Blocking backticks from user agent strings in the config so that we c…

…an support other characters that would normally need to be escaped.
BishopFox · Nov 2, 2023 · c1d1bf7 · c1d1bf7
1 parent d46e43d
commit c1d1bf7
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/implant/sliver/transports/httpclient/httpclient.go b/implant/sliver/transports/httpclient/httpclient.go
@@ -48,7 +48,7 @@ import (
 var (
 	goHTTPDriver = "go"
 
-	userAgent      = {{printf "%q" GenerateUserAgent}}
+	userAgent      = `{{GenerateUserAgent}}`
 	nonceQueryArgs = "{{.HTTPC2ImplantConfig.NonceQueryArgs}}" // "abcdefghijklmnopqrstuvwxyz"
 
 	ErrClosed                             = errors.New("http session closed")

diff --git a/server/configs/http-c2.go b/server/configs/http-c2.go
@@ -394,6 +394,7 @@ var (
 	ErrTooFewSessionFiles         = errors.New("implant config must specify at least one session_files value")
 	ErrNonuniqueFileExt           = errors.New("implant config must specify unique file extensions")
 	ErrQueryParamNameLen          = errors.New("implant config url query parameter names must be 3 or more characters")
+	ErrUserAgentIllegalCharacters = errors.New("user agent cannot contain the ` character")
 
 	fileNameExp = regexp.MustCompile(`[^a-zA-Z0-9\\._-]+`)
 )
@@ -536,5 +537,17 @@ func checkImplantConfig(config *HTTPC2ImplantConfig) error {
 		}
 	}
 
+	/*
+		User agent
+
+		Do not allow backticks in user agents because that breaks compilation of the
+		implant.
+	*/
+	if strings.Index(config.UserAgent, "`") != -1 {
+		// Blank out the user agent so that a default one will be filled in later
+		config.UserAgent = ""
+		return ErrUserAgentIllegalCharacters
+	}
+
 	return nil
 }