infosecn1nja
/
Empire
mirror of https://github.com/infosecn1nja/Empire.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix for 'skywalker' file overwrite exploit on control server. 

Thank you to @zeroSteiner for the disclosure!
1.6
Harmj0y 2015-09-21 22:32:46 -04:00
parent ed8c476f43
commit 9079a54119
3 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
changelog
View File

@ -1,3 +1,7 @@
9/21/2015
---------
-Fix for 'skywalker' file overwrite exploit on control server (thanks @zeroSteiner!)
9/12/2015 9/12/2015
--------- ---------
-Added credentials/mimikatz/mimitokens to take advantage of Mimikatz' token listing/elevation -Added credentials/mimikatz/mimitokens to take advantage of Mimikatz' token listing/elevation

14
lib/common/agents.py
View File

@ -195,6 +195,12 @@ class Agents:
savePath = self.installPath + "/downloads/"+str(sessionID)+"/" + "/".join(parts[0:-1]) savePath = self.installPath + "/downloads/"+str(sessionID)+"/" + "/".join(parts[0:-1])
filename = parts[-1] filename = parts[-1]
# fix for 'skywalker' exploit by @zeroSteiner
if not os.path.abspath(savePath+"/"+filename).startswith(self.installPath):
dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" %(sessionID), sender="Agents")
dispatcher.send("[!] attempted overwrite of %s with data %s" %(path, data), sender="Agents")
return
# make the recursive directory structure if it doesn't already exist # make the recursive directory structure if it doesn't already exist
if not os.path.exists(savePath): if not os.path.exists(savePath):
os.makedirs(savePath) os.makedirs(savePath)
@ -210,7 +216,7 @@ class Agents:
f.close() f.close()
# notify everyone that the file was downloaded # notify everyone that the file was downloaded
dispatcher.send("[+] Part of file "+filename+" from "+str(sessionID)+" saved", sender="Agents") dispatcher.send("[+] Part of file %s from %s saved" %(filename, sessionID), sender="Agents")
def save_module_file(self, sessionID, path, data): def save_module_file(self, sessionID, path, data):
@ -227,6 +233,12 @@ class Agents:
savePath = self.installPath + "/downloads/"+str(sessionID)+"/" + "/".join(parts[0:-1]) savePath = self.installPath + "/downloads/"+str(sessionID)+"/" + "/".join(parts[0:-1])
filename = parts[-1] filename = parts[-1]
# fix for 'skywalker' exploit by @zeroSteiner
if not os.path.abspath(savePath+"/"+filename).startswith(self.installPath):
dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" %(sessionID), sender="Agents")
dispatcher.send("[!] attempted overwrite of %s with data %s" %(path, data), sender="Agents")
return
# make the recursive directory structure if it doesn't already exist # make the recursive directory structure if it doesn't already exist
if not os.path.exists(savePath): if not os.path.exists(savePath):
os.makedirs(savePath) os.makedirs(savePath)

5
lib/common/empire.py
View File

@ -9,7 +9,7 @@ menu loops.
""" """
# make version for Empire # make version for Empire
VERSION = "1.2" VERSION = "1.2.1"
from pydispatch import dispatcher from pydispatch import dispatcher
@ -255,6 +255,9 @@ class MainMenu(cmd.Cmd):
elif "[!] Agent" in signal and "exiting" in signal: elif "[!] Agent" in signal and "exiting" in signal:
print helpers.color(signal) print helpers.color(signal)
elif "WARNING" in signal or "attempted overwrite" in signal:
print helpers.color(signal)
elif "on the blacklist" in signal: elif "on the blacklist" in signal:
print helpers.color(signal) print helpers.color(signal)