Refresh patches Sophie Brun 3 years ago
6 changed file(s) with 198 addition(s) and 265 deletion(s). Raw diff Collapse all Expand all
+0
-257
debian/patches/change-database-location.patch less more
0 From: Kali Developers <[email protected]>
1 Date: Fri, 27 Dec 2019 09:25:49 +0100
2 Subject: change-database-location
3
4 Last-Update: 2020-11-30
5 ---
6 empire | 20 +++++++++++++++++++-
7 lib/common/__init__.py | 2 +-
8 lib/common/agents.py | 21 +++++++++++----------
9 lib/common/empire.py | 8 ++++----
10 lib/common/helpers.py | 6 +++---
11 setup/reset.sh | 12 ++++++------
12 setup/setup_database.py | 2 +-
13 7 files changed, 45 insertions(+), 26 deletions(-)
14
15 diff --git a/empire b/empire
16 index c8cb21e..a909e4f 100755
17 --- a/empire
18 +++ b/empire
19 @@ -26,6 +26,24 @@ from flask import Flask, request, jsonify, make_response, abort, url_for, g
20 from flask.json import JSONEncoder
21 from flask_socketio import SocketIO, emit, join_room, leave_room, \
22 close_room, rooms, disconnect
23 +import shutil
24 +
25 +# database old path
26 +DB_OLD_PATH = "/usr/share/powershell-empire/data"
27 +# database new path
28 +DB_PATH = "/var/lib/powershell-empire"
29 +
30 +if os.getuid() != 0:
31 + print("Please run powershell-empire with sudo:")
32 + print("'sudo powershell-empire'")
33 + sys.exit()
34 +
35 +# Handle database creation / switch before import lib.common
36 +if not os.path.isfile(os.path.join(DB_PATH, "empire.db")):
37 + if os.path.exists(os.path.join(DB_OLD_PATH, "empire.db")):
38 + shutil.move((os.path.join(DB_OLD_PATH, "empire.db")), os.path.join(DB_PATH, "empire.db"))
39 + else:
40 + subprocess.run(["setup/setup_database.py"])
41
42 # Empire imports
43 from lib.common import empire, helpers, users
44 @@ -91,7 +109,7 @@ def database_connect():
45 sqlite3.register_adapter(datetime, adapt_datetime)
46 sqlite3.register_converter("timestamp", convert_timestamp)
47 # set the database connectiont to autocommit w/ isolation level
48 - conn = sqlite3.connect('./data/empire.db', check_same_thread=False, detect_types=sqlite3.PARSE_DECLTYPES)
49 + conn = sqlite3.connect(os.path.join(DB_PATH, 'empire.db'), check_same_thread=False, detect_types=sqlite3.PARSE_DECLTYPES)
50 conn.text_factory = str
51 conn.isolation_level = None
52 return conn
53 diff --git a/lib/common/__init__.py b/lib/common/__init__.py
54 index 6fe1ea5..c303440 100644
55 --- a/lib/common/__init__.py
56 +++ b/lib/common/__init__.py
57 @@ -13,7 +13,7 @@ from . import helpers
58 def connect_to_db():
59 try:
60 # set the database connectiont to autocommit w/ isolation level
61 - conn = sqlite3.connect('./data/empire.db', check_same_thread=False)
62 + conn = sqlite3.connect('/var/lib/powershell-empire/empire.db', check_same_thread=False)
63 conn.text_factory = str
64 conn.isolation_level = None
65 return conn
66 diff --git a/lib/common/agents.py b/lib/common/agents.py
67 index 9dd24c0..f01a493 100644
68 --- a/lib/common/agents.py
69 +++ b/lib/common/agents.py
70 @@ -89,6 +89,7 @@ class Agents(object):
71 # pull out the controller objects
72 self.mainMenu = MainMenu
73 self.installPath = self.mainMenu.installPath
74 + self.localPath = '/var/lib/powershell-empire/'
75 self.args = args
76
77 # internal agent dictionary for the client's session key, funcions, and URI sets
78 @@ -267,13 +268,13 @@ class Agents(object):
79 parts = path.split("\\")
80
81 # construct the appropriate save path
82 - save_path = "%sdownloads/%s/%s" % (self.installPath, sessionID, "/".join(parts[0:-1]))
83 + save_path = "%sdownloads/%s/%s" % (self.localPath, sessionID, "/".join(parts[0:-1]))
84 filename = os.path.basename(parts[-1])
85
86 try:
87 self.lock.acquire()
88 # fix for 'skywalker' exploit by @zeroSteiner
89 - safePath = os.path.abspath("%sdownloads/" % self.installPath)
90 + safePath = os.path.abspath("%sdownloads/" % self.localPath)
91 if not os.path.abspath(save_path + "/" + filename).startswith(safePath):
92 message = "[!] WARNING: agent {} attempted skywalker exploit!\n[!] attempted overwrite of {} with data {}".format(sessionID, path, data)
93 signal = json.dumps({
94 @@ -333,7 +334,7 @@ class Agents(object):
95 parts = path.split("/")
96
97 # construct the appropriate save path
98 - save_path = "%s/downloads/%s/%s" % (self.installPath, sessionID, "/".join(parts[0:-1]))
99 + save_path = "%s/downloads/%s/%s" % (self.localPath, sessionID, "/".join(parts[0:-1]))
100 filename = parts[-1]
101
102 # decompress data if coming from a python agent:
103 @@ -354,7 +355,7 @@ class Agents(object):
104 try:
105 self.lock.acquire()
106 # fix for 'skywalker' exploit by @zeroSteiner
107 - safePath = os.path.abspath("%s/downloads/" % self.installPath)
108 + safePath = os.path.abspath("%s/downloads/" % self.localPath)
109 if not os.path.abspath(save_path + "/" + filename).startswith(safePath):
110 message = "[!] WARNING: agent {} attempted skywalker exploit!\n[!] attempted overwrite of {} with data {}".format(sessionID, path, data)
111 signal = json.dumps({
112 @@ -394,7 +395,7 @@ class Agents(object):
113 if isinstance(data, bytes):
114 data = data.decode('UTF-8')
115 name = self.get_agent_name_db(sessionID)
116 - save_path = self.installPath + "/downloads/" + str(name) + "/"
117 + save_path = self.localPath + "/downloads/" + str(name) + "/"
118
119 try:
120 self.lock.acquire()
121 @@ -1021,8 +1022,8 @@ class Agents(object):
122 try:
123 self.lock.acquire()
124 # rename the logging/downloads folder
125 - oldPath = "%s/downloads/%s/" % (self.installPath, oldname)
126 - newPath = "%s/downloads/%s/" % (self.installPath, newname)
127 + oldPath = "%s/downloads/%s/" % (self.localPath, oldname)
128 + newPath = "%s/downloads/%s/" % (self.localPath, newname)
129 retVal = True
130
131 # check if the folder is already used
132 @@ -1191,7 +1192,7 @@ class Agents(object):
133
134 # write out the last tasked script to "LastTask" if in debug mode
135 if self.args and self.args.debug:
136 - f = open('%s/LastTask' % (self.installPath), 'w')
137 + f = open('%s/LastTask' % (self.localPath), 'w')
138 f.write(task)
139 f.close()
140 return pk
141 @@ -2039,8 +2040,8 @@ class Agents(object):
142 elif responseName == "TASK_CMD_JOB":
143 #check if this is the powershell keylogging task, if so, write output to file instead of screen
144 if keyLogTaskID and keyLogTaskID == taskID:
145 - safePath = os.path.abspath("%sdownloads/" % self.mainMenu.installPath)
146 - savePath = "%sdownloads/%s/keystrokes.txt" % (self.mainMenu.installPath,sessionID)
147 + safePath = os.path.abspath("%sdownloads/" % self.mainMenu.localPath)
148 + savePath = "%sdownloads/%s/keystrokes.txt" % (self.mainMenu.localPath,sessionID)
149 if not os.path.abspath(savePath).startswith(safePath):
150 message = "[!] WARNING: agent {} attempted skywalker exploit!".format(self.sessionID)
151 signal = json.dumps({
152 diff --git a/lib/common/empire.py b/lib/common/empire.py
153 index 2c7cac9..69a6b16 100755
154 --- a/lib/common/empire.py
155 +++ b/lib/common/empire.py
156 @@ -191,7 +191,7 @@ class MainMenu(cmd.Cmd):
157
158 # if --debug X is passed, log out all dispatcher signals
159 if self.args.debug:
160 - with open('empire.debug', 'a') as debug_file:
161 + with open("/var/lib/powershell-empire/empire.debug", 'a') as debug_file:
162 debug_file.write("%s %s : %s\n" % (helpers.get_datetime(), sender, signal))
163
164 if self.args.debug == '2':
165 @@ -346,11 +346,11 @@ class MainMenu(cmd.Cmd):
166
167 def database_connect(self):
168 """
169 - Connect to the default database at ./data/empire.db.
170 + Connect to the default database at /var/lib/powershell-empire/empire.db.
171 """
172 try:
173 - # set the database connection to autocommit w/ isolation level
174 - self.conn = sqlite3.connect('./data/empire.db', check_same_thread=False)
175 + # set the database connectiont to autocommit w/ isolation level
176 + self.conn = sqlite3.connect('/var/lib/powershell-empire/empire.db', check_same_thread=False)
177 self.conn.text_factory = str
178 self.conn.isolation_level = None
179 return self.conn
180 diff --git a/lib/common/helpers.py b/lib/common/helpers.py
181 index 7b5fd6d..053d034 100644
182 --- a/lib/common/helpers.py
183 +++ b/lib/common/helpers.py
184 @@ -273,7 +273,7 @@ def strip_powershell_comments(data):
185
186
187 def keyword_obfuscation(data):
188 - conn = sqlite3.connect('./data/empire.db', check_same_thread=False)
189 + conn = sqlite3.connect('/var/lib/powershell-empire/empire.db', check_same_thread=False)
190 conn.isolation_level = None
191 conn.row_factory = None
192 cur = conn.cursor()
193 @@ -606,7 +606,7 @@ def get_config(fields):
194 i.e. 'version,install_path'
195 """
196
197 - conn = sqlite3.connect('./data/empire.db', check_same_thread=False)
198 + conn = sqlite3.connect('/var/lib/powershell-empire/empire.db', check_same_thread=False)
199 conn.isolation_level = None
200
201 cur = conn.cursor()
202 @@ -631,7 +631,7 @@ def get_listener_options(listenerName):
203 of the normal menu execution.
204 """
205 try:
206 - conn = sqlite3.connect('./data/empire.db', check_same_thread=False)
207 + conn = sqlite3.connect('/var/lib/powershell-empire/empire.db', check_same_thread=False)
208 conn.isolation_level = None
209 conn.row_factory = dict_factory
210 cur = conn.cursor()
211 diff --git a/setup/reset.sh b/setup/reset.sh
212 index 5e291d8..7fcfa89 100755
213 --- a/setup/reset.sh
214 +++ b/setup/reset.sh
215 @@ -13,22 +13,22 @@ then
216 fi
217
218 # reset the database
219 -if [ -e ../data/empire.db ]
220 +if [ -e /var/lib/powershell-empire/empire.db ]
221 then
222 - rm ../data/empire.db
223 + rm /var/lib/powershell-empire/empire.db
224 fi
225
226 python3 ./setup_database.py
227 cd ..
228
229 # remove the debug file if it exists
230 -if [ -e empire.debug ]
231 +if [ -e /var/lib/powershell-empire/empire.debug ]
232 then
233 - rm empire.debug
234 + rm /var/lib/powershell-empire/empire.debug
235 fi
236
237 # remove the download folders
238 -if [ -d ./downloads/ ]
239 +if [ -d /var/lib/powershell-empire/downloads/ ]
240 then
241 - rm -rf ./downloads/
242 + rm -rf /var/lib/powershell-empire/downloads/
243 fi
244 diff --git a/setup/setup_database.py b/setup/setup_database.py
245 index ec88437..8b2e622 100755
246 --- a/setup/setup_database.py
247 +++ b/setup/setup_database.py
248 @@ -65,7 +65,7 @@ OBFUSCATE_COMMAND = r'Token\All\1'
249 #
250 ###################################################
251
252 -conn = sqlite3.connect('%s/data/empire.db' % INSTALL_PATH)
253 +conn = sqlite3.connect('/var/lib/powershell-empire/empire.db')
254
255 c = conn.cursor()
256
0 From: Sophie Brun <[email protected]>
1 Date: Fri, 15 Jan 2021 09:06:48 +0100
2 Subject: Change debug and download dirs
3
4 Last-Update: 2021-01-15
5
6 Avoid to write and store debug and downloads data in application
7 directory. Use /var/lib/powershell-empire (needs to have access to this
8 directory)
9 ---
10 lib/common/agents.py | 21 +++++++++++----------
11 lib/common/empire.py | 2 +-
12 setup/reset.sh | 8 ++++----
13 3 files changed, 16 insertions(+), 15 deletions(-)
14
15 diff --git a/lib/common/agents.py b/lib/common/agents.py
16 index f50042d..085ded9 100644
17 --- a/lib/common/agents.py
18 +++ b/lib/common/agents.py
19 @@ -93,6 +93,7 @@ class Agents(object):
20 # pull out the controller objects
21 self.mainMenu = MainMenu
22 self.installPath = self.mainMenu.installPath
23 + self.localPath = '/var/lib/powershell-empire/'
24 self.args = args
25
26 # internal agent dictionary for the client's session key, funcions, and URI sets
27 @@ -264,13 +265,13 @@ class Agents(object):
28 parts = path.split("\\")
29
30 # construct the appropriate save path
31 - save_path = "%s/downloads/%s/%s" % (self.installPath, sessionID, "/".join(parts[0:-1]))
32 + save_path = "%s/downloads/%s/%s" % (self.localPath, sessionID, "/".join(parts[0:-1]))
33 filename = os.path.basename(parts[-1])
34
35 try:
36 self.lock.acquire()
37 # fix for 'skywalker' exploit by @zeroSteiner
38 - safePath = os.path.abspath("%s/downloads/" % self.installPath)
39 + safePath = os.path.abspath("%s/downloads/" % self.localPath)
40 if not os.path.abspath(save_path + "/" + filename).startswith(safePath):
41 message = "[!] WARNING: agent {} attempted skywalker exploit!\n[!] attempted overwrite of {} with data {}".format(
42 sessionID, path, data)
43 @@ -336,7 +337,7 @@ class Agents(object):
44 parts = path.split("/")
45
46 # construct the appropriate save path
47 - save_path = "%s/downloads/%s/%s" % (self.installPath, sessionID, "/".join(parts[0:-1]))
48 + save_path = "%s/downloads/%s/%s" % (self.localPath, sessionID, "/".join(parts[0:-1]))
49 filename = parts[-1]
50
51 # decompress data if coming from a python agent:
52 @@ -360,7 +361,7 @@ class Agents(object):
53 try:
54 self.lock.acquire()
55 # fix for 'skywalker' exploit by @zeroSteiner
56 - safePath = os.path.abspath("%s/downloads/" % self.installPath)
57 + safePath = os.path.abspath("%s/downloads/" % self.localPath)
58 if not os.path.abspath(save_path + "/" + filename).startswith(safePath):
59 message = "[!] WARNING: agent {} attempted skywalker exploit!\n[!] attempted overwrite of {} with data {}".format(
60 sessionID, path, data)
61 @@ -400,7 +401,7 @@ class Agents(object):
62 if isinstance(data, bytes):
63 data = data.decode('UTF-8')
64 name = self.get_agent_name_db(sessionID)
65 - save_path = self.installPath + "/downloads/" + str(name) + "/"
66 + save_path = self.localPath + "/downloads/" + str(name) + "/"
67
68 # make the recursive directory structure if it doesn't already exist
69 if not os.path.exists(save_path):
70 @@ -819,8 +820,8 @@ class Agents(object):
71 return False
72
73 # rename the logging/downloads folder
74 - old_path = "%s/downloads/%s/" % (self.installPath, old_name)
75 - new_path = "%s/downloads/%s/" % (self.installPath, new_name)
76 + old_path = "%s/downloads/%s/" % (self.localPath, old_name)
77 + new_path = "%s/downloads/%s/" % (self.localPath, new_name)
78 ret_val = True
79
80 # check if the folder is already used
81 @@ -991,7 +992,7 @@ class Agents(object):
82
83 # write out the last tasked script to "LastTask" if in debug mode
84 if self.args and self.args.debug:
85 - f = open('%s/LastTask' % (self.installPath), 'w')
86 + f = open('%s/LastTask' % (self.localPath), 'w')
87 f.write(task)
88 f.close()
89 finally:
90 @@ -1818,8 +1819,8 @@ class Agents(object):
91 elif response_name == "TASK_CMD_JOB":
92 # check if this is the powershell keylogging task, if so, write output to file instead of screen
93 if key_log_task_id and key_log_task_id == task_id:
94 - safePath = os.path.abspath("%s/downloads/" % self.mainMenu.installPath)
95 - savePath = "%s/downloads/%s/keystrokes.txt" % (self.mainMenu.installPath, session_id)
96 + safePath = os.path.abspath("%s/downloads/" % self.mainMenu.localPath)
97 + savePath = "%s/downloads/%s/keystrokes.txt" % (self.mainMenu.localPath, session_id)
98 if not os.path.abspath(savePath).startswith(safePath):
99 message = "[!] WARNING: agent {} attempted skywalker exploit!".format(self.sessionID)
100 signal = json.dumps({
101 diff --git a/lib/common/empire.py b/lib/common/empire.py
102 index eb33176..0fb6543 100755
103 --- a/lib/common/empire.py
104 +++ b/lib/common/empire.py
105 @@ -185,7 +185,7 @@ class MainMenu(cmd.Cmd):
106
107 # if --debug X is passed, log out all dispatcher signals
108 if self.args.debug:
109 - with open('empire.debug', 'a') as debug_file:
110 + with open("/var/lib/powershell-empire/empire.debug", 'a') as debug_file:
111 debug_file.write("%s %s : %s\n" % (helpers.get_datetime(), sender, signal))
112
113 if self.args.debug == '2':
114 diff --git a/setup/reset.sh b/setup/reset.sh
115 index 5c9ddea..532267d 100755
116 --- a/setup/reset.sh
117 +++ b/setup/reset.sh
118 @@ -15,13 +15,13 @@ fi
119 cd ..
120
121 # remove the debug file if it exists
122 -if [ -e empire.debug ]
123 +if [ -e /var/lib/powershell-empire/empire.debug ]
124 then
125 - rm empire.debug
126 + rm /var/lib/powershell-empire/empire.debug
127 fi
128
129 # remove the download folders
130 -if [ -d ./downloads/ ]
131 +if [ -d /var/lib/powershell-empire/downloads/ ]
132 then
133 - rm -rf ./downloads/
134 + rm -rf /var/lib/powershell-empire/downloads/
135 fi
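Review bot: The keylogger branch near the end of the agents.py changes reads `self.mainMenu.localPath`, but the only place this patch defines `localPath` is on the Agents instance (`self.localPath = '/var/lib/powershell-empire/'` in `Agents.__init__`), and the empire.py hunk adds no such attribute to MainMenu; unless MainMenu gains one somewhere not shown, the first keystroke response raises AttributeError before keystrokes.txt is written. Those two lines should use the same attribute as every other `downloads/` site in the file: `safePath = os.path.abspath("%s/downloads/" % self.localPath)` and `savePath = "%s/downloads/%s/keystrokes.txt" % (self.localPath, session_id)`. Separately, the containment check carried over here compares with `startswith(safePath)` where `safePath` comes back from `os.path.abspath` without a trailing separator, so an agent-supplied path that normalises to `/var/lib/powershell-empire/downloads-anything/...` still passes and `os.makedirs` would create that sibling; this is pre-existing, but since the patch relocates the root of the check it is the right moment to compare against `safePath + os.sep` (or `os.path.commonpath`). The enclosing methods all begin outside the hunks shown.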
0 From: Sophie Brun <[email protected]>
1 Date: Fri, 15 Jan 2021 09:11:58 +0100
2 Subject: Change default database location
3
4 Last-Update: 2021-01-15
5
6 Avoid to write data in application directory. Use the
7 /var/lib/powershell-empire directory for the database.
8 ---
9 config.yaml | 2 +-
10 1 file changed, 1 insertion(+), 1 deletion(-)
11
12 diff --git a/config.yaml b/config.yaml
13 index f2a2b36..7994dcf 100644
14 --- a/config.yaml
15 +++ b/config.yaml
16 @@ -1,6 +1,6 @@
17 database:
18 type: sqlite
19 - location: data/empire.db
20 + location: /var/lib/powershell-empire/empire.db
21 defaults:
22 # staging key will first look at OS environment variables, then here.
23 # If empty, will be prompted (like Empire <3.7).
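Review bot: The new `location` is an absolute path under `/var/lib` that no longer follows the working directory or install prefix, and nothing in the file says who is expected to create that directory or with what ownership, so a first start on a host where the packaging did not create it fails with an sqlite "unable to open database file" error that points nowhere useful. A one-line comment above the key would cover it: `# absolute path; /var/lib/powershell-empire must exist and be writable by the user running empire`. The remainder of the `database:` mapping is outside the hunk.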
0 From: Sophie Brun <[email protected]>
1 Date: Fri, 15 Jan 2021 09:00:38 +0100
2 Subject: Force sudo usage
3
4 Last-Update: 2021-01-15
5
6 Several data are in same directory as the application lib. It can't
7 easily be patched to change this (see the obfuscated_module_source dir).
8 ---
9 empire | 5 +++++
10 1 file changed, 5 insertions(+)
11
12 diff --git a/empire b/empire
13 index f70a020..71c125d 100755
14 --- a/empire
15 +++ b/empire
16 @@ -29,6 +29,11 @@ from flask_socketio import SocketIO, emit, join_room, leave_room, \
17 from sqlalchemy import or_, and_, func
18 from sqlalchemy.orm import aliased
19
20 +if os.getuid() != 0:
21 + print("Please run powershell-empire with sudo:")
22 + print("'sudo powershell-empire'")
23 + sys.exit()
24 +
25 # Empire imports
26 from lib import arguments
27 from lib.common import empire, helpers, users
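Review bot: The refusal path calls `sys.exit()` with no argument, which exits with status 0 and prints the hint to stdout, so a wrapper script or service unit that launches `powershell-empire` unprivileged sees a success code; use `print(..., file=sys.stderr)` and `sys.exit(1)` so the failure is visible to whatever started the process. The check also sits above `from lib import arguments`, so even `--help` now requires root — if that is not intended, move it below argument parsing. The patch header should state the trade-off it makes: the file-save paths in agents.py (patched elsewhere in this commit) write to locations derived from agent-supplied data, which is why the 'skywalker' containment checks exist, and after this change every one of those code paths runs as uid 0, whereas a dedicated group with write access to `/var/lib/powershell-empire` would keep that surface unprivileged. The header's own remark that the source tree cannot easily be patched suggests this is a deliberate stopgap; saying so in the header keeps the next refresh from treating root as a requirement.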
528528 template_options = {
529529 'staging_folder': stagingFolder,
530530 diff --git a/lib/listeners/http.py b/lib/listeners/http.py
531 index f333889..056b7ab 100755
531 index 49e0023..dd8ab21 100755
532532 --- a/lib/listeners/http.py
533533 +++ b/lib/listeners/http.py
534 @@ -682,8 +682,8 @@ class Listener(object):
534 @@ -664,8 +664,8 @@ class Listener(object):
535535 os.path.join(self.mainMenu.installPath, '/data/agent/stagers'),
536536 os.path.join(self.mainMenu.installPath, './data/agent/stagers')]
537537 eng = templating.TemplateEngine(template_path)
543543 'working_hours': workingHours,
544544 'kill_date': killDate,
545545 diff --git a/lib/listeners/redirector.py b/lib/listeners/redirector.py
546 index b2fca5f..5876219 100755
546 index 24ef3b2..2b0eb9d 100755
547547 --- a/lib/listeners/redirector.py
548548 +++ b/lib/listeners/redirector.py
549549 @@ -433,7 +433,7 @@ class Listener(object):
556556 f.close()
557557
558558 diff --git a/lib/stagers/multi/pyinstaller.py b/lib/stagers/multi/pyinstaller.py
559 index aa8f3a7..de96e6c 100644
559 index f27d43a..3e9f1c2 100644
560560 --- a/lib/stagers/multi/pyinstaller.py
561561 +++ b/lib/stagers/multi/pyinstaller.py
562 @@ -121,8 +121,8 @@ class Stager(object):
563 cur.close()
564
562 @@ -113,8 +113,8 @@ class Stager(object):
563 else:
564 filesToExtractImportsFrom_List = []
565565
566566 - stagerFFP_Str = self.mainMenu.installPath + "/data/agent/stagers/http.py"
567567 - stagerFFP_Str = os.path.join(self.mainMenu.installPath, "data/agent/stagers/http.py")
00 rename-jinja2-templates.patch
11 update-shebang-for-python3.patch
22 use-cryptodome.patch
3 change-database-location.patch
3 force-sudo-usage
4 change-debug-downloads-dirs.patch
5 change-default-database-location.patch
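Review bot: The new `force-sudo-usage` entry is the only line in `series` without the `.patch` suffix that the other five entries carry; quilt and dpkg-source resolve entries as literal file names under `debian/patches/`, so if the file added by this commit is `force-sudo-usage.patch` the build stops with a missing-patch error, and if the file genuinely has no suffix the naming is merely inconsistent with its neighbours. Either rename the file or change the entry to `force-sudo-usage.patch`. The file header for that patch is not shown on this page, so the on-disk name cannot be confirmed from here.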