A framework-wide vulnerability in Sliver C2 allows for an unauthenticated, remote Denial of Service by triggering Uncontrolled Memory Allocation (CWE-789 / CWE-400), leading to a process-wide Out-of-Memory (OOM) crash.
Reproduction Steps:
- Extract Credentials: Obtain the mTLS certificate and private key from a captured or generated Sliver implant.
- Edit PoC: Open mtls_poc.go and replace the placeholder values in the var block (c2Endpoint, clientCertPEM, clientKeyPEM) with your extracted credentials.
- Run the exploit against the Sliver server:
go run mtls_poc.go

The exploit abuses the socketReadEnvelope function by sending a malicious uint32 length prefix (up to 2 GiB). Because the server allocates this memory before verifying the Ed25519 signature, and yamux allows up to 128 concurrent streams, an attacker can force the server to attempt ~256 GiB of allocations near-instantaneously.
The Linux kernel's OOM killer will intervene once system memory is exhausted, resulting in a SIGKILL of the sliver-server process.
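The defensive fix for this pattern is a hard bound on the length prefix, enforced before the payload buffer is allocated rather than after the signature check. The Go code below is an added example, not Sliver's own code: the 8 MiB cap and the little-endian prefix are assumptions of the example, and the real server would still verify the Ed25519 signature on the bytes this reader returns.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// MaxEnvelopeSize caps what one envelope may claim; the value is an assumption
// for this example, not a Sliver constant, sized to the largest legitimate message.
const MaxEnvelopeSize uint32 = 8 * 1024 * 1024

var ErrEnvelopeTooLarge = errors.New("envelope length exceeds MaxEnvelopeSize")

// Frame builds a length-prefixed envelope as a client would (little-endian prefix assumed).
func Frame(payload []byte) []byte {
	out := make([]byte, 4+len(payload))
	binary.LittleEndian.PutUint32(out, uint32(len(payload)))
	copy(out[4:], payload)
	return out
}

// ReadEnvelope reads one envelope, rejecting an oversized length prefix before any
// payload buffer exists; signature verification would follow on the returned bytes.
func ReadEnvelope(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, fmt.Errorf("read length prefix: %w", err)
	}
	n := binary.LittleEndian.Uint32(hdr[:])
	if n > MaxEnvelopeSize {
		// An unauthenticated peer controls n, so this check must precede make([]byte, n).
		return nil, ErrEnvelopeTooLarge
	}
	buf := make([]byte, n)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, fmt.Errorf("read %d-byte envelope: %w", n, err)
	}
	return buf, nil
}

func main() {
	// Constructed inputs: a legitimate 5-byte frame and a bare header claiming ~2 GiB.
	_, goodErr := ReadEnvelope(bytes.NewReader(Frame([]byte("hello"))))
	_, badErr := ReadEnvelope(bytes.NewReader([]byte{0xff, 0xff, 0xff, 0x7f}))
	fmt.Println("legitimate frame:", goodErr, "| malicious prefix:", badErr)
}
```

The per-stream cap is only half of the budget: with yamux permitting up to 128 streams per connection, the server's worst-case memory per peer is 128 times MaxEnvelopeSize, so the cap and the stream limit should be chosen together.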
You can verify this by checking the server status:
sudo dmesg | grep -i "kill"
systemctl status sliver

Official Advisory: GHSA-97vp-pwqj-46qc
Free Palestine
