Empire icon indicating copy to clipboard operation
Empire copied to clipboard

Published 20 hours ago verified publisher icon EmpireProject

An error occurred while enumerating through a collection: The collection has been modified

Open BilalBenseddiq opened this issue 6 years ago • 2 comments

Empire Version

Empire v2.5

OS Information (Linux flavor, Python version)

Kali Linux, python v2

Expected behavior and description of the error, including any actions taken immediately prior to the error. The more detail the better.

Hello,

I'm trying to implement a new listener/agent using another cloud storage system than Dropbox. Every command works appropriately, except script execution (ex: trollsploit/message, or privesc/powerup/allchecks), indeed, the following steps arise:

  1. The listener sends the task to the agent within a cloud file
  2. The agent reads the file, it is a type 110 request (dynamic code execution, no wait, don't save output), it launches the new job ( $jobID = Start-AgentJob $data) and then send "Job started: XXXX" to the listener (which receives it)
  3. The agent continues its main loop, especially entering the foreach: ForEach($JobName in $Script:Jobs.Keys)
  4. When the job is completed, it enters the following condition:
				if(Get-AgentJobCompleted -JobName $JobName) {
					# the job has stopped, so receive results/cleanup
					$Results = Stop-AgentJob -JobName $JobName | fl | Out-String
  1. The agent crashes with the following error message:

An error occurred while enumerating through a collection: The collection has been modified

Of course, because the Stop-AgentJob function called within the foreach that parses the jobs collection removes on of the job during the enumeration.

Can you please explain to me how did you get that code to execute successfuly ?

BilalBenseddiq avatar Aug 17 '18 10:08 BilalBenseddiq

That's a normal message to see when running an agent without setting $ErrorActionPreference, but I've never had an agent die because of it.

Can do provide more information about the Agent's environment?

Also, if you remove the $ErrorActionPreference line from data/agent/stagers/http.ps1 and start an HTTP agent, does it die as well when running a background job?

mr64bit avatar Aug 17 '18 23:08 mr64bit

Hi mr64bit and thank you for your interest in this issue.

I just checked and my agent has $ErrorActionPreference correctly set to "SilentlyContinue", it runs in a Windows 7 SP1 (professional) .

When removing the $ErrorActionPreference line from data/agent/stagers/http.ps1 and start an HTTP agent, interestingly, the same error is sent, but the agent does not crashes at all and accepts correctly other requests.

BilalBenseddiq avatar Aug 20 '18 09:08 BilalBenseddiq