Agent dies after check-in via redirector

Open ghost opened this issue 6 years ago • 4 comments

Empire Version

2.5

OS Information (Linux flavor, Python version)

Kali 2018.2, python 2.7.15rc1

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

After successful check-in via redirector an agent stops showing any signs of life.

Screenshot of error, embedded text output, or Pastebin link to the error

Last seen doesn't change

Any additional information

https://pastebin.com/ARyzN5JM

ghost avatar Jun 06 '18 21:06 ghost

Let me know if you need assistance, I've got a lab ready to reproduce the issue.

ghost avatar Jun 11 '18 09:06 ghost

This issue has been discussed before, and it's the same problem as #370. The quickest fix would be to recreate the fix for #370 in the redirector stager generation (just adding a header with the correct listener name).

mr64bit avatar Jun 11 '18 13:06 mr64bit

@mr64bit can you please explain more accurately what we have to change? I thank you

jammys avatar Nov 04 '18 23:11 jammys

The source of the problem is that when Empire generates the agent, it inserts the address of the listener that received the request. The listener currently has no way of knowing that the request came through the pivot. This was fixed in the PHP listener by having the pivot point add an HTTP header to tell Empire which pivot it came through.

This can't be done the same way for the pivot listener, since the pivot point is just forwarding a TCP connection. But, this could be fixed in two different ways in the stager itself. You could have the stager add an HTTP header with the name of the pivot listener. Second, at the end of the staging process, just use the staging address for comms, instead of the new one that comes in the agent code.

mr64bit avatar Nov 05 '18 14:11 mr64bit