Merge pull request #91 from BC-SECURITY/dev

VERSION

@@ -1 +1 @@
-3.0.5
+3.0.6

changelog

@@ -1,14 +1,25 @@
+1/31/2020
+------------
+- Version 3.0.6 Master Release
+	- Fixed osx stager generation byte/str errors - #84 (@hypnoticpattern)
+	- Fixed osx appbundle generation which was stripping the wrong string - #84 (@hypnoticpattern)
+	- Removed future imports from python3 launcher, so it works without any extra libraries - #81 (@Cx01N)
+	- Staging key no longer needs to be exactly 32 characters - #85 (@Cx01N)
+	- Add "stale" property to agents endpoint - #90 (@Vinnybod)
+	- Agents endpoint now returns agents without failing due to session_key encoding - #90 (@Vinnybod)
+	- Fixed an indentation bug in aes.py (@Cx01N)
+
 1/21/2020
 ------------
 - Version 3.0.5 Master Release
-    - Fixed setup_database.py python3 issue - #75 (@linxon)
-    - Added loaded listener types to API - #78 (@Vinnybod)
-    - Fixed python launcherBase (@Cx01N)
-    - Updated Python 3.8 compatibility in stager - #72 (@complana)
-    - Fixed Powerup Invoke-allchecks issue - #64 (@SkiddieTech)
-    - Fixed shellcode stager - #76 (@Hubbl3)
-    - Fixed binary upload error - #55 (@Hubbl3)
-    - Fixed multi/bash error (@Cx01N)
+	- Fixed setup_database.py python3 issue - #75 (@linxon)
+	- Added loaded listener types to API - #78 (@Vinnybod)
+	- Fixed python launcherBase (@Cx01N)
+	- Updated Python 3.8 compatibility in stager - #72 (@complana)
+	- Fixed Powerup Invoke-allchecks issue - #64 (@SkiddieTech)
+	- Fixed shellcode stager - #76 (@Hubbl3)
+	- Fixed binary upload error - #55 (@Hubbl3)
+	- Fixed multi/bash error (@Cx01N)
 
 1/14/2020
 ------------

data/agent/agent.py

@@ -1,37 +1,25 @@
-from __future__ import division
-from future import standard_library
-standard_library.install_aliases()
-from builtins import str
-from builtins import range
-from builtins import object
-from past.utils import old_div
-import __future__
 import struct
-import time
 import base64
 import subprocess
 import random
 import time
 import datetime
 import os
 import sys
-import trace
-import shlex
 import zlib
 import threading
 import http.server
 import zipfile
 import io
 import imp
-import marshal
 import re
 import shutil
 import pwd
 import socket
 import math
 import stat
 import grp
-from stat import S_ISREG, ST_CTIME, ST_MODE
+import numbers
 from os.path import expanduser
 from io import StringIO
 from threading import Thread
@@ -531,6 +519,15 @@ def process_packet(packetType, data, resultID):
     else:
         send_message(build_response_packet(0, "invalid tasking ID: %s" %(taskingID), resultID))
 
+def old_div(a, b):
+    """
+    Equivalent to ``a / b`` on Python 2 without ``from __future__ import
+    division``.
+    """
+    if isinstance(a, numbers.Integral) and isinstance(b, numbers.Integral):
+        return a // b
+    else:
+        return a / b
 
 ################################################
 #

data/agent/stagers/common/aes.py

@@ -235,7 +235,8 @@ def __init__(self, key, iv=None):
         else:
             if isinstance(iv, str):
                 self._last_cipherblock = _string_to_bytes(iv)
-            self._last_cipherblock = iv
+            else:
+                self._last_cipherblock = iv
 
         AESBlockModeOfOperation.__init__(self, key)
 

data/agent/stagers/http.py

@@ -10,9 +10,7 @@
         stage_1
         stage_2
 """
-from __future__ import print_function
 
-import copy
 import random
 import string
 import urllib.request as urllib

empire

@@ -775,11 +775,19 @@ def start_restful_api(empireMenu, suppress=False, username=None, password=None,
         for activeAgent in activeAgentsRaw:
             [ID, session_id, listener, name, language, language_version, delay, jitter, external_ip, internal_ip, username, high_integrity, process_name, process_id, hostname, os_details, session_key, nonce, checkin_time, lastseen_time, parent, children, servers, profile, functions, kill_date, working_hours, lost_limit, taskings, results] = activeAgent
 
-            agents.append({"ID":ID, "session_id":session_id, "listener":listener, "name":name, "language":language, "language_version":language_version, "delay":delay, "jitter":jitter, "external_ip":external_ip, "internal_ip":internal_ip, "username":username, "high_integrity":high_integrity, "process_name":process_name, "process_id":process_id, "hostname":hostname, "os_details":os_details, "session_key":session_key, "nonce":nonce, "checkin_time":checkin_time, "lastseen_time":lastseen_time, "parent":parent, "children":children, "servers":servers, "profile":profile,"functions":functions, "kill_date":kill_date, "working_hours":working_hours, "lost_limit":lost_limit, "taskings":taskings, "results":results})
+            intervalMax = (delay + delay * jitter)+30
+
+            # get the agent last check in time
+            agentTime = time.mktime(time.strptime(lastseen_time, "%Y-%m-%d %H:%M:%S"))
+
+            stale = agentTime < time.mktime(time.localtime()) - intervalMax
+
+            agents.append({"ID":ID, "session_id":session_id, "listener":listener, "name":name, "language":language, "language_version":language_version, "delay":delay, "jitter":jitter, "external_ip":external_ip, "internal_ip":internal_ip, "username":username, "high_integrity":high_integrity, "process_name":process_name, "process_id":process_id, "hostname":hostname, "os_details":os_details, "session_key":session_key.decode('latin-1').encode('utf-8'), "nonce":nonce, "checkin_time":checkin_time, "lastseen_time":lastseen_time, "parent":parent, "children":children, "servers":servers, "profile":profile,"functions":functions, "kill_date":kill_date, "working_hours":working_hours, "lost_limit":lost_limit, "taskings":taskings, "results":results, "stale":stale})
 
         return jsonify({'agents' : agents})
 
 
+
     @app.route('/api/agents/stale', methods=['GET'])
     def get_agents_stale():
         """
@@ -801,7 +809,7 @@ def start_restful_api(empireMenu, suppress=False, username=None, password=None,
 
             if agentTime < time.mktime(time.localtime()) - intervalMax:
 
-                staleAgents.append({"ID":ID, "session_id":session_id, "listener":listener, "name":name, "language":language, "language_version":language_version, "delay":delay, "jitter":jitter, "external_ip":external_ip, "internal_ip":internal_ip, "username":username, "high_integrity":high_integrity, "process_name":process_name, "process_id":process_id, "hostname":hostname, "os_details":os_details, "session_key":session_key, "nonce":nonce, "checkin_time":checkin_time, "lastseen_time":lastseen_time, "parent":parent, "children":children, "servers":servers, "profile":profile,"functions":functions, "kill_date":kill_date, "working_hours":working_hours, "lost_limit":lost_limit, "taskings":taskings, "results":results})
+                staleAgents.append({"ID":ID, "session_id":session_id, "listener":listener, "name":name, "language":language, "language_version":language_version, "delay":delay, "jitter":jitter, "external_ip":external_ip, "internal_ip":internal_ip, "username":username, "high_integrity":high_integrity, "process_name":process_name, "process_id":process_id, "hostname":hostname, "os_details":os_details, "session_key":session_key.decode('latin-1').encode('utf-8'), "nonce":nonce, "checkin_time":checkin_time, "lastseen_time":lastseen_time, "parent":parent, "children":children, "servers":servers, "profile":profile,"functions":functions, "kill_date":kill_date, "working_hours":working_hours, "lost_limit":lost_limit, "taskings":taskings, "results":results})
 
         return jsonify({'agents' : staleAgents})
 

lib/common/empire.py

@@ -15,7 +15,7 @@
 from builtins import str
 from builtins import range
 
-VERSION = "3.0.5 BC-Security Fork"
+VERSION = "3.0.6 BC-Security Fork"
 
 from pydispatch import dispatcher
 

lib/common/listeners.py

@@ -155,7 +155,7 @@ def set_listener_option(self, listenerName, option, value):
                     # if the staging key isn't 32 characters, assume we're md5 hashing it
                     value = str(value).strip()
                     if len(value) != 32:
-                        stagingKeyHash = hashlib.md5(value).hexdigest()
+                        stagingKeyHash = hashlib.md5(value.encode('UTF-8')).hexdigest()
                         print(helpers.color('[!] Warning: staging key not 32 characters, using hash of staging key instead: %s' % (stagingKeyHash)))
                         listenerObject.options[option]['Value'] = stagingKeyHash
                     else:

lib/common/stagers.py

@@ -274,10 +274,10 @@ def generate_appbundle(self, launcherCode, Arch, icon, AppName, disarm):
 
         if Arch == 'x64':
 
-            f = open(self.mainMenu.installPath + "/data/misc/apptemplateResources/x64/launcher.app/Contents/MacOS/launcher")
+            f = open(self.mainMenu.installPath + "/data/misc/apptemplateResources/x64/launcher.app/Contents/MacOS/launcher", "rb")
             directory = self.mainMenu.installPath + "/data/misc/apptemplateResources/x64/launcher.app/"
         else:
-            f = open(self.mainMenu.installPath + "/data/misc/apptemplateResources/x86/launcher.app/Contents/MacOS/launcher")
+            f = open(self.mainMenu.installPath + "/data/misc/apptemplateResources/x86/launcher.app/Contents/MacOS/launcher", "rb")
             directory = self.mainMenu.installPath + "/data/misc/apptemplateResources/x86/launcher.app/"
 
         macho = macholib.MachO.MachO(f.name)
@@ -292,10 +292,10 @@ def generate_appbundle(self, launcherCode, Arch, icon, AppName, disarm):
             count = 0
             if int(cmd[count].cmd) == macholib.MachO.LC_SEGMENT_64 or int(cmd[count].cmd) == macholib.MachO.LC_SEGMENT:
                 count += 1
-                if cmd[count].segname.strip('\x00') == '__TEXT' and cmd[count].nsects > 0:
+                if cmd[count].segname.strip(b'\x00') == b'__TEXT' and cmd[count].nsects > 0:
                     count += 1
                     for section in cmd[count]:
-                        if section.sectname.strip('\x00') == '__cstring':
+                        if section.sectname.strip(b'\x00') == b'__cstring':
                             offset = int(section.offset)
                             placeHolderSz = int(section.size) - 52
 
@@ -304,7 +304,7 @@ def generate_appbundle(self, launcherCode, Arch, icon, AppName, disarm):
 
         if placeHolderSz and offset:
 
-            launcher = launcherCode + "\x00" * (placeHolderSz - len(launcherCode))
+            launcher = launcherCode.encode('utf8') + b'\x00' * (placeHolderSz - len(launcherCode))
             patchedBinary = template[:offset]+launcher+template[(offset+len(launcher)):]
             if AppName == "":
                 AppName = "launcher"

lib/stagers/osx/application.py

@@ -97,6 +97,6 @@ def generate(self):
 
         else:
             disarm = False
-            launcher = launcher.strip('echo').strip(' | /usr/bin/python &').strip("\"")
+            launcher = launcher.strip('echo').strip(' | /usr/bin/python3 &').strip("\"")
             ApplicationZip = self.mainMenu.stagers.generate_appbundle(launcherCode=launcher,Arch=arch,icon=icnsPath,AppName=AppName, disarm=disarm)
             return ApplicationZip