Merge pull request #624 from BishopFox/fix/stage_encryption

Refactoring of client side crypto code
BishopFox · Mar 9, 2022 · f4fcbd9 · f4fcbd9
2 parents 0040473 + 3c86431
commit f4fcbd9
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 43 deletions.
diff --git a/client/command/jobs/stage.go b/client/command/jobs/stage.go
@@ -25,8 +25,8 @@ import (
 
 	"github.com/bishopfox/sliver/client/command/generate"
 	"github.com/bishopfox/sliver/client/console"
-	"github.com/bishopfox/sliver/client/prelude/util"
 	"github.com/bishopfox/sliver/protobuf/clientpb"
+	"github.com/bishopfox/sliver/util"
 	"github.com/desertbit/grumble"
 )
 
@@ -89,7 +89,7 @@ func StageListenerCmd(ctx *grumble.Context, con *console.SliverConsoleClient) {
 	}
 
 	if aesEncrypt {
-		stage2 = util.EncryptStage(stage2, aesEncryptKey, aesEncryptIv)
+		stage2 = util.Encrypt(stage2, []byte(aesEncryptKey), []byte(aesEncryptIv))
 	}
 
 	switch stagingURL.Scheme {

diff --git a/client/prelude/bridge.go b/client/prelude/bridge.go
@@ -21,6 +21,7 @@ package prelude
 import (
 	"bufio"
 	"context"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -29,11 +30,11 @@ import (
 	"strings"
 	"time"
 
-	"github.com/bishopfox/sliver/client/prelude/util"
 	"github.com/bishopfox/sliver/protobuf/clientpb"
 	"github.com/bishopfox/sliver/protobuf/commonpb"
 	"github.com/bishopfox/sliver/protobuf/rpcpb"
 	"github.com/bishopfox/sliver/protobuf/sliverpb"
+	"github.com/bishopfox/sliver/util"
 )
 
 const (
@@ -73,7 +74,8 @@ func (a *OperatorImplantBridge) register() {
 	if err != nil {
 		return
 	}
-	dataBuff := append(util.Encrypt(data), "\n"...)
+	encrypted := util.Encrypt(data, []byte(a.Config.AESKey), nil)
+	dataBuff := append([]byte(fmt.Sprintf("%x", encrypted)), "\n"...)
 	(*a.Conn).Write(dataBuff)
 }
 
@@ -82,7 +84,8 @@ func (a *OperatorImplantBridge) ReceiveLoop() {
 	go func() {
 		for {
 			data := <-a.send
-			dataBuff := append(util.Encrypt(data), "\n"...)
+			encrypted := util.Encrypt(data, []byte(a.Config.AESKey), nil)
+			dataBuff := append([]byte(fmt.Sprintf("%x", encrypted)), "\n"...)
 			(*a.Conn).Write(dataBuff)
 			time.Sleep(time.Duration(a.PBeacon.Sleep))
 		}
@@ -98,7 +101,11 @@ func (a *OperatorImplantBridge) ReceiveLoop() {
 
 func (a *OperatorImplantBridge) handleMessage(message string) {
 	var tempBeacon OperatorBeacon
-	if err := json.Unmarshal([]byte(util.Decrypt(message)), &tempBeacon); err == nil {
+	decoded, err := hex.DecodeString(message)
+	if err != nil {
+		return
+	}
+	if err := json.Unmarshal(util.Decrypt(decoded, []byte(a.Config.AESKey)), &tempBeacon); err == nil {
 		a.PBeacon.Links = a.PBeacon.Links[:0]
 		a.runLinks(&tempBeacon)
 	}

diff --git a/client/prelude/prelude.go b/client/prelude/prelude.go
@@ -124,7 +124,6 @@ func (p *OperatorImplantMapper) AddImplant(a ActiveImplant, callback func(string
 		Executing: make(map[string]Instruction),
 		Sleep:     int(sleepTime),
 	}
-	util.EncryptionKey = &agentConfig.AESKey
 	bridge := NewImplantBridge(&conn, a, p.conf.RPC, beacon, agentConfig, callback)
 	p.Lock()
 	p.implantBridges = append(p.implantBridges, bridge)

diff --git a/client/prelude/util/crypto.go → util/cryptography.go b/client/prelude/util/crypto.go → util/cryptography.go
@@ -22,61 +22,43 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
-	"encoding/hex"
 	"errors"
-	"fmt"
 	"io"
 )
 
-var EncryptionKey *string
-
 //Encrypt the results
-func Encrypt(bites []byte) []byte {
-	plainText, err := pad(bites, aes.BlockSize)
+func Encrypt(data []byte, key []byte, iv []byte) []byte {
+	plainText, err := pad(data, aes.BlockSize)
 	if err != nil {
 		return make([]byte, 0)
 	}
-	block, _ := aes.NewCipher([]byte(*EncryptionKey))
+	block, _ := aes.NewCipher(key)
 	cipherText := make([]byte, aes.BlockSize+len(plainText))
-	iv := cipherText[:aes.BlockSize]
-	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
-		return make([]byte, 0)
+	// Create a random IV if none was provided
+	// len(nil) returns 0
+	if len(iv) == 0 {
+		iv = cipherText[:aes.BlockSize]
+		if _, err := io.ReadFull(rand.Reader, iv); err != nil {
+			return make([]byte, 0)
+		}
 	}
 	mode := cipher.NewCBCEncrypter(block, iv)
 	mode.CryptBlocks(cipherText[aes.BlockSize:], plainText)
-	return []byte(fmt.Sprintf("%x", cipherText))
-}
-
-func EncryptStage(bites []byte, AESKey string, AESIV string) []byte {
-	bites, err := pad(bites, aes.BlockSize)
-	if err != nil {
-		return make([]byte, 0)
-	}
-
-	aesKeyBytes := []byte(AESKey)
-	aesIVBytes := []byte(AESIV)
-
-	block, _ := aes.NewCipher(aesKeyBytes)
-	cipherText := make([]byte, aes.BlockSize+len(bites))
-	mode := cipher.NewCBCEncrypter(block, aesIVBytes)
-	mode.CryptBlocks(cipherText, bites)
-
 	return cipherText
 }
 
 //Decrypt a command
-func Decrypt(text string) string {
-	cipherText, _ := hex.DecodeString(text)
-	block, err := aes.NewCipher([]byte(*EncryptionKey))
+func Decrypt(data []byte, key []byte) []byte {
+	block, err := aes.NewCipher(key)
 	if err != nil {
-		return ""
+		return nil
 	}
-	iv := cipherText[:aes.BlockSize]
-	cipherText = cipherText[aes.BlockSize:]
+	iv := data[:aes.BlockSize]
+	data = data[aes.BlockSize:]
 	mode := cipher.NewCBCDecrypter(block, iv)
-	mode.CryptBlocks(cipherText, cipherText)
-	cipherText, _ = unpad(cipherText, aes.BlockSize)
-	return string(cipherText)
+	mode.CryptBlocks(data, data)
+	data, _ = unpad(data, aes.BlockSize)
+	return data
 }
 
 func pad(buf []byte, size int) ([]byte, error) {