Merge pull request #33 from BC-SECURITY/sponsors-dev

Empire 3.7.2 Release
BC-SECURITY · Feb 5, 2021 · 1bf3d51 · 1bf3d51
2 parents 8a45100 + bdaa374
commit 1bf3d51
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 19 deletions.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-3.7.0
+3.7.2
diff --git a/changelog b/changelog
@@ -1,3 +1,14 @@
+2/5/2021
+------------
+- Version 3.7.2 Master Release
+        - Fixed Malleable C2 issue where netbios/netbiosu transformations used excessive resources (@Cx01N)
+        - Fixed error when loading http_hop listener options (@Cx01N)
+
+1/27/2021
+------------
+- Version 3.7.1 Master Release
+        - Added Kali message to main menu
+
 1/18/2021
 ------------
 - Version 3.7.0 Master Release

diff --git a/data/profiles b/data/profiles
diff --git a/lib/common/empire.py b/lib/common/empire.py
@@ -19,7 +19,7 @@
 from datetime import datetime, timezone
 from flask_socketio import SocketIO
 
-VERSION = "3.7.0 BC Security Fork"
+VERSION = "3.7.2 BC Security Fork"
 
 from pydispatch import dispatcher
 

diff --git a/lib/common/malleable/transformation.py b/lib/common/malleable/transformation.py
@@ -272,6 +272,10 @@ def _netbios(self):
         netbios algorithm."""
         self.transform = lambda data: netbios_transform(data)
         self.transform_r = lambda data: netbios_transform_r(data)
+        self.generate_python = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr((f_ord(_)>>4)+0x61)+chr((f_ord(_)&0xF)+0x61) for _ in %(var)s])\n" % {"var":var}
+        self.generate_python_r = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr(((f_ord(%(var)s[_])-0x61)<<4)|((f_ord(%(var)s[_+1])-0x61)&0xF)) for _ in range(0,len(%(var)s),2)])\n" % {"var":var}
+        self.generate_powershell = lambda var: netbios_powershell(var)
+        self.generate_powershell_r = lambda var: netbios_powershell_r(var)
 
         def netbios_transform(data):
             if isinstance(data, str):
@@ -285,33 +289,39 @@ def netbios_transform_r(data):
             r = "".join([chr(((data[i]-0x61)<<4)|((data[i+1]-0x61)&0xF)) for i in range(0, len(data), 2)])
             return r.encode('latin-1')
 
-        self.generate_python = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr((f_ord(_)>>4)+0x61)+chr((f_ord(_)&0xF)+0x61) for _ in %(var)s])\n" % {"var":var}
-        self.generate_python_r = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr(((f_ord(%(var)s[_])-0x61)<<4)|((f_ord(%(var)s[_+1])-0x61)&0xF)) for _ in range(0,len(%(var)s),2)])\n" % {"var":var}
-        self.generate_powershell = lambda var: "%(var)s=[System.Text.Encoding]::Default.GetString($(for($_=0;$_ -lt %(var)s.length;$_++){([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_] -shr 4)+97;([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_] -band 15)+97;}));" % {"var":var}
-        self.generate_powershell_r = lambda var: "%(var)s=[System.Text.Encoding]::Default.GetString($(for($_=0;$_ -lt %(var)s.length;$_+=2){(([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_]-97) -shl 4) -bor (([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_+1]-97) -band 15);}));" % {"var":var}
+        def netbios_powershell(var):
+            return "$data2=[System.Text.Encoding]::Default.GetBytes(%(var)s);%(var)s=[System.Text.Encoding]::Default.GetString($(for($i=0;$i -lt %(var)s.Length;$i++){($data2[$i] -shr 4)+97;($data2[$i] -band 15)+97;}));" % {"var": var}
+
+        def netbios_powershell_r(var):
+            return "$data2=[System.Text.Encoding]::Default.GetBytes(%(var)s);%(var)s=[System.Text.Encoding]::Default.GetString($(for($i=0;$i -lt %(var)s.Length;$i+=2){($data2[$i]-97 -shl 4) -bor ($data2[$i+1]-97 -band 15);}));" % {"var":var}
 
     def _netbiosu(self):
         """Configure the `netbiosu` Transform, which encodes an arbitrary input using the upper-case
         netbios algorithm."""
-        self.transform = lambda data: netbios_transform(data)
-        self.transform_r = lambda data: netbios_transform_r(data)
+        self.transform = lambda data: netbiosu_transform(data)
+        self.transform_r = lambda data: netbiosu_transform_r(data)
+        self.generate_python = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr((f_ord(_)>>4)+0x41)+chr((f_ord(_)&0xF)+0x41) for _ in %(var)s])\n" % {"var":var}
+        self.generate_python_r = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr(((f_ord(%(var)s[_])-0x41)<<4)|((f_ord(%(var)s[_+1])-0x41)&0xF)) for _ in range(0,len(%(var)s),2)])\n" % {"var":var}
+        self.generate_powershell = lambda var: netbiosu_powershell(var)
+        self.generate_powershell_r = lambda var: netbiosu_powershell_r(var)
 
-        def netbios_transform(data):
+        def netbiosu_transform(data):
             if isinstance(data, str):
                 data = data.encode('latin-1')
             r = "".join([chr((c>>4)+0x41)+chr((c&0xF)+0x41) for c in data])
             return r.encode('latin-1')
 
-        def netbios_transform_r(data):
+        def netbiosu_transform_r(data):
             if isinstance(data, str):
                 data = data.encode('latin-1')
             r = "".join([chr(((data[i]-0x41)<<4)|((data[i+1]-0x41)&0xF)) for i in range(0, len(data), 2)])
             return r.encode('latin-1')
 
-        self.generate_python = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr((f_ord(_)>>4)+0x41)+chr((f_ord(_)&0xF)+0x41) for _ in %(var)s])\n" % {"var":var}
-        self.generate_python_r = lambda var: "f_ord=ord if __import__('sys').version_info[0]<3 else int;%(var)s=''.join([chr(((f_ord(%(var)s[_])-0x41)<<4)|((f_ord(%(var)s[_+1])-0x41)&0xF)) for _ in range(0,len(%(var)s),2)])\n" % {"var":var}
-        self.generate_powershell = lambda var: "%(var)s=[System.Text.Encoding]::Default.GetString($(for($_=0;$_ -lt %(var)s.length;$_++){([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_] -shr 4)+65;([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_] -band 15)+65;}));" % {"var":var}
-        self.generate_powershell_r = lambda var: "%(var)s=[System.Text.Encoding]::Default.GetString($(for($_=0;$_ -lt %(var)s.length;$_+=2){(([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_]-65) -shl 4) -bor (([System.Text.Encoding]::Default.GetBytes(%(var)s)[$_+1]-65) -band 15);}));" % {"var":var}
+        def netbiosu_powershell(var):
+            return "$data2=[System.Text.Encoding]::Default.GetBytes(%(var)s);%(var)s=[System.Text.Encoding]::Default.GetString($(for($i=0;$i -lt %(var)s.Length;$i++){($data2[$i] -shr 4)+65;($data2[$i] -band 15)+65;}));" % {"var":var}
+
+        def netbiosu_powershell_r(var):
+            return "$data2=[System.Text.Encoding]::Default.GetBytes(%(var)s);%(var)s=[System.Text.Encoding]::Default.GetString($(for($i=0;$i -lt %(var)s.Length;$i+=2){($data2[$i]-65 -shl 4) -bor ($data2[$i+1]-65 -band 15);}));" % {"var":var}
 
     def _prepend(self, string):
         """Configure the `prepend` Transform, which prepends a static string to an arbitrary input.

diff --git a/lib/listeners/http_hop.py b/lib/listeners/http_hop.py
@@ -486,9 +486,9 @@ def start(self, name=''):
 
         if redirectListenerOptions:
 
-            self.options['RedirectStagingKey']['Value'] = redirectListenerOptions['StagingKey']['Value']
-            self.options['DefaultProfile']['Value'] = redirectListenerOptions['DefaultProfile']['Value']
-            redirectHost = redirectListenerOptions['Host']['Value']
+            self.options['RedirectStagingKey']['Value'] = redirectListenerOptions.options['StagingKey']['Value']
+            self.options['DefaultProfile']['Value'] = redirectListenerOptions.options['DefaultProfile']['Value']
+            redirectHost = redirectListenerOptions.options['Host']['Value']
 
             uris = [a for a in self.options['DefaultProfile']['Value'].split('|')[0].split(',')]
 

diff --git a/lib/listeners/http_malleable.py b/lib/listeners/http_malleable.py
@@ -887,7 +887,7 @@ def generate_comms(self, listenerOptions, language=None):
                     getTask += "$data = [System.Text.Encoding]::Default.GetString($data);"
 
                 # ==== INTERPRET RESULTS ====
-                getTask += profile.get.server.output.generate_powershell_r("$data");
+                getTask += profile.get.server.output.generate_powershell_r("$data")
                 getTask += "$data = [System.Text.Encoding]::Default.GetBytes($data);"
 
                 # ==== RETURN RESULTS ====
+80 −0		Crimeware/asprox.profile
+139 −0		Crimeware/emotet.profile
+73 −0		Crimeware/fiesta.profile
+71 −0		Crimeware/fiesta2.profile
+140 −0		Crimeware/globeimposter.profile
+142 −0		Crimeware/hancitor.profile
+129 −0		Crimeware/kronos.profile
+157 −0		Crimeware/ramnit.profile
+144 −0		Crimeware/rigEK.profile
+213 −0		Crimeware/saefko.profile
+382 −0		Crimeware/trick_ryuk.profile
+115 −0		Crimeware/trickbot.profile
+154 −0		Crimeware/ursnif_IcedID.profile
+364 −0		Crimeware/zloader.profile
+591 −0		Normal/bing_maps.profile
+286 −0		Normal/iheartradio.profile
+666 −0		Normal/jquery-c2.4.2.profile
+281 −0		Normal/slack.profile
+123 −0		Normal/wikipedia_getonly.profile
+2 −2		README.md