[BUG] Malleable C2 / incorrect URIs #392

Closed
SaltyWafffles opened this issue Nov 9, 2020 · 3 comments · Fixed by #393
Labels: bug (Something isn't working)

@SaltyWafffles

Note: Please fill out all sections (if applicable) and do not delete the below section headers, otherwise the bot will close the issue.

Empire Version

  • Empire 3.6.0

OS Information (Linux flavor, Python version)

  • OS: Kali 2020.3
  • Python: 3.8.6

Describe the bug

Generating a Malleable listener with an appropriately populated C2 profile works successfully, but any agent generated from it is not passed the correct URIs. Seems that it is defaulting to '/'.

To Reproduce

Steps to reproduce the behavior:

  1. Populate a C2 profile
  2. Create a malleable listener using that profile
  3. Generate a stager for that listener
  4. Execute an agent on target machine
  5. Monitor the HTTP comms via Wireshark

Expected behavior

Generated agents should be configured to call out with the specified HTTP GET/POST URIs as specified in the supplied C2 profile.

Screenshots

[Two screenshots; images not preserved]

Additional context

I tried putting trailing '/'s in the C2 profile, but that caused the same issue of the agent just reaching out for '/' as the GET URI.

@SaltyWafffles SaltyWafffles added the bug Something isn't working label Nov 9, 2020

Cx01N commented Nov 10, 2020

I think the options clearing that we implemented in the last release messed with the malleable listener. Could you give this branch a shot and let me know if it fixes your issue?
#393

I tested the havex profile from our repo and it seems to be working. Which one were you using? Just so I can make sure it's not a broken profile (some have issues, unfortunately).
https://github.com/BC-SECURITY/Malleable-C2-Profiles/tree/master/APT


@Cx01N Cx01N self-assigned this Nov 10, 2020
@SaltyWafffles

That branch seemed to fix the issue.

I was using the amazon.profile originally, but the havex.profile in your repository is working fine for me now.


Cx01N commented Nov 10, 2020

I'll roll out a patch this week. Thanks for finding this!
