 }

client/command/exec/sideload.go

@@ -21,7 +21,7 @@ package exec
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"path/filepath"
 	"strings"
 
@@ -45,7 +45,7 @@ func SideloadCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	processName := ctx.Flags.String("process")
 	args := strings.Join(ctx.Args.StringList("args"), " ")
 
-	binData, err := ioutil.ReadFile(binPath)
+	binData, err := os.ReadFile(binPath)
 	if err != nil {
 		con.PrintErrorf("%s", err.Error())
 		return

client/command/exec/spawndll.go

@@ -1,9 +1,27 @@
 package exec
 
+/*
+	Sliver Implant Framework
+	Copyright (C) 2019  Bishop Fox
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	You should have received a copy of the GNU General Public License
+	along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
+	"os"
 	"strings"
 
 	"github.com/bishopfox/sliver/client/console"
@@ -24,7 +42,7 @@ func SpawnDllCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	processName := ctx.Flags.String("process")
 	exportName := ctx.Flags.String("export")
 
-	binData, err := ioutil.ReadFile(binPath)
+	binData, err := os.ReadFile(binPath)
 	if err != nil {
 		con.PrintErrorf("%s\n", err)
 		return

client/command/exec/ssh.go

@@ -1,8 +1,26 @@
 package exec
 
+/*
+	Sliver Implant Framework
+	Copyright (C) 2019  Bishop Fox
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
+
+	You should have received a copy of the GNU General Public License
+	along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
 import (
 	"context"
-	"io/ioutil"
+	"os"
 	"strings"
 
 	"github.com/AlecAivazis/survey/v2"
@@ -31,9 +49,9 @@ func SSHCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	}
 
 	port := ctx.Flags.Uint("port")
-	privateKeypath := ctx.Flags.String("private-key")
-	if privateKeypath != "" {
-		privKey, err = ioutil.ReadFile(privateKeypath)
+	privateKeyPath := ctx.Flags.String("private-key")
+	if privateKeyPath != "" {
+		privKey, err = os.ReadFile(privateKeyPath)
 		if err != nil {
 			con.PrintErrorf("%s\n", err)
 			return
@@ -43,6 +61,19 @@ func SSHCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 
 	hostname := ctx.Args.String("hostname")
 	command := ctx.Args.StringList("command")
+	kerberosRealm := ctx.Flags.String("kerberos-realm")
+	kerberosConfig := ctx.Flags.String("kerberos-config")
+	kerberosKeytabFile := ctx.Flags.String("kerberos-keytab")
+
+	if kerberosRealm != "" && kerberosKeytabFile == "" {
+		con.PrintErrorf("You must specify a keytab file with the --kerberos-keytab flag\n")
+		return
+	}
+	kerberosKeytab, err := os.ReadFile(kerberosKeytabFile)
+	if err != nil {
+		con.PrintErrorf("%s\n", err)
+		return
+	}
 
 	if password == "" && len(privKey) == 0 && !ctx.Flags.Bool("skip-loot") {
 		oldUsername := username
@@ -59,6 +90,9 @@ func SSHCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 		PrivKey:  privKey,
 		Password: password,
 		Command:  strings.Join(command, " "),
+		Realm:    kerberosRealm,
+		Krb5Conf: kerberosConfig,
+		Keytab:   kerberosKeytab,
 		Request:  con.ActiveTarget.Request(ctx),
 	})
 	if err != nil {

go-assets.sh

@@ -20,8 +20,8 @@ set -e
 
 # Creates the static go asset archives
 
-GO_VER="1.19.1"
-GARBLE_VER="1.19.2"
+GO_VER="1.19.2"
+GARBLE_VER="1.19.3"
 SGN_VER="0.0.3"
 
 GO_ARCH_1="amd64"