Fix for 'skywalker' file overwrite exploit on control server.

Thank you to @zeroSteiner for the disclosure!
2015-09-21 22:32:46 -04:00 · 2015-09-21 22:32:46 -04:00 · 9079a54119
parent ed8c476f43
commit 9079a54119
3 changed files with 21 additions and 2 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+9/21/2015
+---------
+-Fix for 'skywalker' file overwrite exploit on control server (thanks @zeroSteiner!)
+
 9/12/2015
 ---------
 -Added credentials/mimikatz/mimitokens to take advantage of Mimikatz' token listing/elevation
--- a/lib/common/agents.py
+++ b/lib/common/agents.py
@ -195,6 +195,12 @@ class Agents:
        savePath =  self.installPath + "/downloads/"+str(sessionID)+"/" + "/".join(parts[0:-1])
        filename = parts[-1]

+        # fix for 'skywalker' exploit by @zeroSteiner
+        if not os.path.abspath(savePath+"/"+filename).startswith(self.installPath):
+            dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" %(sessionID), sender="Agents")
+            dispatcher.send("[!] attempted overwrite of %s with data %s" %(path, data), sender="Agents")
+            return
+
        # make the recursive directory structure if it doesn't already exist
        if not os.path.exists(savePath):
            os.makedirs(savePath)
@ -210,7 +216,7 @@ class Agents:
        f.close()

        # notify everyone that the file was downloaded
-        dispatcher.send("[+] Part of file "+filename+" from "+str(sessionID)+" saved", sender="Agents")
+        dispatcher.send("[+] Part of file %s from %s saved" %(filename, sessionID), sender="Agents")
    

    def save_module_file(self, sessionID, path, data):
@ -227,6 +233,12 @@ class Agents:
        savePath =  self.installPath + "/downloads/"+str(sessionID)+"/" + "/".join(parts[0:-1])
        filename = parts[-1]

+        # fix for 'skywalker' exploit by @zeroSteiner
+        if not os.path.abspath(savePath+"/"+filename).startswith(self.installPath):
+            dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" %(sessionID), sender="Agents")
+            dispatcher.send("[!] attempted overwrite of %s with data %s" %(path, data), sender="Agents")
+            return
+
        # make the recursive directory structure if it doesn't already exist
        if not os.path.exists(savePath):
            os.makedirs(savePath)
--- a/lib/common/empire.py
+++ b/lib/common/empire.py
@ -9,7 +9,7 @@ menu loops.
 """

 # make version for Empire
-VERSION = "1.2"
+VERSION = "1.2.1"


 from pydispatch import dispatcher
@ -255,6 +255,9 @@ class MainMenu(cmd.Cmd):
            elif "[!] Agent" in signal and "exiting" in signal:
                print helpers.color(signal)

+            elif "WARNING" in signal or "attempted overwrite" in signal:
+                print helpers.color(signal)
+
            elif "on the blacklist" in signal:
                print helpers.color(signal)