gRPC Calling Convention Simulation

[DuckSoft]

In this thread we are going to discuss the behaviour about how gRPC is (ab)using HTTP/2 Streams and Headers, and how is the exact subset of behaviour we need to become a legitimate client.

Found a documentation: https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-HTTP2.md

[DuckSoft]

The repeated sequence of Length-Prefixed-Message items is delivered in DATA frames

• Length-Prefixed-Message → Compressed-Flag Message-Length Message
• Compressed-Flag → 0 / 1 # encoded as 1 byte unsigned integer
• Message-Length → {length of Message} # encoded as 4 byte unsigned integer (big endian)
• Message → *{binary octet}

A Compressed-Flag value of 1 indicates that the binary octet sequence of Message is compressed using the mechanism declared by the Message-Encoding header. A value of 0 indicates that no encoding of Message bytes has occurred. Compression contexts are NOT maintained over message boundaries, implementations must create a new context for each message in the stream. If the Message-Encoding header is omitted then the Compressed-Flag must be 0.

So that generally means that we should put an extra header of gRPC, which generally contains a non-compressed flag (0x00), a 4-byte unsigned big-endian message length (xx xx xx xx), and following the protobuf message.

[DuckSoft]

A Working PoC:

package main

import (
	"crypto/tls"
	"golang.org/x/net/http2"
	"io"
	"log"
	"net"
	"net/http"
	"os"
	"time"
)

func main() {
	client := http.Client{
		Transport: &http2.Transport{AllowHTTP: false, DialTLS: func(network, addr string, cfg *tls.Config) (net.Conn, error) {
			return net.Dial(network, addr)
		}},
	}
	reader, writer := io.Pipe()
	req, err := http.NewRequest(http.MethodPost, "https://127.0.0.1:23333/GunService/Tun", io.NopCloser(reader))
	if err != nil {
		panic(err)
	}
	req.Header.Set("content-type", "application/grpc+proto")
	req.Header.Set("user-agent", "grpc-java/1.2.3")
	go func() {
		for {
			n, err := writer.Write([]byte{0x00, 0x00, 0x00, 0x00, 0x04, 0x0A, 0x02, 0x2E, 0x0A})
			time.Sleep(time.Second)
			log.Printf("%d written", n)
			if err != nil {
				panic(err)
			}
		}
	}()
	resp, err := client.Do(req)
	if err != nil {
		panic(err)
	}
	_, _ = io.Copy(os.Stdout, resp.Body)
}