Skywalker fix #52

Merged
merged 3 commits into from Sep 22, 2015
+23 −2
@@ -1,3 +1,7 @@
9/21/2015
---------
-Fix for 'skywalker' file overwrite exploit on control server (thanks @zeroSteiner!)
9/12/2015
---------
-Added credentials/mimikatz/mimitokens to take advantage of Mimikatz' token listing/elevation
@@ -195,6 +195,13 @@ def save_file(self, sessionID, path, data, append=False):
savePath = self.installPath + "/downloads/"+str(sessionID)+"/" + "/".join(parts[0:-1])
filename = parts[-1]
# fix for 'skywalker' exploit by @zeroSteiner
safePath = os.path.abspath("%s/downloads/%s/" %(self.installPath, sessionID))
if not os.path.abspath(savePath+"/"+filename).startswith(safePath):
dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" %(sessionID), sender="Agents")
dispatcher.send("[!] attempted overwrite of %s with data %s" %(path, data), sender="Agents")
return
# make the recursive directory structure if it doesn't already exist
if not os.path.exists(savePath):
os.makedirs(savePath)
@@ -210,7 +217,7 @@ def save_file(self, sessionID, path, data, append=False):
f.close()
# notify everyone that the file was downloaded
dispatcher.send("[+] Part of file "+filename+" from "+str(sessionID)+" saved", sender="Agents")
dispatcher.send("[+] Part of file %s from %s saved" %(filename, sessionID), sender="Agents")
def save_module_file(self, sessionID, path, data):
@@ -227,6 +234,13 @@ def save_module_file(self, sessionID, path, data):
savePath = self.installPath + "/downloads/"+str(sessionID)+"/" + "/".join(parts[0:-1])
filename = parts[-1]
# fix for 'skywalker' exploit by @zeroSteiner
safePath = os.path.abspath("%s/downloads/%s/" %(self.installPath, sessionID))
if not os.path.abspath(savePath+"/"+filename).startswith(safePath):
dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" %(sessionID), sender="Agents")
dispatcher.send("[!] attempted overwrite of %s with data %s" %(path, data), sender="Agents")
return
# make the recursive directory structure if it doesn't already exist
if not os.path.exists(savePath):
os.makedirs(savePath)
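Review bot: The containment test `os.path.abspath(savePath+"/"+filename).startswith(safePath)` in save_file is a plain string-prefix comparison, and `os.path.abspath` normalises away the trailing slash of safePath, so a resolved path inside a sibling directory whose name merely begins with the session ID (constructed example: `downloads/<sessionID>X/...`) still passes the check. Anchoring the prefix on a separator closes that gap: `safePath = os.path.abspath("%s/downloads/%s" % (self.installPath, sessionID)) + os.sep`. `abspath` also does not resolve symlinks, so `os.path.realpath` on both sides would be the stricter comparison if the downloads tree can ever contain links. The identical check added in the save_module_file hunk has the same gap, and since the two copies are line-for-line duplicates a small shared helper would keep them from drifting. Both functions begin and end outside the hunks shown.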
@@ -9,7 +9,7 @@
"""
# make version for Empire
VERSION = "1.2"
VERSION = "1.2.1"
from pydispatch import dispatcher
@@ -255,6 +255,9 @@ def handle_event(self, signal, sender):
elif "[!] Agent" in signal and "exiting" in signal:
print helpers.color(signal)
elif "WARNING" in signal or "attempted overwrite" in signal:
print helpers.color(signal)
elif "on the blacklist" in signal:
print helpers.color(signal)
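Review bot: The new `elif "WARNING" in signal or "attempted overwrite" in signal:` branch prints the signal verbatim, and the message it is meant to surface is built in save_file/save_module_file with the agent-supplied `path` and the entire `data` payload interpolated by `%s`. That sends untrusted bytes (control characters, arbitrarily large content) straight to the operator console and to any other dispatcher listener. Reporting the size and an escaped path at the sender keeps the alert useful without echoing the payload, e.g. `dispatcher.send("[!] attempted overwrite of %r with %d bytes" % (path, len(data)), sender="Agents")`. The substring match on `"WARNING"` is also broad, so any future signal containing that word will take this branch; the rest of handle_event lies outside the hunk, so whether an earlier branch already shadows such signals cannot be checked from here.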