Dliv3 / Venom

Venom - A Multi-hop Proxy for Penetration Testers

When an interactive shell is open, an abnormal exit of the victim node deadlocks the admin node

EddieIvan01 opened this issue · comments

commented

Hey, thanks for the tool, it's really nice.
I ran into a few small bugs while using it.

ENV:
admin node: Windows
victim node: Windows

(admin node) >>>
[+]Remote connection:  127.0.0.1:6754
[+]A new node connect to admin node success
(admin node) >>> shell
you should select node first
(admin node) >>> goto 1
node 1
(node 1) >>> shell
You can execute commands in this shell :D, 'exit' to exit.
Microsoft Windows [Version 10.0.17134.765]
(c) 2018 Microsoft Corporation。保留所有权利。

E:\GoWorkplace\src\github.com\Dliv3\Venom\agent>ls
ls
agent.exe
agent.go
cli
dispather
init

E:\GoWorkplace\src\github.com\Dliv3\Venom\agent>node disconnect:  read tcp 127.0.0.1:4444->127.0.0.1:6754: wsarecv: An existing connection was forcibly closed by the remote host.
Ctrl-C
Ctrl-C
Ctrl-C
Ctrl-C

After the victim closes the TCP connection, the admin node hangs. After digging in I found it's because the communication channel blocks:

if shellPacketRet.Success == 1 {
		c := make(chan bool, 2)
		go CopyStdin2Node(os.Stdin, peerNode, c)
		go CopyNode2Stdout(peerNode, os.Stdout, c)
		<-c
		<-c
...



func CopyNode2Stdout(input *node.Node, output io.Writer, c chan bool) {
	for {
		var packetHeader protocol.PacketHeader
		var shellPacketRet protocol.ShellPacketRet
		err := node.CurrentNode.CommandBuffers[protocol.SHELL].ReadPacket(&packetHeader, &shellPacketRet)
...



func (buffer *Buffer) ReadLowLevelPacket() (protocol.Packet, error) {
	packet := <-buffer.Chan
	// blocking here

I tried to fix this bug and have submitted PR #2


I also added node 0 to the goto command, bound to the admin node. Scenario: when a victim node exits, the prompt keeps showing (node 1); you can use goto 0 to jump back to (node admin). Still, I'd suggest updating the prompt dynamically from the routing table in the future.
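The blocking receive described above, illustrated with an added Go example that is not Venom's own code (the Buffer, done channel and helper names are assumptions). It contrasts the original shape of the read with one that selects on a separate done channel closed by the connection handler, so a disconnect surfaces as an error in the shell loop instead of a hang, and buffered output is still delivered first.

```go
package main
import (
	"errors"
	"sync"
	"time"
)
// ErrDisconnected is what the shell loop receives once the peer is gone.
var ErrDisconnected = errors.New("node disconnected")
// Buffer is a constructed stand-in for a per-command packet queue (hypothetical, not Venom's).
type Buffer struct {
	Chan chan []byte   // packets arriving from the peer node
	done chan struct{} // closed exactly once when the peer disconnects
	once sync.Once
}
func NewBuffer() *Buffer {
	return &Buffer{Chan: make(chan []byte, 8), done: make(chan struct{})}
}
// Close is what the connection handler calls on disconnect. Closing a separate done
// channel, not Chan (a sender may still hold it), is idempotent and wakes every reader.
func (b *Buffer) Close() { b.once.Do(func() { close(b.done) }) }
// ReadPacketBlocking reproduces the reported hang: nothing can cancel the receive.
func (b *Buffer) ReadPacketBlocking() []byte { return <-b.Chan }
// ReadPacket is the hardened form: buffered output is delivered first, then a
// disconnect surfaces as an error instead of blocking forever.
func (b *Buffer) ReadPacket() ([]byte, error) {
	select {
	case p := <-b.Chan: // non-blocking first pass so a late Close drops nothing
		return p, nil
	default:
	}
	select {
	case p := <-b.Chan:
		return p, nil
	case <-b.done:
		return nil, ErrDisconnected
	}
}
// ReturnsWithin reports whether f finishes before d elapses.
func ReturnsWithin(f func(), d time.Duration) bool {
	ch := make(chan struct{})
	go func() { f(); close(ch) }()
	select {
	case <-ch:
		return true
	case <-time.After(d):
		return false
	}
}
```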

commented

Thank you very much for the issue and the fix you submitted, but since the fix isn't portable (it doesn't work on Mac/Linux), I fixed the problem myself. Very glad you're helping to improve the project.

commented

Fixed this issue in commit 3203f59: after the agent node disconnects, admin can still leave the shell with exit.

commented

Sorry, I didn't test on *nix; I just tried it and it indeed doesn't work. Your fix is very nice, learned something. After yesterday it occurred to me that forcibly closing the channel the way I did might have side effects when multiple shells run concurrently orz