[BUG] Powershell-empire bypassuac_fodhelper.py local variable error #534

Closed · ScorpionKing34 opened this issue Jan 11, 2022 · 2 comments
Labels: bug (Something isn't working), confirmed

@ScorpionKing34

ScorpionKing34 commented Jan 11, 2022

Empire Version

  • Empire 4.30

OS Information (Linux flavor, Python version)

  • OS: Debian 5.15.5
  • Python: 2.7.18

Describe the bug

Powershell-empire contains an error in the following script ‘/usr/share/powershell-empire/empire/server/modules/powershell/privesc/bypassuac_fodhelper.py’:
[!] Error: UnboundLocalError("local variable 'script_end' referenced before assignment")

Snippet from bypassuac_fodhelper.py referencing the local variable 'script_end':

        else:
            script_end += "Invoke-FodHelperBypass -Command \"%s\"" % (enc_script)
        if main_menu.obfuscate:
            script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end,
                                             obfuscationCommand=main_menu.obfuscateCommand)
        script += script_end
        script = data_util.keyword_obfuscation(script)

        return script

I have googled for a possible solution, but I cannot find a good one, so I am unable to continue the Empire exercises.

To Reproduce

Steps to reproduce the behavior:
sudo apt-get update
sudo apt-get install powershell-empire
sudo powershell-empire server

Open a new terminal
sudo powershell-empire client

(Empire: <agent_name>) > usemodule privesc/bypassuac_fodhelper
(Empire: powershell/privesc/bypassuac_fodhelper) > set Listener http
(Empire: powershell/privesc/bypassuac_fodhelper) > execute
[!] Error: UnboundLocalError("local variable 'script_end' referenced before assignment")

Expected behavior

The output should be as follows:
[>] Module is not opsec safe, run? [y/N] y

(Empire: powershell/privesc/bypassuac_fodhelper) >
Job started: 4STVDU
[+] Initial agent <agent_name> from <target_ip> now active (Slack)

(Empire: powershell/privesc/bypassuac_fodhelper) >

@ScorpionKing34 ScorpionKing34 added the bug Something isn't working label Jan 11, 2022
@X0RW3LL

X0RW3LL commented Jan 13, 2022

I was having the same issue when I was using the Kali package version of Empire 4.3.0-0kali1, and I think these changes will resolve the issues with bypassuac_fodhelper.py* and bypassuac_eventvwr.py*

* Use the locate command to get the full path to the scripts


Case: Agent Interactive Menu (bypassuac shortcut) [2 changes required]

Step 1: Edit the following lines of code in bypassuac_eventvwr.py

Step 2: On line 33:

moduleSource = main_menu.installPath + "/data/module_source/privesc/Invoke-EventVwrBypass.ps1"

Step 3: Change moduleSource to module_source

module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-EventVwrBypass.ps1"

Step 4: On line 68:

scriptEnd = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand)

Step 5: Change scriptEnd to script_end

script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand)

Case: usemodule powershell/privesc/bypassuac_fodhelper [1 change required]

Step 1: Edit bypassuac_fodhelper.py

Step 2: On line 63:

script_end += "Invoke-FodHelperBypass -Command \"%s\"" % (enc_script)

Notice how the statement shows augmented assignment (script_end +=) as opposed to a variable declaration (script_end =)

Step 3: Change the line so that the variable is declared (remove the + sign before the = sign)

script_end = "Invoke-FodHelperBypass -Command \"%s\"" % (enc_script)

If you have any questions about the changes I made, or to verify whether the changes worked, please let me know!

Special thanks to TJNull <3
Github: https://github.com/tjnull
Twitter: https://twitter.com/TJ_Null


Looks like this might extend to other bypassuac_*.py scripts. Kindly use the same principles when editing, as the issues are most likely the same. Thanks, @ScorpionKing34!
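A minimal reproduction of the scoping bug behind the error above, beside the corrected form, written as an added example (it is not Empire's code); the names build_script_buggy, build_script_fixed, obfuscate, error_for and the "Run-Thing" command string are constructed stand-ins for the module's real names.

```python
from typing import Callable


def obfuscate(text: str) -> str:
    """Constructed stand-in for data_util.obfuscate: just marks the text."""
    return "<obf>" + text + "</obf>"


def build_script_buggy(enc_script: str, obfuscate_output: bool, command: str = "") -> str:
    """Same shape as the reported module: the else branch only ever uses '+='.

    Because 'script_end' is assigned somewhere in this function, Python treats it
    as a local name everywhere in the function; on the else path it has no value
    yet when '+=' reads it, so Python raises UnboundLocalError. That path is the
    one hit when no Command option is set, exactly as in the report above.
    """
    script = "# module header\n"
    if command:
        script_end = "Run-Thing -Command \"%s\"" % (command)
    else:
        script_end += "Run-Thing -Encoded \"%s\"" % (enc_script)  # bug: read before assignment
    if obfuscate_output:
        script_end = obfuscate(script_end)
    script += script_end
    return script


def build_script_fixed(enc_script: str, obfuscate_output: bool, command: str = "") -> str:
    """The fix from the comment above: plain assignment instead of '+='."""
    script = "# module header\n"
    if command:
        script_end = "Run-Thing -Command \"%s\"" % (command)
    else:
        script_end = "Run-Thing -Encoded \"%s\"" % (enc_script)  # fixed: '=' not '+='
    if obfuscate_output:
        script_end = obfuscate(script_end)
    script += script_end
    return script


def error_for(fn: Callable[..., str], *args) -> str:
    """Return the exception class name raised by fn(*args), or '' if it returns normally."""
    try:
        fn(*args)
    except Exception as exc:  # noqa: BLE001 - we want the class name of whatever is raised
        return type(exc).__name__
    return ""


if __name__ == "__main__":
    print("buggy:", error_for(build_script_buggy, "QUJD", False) or "no error")
    print("fixed:", build_script_fixed("QUJD", True))
```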

@Cx01N

Cx01N commented Jan 14, 2022

I appreciate everyone taking the time to let us know what to fix. I merged the fixes and testing now, will cut a release as soon as we are done. Thanks!