
Commit ffb88a6

committed
Merge pull request #52 from PowerShellEmpire/skywalker_fix
Skywalker fix
2 parents ed8c476 + 6be3d4c commit ffb88a6


3 files changed

+23
-2
lines changed


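--- a/changelog
+++ b/changelog
@@ -1,3 +1,7 @@
+9/21/2015
+---------
+-Fix for 'skywalker' file overwrite exploit on control server (thanks @zeroSteiner!)
+
 9/12/2015
 ---------
 -Added credentials/mimikatz/mimitokens to take advantage of Mimikatz' token listing/elevation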

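--- a/lib/common/agents.py
+++ b/lib/common/agents.py
@@ -195,6 +195,13 @@ def save_file(self, sessionID, path, data, append=False):
         savePath = self.installPath + "/downloads/"+str(sessionID)+"/" + "/".join(parts[0:-1])
         filename = parts[-1]
 
+        # fix for 'skywalker' exploit by @zeroSteiner
+        safePath = os.path.abspath("%s/downloads/%s/" %(self.installPath, sessionID))
+        if not os.path.abspath(savePath+"/"+filename).startswith(safePath):
+            dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" %(sessionID), sender="Agents")
+            dispatcher.send("[!] attempted overwrite of %s with data %s" %(path, data), sender="Agents")
+            return
+
         # make the recursive directory structure if it doesn't already exist
         if not os.path.exists(savePath):
             os.makedirs(savePath)
@@ -210,7 +217,7 @@ def save_file(self, sessionID, path, data, append=False):
         f.close()
 
         # notify everyone that the file was downloaded
-        dispatcher.send("[+] Part of file "+filename+" from "+str(sessionID)+" saved", sender="Agents")
+        dispatcher.send("[+] Part of file %s from %s saved" %(filename, sessionID), sender="Agents")
 
 
     def save_module_file(self, sessionID, path, data):
@@ -227,6 +234,13 @@ def save_module_file(self, sessionID, path, data):
         savePath = self.installPath + "/downloads/"+str(sessionID)+"/" + "/".join(parts[0:-1])
         filename = parts[-1]
 
+        # fix for 'skywalker' exploit by @zeroSteiner
+        safePath = os.path.abspath("%s/downloads/%s/" %(self.installPath, sessionID))
+        if not os.path.abspath(savePath+"/"+filename).startswith(safePath):
+            dispatcher.send("[!] WARNING: agent %s attempted skywalker exploit!" %(sessionID), sender="Agents")
+            dispatcher.send("[!] attempted overwrite of %s with data %s" %(path, data), sender="Agents")
+            return
+
         # make the recursive directory structure if it doesn't already exist
         if not os.path.exists(savePath):
             os.makedirs(savePath)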
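Review bot: The prefix check in the first hunk is still loose, because os.path.abspath() drops the trailing slash, so safePath is `<installPath>/downloads/<sessionID>` with no separator and startswith() also accepts a resolved path that lands in a sibling directory whose name merely begins with the session ID; compare against the prefix with a separator appended, `if not os.path.abspath(savePath+"/"+filename).startswith(safePath + os.sep):`, or use os.path.relpath and reject anything starting with `..`. The same seven lines are duplicated verbatim in the third hunk for save_module_file, which is a good candidate for a small shared helper so the two checks cannot drift apart. The second dispatcher.send() also embeds the entire agent-supplied `data` buffer in the signal, which then reaches the console; logging `path` plus `len(data)` would keep the warning readable for large or binary payloads. Both save_file and save_module_file start outside the hunks.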

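--- a/lib/common/empire.py
+++ b/lib/common/empire.py
@@ -9,7 +9,7 @@
 """
 
 # make version for Empire
-VERSION = "1.2"
+VERSION = "1.2.1"
 
 
 from pydispatch import dispatcher
@@ -255,6 +255,9 @@ def handle_event(self, signal, sender):
         elif "[!] Agent" in signal and "exiting" in signal:
             print helpers.color(signal)
 
+        elif "WARNING" in signal or "attempted overwrite" in signal:
+            print helpers.color(signal)
+
         elif "on the blacklist" in signal:
             print helpers.color(signal)
 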
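Review bot: The new branch in the second hunk prints the signal verbatim, and the matching send in lib/common/agents.py builds that signal from the agent-supplied path and the full `data` buffer, so a large or binary upload would be dumped straight to the operator console; truncating the printed text to a fixed length before helpers.color() would keep the warning usable. The substring test `"WARNING" in signal` is also generic enough to catch any future signal containing that word, which may be intended but is worth documenting, e.g. `# skywalker path-traversal warnings raised by Agents.save_file / save_module_file`. handle_event starts and ends outside the hunk; the version bump in the first hunk needs no change.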