From: Kali Developers <[email protected]>
Date: Fri, 27 Dec 2019 09:25:49 +0100
Subject: change-database-location
Last-Update: 2020-11-30
---
empire | 20 +++++++++++++++++++-
lib/common/__init__.py | 2 +-
lib/common/agents.py | 21 +++++++++++----------
lib/common/empire.py | 8 ++++----
lib/common/helpers.py | 6 +++---
setup/reset.sh | 12 ++++++------
setup/setup_database.py | 2 +-
7 files changed, 45 insertions(+), 26 deletions(-)
diff --git a/empire b/empire
|
16 | |
index c8cb21e..a909e4f 100755
|
17 | |
--- a/empire
|
18 | |
+++ b/empire
|
19 | |
@@ -26,6 +26,24 @@ from flask import Flask, request, jsonify, make_response, abort, url_for, g
|
20 | |
from flask.json import JSONEncoder
|
21 | |
from flask_socketio import SocketIO, emit, join_room, leave_room, \
|
22 | |
close_room, rooms, disconnect
|
23 | |
+import shutil
|
24 | |
+
|
25 | |
+# database old path
|
26 | |
+DB_OLD_PATH = "/usr/share/powershell-empire/data"
|
27 | |
+# database new path
|
28 | |
+DB_PATH = "/var/lib/powershell-empire"
|
29 | |
+
|
30 | |
+if os.getuid() != 0:
|
31 | |
+ print("Please run powershell-empire with sudo:")
|
32 | |
+ print("'sudo powershell-empire'")
|
33 | |
+ sys.exit()
|
34 | |
+
|
35 | |
+# Handle database creation / switch before import lib.common
|
36 | |
+if not os.path.isfile(os.path.join(DB_PATH, "empire.db")):
|
37 | |
+ if os.path.exists(os.path.join(DB_OLD_PATH, "empire.db")):
|
38 | |
+ shutil.move((os.path.join(DB_OLD_PATH, "empire.db")), os.path.join(DB_PATH, "empire.db"))
|
39 | |
+ else:
|
40 | |
+ subprocess.run(["setup/setup_database.py"])
|
41 | |
|
42 | |
# Empire imports
|
43 | |
from lib.common import empire, helpers, users
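Review bot: `sys.exit()` on the non-root branch exits with status 0, so a launcher or service unit sees the refusal to run as a success; use `sys.exit(1)`. `subprocess.run(["setup/setup_database.py"])` resolves relative to the current working directory and does not check the return code, so a failure there only surfaces later as an unrelated error from `lib.common`; prefer a path anchored on `__file__` and `check=True`. Neither branch creates `DB_PATH`, so `shutil.move` and the setup script both fail if `/var/lib/powershell-empire` is not already provided by the package — `os.makedirs(DB_PATH, mode=0o700, exist_ok=True)` before the `isfile` check would make start-up self-contained, and the restrictive mode fits a directory that holds the agent database and the downloads tree.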
|
44 | |
@@ -91,7 +109,7 @@ def database_connect():
|
45 | |
sqlite3.register_adapter(datetime, adapt_datetime)
|
46 | |
sqlite3.register_converter("timestamp", convert_timestamp)
|
47 | |
# set the database connectiont to autocommit w/ isolation level
|
48 | |
- conn = sqlite3.connect('./data/empire.db', check_same_thread=False, detect_types=sqlite3.PARSE_DECLTYPES)
|
49 | |
+ conn = sqlite3.connect(os.path.join(DB_PATH, 'empire.db'), check_same_thread=False, detect_types=sqlite3.PARSE_DECLTYPES)
|
50 | |
conn.text_factory = str
|
51 | |
conn.isolation_level = None
|
52 | |
return conn
|
53 | |
diff --git a/lib/common/__init__.py b/lib/common/__init__.py
|
54 | |
index 6fe1ea5..c303440 100644
|
55 | |
--- a/lib/common/__init__.py
|
56 | |
+++ b/lib/common/__init__.py
|
57 | |
@@ -13,7 +13,7 @@ from . import helpers
|
58 | |
def connect_to_db():
|
59 | |
try:
|
60 | |
# set the database connectiont to autocommit w/ isolation level
|
61 | |
- conn = sqlite3.connect('./data/empire.db', check_same_thread=False)
|
62 | |
+ conn = sqlite3.connect('/var/lib/powershell-empire/empire.db', check_same_thread=False)
|
63 | |
conn.text_factory = str
|
64 | |
conn.isolation_level = None
|
65 | |
return conn
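Review bot: `'/var/lib/powershell-empire/empire.db'` is spelled out as a literal here and again in `lib/common/empire.py` (`database_connect`), three times in `lib/common/helpers.py` and once in `setup/setup_database.py`, while `empire` derives the same path from `DB_PATH`; a future relocation has to be repeated in seven places. Defining `DB_PATH` once in this package `__init__` and importing it from the other modules would keep them in step. Note also that `sqlite3.connect` creates an empty file when the path does not exist, so a caller that reaches `connect_to_db` before the migration block in `empire` has run silently gets a fresh empty database rather than an error — worth a comment such as `# expects the database to have been created or migrated by the launcher`.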
|
66 | |
diff --git a/lib/common/agents.py b/lib/common/agents.py
|
67 | |
index 9dd24c0..f01a493 100644
|
68 | |
--- a/lib/common/agents.py
|
69 | |
+++ b/lib/common/agents.py
|
70 | |
@@ -89,6 +89,7 @@ class Agents(object):
|
71 | |
# pull out the controller objects
|
72 | |
self.mainMenu = MainMenu
|
73 | |
self.installPath = self.mainMenu.installPath
|
74 | |
+ self.localPath = '/var/lib/powershell-empire/'
|
75 | |
self.args = args
|
76 | |
|
77 | |
# internal agent dictionary for the client's session key, funcions, and URI sets
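Review bot: `self.localPath` is a literal with a trailing slash, while the later hunks in this file build paths with both `"%sdownloads/"` (@@ -267) and `"%s/downloads/"` (@@ -333, -354, -394, -1021), so the second form yields `/var/lib/powershell-empire//downloads/`; `os.path.join(self.localPath, "downloads", ...)` would remove the dependence on the trailing slash. The same directory is spelled again as `DB_PATH` in `empire` and as a bare literal in the other modules, so one shared constant would keep them from drifting. `Agents.__init__` starts outside the hunk.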
|
78 | |
@@ -267,13 +268,13 @@ class Agents(object):
|
79 | |
parts = path.split("\\")
|
80 | |
|
81 | |
# construct the appropriate save path
|
82 | |
- save_path = "%sdownloads/%s/%s" % (self.installPath, sessionID, "/".join(parts[0:-1]))
|
83 | |
+ save_path = "%sdownloads/%s/%s" % (self.localPath, sessionID, "/".join(parts[0:-1]))
|
84 | |
filename = os.path.basename(parts[-1])
|
85 | |
|
86 | |
try:
|
87 | |
self.lock.acquire()
|
88 | |
# fix for 'skywalker' exploit by @zeroSteiner
|
89 | |
- safePath = os.path.abspath("%sdownloads/" % self.installPath)
|
90 | |
+ safePath = os.path.abspath("%sdownloads/" % self.localPath)
|
91 | |
if not os.path.abspath(save_path + "/" + filename).startswith(safePath):
|
92 | |
message = "[!] WARNING: agent {} attempted skywalker exploit!\n[!] attempted overwrite of {} with data {}".format(sessionID, path, data)
|
93 | |
signal = json.dumps({
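Review bot: The containment check `if not os.path.abspath(save_path + "/" + filename).startswith(safePath)` is a plain string-prefix test; because `os.path.abspath` drops the trailing slash from `safePath`, a path under a sibling directory whose name merely begins with `downloads` also satisfies it. Compare against `safePath + os.sep` (or use `os.path.commonpath([safePath, target]) == safePath`) so that only paths strictly below the downloads directory are accepted; the same check recurs in the hunks at @@ -354 and @@ -2039. The commit only swaps `installPath` for `localPath` here, so the weakness predates it, but it is worth closing while these lines are being touched.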
|
94 | |
@@ -333,7 +334,7 @@ class Agents(object):
|
95 | |
parts = path.split("/")
|
96 | |
|
97 | |
# construct the appropriate save path
|
98 | |
- save_path = "%s/downloads/%s/%s" % (self.installPath, sessionID, "/".join(parts[0:-1]))
|
99 | |
+ save_path = "%s/downloads/%s/%s" % (self.localPath, sessionID, "/".join(parts[0:-1]))
|
100 | |
filename = parts[-1]
|
101 | |
|
102 | |
# decompress data if coming from a python agent:
|
103 | |
@@ -354,7 +355,7 @@ class Agents(object):
|
104 | |
try:
|
105 | |
self.lock.acquire()
|
106 | |
# fix for 'skywalker' exploit by @zeroSteiner
|
107 | |
- safePath = os.path.abspath("%s/downloads/" % self.installPath)
|
108 | |
+ safePath = os.path.abspath("%s/downloads/" % self.localPath)
|
109 | |
if not os.path.abspath(save_path + "/" + filename).startswith(safePath):
|
110 | |
message = "[!] WARNING: agent {} attempted skywalker exploit!\n[!] attempted overwrite of {} with data {}".format(sessionID, path, data)
|
111 | |
signal = json.dumps({
|
112 | |
@@ -394,7 +395,7 @@ class Agents(object):
|
113 | |
if isinstance(data, bytes):
|
114 | |
data = data.decode('UTF-8')
|
115 | |
name = self.get_agent_name_db(sessionID)
|
116 | |
- save_path = self.installPath + "/downloads/" + str(name) + "/"
|
117 | |
+ save_path = self.localPath + "/downloads/" + str(name) + "/"
|
118 | |
|
119 | |
try:
|
120 | |
self.lock.acquire()
|
121 | |
@@ -1021,8 +1022,8 @@ class Agents(object):
|
122 | |
try:
|
123 | |
self.lock.acquire()
|
124 | |
# rename the logging/downloads folder
|
125 | |
- oldPath = "%s/downloads/%s/" % (self.installPath, oldname)
|
126 | |
- newPath = "%s/downloads/%s/" % (self.installPath, newname)
|
127 | |
+ oldPath = "%s/downloads/%s/" % (self.localPath, oldname)
|
128 | |
+ newPath = "%s/downloads/%s/" % (self.localPath, newname)
|
129 | |
retVal = True
|
130 | |
|
131 | |
# check if the folder is already used
|
132 | |
@@ -1191,7 +1192,7 @@ class Agents(object):
|
133 | |
|
134 | |
# write out the last tasked script to "LastTask" if in debug mode
|
135 | |
if self.args and self.args.debug:
|
136 | |
- f = open('%s/LastTask' % (self.installPath), 'w')
|
137 | |
+ f = open('%s/LastTask' % (self.localPath), 'w')
|
138 | |
f.write(task)
|
139 | |
f.close()
|
140 | |
return pk
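Review bot: `f = open('%s/LastTask' % (self.localPath), 'w')` is followed by `f.write(task)` and `f.close()` with no `with` or `finally`, so a write error leaves the handle open; `with open(os.path.join(self.localPath, 'LastTask'), 'w') as f: f.write(task)` closes it on every path and also avoids the `//` produced by the trailing slash in `localPath`. The enclosing method starts outside the hunk.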
|
141 | |
@@ -2039,8 +2040,8 @@ class Agents(object):
|
142 | |
elif responseName == "TASK_CMD_JOB":
|
143 | |
#check if this is the powershell keylogging task, if so, write output to file instead of screen
|
144 | |
if keyLogTaskID and keyLogTaskID == taskID:
|
145 | |
- safePath = os.path.abspath("%sdownloads/" % self.mainMenu.installPath)
|
146 | |
- savePath = "%sdownloads/%s/keystrokes.txt" % (self.mainMenu.installPath,sessionID)
|
147 | |
+ safePath = os.path.abspath("%sdownloads/" % self.mainMenu.localPath)
|
148 | |
+ savePath = "%sdownloads/%s/keystrokes.txt" % (self.mainMenu.localPath,sessionID)
|
149 | |
if not os.path.abspath(savePath).startswith(safePath):
|
150 | |
message = "[!] WARNING: agent {} attempted skywalker exploit!".format(self.sessionID)
|
151 | |
signal = json.dumps({
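Review bot: `self.mainMenu.localPath` refers to an attribute this commit does not add — the new attribute is `self.localPath` on `Agents` (hunk @@ -89), and the `MainMenu` hunks in `lib/common/empire.py` add no `localPath` — so this branch would raise `AttributeError` when a keylogging task response arrives, unless `MainMenu` defines it somewhere outside the diff. The removed code used `installPath`, which `MainMenu` does expose (`self.installPath = self.mainMenu.installPath` in the first hunk), so the substitution changed which object is read. Use `safePath = os.path.abspath("%sdownloads/" % self.localPath)` and `savePath = "%sdownloads/%s/keystrokes.txt" % (self.localPath, sessionID)`. The enclosing method starts and ends outside the hunk.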
|
152 | |
diff --git a/lib/common/empire.py b/lib/common/empire.py
|
153 | |
index 2c7cac9..69a6b16 100755
|
154 | |
--- a/lib/common/empire.py
|
155 | |
+++ b/lib/common/empire.py
|
156 | |
@@ -191,7 +191,7 @@ class MainMenu(cmd.Cmd):
|
157 | |
|
158 | |
# if --debug X is passed, log out all dispatcher signals
|
159 | |
if self.args.debug:
|
160 | |
- with open('empire.debug', 'a') as debug_file:
|
161 | |
+ with open("/var/lib/powershell-empire/empire.debug", 'a') as debug_file:
|
162 | |
debug_file.write("%s %s : %s\n" % (helpers.get_datetime(), sender, signal))
|
163 | |
|
164 | |
if self.args.debug == '2':
|
165 | |
@@ -346,11 +346,11 @@ class MainMenu(cmd.Cmd):
|
166 | |
|
167 | |
def database_connect(self):
|
168 | |
"""
|
169 | |
- Connect to the default database at ./data/empire.db.
|
170 | |
+ Connect to the default database at /var/lib/powershell-empire/empire.db.
|
171 | |
"""
|
172 | |
try:
|
173 | |
- # set the database connection to autocommit w/ isolation level
|
174 | |
- self.conn = sqlite3.connect('./data/empire.db', check_same_thread=False)
|
175 | |
+ # set the database connectiont to autocommit w/ isolation level
|
176 | |
+ self.conn = sqlite3.connect('/var/lib/powershell-empire/empire.db', check_same_thread=False)
|
177 | |
self.conn.text_factory = str
|
178 | |
self.conn.isolation_level = None
|
179 | |
return self.conn
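Review bot: The rewritten comment `# set the database connectiont to autocommit w/ isolation level` replaces a correctly spelled comment with a misspelt one; keep `# set the database connection to autocommit w/ isolation level`. The docstring update is otherwise fine, though the literal path duplicates the one in `lib/common/__init__.py` and could be shared from there.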
|
180 | |
diff --git a/lib/common/helpers.py b/lib/common/helpers.py
|
181 | |
index 7b5fd6d..053d034 100644
|
182 | |
--- a/lib/common/helpers.py
|
183 | |
+++ b/lib/common/helpers.py
|
184 | |
@@ -273,7 +273,7 @@ def strip_powershell_comments(data):
|
185 | |
|
186 | |
|
187 | |
def keyword_obfuscation(data):
|
188 | |
- conn = sqlite3.connect('./data/empire.db', check_same_thread=False)
|
189 | |
+ conn = sqlite3.connect('/var/lib/powershell-empire/empire.db', check_same_thread=False)
|
190 | |
conn.isolation_level = None
|
191 | |
conn.row_factory = None
|
192 | |
cur = conn.cursor()
|
193 | |
@@ -606,7 +606,7 @@ def get_config(fields):
|
194 | |
i.e. 'version,install_path'
|
195 | |
"""
|
196 | |
|
197 | |
- conn = sqlite3.connect('./data/empire.db', check_same_thread=False)
|
198 | |
+ conn = sqlite3.connect('/var/lib/powershell-empire/empire.db', check_same_thread=False)
|
199 | |
conn.isolation_level = None
|
200 | |
|
201 | |
cur = conn.cursor()
|
202 | |
@@ -631,7 +631,7 @@ def get_listener_options(listenerName):
|
203 | |
of the normal menu execution.
|
204 | |
"""
|
205 | |
try:
|
206 | |
- conn = sqlite3.connect('./data/empire.db', check_same_thread=False)
|
207 | |
+ conn = sqlite3.connect('/var/lib/powershell-empire/empire.db', check_same_thread=False)
|
208 | |
conn.isolation_level = None
|
209 | |
conn.row_factory = dict_factory
|
210 | |
cur = conn.cursor()
|
211 | |
diff --git a/setup/reset.sh b/setup/reset.sh
|
212 | |
index 5e291d8..7fcfa89 100755
|
213 | |
--- a/setup/reset.sh
|
214 | |
+++ b/setup/reset.sh
|
215 | |
@@ -13,22 +13,22 @@ then
|
216 | |
fi
|
217 | |
|
218 | |
# reset the database
|
219 | |
-if [ -e ../data/empire.db ]
|
220 | |
+if [ -e /var/lib/powershell-empire/empire.db ]
|
221 | |
then
|
222 | |
- rm ../data/empire.db
|
223 | |
+ rm /var/lib/powershell-empire/empire.db
|
224 | |
fi
|
225 | |
|
226 | |
python3 ./setup_database.py
|
227 | |
cd ..
|
228 | |
|
229 | |
# remove the debug file if it exists
|
230 | |
-if [ -e empire.debug ]
|
231 | |
+if [ -e /var/lib/powershell-empire/empire.debug ]
|
232 | |
then
|
233 | |
- rm empire.debug
|
234 | |
+ rm /var/lib/powershell-empire/empire.debug
|
235 | |
fi
|
236 | |
|
237 | |
# remove the download folders
|
238 | |
-if [ -d ./downloads/ ]
|
239 | |
+if [ -d /var/lib/powershell-empire/downloads/ ]
|
240 | |
then
|
241 | |
- rm -rf ./downloads/
|
242 | |
+ rm -rf /var/lib/powershell-empire/downloads/
|
243 | |
fi
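Review bot: The database, debug-file and downloads paths are now absolute, but `python3 ./setup_database.py` and `cd ..` on the following lines still assume the script is run from inside `setup/`; run from anywhere else, the `rm` lines now succeed while the recreation step fails, leaving no database at `/var/lib/powershell-empire/empire.db`. Anchoring the call on the script's own location, `python3 "$(dirname "$0")/setup_database.py"`, removes the mismatch. The `if` block that opens the hunk starts outside it.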
|
244 | |
diff --git a/setup/setup_database.py b/setup/setup_database.py
|
245 | |
index ec88437..8b2e622 100755
|
246 | |
--- a/setup/setup_database.py
|
247 | |
+++ b/setup/setup_database.py
|
248 | |
@@ -65,7 +65,7 @@ OBFUSCATE_COMMAND = r'Token\All\1'
|
249 | |
#
|
250 | |
###################################################
|
251 | |
|
252 | |
-conn = sqlite3.connect('%s/data/empire.db' % INSTALL_PATH)
|
253 | |
+conn = sqlite3.connect('/var/lib/powershell-empire/empire.db')
|
254 | |
|
255 | |
c = conn.cursor()
|
256 | |
|
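Review bot: `sqlite3.connect('/var/lib/powershell-empire/empire.db')` does not create the parent directory and fails with `sqlite3.OperationalError` if `/var/lib/powershell-empire` is absent; since `empire` runs this script as the fallback when no database exists, a first start on a system where packaging has not created the directory fails here. If `os` is available in this script, `os.makedirs('/var/lib/powershell-empire', mode=0o700, exist_ok=True)` before the connect makes the setup self-sufficient, and the restrictive mode matches a directory that will hold the agent database. `INSTALL_PATH` may now be unused if the removed line was its only reference — worth checking above the hunk.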