-
-
Notifications
You must be signed in to change notification settings - Fork 243
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UDP crash #21
Comments
i've forgotten the most important part...... goroutine 76 [running]: |
That's a weird issue. Maybe related to Gvisor bufferv2 changes. Right now, I recommend using the 0.3.3 release (https://github.com/nicocha30/ligolo-ng/releases/tag/v0.3.3), I will investigate this issue. |
@nicocha30 I've spent a few hours trying to hunt this down. It looks like the panic happens because the UDP forwarder endpoint tried to read the network header from the UDP packet buffer, but it is not set. Do you know where the UDP packet is created in the code after being decoded from the ligolo-ng protocol envelope? |
Hi @AdnaneKhan , thanks for trying to hunt this issue! All the logic is done in the HandlePacket function https://github.com/nicocha30/ligolo-ng/blob/master/pkg/proxy/netstack/handlers.go#L65 What is strange is that it worked with the previous version of Gvisor (the one used with Ligolo-ng v0.3.3). |
I'm noticing that while the Windows proxy code has a call to The actual call to create the PacketBuffer happens within that code, right? I'm wondering if that code expects the data to be in a particular format to create the packet with the correct NetworkHeader |
I added the following "hack" to
Essentially I am forcing the PktBufferPtr out of the request struct, and incrementing the reference count. This means that somewhere in the code, the reference count is going to 0, and the packet's buffer is no longer valid. The puzzling part is that this isn't handled by ligolo-code, but instead the gvisor fdbased code. |
@AdnaneKhan can U tell please more about you patch.. I'm confused about *stack.PacketBufferPtr - there is no such var in stack.go. Maybe U mean *stack.PacketBuffer ?? |
@virusvfv stack.PacketBufferPtr refers to the PacketBufferPtr object defined in https://github.com/google/gvisor/blob/master/pkg/tcpip/stack/packet_buffer.go, within the You might have to update the memory offset, since the 56 was on my 64-bit system to get to the pointer within the struct. |
Ok. this works in may case (proxy in Linux x64). @AdnaneKhan Thanks.
@nicocha30 I think U can update your gvisor-ligolo repo with this patch... |
Might be related: @virusvfv @AdnaneKhan have you tested this code on other platforms? |
Tried with the latest gvisor go branch, same issue.
|
@nicocha30 The "hack" code? No, just Linux x64. It definitely would need to be improved in order to be more generic (also not sure if the struct size would be different in case of ipv6, etc.) I think the logic would need to be:
Of course, this avoids the question of why the reference count is off in the first place. It works for TCP, so it makes me think that there is some behavior where the underlying gvisor code is freeing that UDP forwarder request and, as a result, the packet buffer after the ligolo code encodes the data and sends it to agent. |
I made a PR with the "temporary fix" that should prevent the crash until the root cause can be identified and fixed. #28 |
Hey, looks like gvisor may have fixed the issue: |
I released v0.4.2 which fix the issue, thanks a lot @AdnaneKhan and @virusvfv for hunting this issue. |
Wow, this is awesome; pretty cool that Google fixed it! |
hello it seems that UDP issue still crashes server.
to reproduce, try any udp connection (nmap, nc, etc..) through ligolo
The text was updated successfully, but these errors were encountered: