Obfuscation Broken When Cross-compiling to MacOS from Linux #147

Closed
moloch-- opened this issue Feb 1, 2020 · 4 comments
Labels
bug Something isn't working


Member

moloch-- commented Feb 1, 2020

Describe the bug

Cross-platform obfuscated builds targeting MacOS from Linux fail; however, obfuscation works when building MacOS from MacOS.

To Reproduce

From a Linux server, cross-compile a MacOS implant with the following command:

generate --mtls example.com --os mac

Produces error:

[*] This process can take awhile, and consumes significant amounts of CPU/Memory
 ⠧  Compiling, please wait .../root/.sliver/go/src/net/cgo_bsd.go:15:72: could not determine kind of name for C.AI_MASK
gcc: error: unrecognized command line option '-mmacosx-version-min=10.10'
cgo failed: [go tool cgo -objdir /tmp/crypto_x509_C315139881 -- -I /tmp/crypto_x509_C315139881 -mmacosx-version-min=10.10 -D__MAC_OS_X_VERSION_MAX_ALLOWED=101300 root_cgo_darwin.go]: exit status 1
 ⠇  Compiling, please wait ...cgo failed: [go tool cgo -objdir /tmp/net_C495415922 -- -I /tmp/net_C495415922 cgo_bsd.go cgo_resnew.go cgo_sockold.go cgo_unix.go]: exit status 1

Desktop (please complete the following information):

  • OS: Linux
  • Version v0.0.7 7f2ddcf1a7c743e485f8778c9d892eb9dac05dfc

moloch-- added the bug label Feb 1, 2020


m3ldis commented Jun 11, 2020

For those who come across this, I've found a temporary workaround to be setting up a sliver server on a mac and copying ~/.sliver/nouns.txt, adjectives.txt, and certs/* from the linux server to ~/.sliver on the mac. The mac's server will use the same cert as your main server so the generated binaries will connect to the linux server correctly.

Member Author

moloch-- commented Jun 11, 2020

The main thing you need to copy over to ensure compatibility are the CA certificates; in order to help facilitate this, I added an export-ca option to the CLI in v1.0.3 or later. However, copying ~/.sliver/certs should continue to work just fine as well.

CLI Example

./sliver-server export-ca --type implant --save /Users/moloch/Desktop/

These can be copied over to another machine and you can import them using the CLI:

./sliver-server import-ca --type implant --load /Users/moloch/Desktop/implant.ca

In the future we also plan to support "Remote Builders" to help solve this problem as it's unlikely the core utilities for cross-compiling will vastly improve anytime soon.

Warning: These .ca files contain the private keys used to secure C2 traffic, handle with care!

Additional details available via help:

./sliver-server export-ca --help
./sliver-server import-ca --help

I'll also add these details to a wiki article, thanks @clhefton


mubix commented Dec 2, 2020

Just ran into this, and if you drop the symbol obfuscation it works:

Error With

sliver > generate --http 192.168.1.100 --os mac

[*] Generating new darwin/amd64 implant binary
[*] Symbol obfuscation is enabled.
[*] This process can take awhile, and consumes significant amounts of CPU/Memory
 ⠴  Compiling, please wait ...gcc: error: unrecognized command line option '-mmacosx-version-min=10.11'
cgo failed: [go tool cgo -objdir /tmp/crypto_x509_C779275398 -- -I /tmp/crypto_x509_C779275398 -mmacosx-version-min=10.11 root_cgo_darwin_amd64.go]: exit status 1
 ⠧  Compiling, please wait .../root/.sliver/go/src/net/cgo_bsd.go:15:72: could not determine kind of name for C.AI_MASK
cgo failed: [go tool cgo -objdir /tmp/net_C194214659 -- -I /tmp/net_C194214659 cgo_bsd.go cgo_resnew.go cgo_sockold.go cgo_unix.go]: exit status 1
[!] rpc error: code = Unknown desc = package move: couldn't load packages due to errors: crypto/x509, net

Works without

sliver > generate -b --http 192.168.1.100 --os mac

[*] Generating new darwin/amd64 implant binary
[!] Symbol obfuscation is disabled
[*] Build completed in 00:00:06
[*] Implant saved to /tmp/artifacts/linux/STATIC_TRENCH

Member Author

moloch-- commented Mar 6, 2021

The switch to garble (currently in stage branch) fixes this issue to the best of our ability. To compile anything that requires CGO we still need the MacOS SDK (e.g. OSX Cross).
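
An added example, not part of the thread or of Sliver's code: a small Python triage over the build output quoted in this issue that reports which compiler rejected which flag and which packages failed in cgo. The `triage` function, its result keys and the objdir-to-package mapping are assumptions inferred from the paths in these logs.

```python
import re

# Constructed sample: build output as quoted in this thread (spinner text included).
SAMPLE_LOG = """\
[*] Symbol obfuscation is enabled.
 ⠴  Compiling, please wait ...gcc: error: unrecognized command line option '-mmacosx-version-min=10.11'
cgo failed: [go tool cgo -objdir /tmp/crypto_x509_C779275398 -- -I /tmp/crypto_x509_C779275398 -mmacosx-version-min=10.11 root_cgo_darwin_amd64.go]: exit status 1
 ⠧  Compiling, please wait .../root/.sliver/go/src/net/cgo_bsd.go:15:72: could not determine kind of name for C.AI_MASK
cgo failed: [go tool cgo -objdir /tmp/net_C194214659 -- -I /tmp/net_C194214659 cgo_bsd.go cgo_resnew.go cgo_sockold.go cgo_unix.go]: exit status 1
[!] rpc error: code = Unknown desc = package move: couldn't load packages due to errors: crypto/x509, net
"""

BAD_FLAG = re.compile(r"(\w[\w.+-]*): error: unrecognized command line option '([^']+)'")
CGO_FAIL = re.compile(r"cgo failed: \[go tool cgo -objdir (\S+)")
PKG_LIST = re.compile(r"couldn't load packages due to errors: (.+)$")


def triage(log: str) -> dict:
    """Summarise a failed build log: rejected compiler flags and failing cgo packages."""
    result = {"rejected_flags": [], "cgo_packages": [], "needs_darwin_cc": False}
    for line in log.splitlines():
        if m := BAD_FLAG.search(line):
            # (compiler, flag), e.g. ("gcc", "-mmacosx-version-min=10.11")
            result["rejected_flags"].append((m.group(1), m.group(2)))
        if m := CGO_FAIL.search(line):
            # Heuristic (assumption): objdir is /tmp/<import path with '/' as '_'>_C<digits>
            name = re.sub(r"_C\d+$", "", m.group(1).rsplit("/", 1)[-1])
            pkg = name.replace("_", "/")
            if pkg not in result["cgo_packages"]:
                result["cgo_packages"].append(pkg)
        if m := PKG_LIST.search(line):
            # The explicit package list, when present, overrides the heuristic.
            result["cgo_packages"] = [p.strip() for p in m.group(1).split(",")]
    # A rejected macOS target flag means the C compiler in use cannot target darwin.
    result["needs_darwin_cc"] = any(
        flag.startswith("-mmacosx-version-min") for _, flag in result["rejected_flags"]
    )
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```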
