View Issue Details

IDProjectCategoryView StatusLast Update
0007533Kali LinuxKali Package Bugpublic2022-02-07 13:03
ReporterSc0k1ng37 Assigned Tosbrun  
PriorityhighSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Product Version2021.4 
Summary0007533: Powershell-empire bypassuac_fodhelper.py local variable error
Description

Empire Version

Empire 4.30

OS Information (Linux flavor, Python version)

OS: Debian 5.15.5
Python: 2.7.18

Powershell-empire contains an error in the following script ‘/usr/share/powershell-empire/empire/server/modules/powershell/privesc/bypassuac_fodhelper.py’:
[!] Error: UnboundLocalError("local variable 'script_end' referenced before assignment")

Steps To Reproduce

Steps to reproduce the behavior:
sudo apt-get update
sudo apt-get install powershell-empire
sudo powershell-empire server

Open a new terminal:
sudo powershell-empire client

(Empire: <agent_name>) > usemodule privesc/bypassuac_fodhelper
(Empire: powershell/privesc/bypassuac_fodhelper) > set Listener http
(Empire: powershell/privesc/bypassuac_fodhelper) > execute
[!] Error: UnboundLocalError("local variable 'script_end' referenced before assignment")
Expected behavior

The output should be as followed:
[>] Module is not opsec safe, run? [y/N] y

(Empire: powershell/privesc/bypassuac_fodhelper) >
Job started: 4STVDU
[+] Initial agent <agent_name> from <target_ip> now active (Slack)

(Empire: powershell/privesc/bypassuac_fodhelper) >

Additional Information

Snaptext from bypassuac_fodhelper.py reference to local variable 'script_end' :

else:
script_end += "Invoke-FodHelperBypass -Command "%s"" % (enc_script)
if main_menu.obfuscate:
script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end,
obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)

        return script

I have google for possible solution, but I cannot find a good solution for it. So I am unable to continue the empire exercises
To Reproduce

Activities

antbhlk

antbhlk

2022-01-12 10:47

reporter   ~0015626

fix

Sc0k1ng37

Sc0k1ng37

2022-01-12 11:01

reporter   ~0015635

Hi antbhlk,

What do you mean with 'fix'?

X0RW3LL

X0RW3LL

2022-01-12 17:41

reporter   ~0015636

This you?
https://github.com/BC-SECURITY/Empire/issues/534

Please don't spam Mantis with irrelevant bug reports. This belongs to the BC-Security repo, to which you already reported.

Sc0k1ng37

Sc0k1ng37

2022-01-12 17:45

reporter   ~0015637

Oke, than you can close my bug report.

Thanks for your support.

X0RW3LL

X0RW3LL

2022-01-12 17:49

reporter   ~0015638

Don't get me wrong; I'm a reporter just like you, but I believe the team is mostly concerned with issues directly related to the distro itself, and not so much with 3rd-party package-specific issues.
These things take time. I hope BC-Security gets back to you asap.

Sc0k1ng37

Sc0k1ng37

2022-01-13 09:40

reporter   ~0015639

Np. I will wait on the response from the BC-Security group.
This bug report can now be closed.

X0RW3LL

X0RW3LL

2022-01-13 09:42

reporter   ~0015640

I fixed it. Will someone from the team please consider this fix? It seems like the scripts are updated on BC-SECURITY's repo, but not in the metapackage.

bypassuac (Agent Interactive menu)

$ sudo vim /usr/share/powershell-empire/empire/server/modules/powershell/privesc/bypassuac_eventvwr.py

Line:33, which reads (moduleSource = main_menu.installPath + "/data/module_source/privesc/Invoke-EventVwrBypass.ps1")

Change moduleSource to module_source

Line:68, which reads (scriptEnd = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand))

Change scriptEnd to script_end

powershell/privesc/bypassuac_fodhelper

$ sudo vim /usr/share/powershell-empire/empire/server/modules/powershell/privesc/bypassuac_fodhelper.py

Line:63, which reads (script_end += "Invoke-FodHelperBypass -Command \"%s\"" % (enc_script))

Change it so the variable is declared, not augmented-assigned. The line should be:

script_end = "Invoke-FodHelperBypass -Command \"%s\"" % (enc_script) # changed (+=) to (=) [without the parenthesis]

X0RW3LL

X0RW3LL

2022-01-14 13:56

reporter   ~0015641

Heads up: this also extends to other bypassuac_*.py scripts. I was testing those two specific techniques until Sc0K1ng37 brought it to my attention that it's the same issue for others as well.

sbrun

sbrun

2022-01-14 15:14

manager   ~0015642

Thanks for the bug report.

I have uploaded the version 4.3.1-0kali2 with the fix. It will be available soon in kali-rolling.

Issue History

Date Modified Username Field Change
2022-01-11 11:54 Sc0k1ng37 New Issue
2022-01-12 10:47 antbhlk Note Added: 0015626
2022-01-12 11:01 Sc0k1ng37 Note Added: 0015635
2022-01-12 17:41 X0RW3LL Note Added: 0015636
2022-01-12 17:45 Sc0k1ng37 Note Added: 0015637
2022-01-12 17:49 X0RW3LL Note Added: 0015638
2022-01-13 09:40 Sc0k1ng37 Note Added: 0015639
2022-01-13 09:42 X0RW3LL Note Added: 0015640
2022-01-14 13:54 sbrun Assigned To => sbrun
2022-01-14 13:54 sbrun Status new => assigned
2022-01-14 13:56 X0RW3LL Note Added: 0015641
2022-01-14 15:14 sbrun Note Added: 0015642
2022-02-07 13:03 sbrun Status assigned => resolved
2022-02-07 13:03 sbrun Resolution open => fixed